
OpenLBAC: Label-Based Access Control

Enforce per-group query policies on Prometheus, Loki, Thanos, and Cortex. No plugins. No datasource changes.

OpenLBAC architecture diagram

How it works in 60 seconds

Using Keycloak, Okta, Auth0, or any OIDC provider? lbac-proxy validates the JWT and extracts groups from the token directly:

Keycloak / Okta / Auth0
  │  issues JWT with groups: ["platform-team", "sre"]

Any client  →  lbac-proxy:8080/my-datasource/...
                    ├── Validates JWT Bearer token
                    │     └── extracts groups: ["platform-team", "sre"]
                    ├── Looks up group policies from lbac-core
                    │     └── platform-team → namespace=production
                    ├── Rewrites query: up{} → up{namespace="production"}
                    └── Forwards to Prometheus / Loki / Thanos / Cortex

Already using Grafana? No IdP setup needed — lbac-proxy reads identity directly from Grafana Teams:

Grafana (Teams: platform-team, sre)
  │  user opens a dashboard

Grafana  →  lbac-proxy:8080/my-datasource/...
                    ├── Reads X-Grafana-User header
                    │     └── looks up teams via Grafana API → ["platform-team", "sre"]
                    ├── Looks up group policies from lbac-core
                    │     └── platform-team → namespace=production
                    ├── Rewrites query: up{} → up{namespace="production"}
                    └── Forwards to Prometheus / Loki / Thanos / Cortex

Configure a policy once:

{
  "group": "platform-team",
  "rules": [
    { "label": "namespace", "operator": "=~", "values": ["production", "staging"] },
    { "label": "env",       "operator": "!=", "values": ["dev"] }
  ]
}

Every query is automatically scoped — no client changes needed.
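The rewriting step shown above, as an added illustration (not lbac-proxy's own code): it turns the policy rules into PromQL label matchers and appends them to a single vector selector. It assumes policy values are literal label values (so they are regex-escaped before being joined into an anchored alternation), and that the proxy applies this to every selector in a parsed query. The security-relevant property is that client-supplied matchers are kept rather than replaced: Prometheus ANDs all matchers on a label, so a client can only narrow the enforced scope, never widen it.

```python
import re

# Metacharacters of RE2, the regex dialect Prometheus uses for =~ / !~.
_RE2_SPECIAL = set(r"\.+*?()|[]{}^$")

def _re2_escape(value: str) -> str:
    """Escape a literal label value so it matches itself inside a regex."""
    return "".join("\\" + c if c in _RE2_SPECIAL else c for c in value)

def _quote(value: str) -> str:
    """Render a PromQL double-quoted string literal."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def rule_to_matcher(rule: dict) -> str:
    """Turn one policy rule into a PromQL label matcher. Several values collapse
    into one regex alternation; that is exact because Prometheus regex matchers
    are fully anchored (production|staging cannot match "production-old")."""
    label, op, values = rule["label"], rule["operator"], rule["values"]
    if not values:
        raise ValueError(f"rule for {label!r} has no values")
    if not re.fullmatch(r"[a-zA-Z_][a-zA-Z0-9_]*", label):
        raise ValueError(f"invalid label name {label!r}")
    if op in ("=", "!=") and len(values) == 1:
        return f"{label}{op}{_quote(values[0])}"
    if op in ("=", "=~"):
        op = "=~"
    elif op in ("!=", "!~"):
        op = "!~"
    else:
        raise ValueError(f"unknown operator {op!r}")
    return f"{label}{op}{_quote('|'.join(_re2_escape(v) for v in values))}"

# One vector selector: optional metric name, optional {matchers}. Anything else
# (functions, ranges, binary expressions) is rejected rather than guessed at.
_SELECTOR = re.compile(r"^\s*([a-zA-Z_:][a-zA-Z0-9_:]*)?\s*(?:\{(.*)\})?\s*$", re.S)

def enforce(selector: str, policy: dict) -> str:
    """Append the policy's matchers to a vector selector, keeping the client's."""
    m = _SELECTOR.match(selector)
    if not m or (m.group(1) is None and m.group(2) is None):
        raise ValueError(f"not a vector selector: {selector!r}")
    name = m.group(1) or ""
    # The client's matcher text is carried through untouched, not parsed.
    inner = (m.group(2) or "").strip().rstrip(", ").strip()
    parts = ([inner] if inner else []) + [rule_to_matcher(r) for r in policy["rules"]]
    return f"{name}{{{','.join(parts)}}}"

# The policy from the page, as the sample input.
POLICY = {"group": "platform-team", "rules": [
    {"label": "namespace", "operator": "=~", "values": ["production", "staging"]},
    {"label": "env", "operator": "!=", "values": ["dev"]},
]}
```

A client that sends `up{namespace="dev"}` ends up with both `namespace="dev"` and `namespace=~"production|staging"` on the selector, which matches nothing; the enforced scope is never overridden.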

Community & Support

OpenLBAC is built in the open. Contributions, bug reports, and feature requests are welcome on GitLab.

Released under the Apache 2.0 License.