Graylog API browser access

shachbo · August 9, 2017, 1:21pm

i would like to know if i can prevent access to the API browser for non admin users.

jochen · August 9, 2017, 1:45pm

That’s not possible out of the box, but to actually execute anything using the API browser (Swagger UI), you still need valid credentials.

You can, however, put a reverse proxy in front of the Graylog REST API and lock down access to it.

shachbo · August 9, 2017, 1:50pm

thanks
if my graylog in connceted to AD so every user that has access through it can access the API browser.
am i correct?

jochen · August 9, 2017, 1:52pm

Every user, no matter if they have an account or not, can access the API browser.
But only authenticated users can execute actions (send requests) in the API browser.

shachbo · August 9, 2017, 6:05pm

so basically even a non admin user that has permission to log on to graylog and know what he is doing can use the API browser to alter things and cause damage to graylog.
that is not very good when it comes to organization security
unless i misunderstood the entire thing

jochen · August 9, 2017, 9:06pm

No, that’s wrong. Please read again what I wrote multiple times:

shachbo · August 10, 2017, 5:30am

OK but if i am using an ACTIVE DIRECTORY authentication and grant my users access to graylog so they can perform actions in the API browser?

jochen · August 10, 2017, 6:46am

Please elaborate on what issues you see with that.

shachbo · August 10, 2017, 7:49am

in my company’s point of view users can only view logs and create their own dashboards or create saved searches for their purposes.
only admin users can perform changes on the system it self. we believe that is the policy to be implemented on a mass user application to prevent harm to the system.
i.e if i compare it to splunk the policy is the same and i as a user can only do things related to the log data and not the system

jochen · August 10, 2017, 10:17am

Unless all of your users are administrators in Graylog, I don’t see a problem.

Just let me remind you that the Graylog web interface (and thus the user’s web browser) needs to access the Graylog REST API to work and the API browser is just another frontend for that. So by “hiding” the API browser you don’t gain anything.

shachbo · August 10, 2017, 10:56am

i finally understands now how it works.
after i tried for a few times i realized that if a user doesnt have permission to an object he will not be able to change it no matter what method he uses. web interface or API browser
thanks for your help and patience

system · August 24, 2017, 10:57am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Access to API Browser Graylog Central (peer support)	3	1394	March 22, 2017
Proxy between Web ui and backend Graylog Central (peer support)	10	708	March 12, 2019
About non-admin account using curl -XGET Graylog Central (peer support)	2	512	November 8, 2017
REST API Search authorization Graylog Central (peer support)	2	3823	May 24, 2017
Access REST API without admin role Graylog Central (peer support)	3	379	May 5, 2023

Graylog API browser access

Related Topics