Granular user permissions assignment

ttsandrew · September 1, 2020, 6:28pm

We have developed a custom process which retrieves events, notifications, and performance metrics from Graylog via the REST API. We have assigned a read-only user to retrieve the information. It works great, except today it was demonstrated that non-administrative users are unable to retrieve system notifications.

How can we assign permission to retrieve notifications without making the read-only API user an administrator? I don’t see a way to do it in the documentation. Does it involve directly modifying a configuration stored in MongoDB?

ttsandrew · September 1, 2020, 6:57pm

I was able to accomplish this by adding “notifications:read” to the “reader” role in MongoDB, so my immediate need is solved. But, my question still stands: is this doable some easier way?

shoothub · September 2, 2020, 7:33am

Why not create role only for read notifications and assign it to user with role Reader? Because role permission is cumulative from more roles, it’s not necessary directly edit reader role. Just assign newly created role to specific user.

Create json file role-notification-read.json with content:

{
  "name": "Read notifications",
  "description": "Read only notifications",
  "permissions": [
    "notifications:read",
    "eventnotifications:read"
  ],
  "read_only": "false"
}

Create role using curl commnad:

curl -i -X POST -u user:password -H 'Content-Type: application/json' -H 'X-Requested-By: cli' 'http://GRAYLOG_SERVER:9000/api/roles' -d @role-notification-read.json

ttsandrew · September 2, 2020, 1:34pm

Thanks for the feedback, that is in fact what we ended up doing. But is that the only way to manage granular role permissions?

shoothub · September 2, 2020, 1:39pm

Yest with REST API you can create own or update existing roles with custom permissions.

This command lists all posible permissions:
curl -XGET -u ADMIN:PASSWORD 'http://graylog.example.org:9000/api/system/permissions?pretty=true'

https://docs.graylog.org/en/3.3/pages/users_and_roles/permission_system.html#rest-call-permissions

Best way is to you REST API browser to test it, and curl for command line setup:
https://docs.graylog.org/en/3.3/pages/configuration/rest_api.html?highlight=rest%20api#using-the-api-browser

ttsandrew · September 2, 2020, 1:42pm

Ah, ok. Thanks for the link, somehow I overlooked this in the documentation.

system · September 16, 2020, 1:42pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Create alerts in Graylog Graylog Central (peer support)	3	545	November 11, 2020
Setting Granular Permissions Graylog Central (peer support)	1	884	February 28, 2017
Graylog 3.1.0 Events permission Graylog Central (peer support)	3	837	September 25, 2019
User permissions by role: What does the default Reader grant access to exactly? Graylog Central (peer support)	4	2596	December 21, 2017
Assigning Roles on Graylog Graylog Central (peer support)	9	682	December 11, 2017

Granular user permissions assignment

Related topics