Can we create new roles in graylog community instance

Hello Team,

Can we create new roles in a Graylog community instance 4.0.6? I know that
To use the group synchronization functionality you need the Graylog Enterprise license and the Graylog Enterprise plugin.

Can we create new roles in a community instance? If yes, can you guide how we can do that? Is there any way to add new roles in Mongo, or any alternate way? Please guide.

Regards,
Sameer


Yes, you can still create a custom role with custom permissions via the REST API:
curl -i -X POST -u admin:PASS -H 'Content-Type: application/json' -H 'X-Requested-By: cli' 'http://172.28.128.15:9000/api/roles' -d @custom-role.json

Content of custom-role.json:

{
  "name": "Custom",
  "description": "Custom role",
  "permissions": [
        "clusterconfigentry:read",
        "indexercluster:read",
        "messagecount:read",
        "journal:read",
        "messages:analyze",
        "metrics:read",
        "fieldnames:read",
        "buffers:read",
        "system:read",
        "jvmstats:read",
        "decorators:read",
        "throughput:read",
        "messages:read"
      ],
  "read_only": false
}

To get the list of possible permissions, check this:
curl -XGET -u admin:PASS 'http://172.28.128.15:9000/api/system/permissions?pretty=true'

Note: Some permissions are mandatory for a role; without them the role can't work, and you will see error messages in the web interface after logging in as a user assigned the custom role. You need to experiment.

Then assign the newly created role to the newly created user. This way you can assign whichever role you like to the newly created user. Or you can assign/unassign a role for a user from System - Roles. If you try to unassign the role from System - Users and Teams, it's not possible without the Reader role. Anyway, the Reader role can't be unassigned in the web GUI once it has been assigned, but you can unassign the Reader role from a user using the API:

curl -i -X DELETE -u admin:PASS -H 'Content-Type: application/json' -H 'X-Requested-By: cli' 'http://172.28.128.15:9000/api/authz/roles/ROLE_ID/assignee/USERNAME'

ROLE_ID can be retrieved with this little bash snippet:

#!/bin/bash
# Unassign the Reader role from a user
set -euo pipefail

GRAYLOG="http://172.28.128.15:9000"
AUTH="admin:PASS"
USERNAME="test5"
ROLE="Reader"

# Look up the id of the role by name (jq --arg avoids the fragile quote juggling)
ROLEID=$(curl -sf -u "$AUTH" -H 'Accept: application/json' -H 'X-Requested-By: cli' \
  "$GRAYLOG/api/authz/roles?page=1&per_page=50&sort=name&order=asc" \
  | jq -r --arg role "$ROLE" '.roles[] | select(.name == $role) | .id')

if [ -z "$ROLEID" ]; then
  echo "role '$ROLE' not found" >&2
  exit 1
fi

# Unassign the role from the user
curl -i -X DELETE -u "$AUTH" -H 'X-Requested-By: cli' \
  "$GRAYLOG/api/authz/roles/$ROLEID/assignee/$USERNAME"
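The procedure in the reply above (create the role, compare its permissions against what the server advertises, look up the Reader role id, delete the assignment) collected into one script. This is an added example, not code from the thread or from Graylog. It assumes the endpoints shown in the reply, that GET /api/system/permissions returns a {"permissions": {resource: [action, ...]}} map, and a hypothetical Graylog at http://172.28.128.15:9000 with the credentials admin:PASS; the transport is injectable so the logic can be exercised without a server. The permission check only catches permission strings Graylog does not know about (typos, renamed resources); whether the remaining set is sufficient for the user still has to be tested by logging in, as the reply says.

```python
import base64
import json
import urllib.request
from urllib.error import HTTPError
from urllib.parse import quote

# Constructed sample role, same shape as the thread's custom-role.json.
CUSTOM_ROLE = {
    "name": "Custom",
    "description": "Custom role",
    "permissions": ["messages:read", "messages:analyze", "fieldnames:read",
                    "system:read", "journal:read"],
    "read_only": False,
}


def missing_permissions(role, available):
    """Return the role's permissions that Graylog does not advertise.

    `available` is the "permissions" map from GET /api/system/permissions,
    assumed here to be {resource: [action, ...]}.  "resource:*" is accepted
    for any known resource.  A permission that exists but is not enough for
    the UI (the "mandatory" ones) is not detected here.
    """
    unknown = []
    for perm in role["permissions"]:
        resource, _, action = perm.partition(":")
        actions = available.get(resource)
        if actions is None or (action != "*" and action not in actions):
            unknown.append(perm)
    return unknown


def find_role_id(roles_response, name):
    """Pick the id of a role by name from a GET /api/authz/roles page."""
    for role in roles_response.get("roles", []):
        if role.get("name") == name:
            return role["id"]
    return None


def urllib_transport(method, url, headers, body):
    """Default HTTP transport: returns (status, response bytes)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except HTTPError as e:
        return e.code, e.read()


class GraylogClient:
    """Thin wrapper around the REST calls used in the thread."""

    def __init__(self, base_url, user, password, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {
            "Authorization": f"Basic {token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
            "X-Requested-By": "cli",  # Graylog rejects state-changing calls without it
        }

    def call(self, method, path, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        status, raw = self.transport(method, self.base_url + path, self.headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else None

    def available_permissions(self):
        return self.call("GET", "/api/system/permissions")["permissions"]

    def create_role(self, role):
        # Refuse to create a role containing permissions the server does not know.
        bad = missing_permissions(role, self.available_permissions())
        if bad:
            raise ValueError(f"unknown permissions: {bad}")
        return self.call("POST", "/api/roles", role)

    def role_id(self, name):
        page = self.call("GET", "/api/authz/roles?page=1&per_page=50&sort=name&order=asc")
        return find_role_id(page, name)

    def unassign(self, role_name, username):
        """Remove a role (e.g. Reader) from a user; returns the role id used."""
        rid = self.role_id(role_name)
        if rid is None:
            raise LookupError(f"no role named {role_name!r}")
        path = f"/api/authz/roles/{quote(rid, safe='')}/assignee/{quote(username, safe='')}"
        self.call("DELETE", path)
        return rid


if __name__ == "__main__":
    # Hypothetical instance and credentials, matching the thread's placeholders.
    client = GraylogClient("http://172.28.128.15:9000", "admin", "PASS")
    client.create_role(CUSTOM_ROLE)
    print("Reader removed; role id", client.unassign("Reader", "test5"))
```

Assign the custom role to the user in the web interface (or with your preferred API call) between the create and unassign steps, otherwise the user ends up with no role at all.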
