update the content and add back to the top button
shavidissa committed Jan 3, 2024
1 parent a50c650 commit 9756955
Showing 2 changed files with 70 additions and 12 deletions.
42 changes: 35 additions & 7 deletions pages/doc/csp_security_policy.md
Expand Up @@ -71,13 +71,13 @@ For example, assume you have two traces security rules:
<tr>
<td markdown="span">BlockPaymentService</td>
<td>2</td>
<td>All spans that include the <code>myapp.payment*</code> data.</td>
<td>All spans that include the <code>myapp.payment.*</code> data.</td>
<td>All accounts</td>
</tr>
<tr>
<td markdown="span">AllowPaymentData</td>
<td>1</td>
<td>All spans that include the <code>myapp.payment*</code> data.</td>
<td>All spans that include the <code>myapp.payment.*</code> data.</td>
<td>All accounts in Finance group</td>
</tr>
</tbody>
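Review bot: The pattern in both rule rows changes from `myapp.payment*` to `myapp.payment.*`, which narrows what the rules match, and nothing in the surrounding text says so. Going by the prefix-format rows later in this file, the old form covers every service whose name starts with `payment`, while the new form covers only the data of the `payment` service itself. Add a sentence under the table stating that the BlockPaymentService and AllowPaymentData pair applies to that one service, so a reader who copied the old pattern does not assume similarly named services are still blocked.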
Expand All @@ -89,6 +89,12 @@ After the rules are in force, only the users in the Finance group can:
* See the RED metrics for the Payment service on the Operations Dashboard.
* See the trace data that includes the payments service on the Traces Browser.

<table style="width: 100%;">
<tbody>
<tr><td width="90%">&nbsp;</td><td width="10%"><a href="csp_security_policy.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
</tbody>
</table>

## Rule Priority and Rule Pairs

Rules are evaluated in priority order. In many cases, it's useful to think of pairs of rules, for example:
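Review bot: The added link uses `href="csp_security_policy.html"`, which points at the page URL rather than a fragment, and the icon uses the root-relative `src="/images/to_top.png"` while the screenshot in this file is referenced as `images/traces_security_policy_example_service_map.png`. Pick one path convention, and since this five-line table is pasted unchanged before every section heading, consider moving it into a single include so the link target and alt text are maintained in one place.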
Expand Down Expand Up @@ -116,6 +122,12 @@ Rules are evaluated in priority order. In many cases, it's useful to think of pa

When you apply this policy, the users included in the user group will have access to the metrics starting with the `cpu.` prefix and point tag `env=dev`, because the **Allow metrics** rule overrides the **Block all** rule.

<table style="width: 100%;">
<tbody>
<tr><td width="90%">&nbsp;</td><td width="10%"><a href="csp_security_policy.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
</tbody>
</table>

## Metrics Security Policy

You can block sensitive metrics data from time series, histograms, RED metrics, and delta counters so that they don't show on charts and dashboards, and alerts.
Expand Down Expand Up @@ -237,7 +249,7 @@ You create a metrics security policy rule following these steps. See the annotat
* If you want to specify multiple key=value pairs, select whether you want to combine them with `and` or `or` using the dropdown menu on the right.
1. Specify the Access definition for the rule.
1. Select **Allow** or **Block** from the menu.
2. Specify accounts, groups, or roles.
2. Specify accounts, or groups.
1. Click **OK.**


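Review bot: The new step text "Specify accounts, or groups." keeps a stray comma after removing "roles". The matching step in the traces procedure in this same commit reads "Specify accounts or groups."; use that wording here too.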
Expand Down Expand Up @@ -311,6 +323,11 @@ With this policy in place:
* Members of the `Admins` group are granted access to all metrics (Rule 3).
* Users who don’t belong to the groups covered by the rules have no access.

<table style="width: 100%;">
<tbody>
<tr><td width="90%">&nbsp;</td><td width="10%"><a href="csp_security_policy.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
</tbody>
</table>

## Traces Security Policies

Expand Down Expand Up @@ -387,7 +404,7 @@ You create a traces security policy rule following these steps. See the annotate
`supermarket.vegtables*`
</td>
<td markdown="span">
Using this prefix format, you can block or allow the trace operations data of all the services that start with `vegetables`. In this example, the traces operation data of the `vegetablesGreen` and `vegetablesRed` services can be blocked or shown to specific users.
Using this prefix format, you can block or allow the data of all the services that start with `vegetables`. In this example, the data of the `vegetablesGreen` and `vegetablesRed` services can be blocked or shown to specific users.
</td>
</tr>
<tr>
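Review bot: The rewritten description still says "services that start with `vegetables`" and names `vegetablesGreen` and `vegetablesRed`, but the pattern shown in the cell above is `supermarket.vegtables*`. A rule copied from the pattern column would not match the services the description names, so settle on one spelling in both columns while this row is being edited.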
Expand All @@ -398,13 +415,13 @@ You create a traces security policy rule following these steps. See the annotate
`supermarket.vegtablesGreen.*`
</td>
<td markdown="span">
Using this prefix format, you can allow or block the traces operations data of the `supermarket` applications `egtablesGreen` service, which includes the `add` and `purchased` operations.
Using this prefix format, you can allow or block the data of the `supermarket` applications `vegtablesGreen` service, which includes the `add` and `purchased` operations.
</td>
</tr>
</table>
1. Specify the Access definition for the rule.
1. Select **Allow** or **Block** from the menu.
2. Specify accounts, groups, or roles.
2. Specify accounts or groups.
1. Click **OK.**


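Review bot: In the rewritten description, "the `supermarket` applications `vegtablesGreen` service" is missing the possessive; it should read "the `supermarket` application's". The fix from `egtablesGreen` to `vegtablesGreen` matches this row's pattern, but the previous row's description spells the same service `vegetablesGreen`, so the two rows now disagree on the service name.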
Expand All @@ -430,6 +447,11 @@ The screenshots below show you how the blocked trace data does not show up for a
* Application Map: The Super Admin user can see the passenger service on the Application Map, while the other user, who belongs to the Everyone group, cannot see the passenger service on the Application Map.
![A screenshot of how the Super Admin user and a user that belongs to the everyone group sees data on the application map.](images/traces_security_policy_example_service_map.png)

<table style="width: 100%;">
<tbody>
<tr><td width="90%">&nbsp;</td><td width="10%"><a href="csp_security_policy.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
</tbody>
</table>

## Manage Multiple Security Policy Rules

Expand All @@ -451,4 +473,10 @@ Here's a tour:
1. Select the check box to the left of a rule to select it, then use the icons above to clone or delete the selected rule.
1. Select the check boxes to the left of multiple rules to select them, use the icons to indicate changes, and click **Save** to commit the changes.
1. Click the six-dot icon to explicitly drag a rule where you want it and change the rule prioritization.
1. If you've moved, cloned, or deleted one or more rules, use the **Undo** button to undo the change, or **Redo** to revert the undo.
1. If you've moved, cloned, or deleted one or more rules, use the **Undo** button to undo the change, or **Redo** to revert the undo.

<table style="width: 100%;">
<tbody>
<tr><td width="90%">&nbsp;</td><td width="10%"><a href="csp_security_policy.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
</tbody>
</table>
40 changes: 35 additions & 5 deletions pages/doc/security_policy.md
Expand Up @@ -101,7 +101,7 @@ For example, assume you have two traces security rules:
2
</td>
<td>
All spans that include the <code>myapp.payment*</code> data.
All spans that include the <code>myapp.payment.*</code> data.
</td>
<td>
All accounts
Expand All @@ -118,7 +118,7 @@ For example, assume you have two traces security rules:
1
</td>
<td>
All spans that include the <code>myapp.payment*</code> data.
All spans that include the <code>myapp.payment.*</code> data.
</td>
<td>
All accounts in Finance group
Expand All @@ -133,6 +133,12 @@ After the rules are in force, only the users in the Finance group can:
* See the RED metrics for the Payment service on the Operations Dashboard.
* See the trace data that includes the payments service on the Traces Browser.

<table style="width: 100%;">
<tbody>
<tr><td width="90%">&nbsp;</td><td width="10%"><a href="security_policy.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
</tbody>
</table>

## Rule Priority and Rule Pairs

Rules are evaluated in priority order. In many cases, it's useful to think of pairs of rules, for example:
Expand Down Expand Up @@ -160,6 +166,12 @@ Rules are evaluated in priority order. In many cases, it's useful to think of pa

When you apply this policy, the users included in the user group will have access to the metrics starting with the `cpu.` prefix and point tag `env=dev`, because the **Allow metrics** rule overrides the **Block all** rule.

<table style="width: 100%;">
<tbody>
<tr><td width="90%">&nbsp;</td><td width="10%"><a href="security_policy.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
</tbody>
</table>

## Metrics Security Policy

You can block sensitive metrics data from time series, histograms, RED metrics, and delta counters so that they don't show on charts and dashboards, and alerts.
Expand Down Expand Up @@ -368,6 +380,11 @@ With this policy in place:
* Members of the `Admins` group are granted access to all metrics (Rule 3).
* Users who don’t belong to the groups covered by the rules have no access.

<table style="width: 100%;">
<tbody>
<tr><td width="90%">&nbsp;</td><td width="10%"><a href="security_policy.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
</tbody>
</table>

## Traces Security Policies

Expand Down Expand Up @@ -444,7 +461,7 @@ You create a traces security policy rule following these steps. See the annotate
`supermarket.vegtables*`
</td>
<td markdown="span">
Using this prefix format, you can block or allow the trace operations data of all the services that start with `vegetables`. In this example, the traces operation data of the `vegetablesGreen` and `vegetablesRed` services can be blocked or shown to specific users.
Using this prefix format, you can allow or block the data of all the services that start with `vegetables`. In this example, the data of the `vegetablesGreen` and `vegetablesRed` services can be blocked or shown to specific users.
</td>
</tr>
<tr>
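Review bot: The new description here opens with "you can allow or block", while the same row in csp_security_policy.md in this commit reads "you can block or allow". The two files carry the same table, so align the wording. The mismatch between the `supermarket.vegtables*` pattern and the `vegetables` service names in the description also applies to this copy.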
Expand All @@ -455,7 +472,7 @@ You create a traces security policy rule following these steps. See the annotate
`supermarket.vegtablesGreen.*`
</td>
<td markdown="span">
Using this prefix format, you can allow or block the traces operations data of the `supermarket` applications `egtablesGreen` service, which includes the `add` and `purchased` operations.
Using this prefix format, you can allow or block the data of the `supermarket` applications `vegtablesGreen` service, which includes the `add` and `purchased` operations.
</td>
</tr>
</table>
Expand Down Expand Up @@ -487,6 +504,13 @@ The screenshots below show you how the blocked trace data does not show up for a
![A screenshot of how the Super Admin user and a user that belongs to the everyone group sees data on the application map.](images/traces_security_policy_example_service_map.png)


<table style="width: 100%;">
<tbody>
<tr><td width="90%">&nbsp;</td><td width="10%"><a href="security_policy.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
</tbody>
</table>


## Manage Multiple Security Policy Rules

The following annotated screenshot gives an overview of rule management options:
Expand All @@ -507,4 +531,10 @@ Here's a tour:
1. Select the check box to the left of a rule to select it, then use the icons above to clone or delete the selected rule.
1. Select the check boxes to the left of multiple rules to select them, use the icons to indicate changes, and click **Save** to commit the changes.
1. Click the six-dot icon to explicitly drag a rule where you want it and change the rule prioritization.
1. If you've moved, cloned, or deleted one or more rules, use the **Undo** button to undo the change, or **Redo** to revert the undo.
1. If you've moved, cloned, or deleted one or more rules, use the **Undo** button to undo the change, or **Redo** to revert the undo.

<table style="width: 100%;">
<tbody>
<tr><td width="90%">&nbsp;</td><td width="10%"><a href="security_policy.html"><img src="/images/to_top.png" alt="click for top of page"/></a></td></tr>
</tbody>
</table>
