Control access to APM data
editControl access to APM data
editStarting in version 8.2.0, the Applications UI is Kibana space aware. This allows you to separate your data—and access to that data—by team, use case, service environment, or any other filter that you choose.
To take advantage of this feature, your APM data needs to be written to different data streams.
One way to accomplish this is with different namespaces.
For example, you can send production data to an APM integration with a namespace of production
,
while sending staging data to a different APM integration with a namespace of staging
.
Multiple APM integration instances is not required though. The simplest way to take advantage of this feature is by creating filtered aliases. See the guide below for more information.
This guide will explain how to separate your staging and production data. This can be helpful to either remove noise when troubleshooting a production issue, or to create more granular access control for certain data.
This guide assumes that you:
- Are sending both staging and production APM data to an Elasticsearch cluster.
-
Have configured the
environment
variable in your APM agent configurations. This variable sets theservice.environment
field in APM documents. You should have documents whereservice.environment: production
andservice.environment: staging
. If this field is empty, see service environment filter to learn how to set this value.
The Applications UI uses index patterns to query your APM data. An index pattern can match data streams, indices, and/or aliases. The default values are:
Index setting | Default index pattern |
---|---|
Error |
|
Span/Transaction |
|
Metrics |
|
The default index settings also query the apm-*
data view.
This data view matches APM data shipped in earlier versions of APM (prior to v8.0).
Instead of querying the default APM data views, we can create filtered aliases for the Applications UI to query. A filtered alias is a secondary name for a group of data streams that has a user-defined filter to limit the documents that the alias can access.
To separate staging
and production
APM data, we’d need to create six filtered aliases—three
aliases for each service environment:
Index setting | production env |
staging env |
---|---|---|
Error |
|
|
Span/Transaction |
|
|
Metrics |
|
|
The production-<event>-apm
aliases will contain a filter that only provides access to documents
where the service.environment
is production
.
Similarly, the staging-<event>-apm
aliases will contain a filter that only provides access to documents
where the service.environment
is staging
.
To create these six filtered aliases, use the Elasticsearch Aliases API. In Kibana, open Dev Tools and run the following POST requests.
traces-apm*
production alias example
logs-apm*
production alias example
metrics-apm*
production alias example
traces-apm*
staging alias example
logs-apm*
staging alias example
metrics-apm*
staging alias example
Next, you’ll need to create a Kibana space for each service environment.
To open Spaces, find Stack Management in the main menu or use the global search field.
To create a new space, click Create a space.
For this guide, we’ve created two Kibana spaces, one named production
and one named staging
.
See Kibana spaces for more information on creating a space.
Now we can change the default data views that the Applications UI queries in each space.
Open the Applications UI and navigate to Settings → Indices. Use the table below to update your settings for each space. The values in each column match the names of the filtered aliases we created in step one.
Index setting | production space |
staging space |
---|---|---|
Error indices |
|
|
Span indices |
|
|
Transaction indices |
|
|
Metrics indices |
|
|
To open Roles, find Stack Management in the main menu or use the global search field. Click Create role.
You’ll need to create two roles: one for staging
users (we’ll call this role staging_apm_viewer
)
and one for production
users (we’ll call this role production_apm_viewer
).
Using the table below, assign each role the following privileges:
Privileges | production_apm_viewer |
staging_apm_viewer |
---|---|---|
Index privileges |
index: |
index: |
Kibana privileges |
space: |
space: |
Alternatively, you can use the Elasticsearch Create or update roles API:
Create a production_apm_viewer
role
This request creates a production_apm_viewer
role:
Create a staging_apm_viewer
role
This request creates a staging_apm_viewer
role:
The last thing to do is assign users to the newly created roles above. Users will only have access to the data within the spaces that they are granted.
For information on how to create users and assign them roles with the Kibana UI, see Securing access to Kibana.
Alternatively, you can use the Elasticsearch Create or update users API.
This example creates a new user and assigns them the production_apm_viewer
role created in the previous step.
This user will only have access to the production space and data with a service.environment
of production
.
Remember to change the password
, full_name
, and email
fields.
POST /_security/user/production-apm-user { "password" : "l0ng-r4nd0m-p@ssw0rd", "roles" : [ "production_apm_viewer" ], "full_name" : "Jane Production Smith", "email" : "janesmith@example.com" }
This example creates a new user and assigns them the staging_apm_viewer
role created in the previous step.
This user will only have access to the staging space and data with a service.environment
of staging
.
Remember to change the password
, full_name
, and email
fields.
POST /_security/user/staging-apm-user { "password" : "l0ng-r4nd0m-p@ssw0rd", "roles" : [ "staging_apm_viewer" ], "full_name" : "John Staging Doe", "email" : "johndoe@example.com" }
That’s it! Head back to the Applications UI and marvel at your space-specific data.