Events Permissions

Hello,

I am trying to configure a new user that will have an api token to read the events queue.
I created a new user, assigned them a api token, but I cannot figure out which permissions they need to be able to read the events queue.

the following is the permission list:

"permissions" : [ "users:edit:icinga2_api", "users:tokencreate:icinga2_api", "users:passwordchange:icinga2_api", "users:tokenremove:icinga2_api", "users:tokenlist:icinga2_api", "clusterconfigentry:read", "indexercluster:read", "messagecount:read", "journal:read", "messages:analyze", "inputs:read", "metrics:read", "savedsearches:edit", "fieldnames:read", "buffers:read", "system:read", "savedsearches:create", "jvmstats:read", "decorators:read", "throughput:read", "savedsearches:read", "messages:read", "streams:read:000000000000000000000002", "eventnotifications:edit", "eventdefinitions:read", "eventdefinitions:create", "eventdefinitions:delete", "eventdefinitions:execute", "eventdefinitions:edit", "eventnotifications:create", "eventnotifications:delete", "eventnotifications:read" ],

Stream 000000000000000000000002 is the “all events” stream
Graylog version: 3.3.8

the default built-in Admin user can read the events queue just fine (via a created api token).
If I log into the graylog ui as the icinga2_api user, they can see and search the “all events” stream but if they go to the alerts page, they cannot find any of the alerts via the search (but any admin user can).

What permissions are needed for a user to be able to see the events on the alerts page, and therefore be able to query them via the api?

Try to add:
"notifications:read"

The user now has the following permissions (added notifications:read via a new role), but the user still cannot see events on the alerts page

[ "users:edit:icinga2_api", "users:tokencreate:icinga2_api", "users:passwordchange:icinga2_api", "users:tokenremove:icinga2_api", "users:tokenlist:icinga2_api", "clusterconfigentry:read", "indexercluster:read", "messagecount:read", "journal:read", "messages:analyze", "inputs:read", "metrics:read", "savedsearches:edit", "fieldnames:read", "buffers:read", "system:read", "savedsearches:create", "jvmstats:read", "decorators:read", "throughput:read", "savedsearches:read", "messages:read", "streams:read:000000000000000000000002", "eventnotifications:edit", "eventdefinitions:read", "eventdefinitions:create", "eventdefinitions:delete", "eventdefinitions:execute", "eventdefinitions:edit", "eventnotifications:create", "eventnotifications:delete", "eventnotifications:read", "notifications:read" ],

Still no luck. I do know that full permissions are sufficient for a user to see the events on the alerts pages (because admin users can see them), but my goal was to apply the minimum permissions (for security reasons). There doesn't seem to be any other obvious permission that needs to be added (full list via the api/system/permissions api endpoint), so which one am I missing?

Try:

],
"notifications": [
"delete",
"read"
],
"eventdefinitions": [
"delete",
"edit",
"execute",
"read",
"create"

notifications:delete has been added. Still cannot see the alerts.
The permissions attached to the user are as follows:

[ "users:edit:icinga2_api", "users:tokencreate:icinga2_api", "users:passwordchange:icinga2_api", "users:tokenremove:icinga2_api", "users:tokenlist:icinga2_api", "notifications:delete", "clusterconfigentry:read", "indexercluster:read", "messagecount:read", "journal:read", "messages:analyze", "inputs:read", "metrics:read", "savedsearches:edit", "fieldnames:read", "buffers:read", "system:read", "savedsearches:create", "jvmstats:read", "decorators:read", "throughput:read", "savedsearches:read", "messages:read", "streams:read:000000000000000000000002", "eventnotifications:edit", "eventdefinitions:read", "eventdefinitions:create", "eventdefinitions:delete", "eventdefinitions:execute", "eventdefinitions:edit", "eventnotifications:create", "eventnotifications:delete", "eventnotifications:read", "notifications:read" ]

as the icinga2_api user:


as an admin user:


I still cannot find a definitive answer on the permission set required (to view the alert page), does anyone know?

So I managed to figure out the required permissions after lots of testing.
I assigned a role (alerts_test) to my user (icinga2_api) and then proceeded via api calls to assign various permissions to the role until that user could see the events on the /alerts page.

get all graylog permissions

curl -XGET -u token:token 'https://graylog.internal/api/system/permissions?pretty=true'

create the new role, with some permissions

curl -v -XPOST -u token:token -H 'Content-Type: application/json' -H 'X-Requested-By: cli' 'https://graylog.internal/api/roles' -d '{"read_only": false, "permissions": ["stream_outputs:delete", "stream_outputs:read", "stream_outputs:create"], "name": "alerts_test", "description": "Perms to see alerts"}'

update the role with new permissions

curl -v -XPUT -u token:token -H 'Content-Type: application/json' -H 'X-Requested-By: cli' 'https://graylog.internal/api/roles/alerts_test' -d '{"read_only": false, "permissions": ["streams:read"], "name": "alerts_test", "description": "Perms to see alerts"}'

I started by assigning all available read permissions to the role

"outputs:read", "sidecars:read", "deflector:read", "loggers:read", "inputs:read", "indexercluster:read", "eventnotifications:read", "dashboards:read", "view:read", "sidecar_collector_configurations:read", "throughput:read", "savedsearches:read", "loggersmessages:read", "fieldnames:read", "buffers:read", "streams:read", "sidecar_collectors:read", "system:read", "collectors:read", "decorators:read", "messages:read", "metrics:read", "ldapgroups:read", "stream_outputs:read", "notifications:read", "eventdefinitions:read", "sources:read", "indexranges:read", "roles:read", "urlwhitelist:read", "contentpack:read", "licenseinfos:read", "indexsets:read", "clusterconfigentry:read", "pipeline_rule:read", "journal:read", "pipeline_connection:read", "systemjobs:read", "authentication:read", "messagecount:read", "pipeline:read", "indices:read", "systemmessages:read", "lookuptables:read", "jvmstats:read"

I then split the list in half and checked which half granted my user the permission to see the page. Split the list in half again, check which half, split, check. Eventually I narrowed it down to "streams:read", at which point I could mess around with various stream read permissions until I came to the conclusion that for a user to read the events, the user must also have permission to read the stream the event came from (the stream that contains the message that triggered the event).

So all this to say: to read the events page (/alerts), a user should probably be able to read all streams (unless your events are only ever regarding specific streams).
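The halving procedure described above, written out as an added example (not code from the thread or from Graylog): a generic permission minimizer driven by a pluggable "can the user see the alerts page?" check, plus a helper that PUTs the role in the same shape as the curl command above. The `update_role` helper, the `SOURCE_STREAM_ID` value and the `alerts_page_visible` oracle are assumptions; the oracle is a constructed stand-in that encodes the thread's finding rather than a call to a live server.

```python
import base64
import json
import urllib.request

# Role body in the shape the thread's curl PUT sends to /api/roles/<name>.
def role_update_payload(name, permissions, description="Perms to see alerts"):
    return {"read_only": False, "permissions": sorted(set(permissions)),
            "name": name, "description": description}

# Assumed helper: PUT the role using the endpoint and headers from the curl
# command above, authenticating with an API token as basic-auth user "token:token".
def update_role(base_url, api_token, name, permissions):
    body = json.dumps(role_update_payload(name, permissions)).encode()
    req = urllib.request.Request(f"{base_url}/api/roles/{name}", data=body, method="PUT")
    req.add_header("Content-Type", "application/json")
    req.add_header("X-Requested-By", "cli")
    cred = base64.b64encode(f"{api_token}:token".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req) as resp:
        return resp.status

def find_minimal_permissions(candidates, has_access):
    """Return a minimal subset of candidates for which has_access(subset) is True.
    Phase 1 halves the list as done by hand in the thread; phase 2 drops each
    remaining permission one at a time, which also handles the case where more
    than one permission is needed and no single half is sufficient."""
    needed = list(candidates)
    if not has_access(needed):
        raise ValueError("the full candidate set does not grant access")
    while len(needed) > 1:
        mid = len(needed) // 2
        left, right = needed[:mid], needed[mid:]
        if has_access(left):
            needed = left
        elif has_access(right):
            needed = right
        else:
            break  # neither half alone is enough; fall through to elimination
    for perm in list(needed):
        trial = [p for p in needed if p != perm]
        if has_access(trial):
            needed = trial
    return sorted(needed)

# Constructed oracle standing in for "log in as the user and load /alerts".
# Access requires reading the stream the triggering message came from, either
# globally (streams:read) or for that specific stream id (placeholder value).
SOURCE_STREAM_ID = "example-source-stream-id"  # constructed, not a real Graylog id

def alerts_page_visible(permissions):
    perms = set(permissions)
    return "streams:read" in perms or f"streams:read:{SOURCE_STREAM_ID}" in perms

# Constructed candidate list: a slice of the read permissions tried in the thread,
# plus the "all events" stream permission the user already had (not sufficient).
READ_PERMS = ["outputs:read", "sidecars:read", "inputs:read", "eventnotifications:read",
              "dashboards:read", "streams:read", "messages:read", "notifications:read",
              "eventdefinitions:read", "streams:read:000000000000000000000002"]

if __name__ == "__main__":
    print(find_minimal_permissions(READ_PERMS, alerts_page_visible))  # ['streams:read']
```

To run it against a real instance, replace `alerts_page_visible` with a callback that calls `update_role` and then checks the page or events API as the restricted user.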

