Permissions
Permissions in StackState are twofold: System permissions and View permissions. These two sets of permissions are prepared to allow Administrators to take control over actions that users can perform inside StackState, as well as adjusting a user's UI to fit their role. This means that StackState can present a completely different interface and feature set according to the user's active role. UI elements that users don't have access to are simply not displayed in their UI.
Please note that permissions are stored in StackGraph, so performing an upgrade with clear all data will also remove permission setup. Because permissions exist in StackGraph, in order to completely remove the user it needs to be removed from LDAP and from StackGraph manually.
Views permissions are a set of permissions that allow for CRUD operations with Views in StackState. System permissions are scoping user capabilities like access to settings, query execution or scripting.
StackState comes with three predefined roles - stackstate-admin (Adminstrator), stackstate-power-user (Power user) and stackstate-guest (Guest user).
Administrators have all permissions and access to all views.
Power Users have all Administrator permissions except update-permissions and upload-stackpacks. This role is typically granted to users that are not managing the entire StackState installation, but do need to configure StackState for their team(s).
Guests have access to view, as you can see below:
subject permission resource---------------- -------------------- ----------stackstate-guest read-settings systemstackstate-guest access-explore systemstackstate-guest perform-custom-query systemstackstate-guest read-permissions systemstackstate-guest update-visualization systemstackstate-guest access-view everything
The default names for these roles as mentioned above can be overriden, this mechanism can also be used to add extra roles that will have the same permissions. Here an example of how to do this for both Kubernetes and Linux instalaltions.
Include this YAML snippet in an authentication.yaml when customizing the authentication configuration to replace the default role names with these custom role names.
stackstate:authentication:roles:guest: ["custom-guest-role"]powerUser: ["custom-power-user-role"]admin: ["custom-admin-role"]
Of course it is also possible to leave the defaults in place, for example the guestGroups would then have an array with 2 entries: ["stackstate-guest", "custom-guest-role"].
To use it in for your StackState installation (or already running instance, note that it will restart the API):
helm upgrade \--install \--namespace stackstate \--values values.yaml \--values authentication.yaml \stackstate \stackstate/stackstate
Edit the existing keys in the authentication section (nested in stackstate.api) in the configuration file like in the example to replace the default role names with these custom role names. Restart StackState to make the change take effect.
guestGroups = ["custom-guest-role"]powerUserGroups = ["custom-power-user-role"]adminGroups = ["custom-admin-role"]}
Of course it is also possible to leave the defaults in place, for example the guestGroups would then have an array with 2 entries: ["stackstate-guest", "custom-guest-role"].
Permission | Purpose | Guest | Power-user | Administrator |
access-explore | Access the Explore page | ✅ | ✅ | ✅ |
update-visualization | Change visualization settings | ✅ | ✅ | ✅ |
perform-custom-query | Access the topology filter | ✅ | ✅ | ✅ |
read-permissions | List all granted permissions across the entire system via the CLI | ✅ | ✅ | ✅ |
execute-component-actions | Execute component actions | ✅ | ✅ | ✅ |
create-views | Create views | - | ✅ | ✅ |
access-analytics | Access the Analytics page | - | ✅ | ✅ |
execute-scripts | Execute a query in the Analytics page | - | ✅ | ✅ |
read-settings | Access the Settings page | - | ✅ | ✅ |
update-settings | Update settings | - | ✅ | ✅ |
import-settings | Import settings | - | ✅ | ✅ |
export-settings | Export settings | - | ✅ | ✅ |
manage-topology-elements | Create/update/delete topology elements | - | ✅ | ✅ |
manage-stackpacks | Install/upgrade/uninstall StackPacks | - | ✅ | ✅ |
manage-annotations | Persist and fetch Anomaly annotations in StackState | - | ✅ | ✅ |
save-view | Save views | - | ✅ | ✅ |
access-view | Access a specific view (when granted on a view) or all views (when granted on the | - | ✅ | ✅ |
delete-view | Delete views | - | ✅ | ✅ |
manage-telemetry-streams | Edit or create new streams for components via the UI | - | ✅ | ✅ |
access-log-data | Access StackState logs via the CLI | - | ✅ | ✅ |
access-topic-data | Access StackState receiver data via the CLI | - | ✅ | ✅ |
execute-component-templates | Invoke a component template API extension (internal use only) | - | ✅ | ✅ |
execute-node-sync | Reset or delete a synchronization | - | ✅ | ✅ |
access-admin-api | Access the administrator API | - | ✅ | ✅ |
