Skip to main content

Logs Data Platform - Handling Roles and Permissions

Stephanie R.
Updated

Learn how to configure rights and permissions through role-based access control.

Log policies are often decisions made by an entire team, not individuals. Because collaboration is a priority for Logs Data Platform, it enables everyone to share data easily and securely. Log policies also affect several teams regarding access rights, for instance, the Product managers can access some data but be denied to access security logs. That's why we decided to provide a Role-Based Access Control to users to configure access rights.

 

Instructions

Creating a Role

From the OVHcloud Control Panel:

  1. Select Bare Metal Cloud from the top navigation menu.
  2. In the left-hand menu, click Logs Data Platform and select your account.
  3. Select the Roles tab.
  4. Click the + Add a role button.
  5. Give the role a name and description and click Save.

operate_LDP_GS_roles01.png

 

Managing Permissions

Once created you will be able to configure the role details: the permissions and the members.

Click on the more options ... button on the right to display the menu and head to manage permissions.

operate_LDP_GS_roles02*.png

On the permission page, you will see two tabs Read-Only and Read-Write.

Some items can be shared in read-only whereas others can be shared with a write (or modification) right.

Items Read-Only Read-Write
Stream Yes No
Dashboard Yes Yes
Index Yes Yes
Alias Yes No
OpenSearch Dashboards Yes Yes
  • Data Stream: Graylog Data Streams can only be shared read-only since logs are fully immutable.
  • Dashboards: Graylog Dashboards can be shared read-only or read-write. With the read-write access, the users in the role can add, modify, and remove widgets of a dashboard.
  • Index: OpenSearch indices can be shared read-only or read-write. With the read-write access, users in the role can add, modify, and delete documents in the index. They can also alter the mapping.
  • Aliases: OpenSearch Aliases are read-only. They can only be used to read the data attached to them.
  • OpenSearch Dashboards: OpenSearch Dashboards can be shared read-only or read-write. If OpenSearch Dashboards is read-only, users have access to the OpenSearch Dashboards but cannot modify it. If OpenSearch Dashboards is read-write, users can modify the dashboards or the visualizations or any other OpenSearch Dashboards feature or setting.
To give access to data (index or aliases) explored through OpenSearch Dashboards to a user, you need to give at least read rights to both the instance and the data explored.

Select the items you want to share in the role and they will switch from the available column to the selected column. Go back to the roles page to manage the users in the defined role.

operate_LDP_GS_roles03.png

 

Managing members

To manage the members of a role, use the more options ... button and select Manage members.

operate_LDP_GS_roles04a*.png

Click + Add a member to add a new member for this role. In the username box, you must add a Logs Data Platform username. The LDP username can be found in the Home panel of your manager in the General section. Any Logs Data Platform user can be added to the role even if their assigned cluster is different from yours.

operate_LDP_GS_roles04.png

Once a member has been added, they can see the data streams that have been shared with them in the Data stream tab in the Shared column. The actions available to them can be found by clicking the more options ... button.

Shared Stream*.png

A user can use their usual Logs Data Platform account credentials on a different cluster to access a shared item if it is not on their assigned cluster. If one user has access to items on another cluster, they can create tokens for this new cluster access. As a reminder, creating an account on Logs Data Platform is free, any OVHcloud customer can create one or several accounts and they do not have to pay for data that has been shared with them.

 

Using API

Role management can be automated by using the OVHcloud API.

Here are a few examples of the role API calls you can use:

 

List available services

GET /dbaas/logs

 

Return the list of roles associated with the service

GET /dbaas/logs/{serviceName}/role

Parameters:

  • serviceName: The internal ID of your Logs Data Platform service (string)

 

Return details of a specified role

GET /dbaas/logs/{serviceName}/role/{roleId}

Parameters:

  • serviceName: The internal ID of your Logs Data Platform service (string)
  • roleId: UUID of your role (string)

 

Add a member to a role

POST /dbaas/logs/{serviceName}/role/{roleId}/member

Parameters:

  • serviceName: The internal ID of your Logs Data Platform service (string)
  • roleId: UUID of your role (string)
  • RoleMemberCreation: A JSON object containing the field {username} (string), the username of the member, and a {note}, the description of this member

Don't hesitate to explore the API, and try it with the provided console.

 

Go further

For more information and tutorials, please see our other Logs Data Platform support guides or explore the guides for other OVHcloud products and services.

Related articles