How to hide or disable the System / Input menu for non-admin (read only) users

Hi Community,

I’m not sure if anyone else has run into this caveat (or maybe I’m the only one), but a pointer into the right direction would be very much appreciated!

I’ve created a few user (read-only) accounts, set to view specific streams and/or dashboards, and what I’m running into is that each of these users has access to the System / Input menu, being able to see all inputs, ports and especially input names on the whole system, thus giving them “sensitive” information as to who and what else is on the system.

After a lot of hunting on the net, the only other resource I’ve been able to find was a github thread from a couple of years back: https://github.com/Graylog2/graylog2-server/issues/3883

Even though my understanding from reading the docs is that there’s no easy workaround for this (or workaround at all), this thread got me thinking after having a look at creating users through the REST API, but I can’t seem to find a way to tweak this.

Thanks in advance for any input!

Regards, Icanus

The linked Github issue already has the solution given:

You can create a role without the inputs:read permission, in that case the System/Inputs menu action will not be visible/executable.

Hi @jan, thanks for the input!

I’ve read and reread that specific message in the thread a few times now (it’s still ringing in my head), but I honestly can’t seem to figure out how that can be applied when creating a new role under System > Authentication > Roles; there are no further options for this.

I can see the inputs:read permission is set for the users when I launch a query through the REST API, but I’m unsure if it’s possible (or even how) to create a role through the REST API, without the inputs:read part.

Thanks again and regards, Icanus

Hey @1c4nu5

You can only create new roles using the API - the frontend does not have this option (yet).

Only via API that can be done, like seen here: https://docs.graylog.org/en/3.1/pages/faq.html#how-can-i-create-a-restricted-user-to-check-internal-graylog-metrics-in-my-monitoring-system

Hi @jan,

Thanks again for your input and apologies for the delay in getting back. I’ve had some time to go over the link you shared as well as the permission system documentation (http://docs.graylog.org/en/3.1/pages/users_and_roles/permission_system.html).

I think where I’m really stuck is with the fact that any user we create has to have either the Reader or Admin role assigned to it (as mandatory), and that’s where the “inputs:read” config takes place, amongst others.

{
    "name" : "Reader",
    "description" : "Grants basic permissions for every Graylog user (built-in)",
    "permissions" : [ "clusterconfigentry:read", "indexercluster:read", "messagecount:read", "journal:read", "messages:analyze", "inputs:read", "metrics:read", "savedsearches:edit", "fieldnames:read", "buffers:read", "system:read", "savedsearches:create", "jvmstats:read", "decorators:read", "throughput:read", "savedsearches:read", "messages:read" ],
    "read_only" : true
}

Would it be reasonable to create a user using the API without assigning the Reader role?

Just want to make sure before I break anything…

Thanks again and regards, Icanus

Those two roles are the only pre-created ones. With the Reader role we can say “a user can use the basics”, but you can always define your own role and assign only that to the user …

… you might need then to adjust the rights, but that is totally safe to do.
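As an added example of the approach jan describes (this script is not from the thread and is not Graylog's own tooling), the following bash script takes the Reader permission list quoted above, removes inputs:read, creates a custom role from the result through the REST API, and then creates a user that carries only that custom role instead of Reader. The endpoints /api/roles and /api/users, the X-Requested-By header, the role name Viewer, the user viewer1 and the GRAYLOG_URL, ADMIN_USER and ADMIN_PASS variables are assumptions; the JSON-building functions run offline, and the HTTP calls run only when GRAYLOG_URL is set.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from Graylog. Builds a reduced
# role (Reader minus inputs:read) and creates it plus a user via the REST API.
# Assumed: GRAYLOG_URL, ADMIN_USER, ADMIN_PASS, endpoints /api/roles, /api/users.
set -eu

# Permission list of the built-in Reader role, as quoted in the thread.
READER_PERMISSIONS="clusterconfigentry:read indexercluster:read messagecount:read journal:read messages:analyze inputs:read metrics:read savedsearches:edit fieldnames:read buffers:read system:read savedsearches:create jvmstats:read decorators:read throughput:read savedsearches:read messages:read"

# Print the space-separated list in $1 minus every permission named in $2..
restricted_permissions() {
  perms="$1"; shift
  out=""
  for p in $perms; do
    keep=1
    for deny in "$@"; do
      [ "$p" = "$deny" ] && keep=0
    done
    [ "$keep" = 1 ] && out="$out $p"
  done
  echo "${out# }"
}

# Render a space-separated list as a JSON array of strings.
to_json_array() {
  first=1; out="["
  for p in $1; do
    [ "$first" = 1 ] || out="$out,"
    out="$out\"$p\""
    first=0
  done
  echo "$out]"
}

# Request body for POST /api/roles: a custom, non-read-only role.
build_role_json() {
  printf '{"name":"%s","description":"Reader without inputs:read","permissions":%s,"read_only":false}' \
    "$1" "$(to_json_array "$2")"
}

# Request body for POST /api/users: the user gets only the custom role,
# so the built-in Reader role (and its inputs:read) is never attached.
build_user_json() {
  # $1 username, $2 password, $3 role name; e-mail domain is a constructed placeholder
  printf '{"username":"%s","password":"%s","email":"%s@example.invalid","full_name":"%s","permissions":[],"roles":["%s"]}' \
    "$1" "$2" "$1" "$1" "$3"
}

main() {
  base="${GRAYLOG_URL}"
  auth="${ADMIN_USER:-admin}:${ADMIN_PASS:-changeme}"
  perms=$(restricted_permissions "$READER_PERMISSIONS" inputs:read)
  role_json=$(build_role_json "Viewer" "$perms")
  user_json=$(build_user_json "viewer1" "use-a-long-random-password" "Viewer")
  # X-Requested-By is required by the Graylog API for CSRF protection (assumed).
  curl -sS -u "$auth" -H 'Content-Type: application/json' -H 'X-Requested-By: cli' \
    -X POST "$base/api/roles" -d "$role_json"
  curl -sS -u "$auth" -H 'Content-Type: application/json' -H 'X-Requested-By: cli' \
    -X POST "$base/api/users" -d "$user_json"
}

# Only talk to a server when one is configured, e.g. GRAYLOG_URL=http://127.0.0.1:9000
if [ -n "${GRAYLOG_URL:-}" ]; then
  main
fi
```

Run it as `GRAYLOG_URL=http://127.0.0.1:9000 ADMIN_USER=admin ADMIN_PASS=... bash create-viewer-role.sh`. After the user logs in, the System / Inputs entry should be gone, as the issue comment states; if something else the user needs (dashboards, a particular stream) stops working, extend the permission list of the custom role rather than falling back to Reader.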
