Roles
Overview
Every user in SUSE Observability needs to have a subject and a set of permissions assigned; this combination is called a role. A role describes a group of users that can access a specific data set. SUSE Observability ships with a set of predefined roles and you can also create roles to match your needs.
Predefined roles
There are four roles predefined in SUSE Observability:
-
Administrator - has full access to all views and has all permissions.
-
Power User - typically granted to a user that needs to configure SUSE Observability for a team(s), but won’t manage the entire SUSE Observability installation.
-
Kubernetes Troubleshooter - has all permissions required to use SUSE Observability for troubleshooting, including the ability to enable/disable monitors, create custom views and use the Cli.
-
Guest - has read-only access to SUSE Observability.
The permissions assigned to each predefined SUSE Observability role can be found below. For details of the different permissions and how to manage them using the sts CLI, see Role based access control (RBAC) permissions
-
Administrator
-
Power User
-
Troubleshooter
-
Guest
The Administrator role (stackstate-admin): has all permissions assigned.
Permissions assigned to the predefined Administrator role (stackstate-admin) are listed below, these were retrieved using the sts CLI. For details of the different permissions and how to manage them using the sts CLI, see RBAC permissions.
❯ ./sts rbac describe-permissions --subject stackstate-admin
PERMISSION | RESOURCE
create-dashboards | system
create-favorite-dashboards | system
create-favorite-views | system
create-ingestion-api-keys | system
create-metric-bindings | system
create-monitors | system
create-notifications | system
create-service-tokens | system
create-stackpack-configurations | system
create-views | system
delete-dashboards | system
delete-favorite-dashboards | system
delete-favorite-views | system
delete-ingestion-api-keys | system
delete-metric-bindings | system
delete-monitors | system
delete-notifications | system
delete-service-tokens | system
delete-stackpack-configurations | system
delete-sync-data | system
delete-views | system
execute-component-actions | system
execute-monitors | system
execute-restricted-scripts | system
execute-scripts | system
get-agents | system
get-api-tokens | system
get-dashboards | system
get-ingestion-api-keys | system
get-metric-bindings | system
get-metrics | system
get-monitors | system
get-notifications | system
get-permissions | system
get-service-tokens | system
get-settings | system
get-stackpacks | system
get-sync-data | system
get-system-notifications | system
get-topic-messages | system
get-topology | system
get-traces | system
get-views | system
update-dashboards | system
update-metric-bindings | system
update-metrics | system
update-monitors | system
update-notifications | system
update-permissions | system
update-scoped-permissions | system
update-settings | system
update-stackpack-configurations | system
update-stackpacks | system
update-views | system
update-visualization | systemThe Power User role (stackstate-power-user) has all Administrator permissions, except for:
-
execute-restricted-scripts -
update-permissions -
update-stackpacks
Permissions assigned to the predefined Power User role (stackstate-power-user) are listed below, these were retrieved using the sts CLI. For details of the different permissions and how to manage them using the sts CLI, see RBAC permissions.
❯ ./sts rbac describe-permissions --subject stackstate-power-user
PERMISSION | RESOURCE
create-dashboards | system
create-favorite-dashboards | system
create-favorite-views | system
create-metric-bindings | system
create-monitors | system
create-notifications | system
create-stackpack-configurations | system
create-views | system
delete-dashboards | system
delete-favorite-dashboards | system
delete-favorite-views | system
delete-metric-bindings | system
delete-monitors | system
delete-notifications | system
delete-stackpack-configurations | system
delete-sync-data | system
execute-component-actions | system
execute-monitors | system
execute-scripts | system
get-agents | system
get-api-tokens | system
get-dashboards | system
get-metric-bindings | system
get-metrics | system
get-monitors | system
get-notifications | system
get-permissions | system
get-settings | system
get-stackpacks | system
get-sync-data | system
get-system-notifications | system
get-topic-messages | system
get-topology | system
get-traces | system
get-views | system
update-dashboards | system
update-metric-bindings | system
update-metrics | system
update-monitors | system
update-notifications | system
update-settings | system
update-stackpack-configurations | system
update-views | system
update-visualization | systemThe Troubleshooter role (stackstate-k8s-troubleshooter) has access to all data available in SUSE Observability and the ability to create views and enable/disable monitors.
