|
| 1 | +--- |
| 2 | +title: IAM for Logs Data Platform - Configuring Access Rights |
| 3 | +excerpt: A comprehensive guide to managing access rights for Logs Data Platform using OVHcloud IAM |
| 4 | +updated: 2025-07-22 |
| 5 | +--- |
| 6 | + |
| 7 | +> ![primary] |
| 8 | +> IAM for Logs Data Platform will be available starting **17th September 2025**. |
| 9 | +> The content of this documentation will be valid from this date. |
| 10 | +> |
| 11 | +
|
| 12 | +## Overview |
| 13 | + |
| 14 | +This guide provides instructions for configuring access rights on OVHcloud IAM to manage permissions for various components of Logs Data Platform. It will give you the best practices to handle the rights given to your users and will ensure that you can replicate the functionnality of roles and permissions with the more advanced system of policies. This guide will use features explained in the [IAM documentation](/pages/account_and_service_management/account_information/iam-policy-ui). It is therefore recommended to read it before reading this guide. |
| 15 | + |
| 16 | +## Requirements |
| 17 | + |
| 18 | +- An [OVHcloud account](/pages/account_and_service_management/account_information/ovhcloud-account-creation) |
| 19 | +- Access to the [OVHcloud Control Panel](/links/manager) |
| 20 | +- A Logs Data Platform Account With [IAM enabled](/pages/manage_and_operate/observability/logs_data_platform/iam_presentation_faq). |
| 21 | + |
| 22 | +## Policies and identities |
| 23 | + |
| 24 | +This guide leverages [local users](/pages/account_and_service_management/account_information/ovhcloud-users-management) to explain how you can share resources to another user. This choice has been done to illustrate through captures how it works inside the OVHcloud Control Panel. The policies created can be applied to any OVHcloud identities through the OVHcloud API. You can use these policies to share data with a local user, another OVHcloud user account or an OAuth client. You can refer to the specific [IAM Policies with API guide](/pages/account_and_service_management/account_information/iam-policies-api) to recreate all these policies with the API. |
| 25 | + |
| 26 | +The identity will see a new service listed in their Logs Data Platform. This service contains the shared Logs Data Platform items. To ensure the recipient can see the shared items, we must share a view of the service with them. |
| 27 | + |
| 28 | +## Access Rights Management |
| 29 | + |
| 30 | +This section details how to configure local user/identity groups and policies to replicate the behavior of the legacy role system. |
| 31 | + |
| 32 | +### Create a group for local users |
| 33 | + |
| 34 | +By default, the least privileged group available for local users is read-only over all the products of your account. If you would like to have an even more restricted account able to read only shared data from your Logs Data Platform, we advise you to create a group with the role **None** and attach your local users to it. In the OVHcloud Control Panel, navigate to `IAM`{.action} {.action} > `Identities`{.action} > `User groups` to create such a group. |
| 35 | + |
| 36 | +{.thumbnail} |
| 37 | + |
| 38 | +You can then create a policy with the basic rights to access the OVHcloud Control Panel and attach it to the group. All your local users will be able to connect to the OVHcloud Control Panel. Navigate to `IAM`{.action} > `Policies`{.action} > `My Policies`{.action} to create this policy and attach it to the user group. |
| 39 | + |
| 40 | +{.thumbnail} |
| 41 | + |
| 42 | +After attaching the group, you can add the **controlPanelAccess** right to it. |
| 43 | + |
| 44 | +{.thumbnail} |
| 45 | + |
| 46 | +The group is now configured, you can then create the local users. |
| 47 | + |
| 48 | +### Create a local user |
| 49 | + |
| 50 | +Creating a local user is fully documented in the [dedicated documentation](/pages/account_and_service_management/account_information/ovhcloud-users-management). Remember to attach the user to the group. |
| 51 | + |
| 52 | +{.thumbnail} |
| 53 | + |
| 54 | +### Create a policy for the service |
| 55 | + |
| 56 | +You now need to create a policy in order to allow the local user to see the Logs Data Platform service inside the OVHcloud Control Panel. The goal here is to have access to the service only but without any sub resources visible (ie no streams, dashboards, indices, aliases or OpenSearch Dashboards instances). Navigate to `IAM`{.action} > `Policies`{.action} > `My Policies`{.action} to create this policy. Add the local user to your policy and select the **Logs Data Platform: service** product type to list your services in the *Resources* dropdown list and enable the panel of the *Actions* related to Logs Data Service. |
| 57 | + |
| 58 | +{.thumbnail} |
| 59 | + |
| 60 | +The policy can then allow the service with read only access on the choosen service. Some mandatory actions need to be given for users to be able to see the Logs Data Platform control panel without error. The minimal set of actions are listed below: |
| 61 | + |
| 62 | +```yaml |
| 63 | +- ldp:apiovh:cluster/get |
| 64 | +- ldp:apiovh:cluster/retention/get |
| 65 | +- ldp:apiovh:encryptionKey/get |
| 66 | +- ldp:apiovh:get |
| 67 | +- ldp:apiovh:input/get |
| 68 | +- ldp:apiovh:metrics/get |
| 69 | +- ldp:apiovh:role/get |
| 70 | +- ldp:apiovh:service/get |
| 71 | +- ldp:apiovh:serviceInfos/get |
| 72 | +- ldp:apiovh:services/form/get |
| 73 | +- ldp:apiovh:services/get |
| 74 | +- ldp:apiovh:token/get |
| 75 | +- ldp:apiovh:url/get |
| 76 | +``` |
| 77 | +
|
| 78 | +{.thumbnail} |
| 79 | +
|
| 80 | +Once the policy is attached to the identity, the users will see the new service in their control panel, but with no items available. |
| 81 | +
|
| 82 | +{.thumbnail} |
| 83 | +
|
| 84 | +### Create a sub resources group |
| 85 | +
|
| 86 | +All the items created by a Logs Data Platform (ie streams, dashboards etc) are materialized as sub-resources of the LDP service. |
| 87 | +One of the new feature available thanks to IAM is the ability to group sub-resources in a **Resource group**. A Resource group can be used to share related resources together and are a convenient way to groups items which are supposed to be used together. For example: a stream and its related dashboard, an alias and a OpenSearch Dashboard to explore it, an alias with all the streams attached to it. This feature is a good way to completely isolate sub-resources and make sure you don't have to handle them one by one over all your policies. |
| 88 | +
|
| 89 | +To create a resource group, navigate to `IAM`{.action} > `Policies`{.action} > `Resource Groups`{.action}. |
| 90 | + |
| 91 | +{.thumbnail} |
| 92 | + |
| 93 | +You need to select the product type (Dashboards, Streams, Alias, Index, OpenSearch Dashboards) and then select the specific resource you want to share. |
| 94 | + |
| 95 | +### Create a policy for the sub resources |
| 96 | + |
| 97 | +This policy is the one you need to effectively replicate the [legacy roles permissions](/pages/manage_and_operate/observability/logs_data_platform/getting_started_roles_permission). You will attach OVHcloud APIs rights and backend (Graylog, OpenSearch) rights to allow identities to see the items in their shared service and interact with them in the corresponding Web UIs and APIs. Again navigate to `IAM`{.action} > `Policies`{.action} > `My Policies`{.action} to create a policy. |
| 98 | + |
| 99 | +Similarly to the previous policy, you need to add your local user and you need to select the product type of your ressource or sub-resource if you want to enable the actions selection panel for these specific sub-resources. |
| 100 | + |
| 101 | +{.thumbnail} |
| 102 | + |
| 103 | +> ![warning] |
| 104 | +> Do not add a Logs Data Platform service to this policy. If you do so it will transitively give access to all sub-resources of this service (ie all LDP items) to the local users/identities or groups attached to the policy. The previous service policy has been created to prevent this behaviour. |
| 105 | + |
| 106 | +You can mix Resource Groups and specific resources in the same policy. All actions attached to the policy will be then be attached to all related sub-resources. |
| 107 | +You have several actions for each sub-resource type. For brevity, this guide will not detail all the actions available for all the items. |
| 108 | + |
| 109 | +Here are some use cases of several rights which can all be together in one policy showcasing the complexity enabled by IAM policies. Actions starting with **ldp:apiovh** are actions related to OVHcloud APIs (thus the control panel UI). The other actions are related to their specific backend: Graylog or OpenSearch. |
| 110 | + |
| 111 | +- These actions give an access in read-only to one or several indices: |
| 112 | + ```yaml |
| 113 | + - ldp:apiovh:output/opensearch/index/get |
| 114 | + - ldp:apiovh:output/opensearch/index/url/get |
| 115 | + - ldp:opensearch:index/read |
| 116 | + ``` |
| 117 | + |
| 118 | + {.thumbnail} |
| 119 | + |
| 120 | +- These actions allow to read and modify a Graylog Dashboard: |
| 121 | + ```yaml |
| 122 | + - ldp:graylog:dashboard/update |
| 123 | + - ldp:apiovh:output/graylog/dashboard/get |
| 124 | + - ldp:apiovh:output/graylog/dashboard/url/get |
| 125 | + - ldp:graylog:dashboard/read |
| 126 | + ``` |
| 127 | + |
| 128 | + {.thumbnail} |
| 129 | + |
| 130 | +- These actions allow to consult and create visualizations in one or several OpenSearch Dashboard instances: |
| 131 | + ```yaml |
| 132 | + - ldp:opensearch:osd/update |
| 133 | + - ldp:apiovh:output/opensearch/osd/get |
| 134 | + - ldp:apiovh:output/opensearch/osd/url/get |
| 135 | + - ldp:opensearch:osd/get |
| 136 | + ``` |
| 137 | + |
| 138 | + {.thumbnail} |
| 139 | + |
| 140 | +- These actions give a read-only access in both Graylog and the control panel to one or several streams: |
| 141 | + ```yaml |
| 142 | + - ldp:apiovh:output/graylog/stream/get |
| 143 | + - ldp:apiovh:output/graylog/stream/url/get |
| 144 | + - ldp:graylog:stream/read |
| 145 | + ``` |
| 146 | + |
| 147 | + {.thumbnail} |
| 148 | + |
| 149 | +Once the policy is created, the local user/identity will only see the related sub resource of the policy in its own control panel. |
| 150 | + |
| 151 | +{.thumbnail} |
| 152 | + |
| 153 | +### Analyse your policy results |
| 154 | + |
| 155 | +You can verify the accuracy of your policies using [the IAM troubleshooting guide](/pages/manage_and_operate/iam/iam-troubleshooting). |
| 156 | + |
| 157 | +### Going further with local users |
| 158 | + |
| 159 | +Local users are useful for generating Personal Access Tokens (PATs). These tokens have a configurable expiration date and can be used to interact with both the OVHcloud APIs and the Logs Data Platform backends. |
| 160 | + |
| 161 | +> [!api] |
| 162 | +> |
| 163 | +> @api {v1} /me POST /me/identity/user/{user}/token |
| 164 | +> |
| 165 | + |
| 166 | +Thanks to OVHcloud IAM, you can then delegates the creation rights of sub-resources (indices, aliases) to your local user and interact with the backend APIs directly with these Personal Access Tokens. |
| 167 | + |
| 168 | +The actions related to create items are part of the service actions. You will need to add them to a policy to allow a user to create items with their PAT. |
| 169 | + |
| 170 | +> ![info] |
| 171 | +> You don't need to allow any OVHcloud APIs action to allow a local user to interact with the Logs Data Platform backends (OpenSearch, Graylog, OpenSearch Dashboards) APIs. |
| 172 | +> Local users allow you to generate tokens which can only interact with the backend similarly to legacy Logs Data Platform tokens. |
| 173 | + |
| 174 | +For example, these two rights allow a local user to create indices/aliases directly on OpenSearch without having any other rights on the OVHcloud APIs. |
| 175 | + |
| 176 | +{.thumbnail} |
| 177 | + |
| 178 | +## Go further |
| 179 | + |
| 180 | +- [Introduction to Logs Data Platform](/pages/manage_and_operate/observability/logs_data_platform/getting_started_introduction_to_LDP) |
| 181 | +- [IAM for Logs Data Platform - Presentation and FAQ](/pages/manage_and_operate/observability/logs_data_platform/iam_presentation_faq) |
| 182 | +- [Our documentation](/products/observability-logs-data-platform) |
| 183 | +- Join our [community of users](/links/community) |
| 184 | +- Create an account: [Try it!](/links/manage-operate/ldp) |
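Review bot: The "Going further with local users" section leaves a least-privilege question open that the earlier warning makes important: it says "The actions related to create items are part of the service actions. You will need to add them to a policy", but the warning in "Create a policy for the sub resources" says that adding a Logs Data Platform service to a policy transitively grants access to all sub-resources of that service. State which policy the creation actions belong in (the service policy from "Create a policy for the service", or a separate one) and whether that transitive grant applies there. In the same section, "these two rights allow a local user to create indices/aliases directly on OpenSearch" names neither right; list the two action identifiers in a fenced list as the other sections do, so the permission set can be audited without the screenshot. For the "minimal set of actions" under "Create a policy for the service", the list is described as "read only access" yet contains `ldp:apiovh:token/get` and `ldp:apiovh:encryptionKey/get`; a sentence on why these are required for the control panel and what they return would help readers checking the grant. Style: the callout syntax is inconsistent, `> ![primary]`, `> ![warning]` and `> ![info]` versus `> [!api]`; the `!` outside the brackets reads as an image reference, so align on one form. In "Create a group for local users", `IAM`{.action} {.action} > `Identities`{.action} > `User groups` has a stray `{.action}` after `IAM` and is missing one on `User groups`. Typos: "functionnality", "choosen", "ressource", "delegates the creation rights" (delegate), "allow to read and modify" and "allow to consult" (allow you to), "One of the new feature available" (features), "are a convenient way to groups items" (group), "a OpenSearch Dashboard" (an), "The minimal set of actions are listed" (is listed), "Account With" (with).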