policy.yaml

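Use the policy.yaml file to define additional access controls that will be applied to Aetos. The rules below are shown commented out; to override one, uncomment it and change its check string. An override replaces the whole check string, so when changing a tenancy-enforced rule keep the `project_id:%(project_id)s` match unless cross-project access is intended: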

#"segregation": "rule:context_is_admin"

# Delete metrics.
# POST  /api/v1/admin/tsdb/delete_series
# Intended scope(s): project
#"telemetry:admin_delete_metrics": "role:admin and project_id:%(project_id)s"

# Take snapshot of the database.
# POST  /api/v1/admin/tsdb/snapshot
# Intended scope(s): project
#"telemetry:admin_snapshot": "role:admin and project_id:%(project_id)s"

# Clean tombstones.
# POST  /api/v1/admin/tsdb/clean_tombstones
# Intended scope(s): project
#"telemetry:admin_clean_tombstones": "role:admin and project_id:%(project_id)s"

# Prometheus Query endpoint with tenancy enforced.
# GET  /api/v1/query
# Intended scope(s): project
#"telemetry:query": "role:reader and project_id:%(project_id)s"

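# Prometheus Query endpoint without tenancy enforced.
# Callers matching this rule are not limited to their own project's metrics,
# so keep it restricted to trusted admin and service identities. The same
# applies to the other "all_projects" rules below (label, labels, series).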
# GET  /api/v1/query
# Intended scope(s): project
#"telemetry:query:all_projects": "(role:admin and project_id:%(project_id)s) or (role:service)"

# Prometheus label endpoint with tenancy enforced.
# GET  /api/v1/label
# Intended scope(s): project
#"telemetry:label": "role:reader and project_id:%(project_id)s"

# Prometheus label endpoint without tenancy enforced.
# GET  /api/v1/label
# Intended scope(s): project
#"telemetry:label:all_projects": "(role:admin and project_id:%(project_id)s) or (role:service)"

# Prometheus labels endpoint with tenancy enforced.
# GET  /api/v1/labels
# Intended scope(s): project
#"telemetry:labels": "role:reader and project_id:%(project_id)s"

# Prometheus labels endpoint without tenancy enforced.
# GET  /api/v1/labels
# Intended scope(s): project
#"telemetry:labels:all_projects": "(role:admin and project_id:%(project_id)s) or (role:service)"

# Prometheus series endpoint with tenancy enforced.
# GET  /api/v1/series
# Intended scope(s): project
#"telemetry:series": "role:reader and project_id:%(project_id)s"

# Prometheus series endpoint without tenancy enforced.
# GET  /api/v1/series
# Intended scope(s): project
#"telemetry:series:all_projects": "(role:admin and project_id:%(project_id)s) or (role:service)"

# Prometheus targets endpoint.
# GET  /api/v1/targets
# Intended scope(s): project
#"telemetry:targets": "(role:admin and project_id:%(project_id)s) or (role:service)"

# Prometheus status endpoint.
# GET  /api/v1/status
# Intended scope(s): project
#"telemetry:status": "(role:admin and project_id:%(project_id)s) or (role:service)"