signoz icon indicating copy to clipboard operation
signoz copied to clipboard

Published 20 hours ago • verified publisher icon SigNoz

RBAC control on Clickhouse

Open RealHarshThakur opened this issue 1 year ago • 2 comments

Is your feature request related to a problem?

It would be nice if each Signoz component had fine-grained RBAC for the operations it needs to perform.

Describe the solution you'd like

  • OTel collector: Currently, each exporter runs its own migrations at startup. Migrations could be run in a different process with credentials that have only DDL permissions and no DML permissions and have the collector use only DML permissions. This change can be backward-compatible.
    • Log exporter: A sample PR for logs:
    • Trace exporter: Similar to logs, this could be solved for traces as well
    • Metric exporter: We'll need to first create a migration directory for metrics to have a solution like above.

I have not dug much into query-service/UI to comment on it but hoping this issue serves as an umbrella issue as fine-grained RBAC would reduce the attack surface.

RealHarshThakur avatar Apr 07 '23 04:04 RealHarshThakur