Use label-based access control with GEL


This feature is available from v1.1.0. For the latest releases, refer to the Releases page.

Label-based access control creates access policies that allow you to query only the logs that meet specific label requirements. The feature allows you to associate multiple sets of Prometheus label selectors with a policy. As a result, queries only return data from the logs that match at least one of the provided selectors. Because each selector is an AND of label matchers and the policy is an OR of selectors, this corresponds to disjunctive normal form, which allows you to express any required policy.

Setting up a label policy

Label policies are set when you create an access policy on a per-tenant basis. This means that each tenant that is associated with an access policy can have a unique label policy.

  1. Click Create access policy.
  2. Fill in the Display name field with the access policy name.
  3. Select the logs:read scope.
  4. Select a tenant.
  5. Click Add label selector and add a label selector.
  6. Click Create.

Create LBAC policy

Alertmanager and ruler

Label policies are not enforced by the alertmanager and ruler. This means that the requests that they serve contain everything for a particular tenant without applying label-based access control. For example, listing all rule groups in the ruler will return all rule groups for the tenant even if a label selector in the access policy excludes some of the labels on the rules.

In the case of the ruler, this only applies to the HTTP endpoints. All metrics that the ruler generates for alerting or recording rules (alerting rules generate the ALERTS and ALERTS_FOR_STATE metrics) are subject to label-based access control when queried in GEM. Note that GEL recording rules generate metrics that can be sent to a Prometheus-compatible metrics system.

Writing log lines

GEL does not enforce label-based access control on write requests. This means that a logs:write scope in the access policy allows clients to push any log lines, regardless of their labels.

Label policy scope

Label policies are only applied to the log stream selector of the Loki query. They do not apply to label filter expressions. For more information, refer to the Log stream selector and Label filter expression sections in the Loki documentation about Log queries.

Exclude a label

One common use case for creating an LBAC policy is to exclude logs that have a specific label. For example, you can create a label policy that excludes all log lines with the label secret=true by adding a selector with secret!="true" when you create an access policy:

Create exclude label

Use multiple selectors

To create a policy that allows someone to access the production and development environments and excludes logs with the label secret=true in the production environment, use multiple selectors.

Create multiple selectors

The selectors {secret!="true", env="prod"} and {env="dev"} enforce the policy:

  • The selector {secret!="true", env="prod"} matches and returns log lines from the production environment that do not have the label secret=true.
  • The selector {env="dev"} matches and returns log lines from the development environment, even if they have the label secret=true.
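The selector semantics described above (every matcher in a selector must hold, and at least one selector in the policy must hold), as an added example written for this page rather than GEL's or Loki's own code. It evaluates the page's two-selector policy and the single exclude-label policy against constructed sample streams, and also shows the disjunctive-normal-form view: a query's stream selector ANDed with the policy yields one effective selector per policy branch. The type and function names (Matcher, Selector, Policy, Restrict, AllowedStreams) are hypothetical, and absent labels are treated as the empty string, the Prometheus convention.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Matcher is one Prometheus-style label matcher such as env="prod" or secret!="true".
type Matcher struct {
	Label string
	Op    string // "=", "!=", "=~" or "!~"
	Value string
}

// Selector is one label selector from the access policy: a conjunction, every matcher must hold.
type Selector []Matcher

// Policy is the set of selectors on an access policy: a disjunction, at least one must hold.
// An OR of ANDs is disjunctive normal form.
type Policy []Selector

// Matches reports whether the matcher holds for a stream's label set. A label absent from
// the stream is treated as the empty string (Prometheus convention), so secret!="true"
// also admits streams that carry no secret label at all.
func (m Matcher) Matches(labels map[string]string) bool {
	v := labels[m.Label]
	switch m.Op {
	case "=":
		return v == m.Value
	case "!=":
		return v != m.Value
	case "=~":
		return regexp.MustCompile("^(?:" + m.Value + ")$").MatchString(v)
	case "!~":
		return !regexp.MustCompile("^(?:" + m.Value + ")$").MatchString(v)
	}
	return false
}

// Matches holds only if every matcher in the selector holds (AND).
func (s Selector) Matches(labels map[string]string) bool {
	for _, m := range s {
		if !m.Matches(labels) {
			return false
		}
	}
	return true
}

// Allows holds if at least one selector of the policy matches the stream (OR).
// A policy with no selectors matches nothing here; how GEL treats an access policy
// without any label selector is outside this example.
func (p Policy) Allows(labels map[string]string) bool {
	for _, s := range p {
		if s.Matches(labels) {
			return true
		}
	}
	return false
}

// Restrict ANDs a query's stream selector with each policy branch, giving the
// effective selectors the query is allowed to evaluate (still in DNF).
func Restrict(query Selector, p Policy) Policy {
	out := make(Policy, 0, len(p))
	for _, s := range p {
		out = append(out, append(append(Selector{}, query...), s...))
	}
	return out
}

// String renders a selector in LogQL stream-selector syntax, e.g. {env="prod", secret!="true"}.
func (s Selector) String() string {
	parts := make([]string, len(s))
	for i, m := range s {
		parts[i] = fmt.Sprintf("%s%s%q", m.Label, m.Op, m.Value)
	}
	return "{" + strings.Join(parts, ", ") + "}"
}

// AllowedStreams keeps only the streams the policy permits.
func AllowedStreams(p Policy, streams []map[string]string) []map[string]string {
	var kept []map[string]string
	for _, st := range streams {
		if p.Allows(st) {
			kept = append(kept, st)
		}
	}
	return kept
}

// MultiEnvPolicy is the page's two-selector policy: {secret!="true", env="prod"} and {env="dev"}.
var MultiEnvPolicy = Policy{
	{{"secret", "!=", "true"}, {"env", "=", "prod"}},
	{{"env", "=", "dev"}},
}

// SampleStreams are constructed label sets standing in for one tenant's streams.
var SampleStreams = []map[string]string{
	{"env": "prod", "app": "api"},                   // allowed by the first selector
	{"env": "prod", "app": "api", "secret": "true"}, // excluded: secret=true in prod
	{"env": "dev", "app": "api", "secret": "true"},  // allowed by the second selector despite secret=true
	{"env": "staging", "app": "api"},                // matched by neither selector
}

func main() {
	for _, st := range SampleStreams {
		fmt.Printf("%v allowed=%v\n", st, MultiEnvPolicy.Allows(st))
	}
	for _, s := range Restrict(Selector{{"app", "=", "api"}}, MultiEnvPolicy) {
		fmt.Println("effective selector:", s)
	}
}
```

The Restrict output makes the scope note above concrete: a query `{app="api"}` under this policy can only ever read `{app="api", secret!="true", env="prod"}` or `{app="api", env="dev"}`, and nothing in a later label filter expression widens that set.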