Events Permissions

jgrammen_agility · October 29, 2020, 2:07pm

Hello,

I am trying to configure a new user that will have an api token to read the events queue.
I created a new user, assigned them a api token, but I cannot figure out which permissions they need to be able to read the events queue.

the following is the permission list:

“permissions” : [ “users:edit:icinga2_api”, “users:tokencreate:icinga2_api”, “users:passwordchange:icinga2_api”, “users:tokenremove:icinga2_api”, “users:tokenlist:icinga2_api”, “clusterconfigentry:read”, “indexercluster:read”, “messagecount:read”, “journal:read”, “messages:analyze”, “inputs:read”, “metrics:read”, “savedsearches:edit”, “fieldnames:read”, “buffers:read”, “system:read”, “savedsearches:create”, “jvmstats:read”, “decorators:read”, “throughput:read”, “savedsearches:read”, “messages:read”, “streams:read:000000000000000000000002”, “eventnotifications:edit”, “eventdefinitions:read”, “eventdefinitions:create”, “eventdefinitions:delete”, “eventdefinitions:execute”, “eventdefinitions:edit”, “eventnotifications:create”, “eventnotifications:delete”, “eventnotifications:read” ],

Stream 000000000000000000000002 is the “all events” stream
Graylog version: 3.3.8

the default built in Admin user can read the events queue just fine (via a create api token).
If I log into the graylog ui as the icinga2_api user, they can see and search the “all events” stream but if they go to the alerts page, they cannot find any of the alerts via the search (but any admin user can).

What permissions are needed for a user to be able to see the events on the alerts page, and therefore be able to query them via the api?

shoothub · October 29, 2020, 2:14pm

Try to add:
“notifications:read”

jgrammen_agility · October 29, 2020, 2:39pm

The user now has the following permissions (added notifications:read via a new role), but the user still cannot see events on the alerts page

[ "users:edit:icinga2_api", "users:tokencreate:icinga2_api", "users:passwordchange:icinga2_api", "users:tokenremove:icinga2_api", "users:tokenlist:icinga2_api", "clusterconfigentry:read", "indexercluster:read", "messagecount:read", "journal:read", "messages:analyze", "inputs:read", "metrics:read", "savedsearches:edit", "fieldnames:read", "buffers:read", "system:read", "savedsearches:create", "jvmstats:read", "decorators:read", "throughput:read", "savedsearches:read", "messages:read", "streams:read:000000000000000000000002", "eventnotifications:edit", "eventdefinitions:read", "eventdefinitions:create", "eventdefinitions:delete", "eventdefinitions:execute", "eventdefinitions:edit", "eventnotifications:create", "eventnotifications:delete", "eventnotifications:read", "notifications:read" ],

jgrammen_agility · October 30, 2020, 12:33pm

Still no luck, I do know that full permissions are sufficient for a user to see the events on the alerts pages (because admin users can see them) but my goal was to apply the minimum permissions (for security reasons). There doesn’t seem to be any other obvious permission that need to be added (full list via the api/system/permissions api endpoint), which one am I missing?

joe.gross · October 30, 2020, 9:56pm

Try:

],
“notifications”: [
“delete”,
“read”
],
“eventdefinitions”: [
“delete”,
“edit”,
“execute”,
“read”,
“create”

jgrammen_agility · October 31, 2020, 1:04am

notifications:delete has been added. Still cannot see the alerts.
The permissions attached to the user are as follows:

[ "users:edit:icinga2_api", "users:tokencreate:icinga2_api", "users:passwordchange:icinga2_api", "users:tokenremove:icinga2_api", "users:tokenlist:icinga2_api", "notifications:delete", "clusterconfigentry:read", "indexercluster:read", "messagecount:read", "journal:read", "messages:analyze", "inputs:read", "metrics:read", "savedsearches:edit", "fieldnames:read", "buffers:read", "system:read", "savedsearches:create", "jvmstats:read", "decorators:read", "throughput:read", "savedsearches:read", "messages:read", "streams:read:000000000000000000000002", "eventnotifications:edit", "eventdefinitions:read", "eventdefinitions:create", "eventdefinitions:delete", "eventdefinitions:execute", "eventdefinitions:edit", "eventnotifications:create", "eventnotifications:delete", "eventnotifications:read", "notifications:read" ]

as the icinga2_api user:

as an admin user:

jgrammen_agility · November 3, 2020, 12:15pm

I still cannot find a definitive answer on the permission set required (to view the alert page), does anyone know?

jgrammen_agility · November 10, 2020, 5:51pm

So I managed to figure out the required permissions after lots of testing.
I assigned a role (alerts_test) to the my user (icinga2_api) and then proceeded via api calls to assign various permissions to the role until that user could see the events on the /alerts page.

get all graylog permissions

curl -XGET -u token:token ‘https://graylog.internal/api/system/permissions?pretty=true’

create the new role, with some permissions

curl -v -XPOST -u token:token -H ‘Content-Type: application/json’ -H ‘X-Requested-By: cli’ ‘https://graylog.internal/api/roles’ -d ‘{“read_only”: false,“permissions”: [“stream_outputs:delete,stream_outputs:read,stream_outputs:create”],“name”: “alerts_test”,“description”: “Perms to see alerts”}’

update the role with new permissions

curl -v -XPUT -u token:token -H ‘Content-Type: application/json’ -H ‘X-Requested-By: cli’ ‘https://graylog.internal/api/roles/alerts_test’ -d ‘{“read_only”: false,“permissions”: [“streams:read”],“name”: “alerts_test”,“description”: “Perms to see alerts”}’

I started by assigning all available read permissions to the role

“outputs:read”,“sidecars:read”,“deflector:read”,“loggers:read”,“inputs:read”,“indexercluster:read”,“eventnotifications:read”,“dashboards:read”,“view:read”,“sidecar_collector_configurations:read”,“throughput:read”,“savedsearches:read”,“loggersmessages:read”,“fieldnames:read”,“buffers:read”,“streams:read”,“sidecar_collectors:read”,“system:read”,“collectors:read”,“decorators:read”,“messages:read”,“metrics:read”,“ldapgroups:read”,“stream_outputs:read”,“notifications:read”,“eventdefinitions:read”,“sources:read”,“indexranges:read”,“roles:read”,“urlwhitelist:read”, “contentpack:read”,“licenseinfos:read”,“indexsets:read”,“clusterconfigentry:read”,“pipeline_rule:read”,“journal:read”,“pipeline_connection:read”,“systemjobs:read”,“authentication:read”,“messagecount:read”,“pipeline:read”,“indices:read”,“systemmessages:read”,“lookuptables:read”,“jvmstats:read”

I then split the list in half and checked which half granted my user the permission to see the page. Split the list in half again, check which half, split, check. Eventually I narrowed it down to “streams:read”. At which point I could mess around with various stream read permissions until I came to the conclusion that for a user to read the events the user must also have permission to read the stream the event came from (the stream that contains the message that triggered the event)

So all this to say, to read the events page (/alerts) as user should probably be able to read all streams (unless your events are only ever regarding specific streams).

system · November 24, 2020, 5:51pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Graylog 3.1.0 Events permission Graylog Central (peer support)	3	837	September 25, 2019
Permissions for managing event definitions Graylog Central (peer support)	3	943	November 30, 2021
API Events Request Graylog Central (peer support)	1	27	August 16, 2024
Permissions to read auditlog entries via REST API Graylog Central (peer support)	3	556	June 15, 2018
Graylog edit extractor and notification permissions Graylog Central (peer support)	1	704	August 8, 2017

Events Permissions

Related topics