RBAC control on ClickHouse
Is your feature request related to a problem?
It would be nice if each SigNoz component had fine-grained RBAC for the operations it needs to perform.
Describe the solution you'd like
- OTel collector: Currently, each exporter runs its own migrations at startup. Migrations could be run in a different process with credentials that have only DDL permissions and no DML permissions, and the collector could use credentials with only DML permissions.
This change can be backward-compatible.
- Log exporter: A sample PR for logs:
- Trace exporter: Similar to logs, this could be solved for traces as well.
- Metric exporter: We'll need to first create a migration directory for metrics to have a solution like above.
I have not dug much into query-service/UI to comment on it, but I am hoping this issue serves as an umbrella issue, as fine-grained RBAC would reduce the attack surface.
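The DDL/DML credential split proposed in this issue, sketched as ClickHouse access-control statements. This is an added example, not SigNoz's own configuration: the database name `signoz_logs`, the role and user names, the `schema_migrations` bookkeeping table and the passwords are assumptions, and SQL-driven access management is assumed to be enabled.

```sql
-- Added example: every name below is an assumption, not taken from SigNoz.
-- Run as a ClickHouse administrator.

-- Before (single credential doing everything; shown for contrast only):
-- GRANT ALL ON signoz_logs.* TO signoz_collector;

-- After: one role for schema changes, one for data.
CREATE ROLE IF NOT EXISTS logs_migrator;
CREATE ROLE IF NOT EXISTS logs_writer;

-- Migration process: DDL only.
-- ALTER TABLE is deliberately not granted as a whole, because that privilege
-- group also contains ALTER UPDATE and ALTER DELETE (data mutations).
GRANT CREATE DATABASE, CREATE TABLE, DROP TABLE,
      ALTER COLUMN, ALTER INDEX, ALTER TTL, ALTER SETTINGS
    ON signoz_logs.* TO logs_migrator;

-- Assumption: the migration tool records applied versions in a table.
-- If so, give it DML on that one table only, not on the data tables.
GRANT SELECT, INSERT ON signoz_logs.schema_migrations TO logs_migrator;

-- Collector: DML only, no CREATE / ALTER / DROP.
-- Drop SELECT if the exporter never reads back from ClickHouse.
GRANT INSERT, SELECT ON signoz_logs.* TO logs_writer;

-- Separate users so the collector never holds the DDL credential.
CREATE USER IF NOT EXISTS signoz_migrator
    IDENTIFIED WITH sha256_password BY 'REPLACE_WITH_MIGRATOR_SECRET';
CREATE USER IF NOT EXISTS signoz_collector
    IDENTIFIED WITH sha256_password BY 'REPLACE_WITH_COLLECTOR_SECRET';

GRANT logs_migrator TO signoz_migrator;
GRANT logs_writer   TO signoz_collector;

-- Review the effective privileges of each account.
SHOW GRANTS FOR signoz_migrator;
SHOW GRANTS FOR signoz_collector;

-- Negative checks to run while connected as signoz_collector; both should be
-- rejected with a "Not enough privileges" error (table name is hypothetical):
--   ALTER TABLE signoz_logs.logs ADD COLUMN probe UInt8;
--   DROP TABLE signoz_logs.logs;
```

The privilege list for the migrator role has to track what the migration files actually do, so it should be derived from the statements in the migration directory rather than widened to `ALTER` or `ALL`.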