Set up a Grafana Enterprise Logs tenant
Tenants provide a mechanism for log stream isolation. Access policies may be set on a per-tenant basis. Authorization of requests is based on specified access policies.
These instructions assume that you have the Grafana Enterprise Logs administrative plugin installed. Use this plugin to create tenants, access policies, and tokens for your GEL cluster.
Create a tenant
Once a cluster is running, you can create new tenants.
Navigate to Grafana Enterprise Logs > Tenants.
Click Create tenant.
Enter a chosen display name and name for this tenant.
Choose the cluster for this tenant.
Click Save changes.
Create an access policy
Access policies are used to authorize actions and operations by specified tenants. Access policies have a realm, which defines the set of tenants they apply to, and a scope which defines the set of actions that they confer permissions to use.
Navigate to Grafana Enterprise Logs > Access Policies.
Click Create access policy.
Enter a chosen display name and name for access policy.
To enter the scopes for this access policy, click on either the Yes or No box, as appropriate to answer the question, under the Scopes heading to bring up a list of clickable scopes. Place check marks next to those scopes that correspond to operations that will be authorized under this access policy.
Sequentially select all tenants this access policy will grant access to.
Click Create.
Create tokens for the access policies
A token will be needed by any entity requesting actions or operations. One or more tokens may be created for each access policy. Tokens can be created with an expiration date, if the administrator wishes access granted to the system for a specific length of time.
Navigate to Grafana Enterprise Logs > Access Policies.
Click Add token for the access policy.
Enter a chosen name for the token and specify the expiration details.
Click Create.
Copy and save the token displayed.
Create a Grafana data source
To allow Grafana to read logs from GEL, you must create a Loki data source with the proper credentials.
Create an access policy with scope
logs:read
for the tenant you want to read logs from. Create and save a token for this access policy.In Grafana Enterprise, navigate to Configuration > Data Sources.
Click Add data source.
Specify a name for this data source. Set the URL to
http://<GEL host>:3100
.Enable Basic Auth.
The User differs based on use case. Set the User to one of:
For single tenant access, set the User to the name of the tenant you want to read from.
For explicitly-specified, multiple-tenant access, set the User to include the names of the each tenant you want to read from; delimit the tenant names with a pipe character (
|
). As an example, for the two tenants namedteam-engineering
andteam-finance
, the User will beteam-engineering|team-finance
. This data source explicitly limits the tenants. The data source must be modified to add or remove a tenant.For multiple tenant access by all tenants specified in an access policy, set the User to
*
. If the access policy changes, the data source will not need to be modified to honor the modified access policy.
Set the Password to your saved token for the access policy with
logs:read
access to the tenant(s).Click Save & Test.
Promtail access policy and token
Promtail will need an access policy with logs:write
scope in order to push logs to a GEL cluster.
Create an access policy and token to be used by Promtail.
Capture the token and specify it in the Promtail configuration.