Can't delete test input in system/input

1. Describe your incident:

I can’t delete a created input from the web interface using the admin user; instead I get a user permissions error:

The permissions check for the following request failed,
while trying to access /system/inputs.
There was an error fetching a resource: Access Denied. Additional information: <HTML>
<HEAD>
<TITLE>Access Denied</TITLE>
</HEAD>

<BODY BGCOLOR="white" FGCOLOR="black">
<H1>Access Denied</H1>
<HR>

<FONT FACE="Helvetica,Arial"><B>
Description: You are not allowed to access the document you requested.
</B></FONT>
<HR>
</BODY>

2. Describe your environment:

  • OS Information:
    Debian GNU/Linux 12 (bookworm)

  • Package Version:
    graylog-server/stable,now 5.1.7-1 amd64
    opensearch/stable,now 2.11.0 amd64 [installed]
    mongodb-org/bullseye,now 6.0.11 amd64 [installed]
    apache2/stable,now 2.4.57-2 amd64 [installed]

  • Service logs, configurations, and environment variables:

/etc/graylog/server/server.conf

is_leader = true
node_id_file = /etc/graylog/server/node-id
root_username = admin
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_enable_gzip = true
http_max_header_size = 8192
http_thread_pool_size = 64
stream_aware_field_types=false
allow_leading_wildcard_searches = false
allow_highlighting = false
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
message_journal_max_size = 5gb
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://graylog:graylog@localhost/graylog
mongodb_max_connections = 1000

/etc/opensearch/opensearch.yml

cluster.name: graylog
node.name: ${HOSTNAME}
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
discovery.type: single-node
action.auto_create_index: false
plugins.security.disabled: true
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"]
node.max_local_storage_nodes: 3

/etc/mongod.conf

storage:
  dbPath: /var/lib/mongodb

systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

net:
  port: 27017
  bindIp: 127.0.0.1

processManagement:
  timeZoneInfo: /usr/share/zoneinfo

/etc/opensearch/jvm.options


-Xms8g
-Xmx8g

8-10:-XX:+UseConcMarkSweepGC
8-10:-XX:CMSInitiatingOccupancyFraction=75
8-10:-XX:+UseCMSInitiatingOccupancyOnly

11-:-XX:+UseG1GC
11-:-XX:G1ReservePercent=25
11-:-XX:InitiatingHeapOccupancyPercent=30

-Djava.io.tmpdir=${OPENSEARCH_TMPDIR}
-XX:+HeapDumpOnOutOfMemoryError
-XX:HeapDumpPath=/var/lib/opensearch
-XX:ErrorFile=/var/log/opensearch/hs_err_pid%p.log
8:-XX:+PrintGCDetails
8:-XX:+PrintGCDateStamps
8:-XX:+PrintTenuringDistribution
8:-XX:+PrintGCApplicationStoppedTime
8:-Xloggc:/var/log/opensearch/gc.log
8:-XX:+UseGCLogFileRotation
8:-XX:NumberOfGCLogFiles=32
8:-XX:GCLogFileSize=64m
9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/opensearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m
18-:-Djava.security.manager=allow
20:--add-modules=jdk.incubator.vector
-Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory

-Dclk.tck=100
-Djdk.attach.allowAttachSelf=true
-Djava.security.policy=file:///etc/opensearch/opensearch-performance-analyzer/opensearch_security.policy
--add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED

From the access and error logs of Apache I got no particular info.

3. What steps have you already taken to try and solve the problem?

I’ve tried to investigate the Apache, MongoDB, OpenSearch and Graylog logs, but I can’t figure out what I can try to do.

4. How can the community help?

How can I delete the input?

Thank you all

How many graylog nodes do you have, is it just the one?

Can you try to delete via the api browser? /api/api-browser/

And if that fails can you post the response text? Can you check your server.log to see if there are any errors?

Yes, I have just one Graylog node.

I get to the API browser from /api/api-browser/global/index.html, because from /api/api-browser I get a login page where I can’t log in.

This is the error if I try to delete from the API browser:

Response Body


Access Denied


Description: You are not allowed to access the document you requested.


Response Code
403
Response Headers
{"Cache-Control":"no-store","Connection":"keep-alive","Content-Language":"en","Content-Length":"249","Content-Type":"text/html","Date":"Fri, 27 Oct 2023 09:40:24 GMT"}

I found no errors in server.log.

Can you try to login to your graylog cluster with your admin account and then navigate to the API browser page? It will reuse the same user session.

Yes, I log in to the cluster (http://graylogIP/) with the admin account, then I go to System, then Nodes, then Cluster Global API Browser, and I get to the API browser page. From there I try to delete the input and then get the error.

Update: I get this error also when I try to delete streams and inputs, but I can create them with no problem.

UPDATE

I finally solved the problem by disabling the use of an HTTP proxy in the Internet settings of my client. Although the options explicitly said not to use the proxy for local addresses, once it was disabled I was able to complete all operations.

Thank you
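The 403 in this thread came back as a bare HTML page with no trace in server.log, which is the signature of a hop in front of Graylog enforcing the deny. The following triage check is an added example, not code from the thread or from Graylog; it assumes that the Graylog REST API answers errors with a JSON body and an X-Graylog-Node-ID header, and the JSON sample is constructed.

```python
import json

# Response to the DELETE in the thread: headers as posted, body abridged from
# the HTML error page quoted in the first post.
THREAD_RESPONSE = {
    "status": 403,
    "headers": {"Cache-Control": "no-store", "Connection": "keep-alive",
                "Content-Language": "en", "Content-Length": "249",
                "Content-Type": "text/html",
                "Date": "Fri, 27 Oct 2023 09:40:24 GMT"},
    "body": "<HTML><HEAD><TITLE>Access Denied</TITLE></HEAD>"
            "<BODY><H1>Access Denied</H1></BODY></HTML>",
}

# Constructed sample (assumption): a denial issued by the API itself.
CONSTRUCTED_API_DENIAL = {
    "status": 403,
    "headers": {"Content-Type": "application/json",
                "X-Graylog-Node-ID": "00000000-constructed-node-id"},
    "body": '{"type": "ApiError", "message": "constructed sample"}',
}


def classify_denial(status, headers, body):
    """Guess which hop produced a 401/403: 'api', 'intermediary' or 'unknown'."""
    if status not in (401, 403):
        return "not-a-denial"
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if "x-graylog-node-id" in h:          # stamped by the server (assumption)
        return "api"
    if ctype == "application/json":
        try:
            if isinstance(json.loads(body), dict):
                return "api"
        except ValueError:                # JSON content type but unparsable body
            pass
    if ctype == "text/html" and "<html" in body.lower():
        return "intermediary"             # proxy or gateway error page
    return "unknown"


if __name__ == "__main__":
    for name, resp in (("thread", THREAD_RESPONSE),
                       ("constructed", CONSTRUCTED_API_DENIAL)):
        print(name, "->", classify_denial(**resp))
```

An "intermediary" result means the next place to look is the client's proxy configuration or any reverse proxy in the path, not Graylog roles and permissions.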