Permissions assigned to the predefined troubleshooter role are listed below, these were retrieved using the sts CLI. For details of the different permissions and how to manage them using the sts CLI, see RBAC permissions.
❯ ./sts rbac describe-permissions --subject stackstate-k8s-troubleshooter
PERMISSION | RESOURCE
create-dashboards | system
create-favorite-dashboards | system
create-favorite-views | system
create-monitors | system
create-notifications | system
create-views | system
delete-dashboards | system
delete-favorite-dashboards | system
delete-favorite-views | system
delete-monitors | system
delete-notifications | system
delete-views | system
execute-monitors | system
get-agents | system
get-api-tokens | system
get-dashboards | system
get-metric-bindings | system
get-metrics | system
get-monitors | system
get-notifications | system
get-permissions | system
get-settings | system
get-stackpacks | system
get-system-notifications | system
get-topic-messages | system
get-traces | system
get-views | system
update-dashboards | system
update-monitors | system
update-notifications | system
update-stackpacks | system
update-views | system
update-visualization | systemThe Guest role (stackstate-guest) has read-only access to SUSE Observability.
Permissions assigned to the predefined Guest role are listed below, these were retrieved using the sts CLI. For details of the different permissions and how to manage them using the sts CLI, see RBAC permissions.
❯ ./sts rbac describe-permissions --subject stackstate-guest
PERMISSION | RESOURCE
create-dashboards | system
create-favorite-dashboards | system
create-favorite-views | system
delete-dashboards | system
delete-favorite-dashboards | system
delete-favorite-views | system
get-api-tokens | system
get-dashboards | system
get-metric-bindings | system
get-metrics | system
get-monitors | system
get-notifications | system
get-permissions | system
get-settings | system
get-system-notifications | system
get-topic-messages | system
get-traces | system
get-views | system
update-dashboards | system
update-visualization | systemCustom roles (Configuration RBAC)
In addition to the predefined roles (stackstate-admin, stackstate-power-user, stackstate-k8s-troubleshooter, stackstate-guest), which are always available, custom roles can be added. There are multiple ways to add custom roles:
-
via the configuration file, with the same permission as the predefined roles
-
via the configuration file, with a custom permissions
-
using the
stsCLI, the subjects and their permissions are stored in the database and can be modified during runtime
Roles added via the configuration file require a restart and therefore result in a short period of downtime. Roles created using the CLI are stored in the database and can be modified at runtime.
Custom names for predefined roles
Use this option when the predefined SUSE Observability roles are a good fit but the external authentication provider has different names for the roles. For example when the LDAP authentication provider has similar but differently named roles include this YAML snippet in an authentication.yaml to give the roles from LDAP the same permissions and scopes as the predefined, equivalent, roles.
stackstate:
authentication:
roles:
guest: ["ldap-guest-role"]
powerUser: ["ldap-power-user-role"]
admin: ["ldap-admin-role"]
k8sTroubleshooter: ["ldap-troubleshooter-role"]To use it in for your SUSE Observability installation (or already running instance, note that it will restart the API):
helm upgrade \
--install \
--namespace suse-observability \
--values values.yaml \
--values authentication.yaml \
suse-observability \
suse-observability/suse-observabilityCustom roles via the configuration file
To set up a new role called development-troubleshooter, which will allow the same permissions as the predefined troubleshooter role, but only for the dev-test cluster, include this YAML snippet in an authentication.yaml:
stackstate:
authentication:
roles:
custom:
development-troubleshooter:
systemPermissions:
- create-dashboards
- create-favorite-dashboards
- create-favorite-views
- create-monitors
- create-notifications
- create-views
- delete-dashboards
- delete-favorite-dashboards
- delete-favorite-views
- delete-monitors
- delete-notifications
- delete-views
- execute-monitors
- get-agents
- get-api-tokens
- get-dashboards
- get-metric-bindings
- get-metrics
- get-monitors
- get-notifications
- get-permissions
- get-settings
- get-stackpacks
- get-system-notifications
- get-topic-messages
- get-traces
- get-views
- update-dashboards
- update-monitors
- update-notifications
- update-stackpacks
- update-views
- update-visualization
resourcePermissions:
get-topology:
- "cluster-name:dev-test"To use it in for your SUSE Observability installation (or already running instance, note that it will restart the API):
helm upgrade \
--install \
--namespace suse-observability \
--values values.yaml \
--values authentication.yaml \
suse-observability \
suse-observability/suse-observabilityCustom roles via the CLI (Observability RBAC)
To set up a new role called development-troubleshooter, which will allow the same permissions as the normal troubleshooter role, but only for the dev-test cluster, a new subject needs to be created. Further more this subject needs to be assigned the required set of permissions:
-
Create the subject (with the same name as the role, the role-subject matching is name based and case-sensitive):
sts rbac create-subject --subject development-troubleshooter sts rbac grant --subject development-troubleshooter --permission get-topology --resource "cluster-name:dev-test"' -
Configured subjects need permissions to access parts of the UI and to execute actions in it. To grant the same permissions as the troubleshooter role, follow the below example:
sts rbac grant --subject development-troubleshooter --permission create-dashboards sts rbac grant --subject development-troubleshooter --permission create-favorite-dashboards sts rbac grant --subject development-troubleshooter --permission create-favorite-views sts rbac grant --subject development-troubleshooter --permission create-monitors sts rbac grant --subject development-troubleshooter --permission create-notifications sts rbac grant --subject development-troubleshooter --permission create-views sts rbac grant --subject development-troubleshooter --permission delete-dashboards sts rbac grant --subject development-troubleshooter --permission delete-favorite-dashboards sts rbac grant --subject development-troubleshooter --permission delete-favorite-views sts rbac grant --subject development-troubleshooter --permission delete-monitors sts rbac grant --subject development-troubleshooter --permission delete-notifications sts rbac grant --subject development-troubleshooter --permission delete-views sts rbac grant --subject development-troubleshooter --permission execute-monitors sts rbac grant --subject development-troubleshooter --permission get-agents sts rbac grant --subject development-troubleshooter --permission get-api-tokens sts rbac grant --subject development-troubleshooter --permission get-dashboards sts rbac grant --subject development-troubleshooter --permission get-metric-bindings sts rbac grant --subject development-troubleshooter --permission get-metrics sts rbac grant --subject development-troubleshooter --permission get-monitors sts rbac grant --subject development-troubleshooter --permission get-notifications sts rbac grant --subject development-troubleshooter --permission get-permissions sts rbac grant --subject development-troubleshooter --permission get-settings sts rbac grant --subject development-troubleshooter --permission get-stackpacks sts rbac grant --subject development-troubleshooter --permission get-system-notifications sts rbac grant --subject development-troubleshooter --permission get-topic-messages sts rbac grant --subject development-troubleshooter --permission get-traces sts rbac grant --subject development-troubleshooter --permission get-views sts rbac grant --subject development-troubleshooter --permission update-dashboards sts rbac grant --subject development-troubleshooter --permission update-monitors sts rbac grant --subject development-troubleshooter --permission update-notifications sts rbac grant --subject development-troubleshooter --permission update-stackpacks sts rbac grant --subject development-troubleshooter --permission update-views sts rbac grant --subject development-troubleshooter --permission update-visualization
Please note that the subject’s name, as well as permissions, are case-sensitive.