1. Describe your incident:
I have created a service account (nrpe) for monitoring various aspects of Graylog via the REST API (using token authentication). While I can access some of the APIs with the Reader role, I’m really wanting to be able to access the index set statistics (/api/system/indices/index_sets/stats)… which seems to only be available to the Admin role.
I can’t seem to find much in the way of detailed documentation concerning the configuration of roles.
I really just require GET access to /api/system/indices/index_sets/stats, but would be okay with GET access to all APIs… but really want to avoid allowing POST/PUT for the monitoring account.
2. Describe your environment:
- Package Version:
Graylog v6.1.5
3. What steps have you already taken to try and solve the problem?
I’ve tried a lot of random strings; however, in order to allow access to that API it seems that full admin access (i.e. “*:*”) must be included in order to access that API.
```bash
# A Monitoring role with lots of random attempts!
curl -sk -XPUT -u "$(cat admin.token):token" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json; charset=utf-8' \
  -H 'X-Requested-By: GrayMetrics' \
  'https://127.0.0.1/api/roles/monitoring' \
  -d '{"name":"Monitoring","description":"Monitoring User","permissions":["indices:*","indexes:*","shards:*","index_sets:*","index:*","stat:*","stats:*","metrics:*","system:*","indexset:*","index_sets:*","api:*","elastic:*"],"read_only":false}'

# Attempt to access the API via a token assigned to the Monitoring role
curl -sk -u "$(cat nrpe.token):token" -X GET \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json; charset=utf-8' \
  -H 'X-Requested-By: GrayMetrics' \
  'https://127.0.0.1/api/system/indices/index_sets/stats'
```
4. How can the community help?
Is there more detail concerning the creation of custom roles, in particular which permission strings are available and the available parameters?