API Authorization error

I have a call that goes something like this.

https://x.x.x.x:12900/api/search/universal/relative/terms?field=cs-user-agent&query=*&size=250&range=86400

When doing this from my admin account I have no problems, but as soon as I try from any non-admin account I get this message.

 {"type":"ApiError","message":"Not authorized"}

What can I do to work around this? I’m not seeing an “All” messages option in authentication to allow a non-admin user or role to run this query.

I’d recommend creating a stream for that specific purpose and allow the non-admin account to access that stream.

If you absolutely want the non-admin account to have access to the universal search (which I wouldn’t recommend), you have to create a role with the permissions searches:absolute, searches:keyword, or searches:relative (depending on what type of search you want to execute).

See http://docs.graylog.org/en/2.3/pages/users_and_roles.html for details.


I applied your first recommendation by creating a stream with a rule that uses “message” as the field with type “field presence”, which seems to match the all messages stream. Seems to work from what I see. Would you recommend another route as far as the stream setup? While this works, I may be missing a more obvious/efficient method.

Why not check for the presence of the “cs-user-agent” field you’ve mentioned in your first post?

Also, if you’re matching every message, you could simply allow access to the default stream (which already contains all messages).

That was just an example. That field could easily change based on the data we are trying to pull out. I think I can make this work with your current recommendations. But at the most basic level we were looking to create a single user/role to be able to make those universal queries but not have access to any other admin level access, so they couldn’t view or make any changes to any “system” options (authentication, configurations, indices, etc.) in the interface or via API.

As I said before, you can allow the account access to the “All messages” stream.

Last post withdrawn. Looks as though that didn’t work. I allowed access to the “all messages stream”; in fact, it was already enabled. But I’m still getting that error when querying that stream for, in this case, the “user-agent” field.

for the role. Here is a screenshot of that being allowed. BTW this role has ALL streams allowed for both viewing and editing at the moment. This isn’t just a problem for all messages but for any stream I try to query as a non-admin user. Even though all streams are allowed for users in this role, that query, regardless of stream, will get that auth error.

Am I missing something crazy simple here?

I got it Jochen. I wasn’t using the filter correctly. Found that Stream:Streamid in the filter works. Thank you for the help on this. Got me down the right path.
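
The stream-scoped call from the last post, as an added example that is not part of the original thread: it builds the same relative terms search with a stream filter so a non-admin account with read access to that stream can run it. The `filter=streams:<id>` form, the 24-character hex stream id format, the host name and the credentials are assumptions or constructed values.

```python
import base64
import json
import re
from urllib.parse import urlencode
from urllib.request import Request

# Assumption: stream ids are 24-character hex strings (MongoDB ObjectIds).
STREAM_ID_RE = re.compile(r"[0-9a-f]{24}")


def build_terms_request(api_base, user, password, field, stream_id,
                        query="*", size=250, range_seconds=86400):
    """Build the relative terms search from the thread, scoped to one stream."""
    # Reject anything that is not a plain id, so whatever supplies stream_id
    # cannot widen the filter (for example to "*") and fall back to the
    # unscoped universal search that needs the searches:relative permission.
    if not STREAM_ID_RE.fullmatch(stream_id):
        raise ValueError("stream_id must be a 24-character hex string")
    params = {
        "field": field,
        "query": query,
        "size": size,
        "range": range_seconds,
        "filter": "streams:" + stream_id,  # assumed filter syntax
    }
    url = (api_base.rstrip("/") + "/search/universal/relative/terms?"
           + urlencode(params))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return Request(url, headers={"Authorization": "Basic " + token,
                                 "Accept": "application/json"})


def is_not_authorized(body):
    """True if body is the ApiError the non-admin account received."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return (isinstance(doc, dict) and doc.get("type") == "ApiError"
            and doc.get("message") == "Not authorized")


if __name__ == "__main__":
    # Constructed host, account and stream id.
    req = build_terms_request("https://graylog.example:12900/api", "reader",
                              "constructed-password", "cs-user-agent",
                              "000000000000000000000001")
    print(req.full_url)
    print(is_not_authorized('{"type":"ApiError","message":"Not authorized"}'))
```

Pass the returned `Request` to `urllib.request.urlopen` to send it; a response body for which `is_not_authorized` returns true means the account's role lacks read access to the stream named in the filter.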