update-permissions | Grant/revoke permissions or modify subjects | - | - | ✅ |
upload-stackpacks | Upload new (versions of) StackPacks | - | - | ✅ |
Analytics page - requires
access-analyticspermission. Without this permission, Analytics section is hidden in the UI, and it is not accessible via URL.StackPacks page - requires
manage-stackpackssystem permission. Without this permission, StackPacks section is hidden in the UI and it is not accessible via URL.Settings page - requires
read-settingssystem permission. Without this permission, Settings section is hidden in the UI and it is not accessible via URL.Explore Mode page - requires
access-exploresystem permission. Without this permission, Explore Mode section is hidden in the UI and it is not accessible via URL.Saved views page - Requires
access-viewpermission and a resource. It is possible to grant access for specific views by addingaccesss-viewpermission with a specific view ID or (as it is for the Administrator role) withEverythingresource, allowing to see all views.Import Settings Page - requires
import-settingssystem permission. Without this permission, Import Settings is removed from Settings Menu.Export Settings page - requires
export-settingssystem permission. Without this permission, Export Settings is removed from Settings Menu.Admin API - requires
access-admin-apisystem permission. Without this permission, Admin API is removed from Settings Menu.
Create a view - requires
create-viewssystem permission. If not granted, save buttons are not present for the user.Save as... - requires
save-viewpermission. It's dependant onEverythingor the specific view permissions.Edit a view - requires
save-viewpermission. It's dependant onEverythingor the specific view permissions.Delete a view - requires
delete-viewpermission. It's dependant onEverythingor the specific view permissions.Sidebar access - requires
save-view,delete-viewor both of them to access these options in the sidebar.
Basic and Advanced filtering -
perform-custom-queryis required to access filtering tools. Filtering options are hidden for users without this permission.Component pane - requires system permissions:
manage-topology-elements,perform-custom-query, andread-settings. Component pane is hidden for users without this set of permissions.Visualization Settings - requires
update-visualizationsystem permission. Visualization settings are hidden for users without this permission.
| | |
| | |
Drag and drop components - requires
manage-topology-elementssystem permission.Access to a node actions menu - requires
execute-component-actionspermission.Create relations between topology elements - requires system permissions:
manage-topology-elements,perform-custom-query, andread-settings.
Executing scripts - requires
execute scriptssystem permission. Execute button will not be present for users without this permission.
| | |
| | |
Data streams actions - requires
manage-topology-elementssystem permission. Without this permission only "Inspect" action is available.Add data streams - requires
manage-topology-elementssystem permission. Without this permission, user cannot see the Add button.Health check - requires
manage-topology-elementssystem permission. Without this permission, user cannot see any actions.Add health check - requires
manage-topology-elementssystem permission. Without that permission, user cannot see the Add button.Delete element - requires
manage-topology-elementssystem permission. Delete button is not present if the user does not have this permission.Edit element (also edit element template) - requires
manage-topology-elements,perform-custom-query, andread-settingssystem permissions.
| |
| |
Below capabilities are shared across all settings pages.
Add New capability - requires
update-settingssystem permission. It unlocks Add... buttons on all Settings Pages.Edit capability - requires
update-settingssystem permission. Three dots menu (kebab menu) is not displayed for the users without that permission.Delete capability - requires
update-settingssystem permission. Delete option is not displayed for the users without this permission.Export capability - requires
export-settingssystem permission. Checkboxes are not available for the user without this permission.Delete and Reset synchronization capabilities - requires
execute-node-syncsystem permission.
Important note: all permissions in StackState are case sensitive.
List all permissions:
sts permission list
Provide a subject with permission to open a view:
sts permission grant [subject-handle] access-view [view-name]
Revoke permissions for a subject to open a view:
sts permission revoke [subject-handle] access-view [view-name]
Provide a subject with system permission to check StackState settings:
sts permission grant [subject-handle] read-settings system
Provide a subject with system permission to create (save) views:
sts permission grant [subject-handle] create-views system
UI of a user without any permissions:
