You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: setup/security/rbac/rbac_rancher.md
+15-6Lines changed: 15 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -12,8 +12,6 @@ Two kinds of roles are used for accessing SUSE Observability:
12
12
13
13
A number of `RoleTemplate`s are available to achieve this, with common groupings of permissions. Binding these templates to users or groups on a cluster or namespace will trigger roles and role-bindinds to be provisioned on the target cluster. The default templates are described below. Note that it is possible to define your own combinations of permissions in a custom RoleTemplate.
14
14
15
-
A standalone installation of SUSE Observability supplies predefined groups that correspond to the below instance roles.
16
-
17
15
### Observer role
18
16
19
17
The observer role grants a user the permission to read topology, metrics, logs and trace data for a namespace or a cluster. There are three `RoleTemplate`s that grant access to observability data:
@@ -35,17 +33,22 @@ The permissions assigned to each predefined SUSE Observability role can be found
35
33
{% tabs %}
36
34
{% tab title="Recommended Access" %}
37
35
Recommended access grants permissions that are not strictly necessary, but that make SUSE Observability a lot more useful.
38
-
|*Resource*|*Verbs*|
36
+
37
+
| Resource | Verbs |
38
+
| --- | --- |
39
39
| apitokens | get |
40
40
| favoritedashboards | create, delete |
41
41
| favoriteviews | create, delete |
42
42
| stackpacks | get |
43
43
| visualizationsettings | update |
44
+
44
45
{% endtab %}
45
46
46
47
{% tab title="Troubleshooter" %}
47
48
The Troubleshooter role has access to all data available in SUSE Observability and the ability to create views and enable/disable monitors.
48
-
|*Resource*|*Verbs*|
49
+
50
+
| Resource | Verbs |
51
+
| --- | --- |
49
52
| agents | get |
50
53
| apitokens | get |
51
54
| componentactions | execute |
@@ -64,11 +67,14 @@ The Troubleshooter role has access to all data available in SUSE Observability a
64
67
| traces | get |
65
68
| views | get, create, update, delete |
66
69
| visualizationsettings | get |
70
+
67
71
{% endtab %}
68
72
69
73
{% tab title="Administrator" %}
70
74
The Administrator role has all permissions assigned.
71
-
|*Resource*|*Verbs*|
75
+
76
+
| Resource | Verbs |
77
+
| --- | --- |
72
78
| agents | get |
73
79
| apitokens | get |
74
80
| componentactions | execute |
@@ -93,6 +99,7 @@ The Administrator role has all permissions assigned.
93
99
| traces | get |
94
100
| views | get, create, update, delete |
95
101
| visualizationsettings | update |
102
+
96
103
{% endtab %}
97
104
98
105
@@ -107,7 +114,9 @@ These resources correspond to data collected by the SUSE Observability agent and
107
114
These resources can only be read, so the only applicable verb is `get`.
108
115
109
116
Apart from these RBAC resources controlling access to observability data, "instance" resources define user capabilities for executing and configuring SUSE Observability:
110
-
|*Resource*|*Verbs*|*Description*|
117
+
118
+
| Resource | Verbs | Description |
119
+
| --- | --- | --- |
111
120
|`agents`|`get`| List connected agents with the cli `agent list` command |
112
121
|`apitokens`|`get`| Access the CLI page. This provides the API key to use for authentication with the SUSE Observability CLI |
0 commit comments