Granular user permissions assignment

We have developed a custom process which retrieves events, notifications, and performance metrics from Graylog via the REST API. We have assigned a read-only user to retrieve the information. It works great, except today it was demonstrated that non-administrative users are unable to retrieve system notifications.

How can we assign permission to retrieve notifications without making the read-only API user an administrator? I don’t see a way to do it in the documentation. Does it involve directly modifying a configuration stored in MongoDB?

I was able to accomplish this by adding “notifications:read” to the “reader” role in MongoDB, so my immediate need is solved. But, my question still stands: is this doable some easier way?

Why not create a role only for reading notifications and assign it to the user with the Reader role? Because role permissions are cumulative across roles, it's not necessary to directly edit the reader role. Just assign the newly created role to the specific user.

Create a JSON file role-notification-read.json with the content:

{
  "name": "Read notifications",
  "description": "Read only notifications",
  "permissions": [
    "notifications:read",
    "eventnotifications:read"
  ],
  "read_only": false
}

Create the role using the curl command:

curl -i -X POST -u user:password -H 'Content-Type: application/json' -H 'X-Requested-By: cli' 'http://GRAYLOG_SERVER:9000/api/roles' -d @role-notification-read.json
1 Like

Thanks for the feedback, that is in fact what we ended up doing. But is that the only way to manage granular role permissions?

Yes, with the REST API you can create your own or update existing roles with custom permissions.

This command lists all possible permissions:
curl -XGET -u ADMIN:PASSWORD 'http://graylog.example.org:9000/api/system/permissions?pretty=true'

https://docs.graylog.org/en/3.3/pages/users_and_roles/permission_system.html#rest-call-permissions

The best way is to use the REST API browser to test it, and curl for command-line setup:
https://docs.graylog.org/en/3.3/pages/configuration/rest_api.html?highlight=rest%20api#using-the-api-browser

1 Like
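
An added example, not part of the thread or Graylog's own code: a check to run on a role payload before POSTing it to /api/roles, confirming that every permission exists in the server's permission list and that the role stays read-only. The listing shape (group mapped to actions), the sample values, and the Shiro-style reading of wildcards and bare group names are assumptions; `known_permissions` and `audit_role` are hypothetical helper names.

```python
import json

# Constructed sample, shaped like the assumed output of
# GET /api/system/permissions: permission group -> allowed actions.
SAMPLE_LISTING = json.loads("""
{"permissions": {
  "notifications": ["delete", "read"],
  "eventnotifications": ["create", "delete", "edit", "read"],
  "streams": ["create", "edit", "read"]
}}
""")


def known_permissions(listing):
    """Flatten the listing into a set of 'group:action' strings."""
    return {f"{group}:{action}"
            for group, actions in listing["permissions"].items()
            for action in actions}


def audit_role(role, listing, allowed_actions=("read",)):
    """Return (permission, problem) pairs; an empty list means the role
    only grants known permissions whose action is in allowed_actions."""
    known = known_permissions(listing)
    findings = []
    for perm in role.get("permissions", []):
        parts = perm.split(":")  # group:action[:instance]
        if "*" in parts:
            findings.append((perm, "wildcard grants more than one permission"))
        elif len(parts) < 2:
            findings.append((perm, "no action given, grants the whole group"))
        elif ":".join(parts[:2]) not in known:
            findings.append((perm, "not in the server's permission list"))
        elif parts[1] not in allowed_actions:
            findings.append((perm, "action is outside the allowed set"))
    return findings


# The role from the thread, plus a constructed over-broad variant.
thread_role = {"name": "Read notifications",
               "permissions": ["notifications:read", "eventnotifications:read"]}
broad_role = {"name": "Too broad (constructed)",
              "permissions": ["notifications:*", "streams", "notifications:delete",
                              "notification:read", "streams:read:constructed-id"]}

if __name__ == "__main__":
    for role in (thread_role, broad_role):
        print(role["name"], audit_role(role, SAMPLE_LISTING))
```

To use it against a live server, replace `SAMPLE_LISTING` with the parsed output of the permissions listing command shown above.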

Ah, ok. Thanks for the link, somehow I overlooked this in the documentation.
