I can't figure out permissions for sidecars API

I’m trying to list some stuff using the API, specifically the /sidecars/all endpoint.
If I use curl with a token for an administrator user it works fine but I don’t want to give my automation so much power just to list something.

I tried all the available roles and besides administrator none grants my user permissions to view sidecars.

I also tried using a token from the “Sidecar System User (built-in)”, which I already thought had too much power just for viewing, but surprisingly it’s still not authorized:

{"type":"ApiError","message":"Not authorized"}

I know my request is correct because I get the proper json list if I use a token from the admin user.

TL;DR can I GET /api/sidecars/all with anything less than admin privileges?

FWIW I tried with 4.2.2 and the latest (as of now) 4.2.5. Running the official docker with mongo 4.2 and elastic 7.10.2

Hello @icegray && Welcome

We might be able to help you but could you explain in greater detail what you’re doing or trying to accomplish?
I kind of understand but I’m not too sure. What I understand is you want to use the Graylog API and you need to use a UserName/Password, but you don’t want to use credentials? Is this correct?

Hi,

I’m trying to do a GET /api/sidecars/all. Until now the only credentials that are allowed are the admin ones (either user/pass or token). What I want is to create a user with less privileges than admin to use for this API call.

I tried creating a new user and started granting roles one by one but the only role that allowed the user to do GET on /api/sidecars/all is admin.

I also tried using the “Sidecar System User (built-in)” user but again it doesn’t have enough permissions.

Is it possible to read this API from a user with less privileges than admin ?
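The role-by-role testing described in this post can be scripted so that each candidate token is checked against the endpoint and the result is classified from the HTTP status and the `ApiError` body. The script below is an added example and is not from the original thread or from Graylog itself; `GRAYLOG_URL`, the token values and the endpoint path are assumptions to be replaced, and it relies on the documented Graylog convention of sending an API token as HTTP basic auth with the token as the user name and the literal password `token`.

```shell
#!/bin/sh
# Added example (not from the thread): classify Graylog API responses so a
# least-privilege token can be verified before it is handed to automation.
# Assumptions: GRAYLOG_URL points at the Graylog web/API listener (e.g.
# http://graylog.example:9000), tokens are real API tokens, and the endpoint
# path is the one under test (/api/sidecars/all in the thread).

# classify_response STATUS BODY
# Prints one word describing what the response means for the token:
#   ok             -> the token may read the endpoint
#   not_authorized -> token is valid but lacks the permission (the ApiError
#                     body quoted in the thread)
#   unauthenticated-> token rejected outright (HTTP 401)
#   other          -> anything else (server error, unexpected body, ...)
classify_response() {
  status="$1"
  body="$2"
  if [ "$status" = "200" ]; then
    printf 'ok\n'
  elif printf '%s' "$body" | grep -q '"message":"Not authorized"'; then
    printf 'not_authorized\n'
  elif [ "$status" = "401" ]; then
    printf 'unauthenticated\n'
  else
    printf 'other\n'
  fi
}

# probe_endpoint TOKEN PATH
# Performs the live GET and classifies it. Needs network access and
# GRAYLOG_URL; only the status and body are used, nothing else is stored.
probe_endpoint() {
  token="$1"
  path="$2"
  tmp=$(mktemp)
  status=$(curl -s -o "$tmp" -w '%{http_code}' \
    -u "$token:token" \
    -H 'Accept: application/json' \
    "${GRAYLOG_URL%/}$path")
  body=$(cat "$tmp")
  rm -f "$tmp"
  classify_response "$status" "$body"
}

# Usage: set GRAYLOG_URL and list the tokens to compare (placeholders here).
# Each line of output pairs a label with the classification, so the least
# privileged token that still prints "ok" is the one to use for automation.
if [ -n "${GRAYLOG_URL:-}" ]; then
  for entry in "reader:${READER_TOKEN:-}" "sidecar_system:${SIDECAR_TOKEN:-}"; do
    label=${entry%%:*}
    tok=${entry#*:}
    [ -n "$tok" ] || continue
    printf '%s %s\n' "$label" "$(probe_endpoint "$tok" /api/sidecars/all)"
  done
fi
```

Run it with `GRAYLOG_URL`, `READER_TOKEN` and `SIDECAR_TOKEN` exported; tokens never appear in the output, only the role label and the classification. Because the check keys on the response body as well as the status, it still reports `not_authorized` if a proxy in front of Graylog rewrites the status code.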

Hello

I understand, So I did a test in my lab. I created a user with Read permissions as shown below.

I logged in with user “test”, navigated to System/Nodes and clicked on “API browser”. I was able to read and execute GET APIs using my user called “test” credentials. Depending on your installation you can use AD to sync permissions/groups, but this would require Enterprise edition, although it’s free under 5GB/day.

Thanks for checking in. I think we are talking about different endpoints.

Created test1 user with Reader
(new user, not allowed to upload two pictures)

Then tried to run the API /api/sidecars/all

I see now.

Just tested this out and I have the same results. If I’m reading this correctly, I would assume that having the sidecar role would allow a user to see and configure sidecars.

You may want to post this issue here.

Thanks for the confirmation, I’ll open a bug report. Cheers!
