Graylog permissions

(Zero) #1

Is it possible to block permission for reading messages from specific inputs / streams? For example, I would like my RoleA to read from InputA and RoleB to read from InputB, but they shouldn't see each other's messages.

(Jan Doberstein) #2

That is what streams are created for:

Create Custom Roles with the access you would like to give, once the Inputs are in separate streams.

(Zero) #3

But creating a new stream requires specifying an index where that stream will store messages, right? So it means duplication of data. It would be a lot easier to just block people from reading from specific inputs. Is it not possible?

(Jan Doberstein) #4

I guess you are thinking too complicated.

Just leave the index setting untouched and you will not duplicate the data. Only if you choose different index sets for storing them will the messages be duplicated.

You pick the access rights to data where it is visible, not where it is ingested. That is the difference.

(Zero) #5

Hmm, but when you create a new stream you have to specify an Index Set, with the note saying:

“Messages that match this stream will be written to the configured index set.”

For example, right now I have: InputA, IndexA, StreamA AND InputB, Index, StreamB and so on.
They work like this: Input => Stream => Index.
I need to create a RoleA that will have permission to read, create extractors etc. on Inputs A, B, C but will not be able to do anything on the rest of my Inputs.

If I wanted to use streams I would have to create a new stream and set 3 rules for it:

Field source must match exactly InputA
Field source must match exactly InputB
Field source must match exactly InputC

But if I want to create it, I have to specify which index it will store data in, and this will create duplicates.
ALSO, I would have to completely block the Search and Inputs toolbars for that role, which will completely block anything connected to using extractors.

As you see, the only solution for this case seems to be blocking the option to read inputs for some roles.
Just not allowing some people to click on that "Show received messages" button at all. Sadly, when I try to do it through the permission system it does not work… Even if I set :edit: and :read: for specific Input ids, those roles are still able to click on "Show received messages" on ALL inputs, not only those specified.

(Jan Doberstein) #6

But, as written, the solution you want is not possible.
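The following is an added example, not code from this thread or from Graylog itself. It shows what Jan's suggestion in #2 and #4 looks like as Graylog REST payloads (one stream that collects the three inputs Zero lists in #5, plus a role that can only read that stream), and models why visibility is decided at the stream rather than at the input. It assumes Graylog's stream-rule type 1 means "match exactly", that permissions are strings such as `streams:read:<stream_id>`, that every message carries the id of the input it arrived on in the `gl2_source_input` field (a more reliable match than `source`, which is a hostname set by the sender), and that the `remove_matches_from_default_stream` option exists on the stream. All ids are constructed placeholders.

```python
"""Added example, not code from the thread or from Graylog itself.

Builds the REST payloads for the stream-based approach from the thread and
models Graylog's visibility check: a role sees a message only through a
stream it may read, regardless of which input the message arrived on.
Assumed: rule type 1 = "match exactly", permissions look like
"streams:read:<stream_id>", messages carry gl2_source_input, and the stream
reuses the existing index set id so the message is stored only once.
"""
import json
from typing import Dict, List

# Constructed ids; a real deployment uses the ids shown in the Graylog UI/API.
DEFAULT_INDEX_SET_ID = "000000000000000000000001"
INPUT_IDS = {
    "InputA": "000000000000000000000a01",
    "InputB": "000000000000000000000b02",
    "InputC": "000000000000000000000c03",
    "InputX": "000000000000000000000d04",  # an input RoleA must not see
}


def stream_payload(title: str, input_ids: List[str],
                   index_set_id: str = DEFAULT_INDEX_SET_ID) -> dict:
    """Body for POST /api/streams (assumed shape).

    One exact-match rule per input on gl2_source_input, combined with OR: a
    message comes from exactly one input, so AND over three rules would never
    match. Reusing the existing index set keeps the stream a routing and
    visibility layer only; no second copy of the message is written.
    """
    rules = [
        {"field": "gl2_source_input", "type": 1, "value": iid,
         "inverted": False, "description": f"exact match on input id {iid}"}
        for iid in input_ids
    ]
    return {
        "title": title,
        "description": f"Messages from {len(input_ids)} input(s), routed for per-role visibility",
        "rules": rules,
        "matching_type": "OR",
        "index_set_id": index_set_id,
        # Keep these messages out of the "All messages" default stream, which
        # any role holding read on that stream would otherwise see them through.
        "remove_matches_from_default_stream": True,
    }


def role_payload(name: str, stream_ids: List[str]) -> dict:
    """Body for POST /api/roles (assumed shape): read-only access to the listed streams."""
    return {
        "name": name,
        "description": f"Read access to {len(stream_ids)} stream(s)",
        "permissions": [f"streams:read:{sid}" for sid in stream_ids],
        "read_only": False,  # the role definition itself stays editable by admins
    }


def matching_streams(message: dict, streams: Dict[str, dict]) -> List[str]:
    """Model of stream routing: ids of streams whose rules match the message."""
    hits = []
    for sid, stream in streams.items():
        results = [message.get(r["field"]) == r["value"]
                   for r in stream["rules"] if r["type"] == 1]
        matched = any(results) if stream["matching_type"] == "OR" else all(results)
        if matched:
            hits.append(sid)
    return hits


def can_read(role: dict, message: dict, streams: Dict[str, dict]) -> bool:
    """Model of the visibility check: the role needs streams:read on a stream
    the message was routed to. The originating input is never consulted."""
    readable = {p.split(":")[2] for p in role["permissions"]
                if p.startswith("streams:read:")}
    return any(sid in readable for sid in matching_streams(message, streams))


def demo() -> dict:
    """Two streams on one index set, two roles, one message per input.
    Returns, per role, the names of the inputs whose messages it can read."""
    stream_a = stream_payload("Team A inputs", [INPUT_IDS[n] for n in ("InputA", "InputB", "InputC")])
    stream_b = stream_payload("Team B inputs", [INPUT_IDS["InputX"]])
    streams = {"stream-a-id": stream_a, "stream-b-id": stream_b}  # ids Graylog would return on creation
    roles = [role_payload("RoleA", ["stream-a-id"]), role_payload("RoleB", ["stream-b-id"])]
    # Constructed sample messages, one per input.
    msgs = {name: {"source": f"host-{name.lower()}", "gl2_source_input": iid,
                   "message": "constructed sample"} for name, iid in INPUT_IDS.items()}
    return {role["name"]: sorted(n for n, m in msgs.items() if can_read(role, m, streams))
            for role in roles}


if __name__ == "__main__":
    print(json.dumps(stream_payload("Team A inputs", list(INPUT_IDS.values())[:3]), indent=2))
    print(demo())
```

Both streams point at the same index set, which is the "leave the index setting untouched" point from #4: a message routed to a stream is stored once and the stream only changes who can search it. This covers search visibility; the per-input restriction on "Show received messages" that Zero asks about in #5 is the part Jan says is not available.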