Data Access¶
In order to make the data query scope of different member roles in the current workspace finer, Guance supports configuring corresponding log data access query scope for different roles on the data access page.
Configuration¶
On the Logs > Access page, click Create.
For more information on additional operations related to indexes, see Log Index.
Field |
Description |
|---|---|
| Index | Multiple choices; Log index in current workspace includes default index, custom index and bound external index. |
| Data Range | The logical relationship between different fields can be customized to choose OR or AND; AND is selected by default, AND switching to OR is supported: Examples of logical relationships are as follows: Example 1: (default AND) host=[host1,host2] AND service = [service1,service2]; Example 2: (switch to OR) host=[host1,host2] OR service = [service1,service2]。 It supports value filtering by Label/Attribute, including forward filtering, reverse filtering, fuzzy matching, reverse fuzzy matching, existence and nonexistence, etc. |
| Authorize to | Multiple choices; Contain default roles and self-built roles in the system. |
Multi-role Data Query Permission
If some member has multiple roles (as follows), and the coverage of query permissions of each role is different, the data query permissions of the member finally adopt the highest permissions under the roles.
Permission Control Correspondence
- The relationship between multiple filters in a rule: the relationship between multiple values with the same key is OR; the relationship between different keys is AND;
- The relationship between multiple rules is OR.
So, if:
Rule 1:host = [host 1, host 2] AND service = [service 1, service 2]
Rule 2:host = [host 3, host 4] AND source = [source 1, source 2]
If the user has both permission rules, the actual data will display rule 1 OR rule 2 to achieve the union effect.
The actual range of data you can see is:
(host = [host 1, host 2] AND service = [service 1, service 2])OR (host = [host 3, host 4] AND source = [source 1, source 2])
Example¶
i. On the Logs > Index page, create a new index named tcp_dial_testing, filter the log data whose filter source is tcp_dial_testing, and set the data storage strategy to 7 days.
ii. Go back to the Access page, click Create, select the index tcp_dial_testing, set the filter condition as container_type to kubernetes, and select the target role that owns the log data query.
iii. After completing the creation, you can view the number of roles associated with data access rights under the index and the corresponding number of members under the roles.
Warning
- When the default role is not configured with data access rules, it has data query permission for all logs;
- The log data access rules can only take effect based on the existence of log data query authority in user roles;
- After a role matches a rule, you can only continue to add filters within the basic range of the rule configuration. If you query beyond this range, the returned data is empty.
Snapshot Sharing¶
Based on the support of log data access rights, you can save the filtered data under the current rule as a snapshot. After the snapshot is shared, the shared object can view the filter criteria of the data list in the search bar at the top of the snapshot page, and can add search criteria, so as to achieve a more accurate data sharing effect of the data under the current snapshot.
Other Operations¶
After the rule configuration is completed, you can view the number of roles associated with this rule and the number of members corresponding to the roles:
Click to modify the index, filter conditiond and authorization target role settings under the rule:
Click on the right side of the rule and click Confirm to delete the rule:
