
Commit

editing shared tokens
Simplychee committed Aug 20, 2024
1 parent 7da44ed commit 6b0f466
Showing 3 changed files with 50 additions and 83 deletions.
44 changes: 16 additions & 28 deletions docs/user-guide/admin/authentication-tokens/shared-tokens.md
Expand Up @@ -7,56 +7,44 @@ keywords: [api token management, api token, api, token, key creation, token auth
---


Shared tokens give you the option to share OpenSearch Dashboards objects and visualizations with stakeholders who don't have access to your Logz.io account.
Shared tokens allow you to share objects and visualizations with stakeholders who don't have access to your Logz.io account. Note that even non-admin users of your account can utilize these shared tokens.

Note that also non-admin users of your account will be able to use the account's shared tokens.

## Best-practice recommendations
## Best practices for shared tokens

A shared token has access to all of its account logs. When using a shared token, it is better not to rely on the OpenSearch Dashboards filters applied to the dashboard or visualizations being shared. Instead, it is best to limit access at the token level using token filters.

These best-practice recommendations will help you keep your data secure when using shared tokens:
Using a shared token provides access to all of its account logs. When using a shared token, it's better to not rely on OpenSearch Dashboards filters applied to the dashboard or visualizations being shared. Instead, it's strongly recommended to use token filters to limit access at the token level.

* **Shared tokens can potentially give read-only access to all logs in your account.**

It is therefore strongly recommended that you apply **token filters** to every token.

* **Shared tokens do not expire.**
* **Set an expiration date for your shared tokens.**

Always make sure to cancel them once they are no longer needed. Rotating your shared tokens often is a good idea in general and another way to make sure old tokens get canceled.
By default, shared tokens expire in 7 days, but you can adjust this based on your needs. Regularly rotating tokens helps ensure old ones are no longer active. Remember to edit or delete the tokens once they are no longer needed.

For example, the shared token powering the sharing link of a snapshot is still active and continues to enable access to the logging database even after the logs included in the snapshot are no longer in retention. Always make sure to delete the token once it has fulfilled its purpose.
For legacy tokens created before August 19th, 2024, which have no expiration, it’s advisable for admins to set expiration dates or delete them as needed.

* **Changes in token filters take effect immediately.**

Any changes will be reflected in affected sharing links, regardless of when they were created.

This means that you can add or remove token filters to a shared token at any time to change access permissions. This can be done both _before or after_ the sharing link has been sent out. For example, if you've accidentally shared too much, you can add token filters to tighten control and your recipients' links will be updated accordingly.
Of course, this works the other way as well. If you delete a sharing token, any existing sharing links that were previously sent out, will reflect the updated permissions.

It is always a good idea to double-check token filters before using the public sharing option to make sure they are up-to-date.
Any modifications to token filters take effect instantly, affecting all associated sharing links, whether they were created before or after the change. This allows you to tighten or loosen access controls as necessary. If you delete a token, any related sharing links will be updated accordingly.

* **Exercise caution and take note of who you're sharing your links with.**

Opt for in-app sharing options whenever possible. If you plan on sharing links with clients, you can use sub accounts to keep each client's logs separate and more secure.
Always double-check token filters before using the public sharing option to ensure they are current. It's important to be mindful of who you share links with, and whenever possible, use in-app sharing options. For client sharing, consider using sub-accounts to keep logs secure and separated.

## Managing shared tokens

To manage your shared tokens:

From your account, go to the <a href="https://app.logz.io/#/dashboard/settings/manage-tokens/shared" target ="_blank"> **Manage Tokens** > **Shared tokens** tab.</a> of your Operations workspace It can be reached by selecting **<i class="li li-gear"></i> > Settings > Tools > Manage Tokens**.
Navigate to [Settings > Manage tokens > Shared tokens](https://app.logz.io/#/dashboard/settings/manage-tokens/shared)

The token for each account is listed in the table along with the date it was created.
The token for each account is listed in the table along with its filter logic, last used, and its expiration date.

### Working with shared tokens

* To create a token, click **+Add shared token**, type a brief **token name**, select **filters** from the dropdown list, and click **Add**.
* To create a token, click **+Add shared token**, type a brief **token name**, select an **expiration date**, add **filters** from the dropdown list if needed, and click **Add**.
* To delete a token, hover over it, and click **delete** <i class="li li-trash"></i> to delete it.


* To attach filters to a token, hover over the token, click **edit** <i class="li li-pencil"></i>, select filters from the dropdown list, and click **Save**.
* To remove filters from a token, hover over the token, click **edit** <i class="li li-pencil"></i>, <i class="li li-x"></i> out the filters you want to remove, and click **Save**.

* To edit a token, hover over it and click **Edit** to adjust the expiration date or modify filters.

### Working with token filters
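
Review bot: In the "Set an expiration date" bullet, the paragraph on legacy tokens created before August 19th, 2024 only calls setting an expiration "advisable", while the same hunk drops the snapshot example explaining that a token keeps enabling access to the logging database after the snapshot's logs are out of retention. That example is still the reason a non-expiring token matters, so consider keeping a one-sentence version next to the legacy-token paragraph. Separately, "If you delete a token, any related sharing links will be updated accordingly" does not say what a recipient will experience after deletion; state the outcome explicitly.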

Expand All @@ -71,14 +59,14 @@ Each token filter is a `field: value` key-value pair. The value needs to be an e

* To delete a filter, hover over it, and click **delete** <i class="li li-trash"></i> to delete it. You'll be asked to confirm the deletion.

If the filter you just deleted was used in any sharing links, they will immediately be updated to reflect the new access permissions.
If this filter was in use, any sharing links will immediately reflect the updated access permissions.

### Testing token filters

You can open an incognito browser window to test your sharing links.
Open an incognito browser window to test how your sharing links and token filters impact what recipients will see. Refresh the view after making changes to ensure everything works as intended.


For example, if you're trying to share a dashboard, you can add or remove token filters and refresh the view in your browser window to see how the filters affect what your recipients will see.

:::warning Warning
Remember, the OpenSearch Dashboards filters at the dashboard or visualization level affect what your recipients will see. However - from a security point of view - they don't control access tightly enough. Make sure to apply the token filters you need to keep your data secure.
While OpenSearch Dashboards filters control what recipients see, they don't provide adequate security control. Always apply necessary token filters to ensure your data remains secure.
:::
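
Review bot: The rewritten warning ("they don't provide adequate security control") no longer says why, and it drops the "at the dashboard or visualization level" qualifier from the old wording. The reason is already stated at the top of this file: a shared token provides access to all of its account logs unless token filters limit it. Repeating that in one clause here would make the warning actionable rather than generic.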
48 changes: 17 additions & 31 deletions docs/user-guide/admin/authentication-tokens/tokens.md
Expand Up @@ -7,58 +7,44 @@ keywords: [api token management, api token, api, token, key creation, token auth
---


Logz.io uses tokens to manage data shipping for logs, metrics, and traces; permissions for dashboard sharing links; and for API authorizations.
Logz.io uses tokens to manage data shipping for logs, metrics, and traces; control permissions for dashboard sharing; and authorize API access.

You will need to be an account admin to create, delete, or access your tokens.

### Which token should I use?
**Admin Access Required**: Only account admins can create, delete, or manage tokens.

The type of token you use depends on what you're trying to do.
Read on to see your options.

## Tokens to send data to your account
## Data shipping tokens

To send data into your account you should use: **Log shipping token**, **Metrics shipping token**, or **Tracing shipping token**.

The shipping token tells Logz.io which account to send your data to.
Every account has its own tokens.
To send data to your account, use Data Shipping Tokens: **Logs**, **Metrics**, or **Tracing**. These tokens specify which account to send your data to, with each account having its own unique tokens.

You can click any **Token** to copy it with one-click.

* Learn more about managing your [Log shipping tokens](https://docs.logz.io/docs/user-guide/admin/authentication-tokens/log-shipping-tokens/)
* Learn more about your [Metrics shipping token](https://docs.logz.io/docs/user-guide/admin/authentication-tokens/finding-your-metrics-account-token/)
* Learn more about your [Distributed Tracing shipping token](https://docs.logz.io/docs/user-guide/admin/authentication-tokens/finding-your-tracing-account-token/)

## Tokens to share dashboards and more

To share dashboards and other elements with others, use: **Shared token**.

Shared tokens allow you to share visualizations and dashboards with anyone, even if they don't have a login to your account.
## Shared tokens for dashboard sharing

To limit the data available to shared tokens, attach filters.
Keep your data secure by attaching a filter to every token and deleting tokens you no longer need.
To share dashboards or other elements, use a **Shared Token**. These tokens allow you to share visualizations with anyone, even if they don't have access to your account.

To manage your shared tokens, select [**<i class="li li-gear"></i> > Tools > Manage tokens**](https://app.logz.io/#/dashboard/settings/manage-tokens/shared) in the top menu and select the **Shared tokens** tab.
* **Secure Sharing**: Set an expiration date and attach filters to limit data access and ensure security. Delete tokens that are no longer needed.

* For more information on [managing shared tokens](https://docs.logz.io/docs/user-guide/admin/authentication-tokens/shared-tokens/)
* **Manage Shared Tokens**: Go to [Tools > Manage Tokens](https://app.logz.io/#/dashboard/settings/manage-tokens/shared) and select the Shared Tokens tab.

## Tokens to develop an integration
Learn more about [managing shared tokens](https://docs.logz.io/docs/user-guide/admin/authentication-tokens/shared-tokens/).

If you're interested in developing an integration, you should use **API token**.
## API tokens for integration development

Use API tokens to authenticate integrations with your Logz.io account.
API tokens are available to Enterprise and Pro plan subscribers, as well as during an account's trial period.
To develop integrations, use an **API Token**. API tokens authenticate integrations with your Logz.io account and are available to Enterprise and Pro plan subscribers, as well as during trial periods.

To manage your API tokens, select [**<i class="li li-gear"></i>Settings > Tools > Manage tokens**](https://app.logz.io/#/dashboard/settings/manage-tokens/api) in the top menu and select the **API tokens** tab.
Manage API Tokens: Go to [Settings > Tools > Manage Tokens](https://app.logz.io/#/dashboard/settings/manage-tokens/api) and select the API Tokens tab.

* For more information on [managing API tokens](https://docs.logz.io/docs/user-guide/admin/authentication-tokens/api-tokens/)
* If you want to build your own integration, visit the [Logz.io API Developer Guide](https://api-docs.logz.io/docs/logz/logz-io-api/)

## About token permissions
* Learn more about [managing API tokens](https://docs.logz.io/docs/user-guide/admin/authentication-tokens/api-tokens/)
* Build your own integration with [Logz.io API Developer Guide](https://api-docs.logz.io/docs/logz/logz-io-api/)

Tokens are account-specific. This means their permissions are scoped to the account they are created in.
If you change your account permissions, tokens respect the updated permissions.
## Token permissions

For example, if you create an API token in your main account, it can be used to search the data indexed in the main account and any of the sub accounts by default.
Tokens are specific to the account they are created in and adhere to the account’s permissions. If account permissions change, the tokens respect these changes.

If you change the account permissions so that the sub account is not searchable from the main account, the main account's API token can no longer be used to search the sub account's data.
For example, if you create an API token in your main account, it can access data from the main account and its sub-accounts by default. If permissions are updated so the sub-account is no longer accessible from the main account, the API token will lose access to the sub-account's data.
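
Review bot: The menu paths in the two "Manage ..." lines disagree: the shared-tokens line reads "[Tools > Manage Tokens]" and the API-tokens line reads "[Settings > Tools > Manage Tokens]", while shared-tokens.md in this commit uses "Settings > Manage tokens > Shared tokens". Pick one path and casing and use it in all three files; the API line is also missing the bullet and bold label that "**Manage Shared Tokens**" has. In the "Admin Access Required" line, the old "create, delete, or access your tokens" became "create, delete, or manage tokens"; dropping "access" changes the stated restriction, so confirm that is intended.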
41 changes: 17 additions & 24 deletions docs/user-guide/log-management/collaboration/sharing-links.md
Expand Up @@ -6,43 +6,39 @@ image: https://dytvr9ot2sszz.cloudfront.net/logz-docs/social-assets/docs-social.
keywords: [logz.io, collaboration, sharing, log analysis, observability]
---

You can use shared tokens to share OpenSearch dashboards and visualizations with
stakeholders who don't have access to your Logz.io account.
You can use shared tokens to share objects and visualizations with stakeholders who don't have access to your Logz.io account. This is particularly useful for communicating with clients outside your organization or with other teams internally.

This can be useful for communicating with clients outside your organization or internally with other teams.
### Configuring a shared token

To share objects, queries, and dashboards, you need to configure a shared token. Only account admins can create, delete, or manage tokens.

### Decide which dashboard to share

Open the dashboard you would like to share.
When you share a dashboard, you can decide whether to share the dashboard with a relative or fixed timeframe.
To create a token, navigate to [Settings > Manage tokens](https://app.logz.io/#/dashboard/settings/manage-tokens/shared), select **+ New shared token**, configure an expiration date, add any necessary filters, and save the token.

* **Snapshot** - Converts the time selection to absolute dates. Your recipients will view the same data you are viewing now. For example, if you send out a snapshot when viewing the dashboard for the last 24 hours, your recipients will receive the dashboard with a fixed date range selection.

Of course, this type of permalink is short lived, depending on your log retention policy. Once the logs are too old, they will no longer feed the dashboard, and your recipients won't have anything to see.
Learn more about the different [types of tokens](https://docs.logz.io/docs/user-guide/admin/authentication-tokens/tokens/).

* **Saved object** - Shares the dashboard with a relative time selection.

The permalink will load the dashboard with its default time selection and filters. For example, if the dashboard is set for the last 15 minutes, this is the time frame your recipients will also review.
### Choosing a Dashboard to Share

This option means the sharing link will automatically be updated to reflect any changes made to the dashboard in the future. So if someone saves changes to the dashboard after the sharing link was sent out, your recipients will see the updated version without you having to resend them a new link.
Open the dashboard or saved query you would like to share. When you share an item, you can decide whether to share it as a snapshot or a saved object.

<!-- <video autoplay loop>
<source src="https://dytvr9ot2sszz.cloudfront.net/logz-docs/dashboards/share-permalink_aug2021.mp4" type="video/mp4" />
</video> -->
* **Snapshot** - Converts the time selection to absolute dates, allowing recipients to view the exact data you're seeing. For example, if you send a snapshot for the last 24 hours, recipients will receive a dashboard with a fixed date range. Note that this link is short-lived based on your log retention policy; once the logs expire, the dashboard will no longer display data.

* **Saved object** - Shares the dashboard with a relative time selection, meaning the dashboard will load with its default time selection and filters. This option keeps the link updated automatically if changes are made to the dashboard, so recipients always see the latest version without needing a new link.

![Share your dashboard](https://dytvr9ot2sszz.cloudfront.net/logz-docs/kibana/dashboard-to-share.gif)


### How recipients will see the shared dashboards
### How recipients will view shared dashboards

When you choose to **Share Public**, your recipients will receive a link to the dashboard you've shared with them. The dashboard will appear without the top and side navigation bars, and without the OpenSearch Dashboards time filtering options.
When you select **Share Public**, you'll choose the relevant [shared token](https://docs.logz.io/docs/user-guide/admin/authentication-tokens/shared-tokens/), and recipients will receive a link to the shared dashboard. The dashboard will appear without the top and side navigation bars and without the OpenSearch Dashboards time filtering options.

However, you can edit the link to **include the time frame** by adding the following string to the end of the link:
To **include the time frame** and search functionality in the shared link, add the following string to the end of the URL:

`&forceShowQueryBar=true`

For example, if your public link is:
For example, the original link:

`https://app.logz.io/?embed=true&shareToken=8d90-fbe1c84836d3#/dashboard/osd/discover/?=&_a=(columns%3A...15m%2Cto%3Anow))`
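
Review bot: The Snapshot bullet now says the link is "short-lived based on your log retention policy", which describes when the data stops displaying, not when access through the token ends. Since shared-tokens.md in this commit removes the sentence explaining that the token stays active after the logs are out of retention, add a clause here that the link stays valid until the shared token expires or is deleted. The `&forceShowQueryBar=true` paragraph now advertises "search functionality" in the shared link; because this is only a suffix on the URL, a pointer back to token filters as the actual access limit would fit here. The button label "**+ New shared token**" also differs from "**+Add shared token**" in shared-tokens.md.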

Expand All @@ -51,15 +47,12 @@ This is how users will see it:
![public share no time](https://dytvr9ot2sszz.cloudfront.net/logz-docs/sharing-logs/share-public-link.png)


When you add the time frame string to the end of the URL, it changes the view and includes the time frame and search abilities:

With the time frame string added:

`https://app.logz.io/?embed=true&shareToken=8d90-fbe1c84836d3#/dashboard/osd/discover/?=&_a=(columns%3A...15m%2Cto%3Anow))&forceShowQueryBar=true`

![public share with time](https://dytvr9ot2sszz.cloudfront.net/logz-docs/sharing-logs/share-with-time.png)

### Testing your sharing permalink


### Test your sharing permalink

You can open your sharing link in incognito mode to test and verify it's working.
To verify that your sharing link works as expected, you can open it in an incognito browser window.
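
Review bot: "To verify that your sharing link works as expected" only asks the reader to confirm the link opens. The "Testing token filters" section of shared-tokens.md uses the same incognito check to see what recipients can view under the token filters, so link to it here and ask the reader to confirm the filtered view as well. The renamed heading "### Test your sharing permalink" is imperative while the other headings touched in this file use the "-ing" form ("Configuring a shared token", "Choosing a Dashboard to Share"); keep one style.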
