Uploaded image for project: 'Observability and Data Analysis Program'
  1. Observability and Data Analysis Program
  2. OBSDA-296

Better control over access to logs in LokiStack for enterprise environments

    XMLWordPrintable

Details

    • False
    • None
    • False
    • Not Selected
    • 100
    • 100% 100%
    • 0

    Description

      1. Proposed title of this feature request
      Better control over access to logs in LokiStack for enterprise environments

      2. What is the nature and description of the request?
      Currently, access to logs in LokiStack is granted when a user access has to the given namespace or when the user is part of a specific cluster-admin Group.

      Still there are different use-cases that are not covered with this scenario but should be evaluated as otherwise RBAC permissions from OpenShift Container Platform 4 are not properly reflected in LokiStack.

      Use Case number one, is where a user has access to specific namespace to see the objects included but is denied to view logs from pods (for legal reason mostly).

      Use Case number two, is where a number of people have elevated permissions and therefore are able to access pretty much all namespaces on the OpenShift Container Platform 4 - Cluster. Usually those people are responsible to enable and support application when onboarding to OpenShift Container Platform 4 and therefore have again permissions to see most of the objects in the given namespaces. But again due to legal and data protection constrains, those users can not have access to logs and therefore LokiStack should prevent them from seeing applicaiton specific logs.

      Important, the users having access to all namespaces in the OpenShift Container Platform 4 - Clusters may still be namespace admin for specific namespaces (as they may be responsible for some application) and for the same, they should be able to see the logs in LokiStack.

      3. Why does the customer need this? (List the business requirements here)
      In enterprise environments, where OpenShift Container Platform 4 is used across different legal entities, it's common to have central teams that support the application teams in the respective entities. But given that some application may log sensitive data, those centralized support teams are not granted access to logs but they can only view specific objecs, such as pods in the namespace.

      Even though OpenShift Container Platform 4 does allow to configure RBAC to address these use-cases, LokiStack does not and therefore grants access to logs for people that should not see them.

      Also important, users can have elevanted permissions to accesss all namespaces in a OpenShift Container Platform 4 - Cluster and not see logs but also have their own application running where they are full application admin and thus require access to logs, also through LokiStack.

      4. List any affected packages or components.

      Attachments

        Issue Links

          is caused by

          Bug - A problem that impairs or prevents the functions of the product. LOG-3434 Elasticsearch authorization not working as expected with "auth can-i get pods/log"

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          is related to

          Spike - Represents a research-related task. LOG-3855 Evaluate possible solutions for fine-grained per-namespace logs access

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          relates to

          Bug - A problem that impairs or prevents the functions of the product. LOG-4236 Users with cluster-admins previlages except kubeadmin cannot view logs in Loki if the total character length crosses limit of 5120.

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. LOG-3750 Error message is not helpful when querying Loki

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          links to

          Web Link KCS 7018952: Loki returns input size too long in RHOCP 4 web console

          Activity

            People

              jamparke@redhat.com Jamie Parker
              rhn-support-sreber Simon Reber
              Votes:
              4 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: