This document was translated using automated machine translation. While we strive to provide accurate translations, no guarantee is made as to the completeness, accuracy or reliability of the translated content. Where any inconsistency occurs, the original English version prevails and is the authoritative text.
Roles
Overview
In SUSE Observability, every user needs a subject and a set of permissions; this combination is called a role. A role describes a group of users who can access a specific set of data. SUSE Observability ships with a set of predefined roles, and you can also create roles to fit your needs.
Predefined roles
Four roles are predefined in SUSE Observability:
- Administrator - has full access to all views and holds all permissions.
- Power User - typically granted to users who need to configure SUSE Observability for their team but will not manage the entire SUSE Observability installation.
- Kubernetes Troubleshooter - has all permissions needed to troubleshoot with SUSE Observability, including the ability to enable/disable monitors, create custom views and use the CLI.
- Guest - has read-only access to SUSE Observability.
The permissions assigned to each predefined SUSE Observability role are listed below. For details of the different permissions and how to manage them with the sts CLI, see Role-based access control (RBAC) permissions.
Administrator role (stackstate-admin): all permissions are assigned.
The permissions assigned to the predefined Administrator role (stackstate-admin) are listed below, as retrieved with the sts CLI. For details of the different permissions and how to manage them with the sts CLI, see Role-based access control (RBAC) permissions.
❯ ./sts rbac describe-permissions --subject stackstate-admin
Got subject from the following subject sources: Static
PERMISSION | RESOURCE
create-dashboards | system
create-favorite-dashboards | system
create-favorite-views | system
create-ingestion-api-keys | system
create-metric-bindings | system
create-monitors | system
create-notifications | system
create-service-tokens | system
create-stackpack-configurations | system
create-views | system
delete-dashboards | system
delete-favorite-dashboards | system
delete-favorite-views | system
delete-ingestion-api-keys | system
delete-metric-bindings | system
delete-monitors | system
delete-notifications | system
delete-service-tokens | system
delete-stackpack-configurations | system
delete-sync-data | system
delete-views | system
execute-component-actions | system
execute-monitors | system
execute-restricted-scripts | system
execute-scripts | system
get-agents | system
get-api-tokens | system
get-dashboards | system
get-ingestion-api-keys | system
get-metric-bindings | system
get-metrics | system
get-monitors | system
get-notifications | system
get-permissions | system
get-service-tokens | system
get-settings | system
get-stackpacks | system
get-sync-data | system
get-system-notifications | system
get-topic-messages | system
get-topology | system
get-traces | system
get-views | system
update-dashboards | system
update-metric-bindings | system
update-metrics | system
update-monitors | system
update-notifications | system
update-permissions | system
update-scoped-permissions | system
update-settings | system
update-stackpack-configurations | system
update-stackpacks | system
update-views | system
update-visualization | system
The Power User role (stackstate-power-user) has all Administrator permissions except:
- execute-restricted-scripts
- update-permissions
- update-stackpacks
The permissions assigned to the predefined Power User role (stackstate-power-user) are listed below, as retrieved with the sts CLI. For details of the different permissions and how to manage them with the sts CLI, see Role-based access control (RBAC) permissions.
❯ ./sts rbac describe-permissions --subject stackstate-power-user
Got subject from the following subject sources: Static
PERMISSION | RESOURCE
create-dashboards | system
create-favorite-dashboards | system
create-favorite-views | system
create-metric-bindings | system
create-monitors | system
create-notifications | system
create-stackpack-configurations | system
create-views | system
delete-dashboards | system
delete-favorite-dashboards | system
delete-favorite-views | system
delete-metric-bindings | system
delete-monitors | system
delete-notifications | system
delete-stackpack-configurations | system
delete-sync-data | system
execute-component-actions | system
execute-monitors | system
execute-scripts | system
get-agents | system
get-api-tokens | system
get-dashboards | system
get-metric-bindings | system
get-metrics | system
get-monitors | system
get-notifications | system
get-permissions | system
get-settings | system
get-stackpacks | system
get-sync-data | system
get-system-notifications | system
get-topic-messages | system
get-topology | system
get-traces | system
get-views | system
update-dashboards | system
update-metric-bindings | system
update-metrics | system
update-monitors | system
update-notifications | system
update-settings | system
update-stackpack-configurations | system
update-views | system
update-visualization | system
The Troubleshooter role (stackstate-k8s-troubleshooter) can access all data available in SUSE Observability and can create views and enable/disable monitors.
The permissions assigned to the predefined Troubleshooter role are listed below, as retrieved with the sts CLI. For details of the different permissions and how to manage them with the sts CLI, see Role-based access control (RBAC) permissions.
❯ ./sts rbac describe-permissions --subject stackstate-k8s-troubleshooter
Got subject from the following subject sources: Static
PERMISSION | RESOURCE
create-dashboards | system
create-favorite-dashboards | system
create-favorite-views | system
create-monitors | system
create-notifications | system
create-views | system
delete-dashboards | system
delete-favorite-dashboards | system
delete-favorite-views | system
delete-monitors | system
delete-notifications | system
delete-views | system
execute-monitors | system
get-agents | system
get-api-tokens | system
get-dashboards | system
get-metric-bindings | system
get-metrics | system
get-monitors | system
get-notifications | system
get-permissions | system
get-settings | system
get-stackpacks | system
get-system-notifications | system
get-topic-messages | system
get-traces | system
get-views | system
update-dashboards | system
update-monitors | system
update-notifications | system
update-stackpacks | system
update-views | system
update-visualization | system
The Guest role (stackstate-guest) has read-only access to SUSE Observability.
The permissions assigned to the predefined Guest role are listed below, as retrieved with the sts CLI. For details of the different permissions and how to manage them with the sts CLI, see Role-based access control (RBAC) permissions.
❯ ./sts rbac describe-permissions --subject stackstate-guest
Got subject from the following subject sources: Static
PERMISSION | RESOURCE
create-dashboards | system
create-favorite-dashboards | system
create-favorite-views | system
delete-dashboards | system
delete-favorite-dashboards | system
delete-favorite-views | system
get-api-tokens | system
get-dashboards | system
get-metric-bindings | system
get-metrics | system
get-monitors | system
get-notifications | system
get-permissions | system
get-settings | system
get-system-notifications | system
get-topic-messages | system
get-traces | system
get-views | system
update-dashboards | system
update-visualization | system
Custom roles (configuring RBAC)
In addition to the predefined roles, which are always available (stackstate-admin, stackstate-power-user, stackstate-k8s-troubleshooter, stackstate-guest), custom roles can be added. There are several ways to add a custom role:
- via a configuration file, with the same permissions as a predefined role
- via a configuration file, with custom permissions
- using the sts CLI; the subject and its permissions are stored in the database and can be modified at runtime
Roles added via a configuration file require a restart and therefore cause a short period of downtime. Roles created with the CLI are stored in the database and can be modified at runtime.
Custom names for predefined roles
Use this option when a predefined SUSE Observability role fits but the external authentication provider uses a different name for the role. For example, when the LDAP authentication provider has a similar but differently named role, include this YAML snippet in authentication.yaml so that the LDAP role receives the same permissions and scope as the equivalent predefined role:
stackstate:
  authentication:
    roles:
      guest: ["ldap-guest-role"]
      powerUser: ["ldap-power-user-role"]
      admin: ["ldap-admin-role"]
      k8sTroubleshooter: ["ldap-troubleshooter-role"]
To apply it to your SUSE Observability installation (or an already running instance), run the following command; note that it restarts the API:
helm upgrade \
--install \
--namespace suse-observability \
--values values.yaml \
--values authentication.yaml \
suse-observability \
suse-observability/suse-observability
Custom roles via a configuration file
To set up a new role named development-troubleshooter that allows the same permissions as the predefined Troubleshooter role, but only for the dev-test cluster, include this YAML snippet in authentication.yaml:
stackstate:
  authentication:
    roles:
      custom:
        development-troubleshooter:
          systemPermissions:
            - create-dashboards
            - create-favorite-dashboards
            - create-favorite-views
            - create-monitors
            - create-notifications
            - create-views
            - delete-dashboards
            - delete-favorite-dashboards
            - delete-favorite-views
            - delete-monitors
            - delete-notifications
            - delete-views
            - execute-monitors
            - get-agents
            - get-api-tokens
            - get-dashboards
            - get-metric-bindings
            - get-metrics
            - get-monitors
            - get-notifications
            - get-permissions
            - get-settings
            - get-stackpacks
            - get-system-notifications
            - get-topic-messages
            - get-traces
            - get-views
            - update-dashboards
            - update-monitors
            - update-notifications
            - update-stackpacks
            - update-views
            - update-visualization
          resourcePermissions:
            get-topology:
              - "cluster-name:dev-test"
To apply it to your SUSE Observability installation (or an already running instance), run the following command; note that it restarts the API:
helm upgrade \
--install \
--namespace suse-observability \
--values values.yaml \
--values authentication.yaml \
suse-observability \
suse-observability/suse-observability
Custom roles via the CLI (Observability RBAC)
To set up a new role named development-troubleshooter that allows the same permissions as the Troubleshooter role, but only for the dev-test cluster, a new subject must be created. This subject then needs to be assigned the required set of permissions:
- Create the subject (with the same name as the role; role-to-subject matching is name-based and case-sensitive), then grant it topology access scoped to the dev-test cluster:
  sts rbac create-subject --subject development-troubleshooter
  sts rbac grant --subject development-troubleshooter --permission get-topology --resource "cluster-name:dev-test"
- The configured subject needs permissions to access parts of the user interface and perform actions there. To grant the same permissions as the Troubleshooter role, follow this example:
  sts rbac grant --subject development-troubleshooter --permission create-dashboards
  sts rbac grant --subject development-troubleshooter --permission create-favorite-dashboards
  sts rbac grant --subject development-troubleshooter --permission create-favorite-views
  sts rbac grant --subject development-troubleshooter --permission create-monitors
  sts rbac grant --subject development-troubleshooter --permission create-notifications
  sts rbac grant --subject development-troubleshooter --permission create-views
  sts rbac grant --subject development-troubleshooter --permission delete-dashboards
  sts rbac grant --subject development-troubleshooter --permission delete-favorite-dashboards
  sts rbac grant --subject development-troubleshooter --permission delete-favorite-views
  sts rbac grant --subject development-troubleshooter --permission delete-monitors
  sts rbac grant --subject development-troubleshooter --permission delete-notifications
  sts rbac grant --subject development-troubleshooter --permission delete-views
  sts rbac grant --subject development-troubleshooter --permission execute-monitors
  sts rbac grant --subject development-troubleshooter --permission get-agents
  sts rbac grant --subject development-troubleshooter --permission get-api-tokens
  sts rbac grant --subject development-troubleshooter --permission get-dashboards
  sts rbac grant --subject development-troubleshooter --permission get-metric-bindings
  sts rbac grant --subject development-troubleshooter --permission get-metrics
  sts rbac grant --subject development-troubleshooter --permission get-monitors
  sts rbac grant --subject development-troubleshooter --permission get-notifications
  sts rbac grant --subject development-troubleshooter --permission get-permissions
  sts rbac grant --subject development-troubleshooter --permission get-settings
  sts rbac grant --subject development-troubleshooter --permission get-stackpacks
  sts rbac grant --subject development-troubleshooter --permission get-system-notifications
  sts rbac grant --subject development-troubleshooter --permission get-topic-messages
  sts rbac grant --subject development-troubleshooter --permission get-traces
  sts rbac grant --subject development-troubleshooter --permission get-views
  sts rbac grant --subject development-troubleshooter --permission update-dashboards
  sts rbac grant --subject development-troubleshooter --permission update-monitors
  sts rbac grant --subject development-troubleshooter --permission update-notifications
  sts rbac grant --subject development-troubleshooter --permission update-stackpacks
  sts rbac grant --subject development-troubleshooter --permission update-views
  sts rbac grant --subject development-troubleshooter --permission update-visualization
Note that the name of the subject, as well as the permission names, are case-sensitive.
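As an added example (not code from SUSE Observability or the sts CLI), the following Python parses the PERMISSION | RESOURCE table that sts rbac describe-permissions prints, as shown in the role listings above, and checks a custom subject such as development-troubleshooter against the Troubleshooter baseline: it flags permissions the role should not hold, permissions it is missing, and a get-topology grant that was widened from the dev-test cluster to system. The describe-permissions output used as input is constructed.

```python
"""Privilege-drift check for a custom SUSE Observability role (added example, not part of
SUSE Observability or the sts CLI). Parses the PERMISSION | RESOURCE table printed by
`sts rbac describe-permissions` and compares a subject with the intended role."""
from typing import Dict, Set

# Baseline: the stackstate-k8s-troubleshooter permissions listed on this page.
TROUBLESHOOTER = {
    "create-dashboards", "create-favorite-dashboards", "create-favorite-views",
    "create-monitors", "create-notifications", "create-views", "delete-dashboards",
    "delete-favorite-dashboards", "delete-favorite-views", "delete-monitors",
    "delete-notifications", "delete-views", "execute-monitors", "get-agents",
    "get-api-tokens", "get-dashboards", "get-metric-bindings", "get-metrics",
    "get-monitors", "get-notifications", "get-permissions", "get-settings",
    "get-stackpacks", "get-system-notifications", "get-topic-messages", "get-traces",
    "get-views", "update-dashboards", "update-monitors", "update-notifications",
    "update-stackpacks", "update-views", "update-visualization",
}
# May be held on a named resource (the page uses cluster-name:dev-test) but never on system.
SCOPED_ONLY = {"get-topology"}

# Constructed output for a drifted development-troubleshooter (stray grant, widened scope).
SAMPLE_OUTPUT = """\
Got subject from the following subject sources: Static
PERMISSION | RESOURCE
create-dashboards | system
execute-scripts | system
get-topology | system
get-topology | cluster-name:dev-test
update-views | system
"""

def parse_permissions(output: str) -> Dict[str, Set[str]]:
    """Map each permission to the set of resources it is granted on."""
    grants: Dict[str, Set[str]] = {}
    for line in output.splitlines():
        if "|" not in line or line.startswith("PERMISSION"):
            continue  # skip the subject-source banner and the header row
        perm, resource = (part.strip() for part in line.split("|", 1))
        grants.setdefault(perm, set()).add(resource)
    return grants

def audit(grants: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return drift findings; all three sets empty means the subject matches the intent."""
    allowed = TROUBLESHOOTER | SCOPED_ONLY
    return {
        "unexpected": set(grants) - allowed,      # rights the role should not have
        "missing": TROUBLESHOOTER - set(grants),  # rights the role was meant to have
        "over_scoped": {p for p in SCOPED_ONLY if "system" in grants.get(p, set())},
    }
```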