Read-Only user for Monitoring?

Greetings!
I am working on ways to monitor the health of my OpenZiti infrastructure. One of the first things I would like to be observable and alertable is the health of each router. In looking at this, I have found that my monitor user currently needs to have Admin rights in order to list the routers using the CLI. Is there a way around this? I know there is the concept of a user that is not an Admin, but it is also not authorized to see the list of routers and their status. Is there anywhere I can grant that permission to my monitor user without making it an Admin? Do you have plans to do any type of RBAC in the future?

Thanks!

Hi @greggw01

That feature doesn't exist yet, but it's being tracked here: Add Edge Management Read Only Capability · Issue #2109 · openziti/ziti · GitHub
My best guess is that it's something that will be implemented in the next 3-6 months, as it's something we definitely want to implement, but there are some features in the queue ahead of it.

There is a client-side CLI feature that allows you to mark a login as read-only.

ziti edge login <url> --read-only

This sets a flag in the config which causes an error to be emitted whenever the CLI is asked to do any non-GET operation. The feature exists to help prevent making mistakes when you're logging into multiple controllers.

As for general RBAC, it's being considered, and it's likely that something more than just read-only or not will be implemented, but there's no consensus yet on what exactly that will look like.

Paul
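The read-only login Paul describes is a purely client-side guard: the flag lives in the CLI's saved login profile, and the CLI refuses any non-GET call before it is sent, so the controller never sees the mutating request. The controller's own authorization is unchanged, which is why the monitor identity still needs admin rights to list routers. The following is an added example, not the ziti CLI's code and not the project's API client; it models that guard against a fake controller so it runs offline. The `LoginProfile` layout, the `ReadOnlyViolation` exception, the fake transport and the constructed router-list response (including the `/edge/management/v1/edge-routers` path and `isOnline` field shape) are assumptions made for the example.

```python
"""Client-side read-only guard modelled on `ziti edge login --read-only`.

Added example code, not from the ziti CLI. The profile layout, exception
type, fake transport and sample response below are all assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Methods that cannot change state on the controller. Everything else
# (POST, PUT, PATCH, DELETE) is refused when the profile is read-only.
READ_ONLY_METHODS = {"GET", "HEAD", "OPTIONS"}


class ReadOnlyViolation(Exception):
    """Raised locally when a mutating call is attempted on a read-only login."""


@dataclass
class LoginProfile:
    """Assumed shape of a saved login; `read_only` plays the role of the CLI flag."""
    url: str
    token: str
    read_only: bool = False


@dataclass
class ManagementClient:
    """Thin client: checks the read-only flag, then hands the call to a transport."""
    profile: LoginProfile
    transport: Callable[[str, str], dict]
    sent: List[Tuple[str, str]] = field(default_factory=list)  # what actually left the client

    def request(self, method: str, path: str) -> dict:
        method = method.upper()
        if self.profile.read_only and method not in READ_ONLY_METHODS:
            # Refused before any network I/O: the controller never sees it.
            raise ReadOnlyViolation(
                f"{method} {path} refused: login to {self.profile.url} is read-only"
            )
        self.sent.append((method, path))
        return self.transport(method, path)


# Constructed sample response standing in for the controller's router list.
ROUTERS_PATH = "/edge/management/v1/edge-routers"
SAMPLE_ROUTERS: Dict[str, list] = {
    "data": [
        {"id": "r1", "name": "router-a", "isOnline": True},
        {"id": "r2", "name": "router-b", "isOnline": False},
        {"id": "r3", "name": "router-c", "isOnline": True},
    ]
}


def fake_controller(method: str, path: str) -> dict:
    """Offline stand-in for the management API (assumed paths and shapes)."""
    if method == "GET" and path == ROUTERS_PATH:
        return SAMPLE_ROUTERS
    if method == "DELETE" and path.startswith(ROUTERS_PATH + "/"):
        return {"deleted": path.rsplit("/", 1)[-1]}
    return {"error": "not found"}


def offline_routers(client: ManagementClient) -> List[str]:
    """Monitoring check: names of routers the controller reports as offline."""
    body = client.request("GET", ROUTERS_PATH)
    return sorted(r["name"] for r in body["data"] if not r.get("isOnline", False))


def attempt_delete(client: ManagementClient, router_id: str) -> str:
    """Try a mutating call; report whether it was sent or refused locally."""
    try:
        client.request("DELETE", f"{ROUTERS_PATH}/{router_id}")
        return "sent"
    except ReadOnlyViolation:
        return "refused"


def make_client(read_only: bool) -> ManagementClient:
    profile = LoginProfile(url="https://ctrl.example:1280", token="dummy", read_only=read_only)
    return ManagementClient(profile=profile, transport=fake_controller)


if __name__ == "__main__":
    ro = make_client(read_only=True)
    print("offline routers:", offline_routers(ro))
    print("delete on read-only login:", attempt_delete(ro, "r2"))
    print("calls that reached the controller:", ro.sent)
```

The point to take from the `sent` log is that the refusal happens in the client; a monitor identity using a compromised or mis-scripted tool would still be able to mutate state if it held admin rights, because the controller side has no read-only notion until the tracked issue is implemented.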

Hi @greggw01,

You might also want to check out this thread: Is the health-check API supported on routers? as an alternative to using the CLI for monitoring Edge Router health.

Hope that helps.

Edward
