sensu-go
Add support for resource_names support to cluster-role and role resources
Problem
Events have no name, making resource_name-specific RBAC controls impossible.
Use case
Want to give a specific user RBAC access to create/update specific events via the API.
Feature Suggestion
Add special-case logic for events that allows you to map "event.entity.name:event.check.name" to resource_name.
This would not cover metric-only events... but that's okay... because all programmatically generated events could include a check and metrics.
We also have a customer inquiring about limiting roles to creating events for a specific entity, so I wonder if we're already going to need some special handling for event resource "names" (which they have none), if these could facilitate the following use cases:
- only create events matching a specific entity+check name (e.g. `server-01/my-app`)
- only create events matching a specific entity name (e.g. `server-01/*`)
- only create events matching a specific check name (e.g. `*/my-app`)
Related:
- #3082 is still relevant, but not useful for scoping roles with the `create` verb.
- #4141 (loosely related)
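A sketch of the matching the three use cases in the comment above would need, added here as an example; it is not sensu-go code and not an implementation from the project. The `Event` type, the `eventAllowed` function and the `entity/check` pattern syntax with `*` as a whole-segment wildcard are assumptions modelled on the examples in that comment, and the sample rule and events are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a hypothetical stand-in for an event; only the two names matter here.
type Event struct {
	Entity string
	Check  string // empty for a metric-only event
}

// segmentMatches reports whether one pattern segment accepts a name.
// "*" accepts any non-empty name; anything else must match exactly.
func segmentMatches(pattern, name string) bool {
	if name == "" {
		return false // a metric-only event has no check name to authorize against
	}
	return pattern == "*" || pattern == name
}

// eventAllowed reports whether any "entity/check" pattern in resourceNames
// accepts the event. It returns false when no pattern matches.
func eventAllowed(resourceNames []string, e Event) bool {
	for _, rn := range resourceNames {
		entityPat, checkPat, ok := strings.Cut(rn, "/")
		if !ok || entityPat == "" || checkPat == "" {
			continue // malformed pattern: skip it rather than treat it as a wildcard
		}
		if segmentMatches(entityPat, e.Entity) && segmentMatches(checkPat, e.Check) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed rule: one exact entity+check pair, one check on any entity.
	rule := []string{"server-01/my-app", "*/heartbeat"}
	for _, e := range []Event{
		{"server-01", "my-app"}, {"server-02", "my-app"},
		{"server-02", "heartbeat"}, {"server-01", ""},
	} {
		fmt.Printf("%s/%s allowed=%v\n", e.Entity, e.Check, eventAllowed(rule, e))
	}
}
```

The last sample event has no check name and is rejected by every pattern, including `server-01/*`, which is the metric-only gap noted in the feature suggestion.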
Wow, I thought I was doing something wrong, but it's just a lack of the feature. I want to create a user (customer) who could see only some specific checks (and events from them), and I've been wondering what to put in 'resource_names' for events.
See internal ref: https://secure.helpscout.net/conversation/1456911013/24965/