Graylog API browser access


#1

I would like to know if I can prevent access to the API browser for non-admin users.


(Jochen) #2

That’s not possible out of the box, but to actually execute anything using the API browser (Swagger UI), you still need valid credentials.

You can, however, put a reverse proxy in front of the Graylog REST API and lock down access to it.
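One way to do what this reply suggests, as an added example that is not configuration from this thread or from the Graylog project: an nginx server block that forwards the web interface and REST API to Graylog but serves the API browser (Swagger UI) only to an internal admin network. The upstream address, the hostname and certificate paths, the allowed subnet and the `/api/api-browser` path are all assumptions; the path the API browser lives under depends on the Graylog version, so check it against your installation before relying on this.

```nginx
# Added example, not from the thread. Assumes Graylog listens on 127.0.0.1:9000,
# that the API browser is served under /api/api-browser (version dependent;
# verify on your installation), and that administrators connect from 10.0.0.0/8.
upstream graylog {
    server 127.0.0.1:9000;   # assumed Graylog HTTP listen address
}

server {
    listen 443 ssl;
    server_name graylog.example.com;                  # placeholder hostname
    ssl_certificate     /etc/nginx/tls/graylog.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/graylog.key;

    # Only the admin network may load the API browser; everyone else gets 403.
    # This hides the UI only: the REST API below stays reachable because the
    # web interface needs it, and Graylog's own permission checks still decide
    # what each authenticated user may actually do.
    location ^~ /api/api-browser {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://graylog;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else (web interface and REST API) is proxied without an
    # address restriction, since the browser-based web interface calls the
    # REST API directly.
    location / {
        proxy_pass http://graylog;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Tells Graylog its externally visible URL (header used by Graylog 3+).
        proxy_set_header X-Graylog-Server-URL https://$host/;
    }
}
```

Blocking the Swagger UI this way reduces what casual users can discover, but it is not an authorization control: anyone who can reach `/api/` can send the same requests with any HTTP client, and it is Graylog's server-side permission model that decides whether those requests succeed. Test the restriction from both an allowed and a denied address after reloading nginx.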


#3

Thanks.
If my Graylog is connected to AD, every user that has access through it can access the API browser.
Am I correct?


(Jochen) #4

Every user, no matter if they have an account or not, can access the API browser.
But only authenticated users can execute actions (send requests) in the API browser.


#5

So basically even a non-admin user that has permission to log on to Graylog and knows what he is doing can use the API browser to alter things and cause damage to Graylog.
That is not very good when it comes to organizational security,
unless I misunderstood the entire thing.


(Jochen) #6

No, that’s wrong. Please read again what I wrote multiple times:


#7

OK, but what if I am using Active Directory authentication and grant my users access to Graylog so they can perform actions in the API browser?


(Jochen) #8

Please elaborate on what issues you see with that.


#9

From my company's point of view, users can only view logs and create their own dashboards or create saved searches for their purposes.
Only admin users can perform changes on the system itself. We believe that is the policy to be implemented on a mass-user application to prevent harm to the system.
I.e. if I compare it to Splunk, the policy is the same and I as a user can only do things related to the log data and not the system.


(Jochen) #10

Unless all of your users are administrators in Graylog, I don’t see a problem.

Just let me remind you that the Graylog web interface (and thus the user’s web browser) needs to access the Graylog REST API to work and the API browser is just another frontend for that. So by “hiding” the API browser you don’t gain anything.


#11

I finally understand now how it works.
After I tried a few times I realized that if a user doesn't have permission on an object, he will not be able to change it no matter what method he uses, web interface or API browser.
Thanks for your help and patience.


(system) #12

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.