Learn how to configure rights and permissions through role-based access control.
Log policies are usually decided by an entire team, not by individuals. Because collaboration is a priority for Logs Data Platform, it lets everyone share data easily and securely. Log policies also affect access rights across several teams: for instance, product managers may be allowed to access some data but be denied access to security logs. That is why Logs Data Platform provides Role-Based Access Control so that you can configure access rights yourself.
Instructions
Creating a Role
From the OVHcloud Control Panel:
- Select Bare Metal Cloud from the top navigation menu.
- In the left-hand menu, click Logs Data Platform and select your account.
- Select the Roles tab.
- Click the + Add a role button.
- Give the role a name and description and click Save.
Managing Permissions
Once the role is created, you can configure its details: the permissions and the members.
Click the more options ... button on the right to display the menu and select manage permissions.
On the permission page, you will see two tabs Read-Only and Read-Write.
Some items can be shared in read-only whereas others can be shared with a write (or modification) right.
Items | Read-Only | Read-Write |
---|---|---|
Stream | Yes | No |
Dashboard | Yes | Yes |
Index | Yes | Yes |
Alias | Yes | No |
OpenSearch Dashboards | Yes | Yes |
- Data Stream: Graylog Data Streams can only be shared read-only since logs are fully immutable.
- Dashboards: Graylog Dashboards can be shared read-only or read-write. With the read-write access, the users in the role can add, modify, and remove widgets of a dashboard.
- Index: OpenSearch indices can be shared read-only or read-write. With the read-write access, users in the role can add, modify, and delete documents in the index. They can also alter the mapping.
- Aliases: OpenSearch Aliases are read-only. They can only be used to read the data attached to them.
- OpenSearch Dashboards: OpenSearch Dashboards can be shared read-only or read-write. With read-only access, users can open OpenSearch Dashboards but cannot modify anything in it. With read-write access, users can modify the dashboards, the visualizations, and any other OpenSearch Dashboards feature or setting.
Select the items you want to share in the role and they will switch from the available column to the selected column. Go back to the roles page to manage the users in the defined role.
Managing members
To manage the members of a role, use the more options ... button and select Manage members.
Click + Add a member to add a new member for this role. In the username box, you must enter a Logs Data Platform username. The LDP username can be found in the Home panel of your manager in the General section. Any Logs Data Platform user can be added to the role even if their assigned cluster is different from yours.
Once a member has been added, they can see the data streams that have been shared with them in the Data stream tab, in the Shared column. The actions available to them can be found by clicking the more options ... button.
If a shared item is not on a user's assigned cluster, the user can use their usual Logs Data Platform account credentials on that other cluster to access it. Once a user has access to items on another cluster, they can create tokens for that cluster. As a reminder, creating an account on Logs Data Platform is free: any OVHcloud customer can create one or several accounts, and they do not pay for data that has been shared with them.
Using API
Role management can be automated by using the OVHcloud API.
Here are a few examples of the role API calls you can use:
List available services
Return the list of roles associated with the service
GET /dbaas/logs/{serviceName}/role
Parameters:
- serviceName: The internal ID of your Logs Data Platform service (string)
Return details of a specified role
GET /dbaas/logs/{serviceName}/role/{roleId}
Parameters:
- serviceName: The internal ID of your Logs Data Platform service (string)
- roleId: UUID of your role (string)
Add a member to a role
POST /dbaas/logs/{serviceName}/role/{roleId}/member
Parameters:
- serviceName: The internal ID of your Logs Data Platform service (string)
- roleId: UUID of your role (string)
- RoleMemberCreation: A JSON body containing the field username (string), the Logs Data Platform username of the member, and the field note (string), a description of this member
Don't hesitate to explore the API, and try it with the provided console.
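As an added example (not OVHcloud's own client library), the following Python script uses only the standard library to sign requests with the OVHcloud API v1 scheme (application key, application secret and consumer key) and wraps the three role calls listed above. The service name, role ID and usernames are placeholders you replace with your own, and the injectable `send` parameter lets the calls be exercised without network access.

```python
import hashlib
import json
import time
from urllib.request import Request, urlopen

API_BASE = "https://eu.api.ovh.com/1.0"  # OVHcloud EU endpoint; other regions use another host


def ovh_headers(app_key, app_secret, consumer_key, method, url, body="", timestamp=None):
    """Authenticated headers for one OVHcloud API v1 call.

    The signature is "$1$" + SHA1 over app_secret, consumer_key, HTTP method,
    full URL, request body and timestamp joined with "+". The body must be the
    exact string sent on the wire (empty for GET). OVHcloud expects server time;
    the local clock is used here, so the host must be NTP-synchronised.
    """
    ts = str(int(time.time()) if timestamp is None else timestamp)
    raw = "+".join([app_secret, consumer_key, method, url, body, ts])
    return {
        "X-Ovh-Application": app_key,
        "X-Ovh-Consumer": consumer_key,
        "X-Ovh-Timestamp": ts,
        "X-Ovh-Signature": "$1$" + hashlib.sha1(raw.encode()).hexdigest(),
        "Content-Type": "application/json",
    }


def http_send(creds, method, url, body=""):
    """Default transport: sign the request, send it and decode the JSON answer."""
    req = Request(url, data=body.encode() or None, method=method,
                  headers=ovh_headers(*creds, method, url, body))
    with urlopen(req) as resp:
        return json.loads(resp.read().decode())


def list_roles(creds, service_name, send=http_send):
    """GET /dbaas/logs/{serviceName}/role: roles attached to the service."""
    return send(creds, "GET", f"{API_BASE}/dbaas/logs/{service_name}/role")


def get_role(creds, service_name, role_id, send=http_send):
    """GET /dbaas/logs/{serviceName}/role/{roleId}: details of one role."""
    return send(creds, "GET", f"{API_BASE}/dbaas/logs/{service_name}/role/{role_id}")


def add_member(creds, service_name, role_id, username, note="", send=http_send):
    """POST /dbaas/logs/{serviceName}/role/{roleId}/member with a RoleMemberCreation body."""
    body = json.dumps({"username": username, "note": note})  # exact string that gets signed
    return send(creds, "POST", f"{API_BASE}/dbaas/logs/{service_name}/role/{role_id}/member", body)
```

Because every call goes through `send`, you can log the (method, URL, body) triples of a role-management run for review before pointing the script at the real endpoint.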
Go further
For more information and tutorials, please see our other Logs Data Platform support guides or explore the guides for other OVHcloud products and services.