From c5c779e49344779b86be2b83bfa73993fbd59df3 Mon Sep 17 00:00:00 2001 From: Maxim Svistunov Date: Mon, 20 Jan 2020 13:57:57 +0100 Subject: [PATCH] Add a section on giving view permissions; many changes --- ...accessing-the-metrics-of-your-service.adoc | 4 +-- ...ole-for-setting-up-metrics-collection.adoc | 6 ++-- ...nitoring-giving-view-access-to-a-user.adoc | 28 +++++++++++++++++++ ...onitoring-granting-the-role-to-a-user.adoc | 2 +- monitoring/monitoring-your-own-services.adoc | 1 + 5 files changed, 35 insertions(+), 6 deletions(-) create mode 100644 modules/monitoring-giving-view-access-to-a-user.adoc diff --git a/modules/monitoring-accessing-the-metrics-of-your-service.adoc b/modules/monitoring-accessing-the-metrics-of-your-service.adoc index 09f32762a3..2fb1f5fa02 100644 --- a/modules/monitoring-accessing-the-metrics-of-your-service.adoc +++ b/modules/monitoring-accessing-the-metrics-of-your-service.adoc @@ -5,14 +5,14 @@ [id="accessing-the-metrics-of-your-service_{context}"] = Accessing the metrics of your service -Once you have enabled monitoring your own services, deployed a service, and set up metrics collection for it, you can access the metrics of the service as a cluster administrator, as a developer, or as a user associated with the project. +Once you have enabled monitoring your own services, deployed a service, and set up metrics collection for it, you can access the metrics of the service as a cluster administrator, as a developer, or as a user with view permissions for the project. .Prerequisites * You need to deploy the service that you want to monitor. * You need to enable monitoring of your own services. * You need to have metrics scraping set up for the service. -* You need to log in as a cluster administrator, a developer, or as a user associated with the project. +* You need to log in as a cluster administrator, a developer, or as a user with view permissions for the project. .Procedure diff --git a/modules/monitoring-creating-a-role-for-setting-up-metrics-collection.adoc b/modules/monitoring-creating-a-role-for-setting-up-metrics-collection.adoc index 47315f5e7f..af2a54cb88 100644 --- a/modules/monitoring-creating-a-role-for-setting-up-metrics-collection.adoc +++ b/modules/monitoring-creating-a-role-for-setting-up-metrics-collection.adoc @@ -5,13 +5,13 @@ [id="creating-a-role-for-setting-up-metrics-collection_{context}"] = Creating a role for setting up metrics collection -By default, only cluster administrator users have access to metrics from your services. Using the soft tenancy feature, it is possible to also grant metrics access to an arbitrary user, who only has access to a particular project. To be able to grant metrics access, a user needs special permissions. This procedure shows how to create a role that gives such permissions. +This procedure shows how to create a role that allows a user to set up metrics collection for a service as described in "Setting up metrics collection". .Procedure . Create a YAML file for the new role. In this example, it is called `custom-metrics-role.yaml`. -. Fill the file with the configuration for the alerting rules: +. Fill the file with the configuration for the `monitor-crd-edit` role: + [source,yaml] ---- @@ -25,7 +25,7 @@ rules: verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] ---- + -This configuration creates the `monitor-crd-edit` role, which enables the user to set up metrics collection for a service. +This role enables a user to set up metrics collection for services. . Apply the configuration file to the cluster: + diff --git a/modules/monitoring-giving-view-access-to-a-user.adoc b/modules/monitoring-giving-view-access-to-a-user.adoc new file mode 100644 index 0000000000..163075c398 --- /dev/null +++ b/modules/monitoring-giving-view-access-to-a-user.adoc @@ -0,0 +1,28 @@ +// Module included in the following assemblies: +// +// * monitoring/monitoring-your-own-services.adoc + +[id="giving-view-access-to-a-user_{context}"] += Giving view access to a user + +By default, only cluster administrator users and developers have access to metrics from your services. This procedure shows how to grant metrics access to a particular project to an arbitrary user. + +.Prerequisites + +* You need to have a user created. + +.Procedure + +* Run this command to give access to all metrics of your services in : ++ +---- +$ oc policy add-role-to-user view -n +---- ++ +For example, to give view access to the `ns1` namespace to user `bobwilliams`, run: ++ +---- +$ oc policy add-role-to-user view bobwilliams -n ns1 +---- + +* Alternatively, in the Web console, switch to the Developer Perspective, and click *Advanced* -> *Project Access*. From there, you can select the correct namespace and assign the `view` role to a user. diff --git a/modules/monitoring-granting-the-role-to-a-user.adoc b/modules/monitoring-granting-the-role-to-a-user.adoc index 97e27e7af8..b6a8b130d6 100644 --- a/modules/monitoring-granting-the-role-to-a-user.adoc +++ b/modules/monitoring-granting-the-role-to-a-user.adoc @@ -2,7 +2,7 @@ // // * monitoring/monitoring-your-own-services.adoc -[id="granting-the-role-to-a-user.adoc_{context}"] +[id="granting-the-role-to-a-user_{context}"] = Granting the role to a user This procedure shows how to assign the `monitor-crd-edit` role to a user. diff --git a/monitoring/monitoring-your-own-services.adoc b/monitoring/monitoring-your-own-services.adoc index 039d10e40a..433a70cdb2 100644 --- a/monitoring/monitoring-your-own-services.adoc +++ b/monitoring/monitoring-your-own-services.adoc @@ -22,4 +22,5 @@ include::modules/monitoring-creating-a-role-for-setting-up-metrics-collection.ad include::modules/monitoring-granting-the-role-to-a-user.adoc[leveloffset=+1] include::modules/monitoring-setting-up-metrics-collection.adoc[leveloffset=+1] include::modules/monitoring-creating-alerting-rules.adoc[leveloffset=+1] +include::modules/monitoring-giving-view-access-to-a-user.adoc[leveloffset=+1] include::modules/monitoring-accessing-the-metrics-of-your-service.adoc[leveloffset=+1]