
Add trace query RBAC #789

Open: wants to merge 3 commits into base branch main
Conversation

pavolloffay (Member):

Flag --traces.query-rbac=true enables query RBAC. The user will be able to see span/resource/scope attributes and events only from namespaces it can access (the list of namespaces is returned from opa-openshift).

Review threads on api/traces/v1/trace_rbac.go: 4 (all resolved, 3 outdated)
@pavolloffay force-pushed the trace-rbac branch 2 times, most recently from e7a5666 to c22d039 on January 23, 2025 15:58
Signed-off-by: Pavol Loffay <[email protected]>
matchersTyped := matchers.(AuthzResponseData)

var namespaces []string
for _, m := range matchersTyped.Matchers {
Contributor comment:

Does matchersTyped.Matchers always contain a list of |-separated namespace names?
It's not directly related to this PR, but I wonder why the attribute is called Matchers and not Namespaces.

}
level.Debug(log).Log("AllowedNamespaces", allowedNamespaces)

if strings.Contains(response.Request.URL.Path, "/api/traces/") || strings.Contains(response.Request.URL.Path, "/api/search") {
Contributor comment:

Should we send a 403 error for other API endpoints?
https://grafana.com/docs/tempo/latest/api_docs/#endpoints

https://grafana.com/docs/tempo/latest/api_docs/#search-tag-values-v2 could leak private data (but this will also disable the auto-complete in the tracing UI :/)
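The filtering the PR description outlines, plus the endpoint gate this reviewer asks about, as an added illustration that is not code from the PR or from the project: it assumes Matchers holds |-separated namespace names (the open question above), and it assumes a resource attribute key for the namespace, which the PR does not name.

```go
package main

import "strings"

// AuthzResponseData mirrors the type in the review snippet; Matchers is assumed
// (as the reviewer asks) to carry |-separated namespace names.
type AuthzResponseData struct{ Matchers []string }

// Span is a constructed stand-in for a trace span; its namespace lives in the
// resource attributes under an assumed key (the PR does not name it).
type Span struct{ Resource map[string]string }
const namespaceAttr = "k8s.namespace.name" // assumed attribute name

// AllowedNamespaces flattens the |-separated matcher values into a set.
func AllowedNamespaces(data AuthzResponseData) map[string]bool {
	allowed := map[string]bool{}
	for _, m := range data.Matchers {
		for _, ns := range strings.Split(m, "|") {
			if ns = strings.TrimSpace(ns); ns != "" {
				allowed[ns] = true
			}
		}
	}
	return allowed
}

// FilterSpans keeps only spans whose resource namespace is in the allowed set.
// A span with no namespace attribute is dropped, so the filter fails closed.
func FilterSpans(spans []Span, allowed map[string]bool) []Span {
	var out []Span
	for _, s := range spans {
		if allowed[s.Resource[namespaceAttr]] {
			out = append(out, s)
		}
	}
	return out
}

// RBACStatus models the reviewer's suggestion: paths matched by the PR's own
// check are served through the filter, any other API path is refused with 403.
func RBACStatus(path string) int {
	if strings.Contains(path, "/api/traces/") || strings.Contains(path, "/api/search") {
		return 200
	}
	return 403
}

func main() {
	allowed := AllowedNamespaces(AuthzResponseData{Matchers: []string{"team-a|team-b"}})
	println(len(FilterSpans(nil, allowed)), RBACStatus("/api/echo")) // prints 0 403
}
```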
