  1. OpenShift Logging
  2. LOG-3841

Loki - Fine grained Logs Access


    • Epic
    • Resolution: Done
    • Normal
    • Logging 5.8.0
    • Log Storage
    • Green
    • NEW
    • Done
    • OBSDA-296 - Better control over access to logs in LokiStack for enterprise environments
    • VERIFIED
    • 0% To Do, 0% In Progress, 100% Done
    • With this update, LokiStack administrators can have more fine-grained control over who can access which logs by granting access to logs on a namespace basis.
    • Feature

      Goals

      • Support denying users access to the workload logs of an entire namespace.
      • Support denying users with elevated rights, similar to cluster-admins, access to the workload logs.
      • Support limiting users with elevated rights across many namespaces to accessing only the logs of namespaces where they are namespace admin.

      Non-Goals

      • Custom access policies for the LokiStack authentication and authorization provider on OpenShift.

      Motivation

      In enterprise environments where OpenShift Container Platform 4 is used across different legal entities, it is common to have central teams that support the application teams in the respective entities. Because some applications may log sensitive data, those centralized support teams are not granted access to logs; they can only view specific objects, such as pods, in the namespace.

      Even though OpenShift Container Platform 4 allows RBAC to be configured to address these use cases, LokiStack does not, and therefore grants access to logs to people who should not see them.

      It is also important that users can have elevated permissions to access all namespaces in an OpenShift Container Platform 4 cluster without seeing logs, while also running their own application where they are full application admin and thus require access to its logs, also through LokiStack.

      Alternatives

      Acceptance Criteria

      • The LokiStack administrator can deny/approve workload logs access per namespace per user/group.
      • The LokiStack administrator can deny access to workload logs even if the user/group can see multiple namespaces or has cluster-admin-like rights.
      • The LokiStack administrator can limit users with many namespaces to accessing only the logs of namespaces where they are admin.

      Risk and Assumptions

      Documentation Considerations

      Open Questions

      Additional Notes

              ptsiraki@redhat.com Periklis Tsirakidis
              Kabir Bharti