
Using label-based access control

Note: This feature is available from v1.1.0. For the latest releases, refer to Download Grafana Enterprise Logs.

Label-based access control creates access policies that allow you to query only the logs that meet specific label requirements. The feature allows you to associate multiple sets of Prometheus label selectors with a policy. As a result, queries only return data from the logs that match at least one of the provided selectors (all matchers within a selector must hold, and any one selector is enough). This corresponds to disjunctive normal form, which allows you to express any required policy.

Setting up a label policy

Label policies are set when you create an access policy on a per-tenant basis. This means that each tenant that is associated with an access policy can have a unique label policy.

  1. Click the Create access policy button.
  2. Fill in the Display name field with the access policy name.
  3. Select the logs:read scope.
  4. Select a tenant.
  5. Click the Add label selector button and add a label selector.
  6. Click the Create button.

Screenshot: Create LBAC policy

Label policy scope

Label policies are only applied to the log stream selector of the Loki query. They do not apply to label filter expressions. For more information, refer to the Log stream selector and Label filter expression sections in the Loki documentation about Log queries.

Exclude a label

One common use case for creating an LBAC policy is to exclude logs that have a specific label. For example, you can create a label policy that excludes all log lines with the label secret=true by adding a selector with secret!="true" when you create an access policy:

Screenshot: Create exclude label

Use multiple selectors

To create a policy that allows someone to access the production and development environments and excludes logs with the label secret=true in the production environment, use multiple selectors.

Screenshot: Create multiple selectors

The selectors {secret!="true", env="prod"} and {env="dev"} enforce the policy:

  • The selector {secret!="true", env="prod"} matches and returns log lines from the production environment that do not have the secret=true label.
  • The selector {env="dev"} matches and returns log lines from the development environment, even if they have the secret=true label.
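The following is an added example, not code from Grafana Enterprise Logs, that models how the "Exclude a label" and "Use multiple selectors" policies above decide which log streams a query may return. It assumes the evaluation rule the page describes (a stream is visible if it matches at least one selector, and every matcher inside a selector must hold) and the standard Prometheus/Loki matcher semantics for =, !=, =~ and !~, under which a label that is absent from a stream compares as the empty string. The sample streams and the parse_selector, policy_allows and filter_streams helpers are constructed for this illustration.

```python
import re
from typing import Dict, List, Tuple

# A matcher is (label, operator, value); operators are the LogQL stream selector operators.
Matcher = Tuple[str, str, str]

# One matcher: label name, operator (longest alternatives first), double-quoted value.
_MATCHER_RE = re.compile(r'\s*([A-Za-z_][A-Za-z0-9_]*)\s*(=~|!~|!=|=)\s*"((?:[^"\\]|\\.)*)"\s*')


def parse_selector(selector: str) -> List[Matcher]:
    """Parse a stream selector such as {secret!="true", env="prod"} into matchers.

    Escape sequences inside the quoted value are kept as written.
    """
    body = selector.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError(f"selector must be wrapped in braces: {selector!r}")
    body = body[1:-1].strip()
    matchers: List[Matcher] = []
    pos = 0
    while pos < len(body):
        m = _MATCHER_RE.match(body, pos)
        if not m:
            raise ValueError(f"bad matcher at offset {pos} in {selector!r}")
        label, op, value = m.groups()
        matchers.append((label, op, value))
        pos = m.end()
        if pos < len(body):
            if body[pos] != ",":
                raise ValueError(f"expected ',' at offset {pos} in {selector!r}")
            pos += 1
    return matchers


def matcher_matches(matcher: Matcher, labels: Dict[str, str]) -> bool:
    """Apply one matcher; a missing label is treated as the empty string."""
    label, op, value = matcher
    actual = labels.get(label, "")
    if op == "=":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "=~":
        return re.fullmatch(value, actual) is not None  # regex is anchored, as in Prometheus
    if op == "!~":
        return re.fullmatch(value, actual) is None
    raise ValueError(f"unknown operator {op!r}")


def selector_matches(matchers: List[Matcher], labels: Dict[str, str]) -> bool:
    """All matchers in one selector must hold (the AND term of the DNF)."""
    return all(matcher_matches(m, labels) for m in matchers)


def policy_allows(policy_selectors: List[str], labels: Dict[str, str]) -> bool:
    """A stream is visible if at least one selector matches (the OR of the DNF)."""
    return any(selector_matches(parse_selector(s), labels) for s in policy_selectors)


def filter_streams(policy_selectors: List[str], streams: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the streams a query under this policy could return."""
    return [s for s in streams if policy_allows(policy_selectors, s)]


# Constructed sample streams (label sets only; log lines are irrelevant to the policy).
SAMPLE_STREAMS: List[Dict[str, str]] = [
    {"env": "prod", "app": "api", "secret": "true"},
    {"env": "prod", "app": "api", "secret": "false"},
    {"env": "prod", "app": "web"},  # no secret label at all
    {"env": "dev", "app": "api", "secret": "true"},
    {"env": "staging", "app": "api"},
]

# The "Exclude a label" policy and the "Use multiple selectors" policy from the page.
EXCLUDE_POLICY = ['{secret!="true"}']
MULTI_POLICY = ['{secret!="true", env="prod"}', '{env="dev"}']

if __name__ == "__main__":
    for name, policy in (("exclude", EXCLUDE_POLICY), ("multi", MULTI_POLICY)):
        print(f"policy {name}: {policy}")
        for stream in SAMPLE_STREAMS:
            print(f"  {'allow' if policy_allows(policy, stream) else 'deny '}  {stream}")
```

Running the block shows the two behaviours the page calls out: under the multi-selector policy the prod stream with secret=true is denied, while the dev stream with secret=true is allowed. It also shows a consequence worth checking when you rely on an exclusion matcher: because a missing label compares as an empty string, {secret!="true"} admits streams that carry no secret label at all, so an exclusion policy only protects streams that are consistently labelled at ingest time.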