pages/manage_and_operate/observability/logs_data_platform/iam_access_management/guide.en-gb.md
Lines changed: 71 additions & 45 deletions
@@ -4,7 +4,21 @@ excerpt: A comprehensive guide to managing access rights for Logs Data Platform
4
4
updated: 2025-07-22
5
5
---
6
6
7
-
> ![primary]
7
+
<style>
8
+
details>summary {
9
+
color:rgb(33, 153, 232) !important;
10
+
cursor: pointer;
11
+
}
12
+
details>summary::before {
13
+
content:'\25B6';
14
+
padding-right:1ch;
15
+
}
16
+
details[open]>summary::before {
17
+
content:'\25BC';
18
+
}
19
+
</style>
20
+
21
+
> [!primary]
8
22
> IAM for Logs Data Platform will be available starting **17th September 2025**.
9
23
> The content of this documentation will be valid from this date.
10
24
>
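Review bot: the frontmatter `updated: 2025-07-22` (context line 4) is not bumped even though this hunk adds a `<style>` block and rewrites the opening callout; update it so the page date is consistent with the "available starting 17th September 2025" notice right below. The inline `<style>` rules also apply to every `details>summary` on the rendered page and use `!important`, so check that the docs renderer passes raw HTML through and that no site-wide stylesheet already covers `details`; if these rules are needed for more than this one guide, they belong in the shared CSS. The `> ![primary]` to `> [!primary]` change itself is the right callout syntax and matches the `[!warning]` callout used later in this file.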
@@ -17,7 +31,7 @@ This guide provides instructions for configuring access rights on OVHcloud IAM t
17
31
18
32
- An [OVHcloud account](/pages/account_and_service_management/account_information/ovhcloud-account-creation)
19
33
- Access to the [OVHcloud Control Panel](/links/manager)
20
-
- A Logs Data Platform Account With [IAM enabled](/pages/manage_and_operate/observability/logs_data_platform/iam_presentation_faq).
34
+
- A Logs Data Platform Account With [IAM enabled](/pages/manage_and_operate/observability/logs_data_platform/iam_presentation_faq)
21
35
22
36
## Policies and identities
23
37
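Review bot: while this bullet is being touched, lowercase "Account With" to "account with" so it matches the casing of the two bullets above it; dropping the trailing period is otherwise consistent with those bullets.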
@@ -31,9 +45,9 @@ This section details how to configure local user/identity groups and policies to
31
45
32
46
### Create a group for local users
33
47
34
-
By default, the least privileged group available for local users is read-only over all the products of your account. If you would like to have an even more restricted account able to read only shared data from your Logs Data Platform, we advise you to create a group with the role **None** and attach your local users to it. In the OVHcloud Control Panel, navigate to `IAM`{.action} {.action} > `Identities`{.action} > `User groups` to create such a group.
48
+
By default, the least privileged group available for local users is read-only over all the products of your account. If you would like to have an even more restricted account able to read only shared data from your Logs Data Platform, we advise you to create a group with the role **None** and attach your local users to it. In the OVHcloud Control Panel, navigate to `IAM`{.action} {.action} > `Identities`{.action} > `User groups`{.action} to create such a group.
35
49
36
-
{.thumbnail}
50
+
{.thumbnail}
37
51
38
52
You can then create a policy with the basic rights to access the OVHcloud Control Panel and attach it to the group. All your local users will be able to connect to the OVHcloud Control Panel. Navigate to `IAM`{.action} > `Policies`{.action} > `My Policies`{.action} to create this policy and attach it to the user group.
39
53
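Review bot: the rewritten navigation line still carries a stray ` {.action}` after `IAM`{.action}, so the breadcrumb reads `IAM`{.action} {.action} > `Identities`{.action}; this hunk only adds `{.action}` to `User groups` and leaves the duplicate in place. Suggest `IAM`{.action} > `Identities`{.action} > `User groups`{.action}.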
@@ -88,7 +102,7 @@ One of the new feature available thanks to IAM is the ability to group sub-resou
88
102
89
103
To create a resource group, navigate to `IAM`{.action} > `Policies`{.action} > `Resource Groups`{.action}.
You need to select the product type (Dashboards, Streams, Alias, Index, OpenSearch Dashboards) and then select the specific resource you want to share.
94
108
@@ -100,55 +114,67 @@ Similarly to the previous policy, you need to add your local user and you need t
100
114
101
115
{.thumbnail}
102
116
103
-
> ![warning]
117
+
> [!warning]
104
118
> Do not add a Logs Data Platform service to this policy. If you do so it will transitively give access to all sub-resources of this service (ie all LDP items) to the local users/identities or groups attached to the policy. The previous service policy has been created to prevent this behaviour.
105
119
106
120
You can mix Resource Groups and specific resources in the same policy. All actions attached to the policy will be then be attached to all related sub-resources.
107
121
You have several actions for each sub-resource type. For brevity, this guide will not detail all the actions available for all the items.
108
122
109
123
Here are some use cases of several rights which can all be together in one policy showcasing the complexity enabled by IAM policies. Actions starting with **ldp:apiovh** are actions related to OVHcloud APIs (thus the control panel UI). The other actions are related to their specific backend: Graylog or OpenSearch.
110
124
111
-
- These actions give an access in read-only to one or several indices:
112
-
```yaml
113
-
- ldp:apiovh:output/opensearch/index/get
114
-
- ldp:apiovh:output/opensearch/index/url/get
115
-
- ldp:opensearch:index/read
116
-
```
117
-
118
-
{.thumbnail}
119
-
120
-
- These actions allow to read and modify a Graylog Dashboard:
121
-
```yaml
122
-
- ldp:graylog:dashboard/update
123
-
- ldp:apiovh:output/graylog/dashboard/get
124
-
- ldp:apiovh:output/graylog/dashboard/url/get
125
-
- ldp:graylog:dashboard/read
126
-
```
127
-
128
-
{.thumbnail}
129
-
130
-
- These actions allow to consult and create visualizations in one or several OpenSearch Dashboard instances:
131
-
```yaml
132
-
- ldp:opensearch:osd/update
133
-
- ldp:apiovh:output/opensearch/osd/get
134
-
- ldp:apiovh:output/opensearch/osd/url/get
135
-
- ldp:opensearch:osd/get
136
-
```
137
-
138
-
{.thumbnail}
139
-
140
-
- These actions give a read-only access in both Graylog and the control panel to one or several streams:
141
-
```yaml
142
-
- ldp:apiovh:output/graylog/stream/get
143
-
- ldp:apiovh:output/graylog/stream/url/get
144
-
- ldp:graylog:stream/read
145
-
```
146
-
147
-
{.thumbnail}
125
+
/// details | These actions give an access in read-only to one or several indices:
126
+
127
+
```yaml
128
+
- ldp:apiovh:output/opensearch/index/get
129
+
- ldp:apiovh:output/opensearch/index/url/get
130
+
- ldp:opensearch:index/read
131
+
```
132
+
133
+
{.thumbnail}
134
+
135
+
///
136
+
137
+
/// details | These actions allow to read and modify a Graylog Dashboard:
138
+
139
+
```yaml
140
+
- ldp:graylog:dashboard/update
141
+
- ldp:apiovh:output/graylog/dashboard/get
142
+
- ldp:apiovh:output/graylog/dashboard/url/get
143
+
- ldp:graylog:dashboard/read
144
+
```
145
+
146
+
{.thumbnail}
147
+
148
+
///
149
+
150
+
/// details | These actions allow to consult and create visualizations in one or several OpenSearch Dashboard instances:
151
+
152
+
```yaml
153
+
- ldp:opensearch:osd/update
154
+
- ldp:apiovh:output/opensearch/osd/get
155
+
- ldp:apiovh:output/opensearch/osd/url/get
156
+
- ldp:opensearch:osd/get
157
+
```
158
+
159
+
{.thumbnail}
160
+
161
+
///
162
+
163
+
/// details | These actions give a read-only access in both Graylog and the control panel to one or several streams:
164
+
165
+
```yaml
166
+
- ldp:apiovh:output/graylog/stream/get
167
+
- ldp:apiovh:output/graylog/stream/url/get
168
+
- ldp:graylog:stream/read
169
+
```
170
+
171
+
{.thumbnail}
172
+
173
+
///
148
174
149
175
Once the policy is created, the local user/identity will only see the related sub resource of the policy in its own control panel.
150
176
151
-
{.thumbnail}
177
+
{.thumbnail}
152
178
153
179
### Analyse your policy results
154
180
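Review bot: the `/// details | ...` collapsible blocks require the pymdownx Blocks `details` extension (or an equivalent) to be enabled in the documentation toolchain; if it is not, each summary line and each `///` terminator renders as literal text and the four policy examples lose their headings, so confirm the renderer before merging (the `details>summary` styling added at the top of this file suggests that was the intent). Since the examples are now collapsed by default, the summaries read better as titles than as lead-ins ending in a colon, e.g. "Read-only access to one or several indices". Two nits in the unchanged context: "will be then be attached" has a doubled "be", and "sub resource" is written "sub-resources" elsewhere in the same section.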
@@ -167,7 +193,7 @@ Thanks to OVHcloud IAM, you can then delegates the creation rights of sub-resour
167
193
168
194
The actions related to create items are part of the service actions. You will need to add them to a policy to allow a user to create items with their PAT.
169
195
170
-
> ![info]
196
+
> [!primary]
171
197
> You don't need to allow any OVHcloud APIs action to allow a local user to interact with the Logs Data Platform backends (OpenSearch, Graylog, OpenSearch Dashboards) APIs.
172
198
> Local users allow you to generate tokens which can only interact with the backend similarly to legacy Logs Data Platform tokens.
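Review bot: this changes the callout type from `info` to `primary`, which is more than the `![` to `[!` syntax fix applied to the other callouts in this commit; if the renderer supports an `info` callout, `> [!info]` keeps the original intent, otherwise the change is fine. The hunk header context "you can then delegates" should also read "you can then delegate" while this area is being edited.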
pages/manage_and_operate/observability/logs_data_platform/iam_migration_to_iam/guide.en-gb.md
Lines changed: 1 addition & 1 deletion
@@ -47,7 +47,7 @@ If you use the role and permission system, we strongly recommend [migrating to I
47
47
48
48
The Graylog Web UI will now display an Identity Provider selector. You can find the username/password authenticator by selecting **Legacy username/password**. You can also try the OVHcloud IAM authenticator by selecting the appropriate provider (EU or CA).