Topology Scopes
Topology scoping by query is deprecated functionality. It is superseded by the get-topology permission that can grant access to any component with a specific label.
How do topology scopes work?
A topology scope is an STQL query that is combined with the get-topology permission and prepended, as a prefix, to every topology query executed in SUSE Observability. Whenever a user selects a view or passes a query in SUSE Observability, this prefix query runs as part of the user's query, limiting the results to those the user's role is allowed to see.
Function calls such as withCauseOf and withNeighborsOf aren't supported in a topology scope, because they would not be performant in this context.
If a user belongs to multiple groups, they can have multiple topology scopes, which translate to multiple prefixes. In that case the prefix is executed as an OR of all the topology scopes the user has.
Users need to log out and authenticate again to SUSE Observability whenever their roles or permissions change.
Why topology scopes?
Topology scopes are a security feature for subjects within SUSE Observability. The predefined SUSE Observability roles Administrator, Power User and Guest have no topology scope defined.
It's possible to specify a topology scope as a query wildcard; however, this grants access to everything and isn't recommended. If access without a topology scope is needed, use one of the predefined roles instead.
Examples
The example below shows the same topology view, called "All Infrastructure", for four users with different permission levels.
This user is part of the SUSE Observability Admin group, so there is no topology scope:

The query for this view is the same as for the others, but without any prefix:
'layer = "Infrastructure" AND domain IN ("Customer1", "Customer2")'
The user below is in a group with a configured subject X that has the following topology scope:
'domain = "Customer1"'

The query with the prefix for this view is:
'(domain = "Customer1") AND (layer = "Infrastructure" AND domain IN ("Customer1", "Customer2"))'
Another user, who is part of a group with a configured subject Y that has the following topology scope:
'domain = "Customer2"'
gets this topology:

The query with the prefix for this view is:
'(domain = "Customer2") AND (layer = "Infrastructure" AND domain IN ("Customer1", "Customer2"))'
User with multiple prefixes
It's possible to assign a subject to more than one group. In this example, an Infrastructure Manager can see the whole view presented above. To do so, this user has to be a member of both groups whose subjects are configured as X and Y. In this case, the prefix for the user's query looks like the following:
'(domain = "Customer1" OR domain = "Customer2")'
The query with the prefix for this user is then:
'(domain = "Customer1" OR domain = "Customer2") AND (layer = "Infrastructure" AND domain IN ("Customer1", "Customer2"))'
This results in the following view:

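To make the composition rule concrete, the following is an added example (not SUSE Observability code; the product applies the prefix server-side) that reproduces the string composition shown above and models its effect on a constructed, in-memory topology. The component names, the `Customer3` domain and the helper names `build_prefix`, `scoped_query` and `visible_components` are assumptions made for the example; the STQL strings it produces are the ones on this page.

```python
"""Compose a topology-scoped STQL query the way the documentation describes.

Added example, not SUSE Observability code. It reproduces the prefix
composition from the page (OR of all scopes, then AND with the user's query)
and models the resulting visibility on a constructed in-memory topology.
"""
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    layer: str
    domain: str


# Constructed sample topology (not from the page). lb-0 lives in a third
# domain that the "All Infrastructure" view itself does not include.
TOPOLOGY = [
    Component("db-1", "Infrastructure", "Customer1"),
    Component("web-1", "Infrastructure", "Customer2"),
    Component("api-svc", "Applications", "Customer1"),
    Component("lb-0", "Infrastructure", "Customer3"),
]

# Topology scopes of the two configured subjects, as attribute equalities.
SUBJECT_X = {"domain": "Customer1"}
SUBJECT_Y = {"domain": "Customer2"}

# The "All Infrastructure" view query from the page, as STQL text and as a
# predicate over the constructed components.
ALL_INFRA_STQL = 'layer = "Infrastructure" AND domain IN ("Customer1", "Customer2")'


def all_infra(c: Component) -> bool:
    return c.layer == "Infrastructure" and c.domain in ("Customer1", "Customer2")


def scope_stql(scope: dict) -> str:
    """Render a single-attribute scope as STQL, e.g. domain = "Customer1"."""
    ((attr, value),) = scope.items()
    return f'{attr} = "{value}"'


def build_prefix(scopes: list) -> "str | None":
    """OR all topology scopes of the user's groups into one prefix.

    A user with no scope at all (for example the predefined Administrator
    role) gets no prefix, which is different from a wildcard scope.
    """
    scopes = [s for s in scopes if s]
    if not scopes:
        return None
    return " OR ".join(scopes)


def scoped_query(scopes: list, query: str) -> str:
    """Prepend the OR-ed prefix to the user's query, parenthesising both."""
    prefix = build_prefix(scopes)
    if prefix is None:
        return query
    return f"({prefix}) AND ({query})"


def scope_matches(scope: dict, c: Component) -> bool:
    return all(getattr(c, attr) == value for attr, value in scope.items())


def visible_components(scopes: list, view_predicate, topology=TOPOLOGY) -> list:
    """Names of components the user sees: the view filter AND any of the
    user's scopes. An empty scope list means no prefix is applied."""
    return [
        c.name
        for c in topology
        if view_predicate(c) and (not scopes or any(scope_matches(s, c) for s in scopes))
    ]


if __name__ == "__main__":
    for label, scopes in (("admin", []), ("subject X", [SUBJECT_X]),
                          ("subject Y", [SUBJECT_Y]), ("X and Y", [SUBJECT_X, SUBJECT_Y])):
        stql = scoped_query([scope_stql(s) for s in scopes], ALL_INFRA_STQL)
        print(f"{label}: {stql}")
        print(f"  sees {visible_components(scopes, all_infra)}")
```

Note that `lb-0` is never visible, even to the administrator: the view query's own `domain IN (...)` filter excludes it, while the prefix only ever narrows that view further. The multi-group user sees exactly what the unscoped administrator sees here because the OR of both scopes happens to cover every domain the view selects.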