Permission Role for Outputs not working


(Tobias) #1

Hello,
I created a role with the permissions for the Output,
like this one (the original I use has all permissions without the User Authentication):

{
  "permissions": [
    "outputs:create",
    "outputs:edit",
    "outputs:read",
    "outputs:terminate",
    "stream_outputs:edit:*",
    "stream_outputs:create:*",
    "stream_outputs:delete:*",
    "stream_outputs:read:*",
    "streams:changestate:*",
    "streams:create",
    "streams:edit"
  ]
}

I can see the Output menu under System, but if I click on it, I’m getting an error.
Any ideas?

Regards


(Jochen) #2

What error do you get when clicking on the “Outputs” menu item?

You can try using the permission stream_outputs:create (without the trailing :*).


(Tobias) #3

Hello,

I’m getting this error:

Could not load outputs
Loading outputs failed with status: Error: cannot GET http://10.128.130.55:9000/api/system/outputs/available (403)

Also when I have the permission like this:

{
      "name": "Moderator",
      "description": null,
      "permissions": [
  "blacklistentry:create",
  "blacklistentry:delete",
  "blacklistentry:edit",
  "blacklistentry:read",
  "buffers:read",
  "bundle:create",
  "bundle:delete",
  "bundle:export",
  "bundle:import",
  "bundle:read",
  "bundle:update",
  "clusterconfigentry:read",
  "clusterconfigentry:create",
  "clusterconfigentry:delete",
  "clusterconfigentry:edit",
  "clusterconfigentry:read",
  "dashboards:create",
  "dashboards:edit",
  "dashboards:read",
  "decorators:create",
  "decorators:edit",
  "decorators:read",
  "deflector:cycle",
  "deflector:read",
  "fieldnames:read",
  "indexercluster:read",
  "indexranges:read",
  "indexranges:rebuild",
  "indexsets:create",
  "indexsets:delete",
  "indexsets:edit",
  "indexsets:read",
  "indices:changestate",
  "indices:delete",
  "indices:failures",
  "indices:read",
  "inputs:create",
  "inputs:edit",
  "inputs:read",
  "inputs:terminate",
  "journal:edit",
  "journal:read",
  "jvmstats:read",
  "loggers:edit",
  "loggers:editsubsystem",
  "loggers:read",
  "loggers:readsubsystem",
  "messagecount:read",
  "messages:analyze",
  "messages:read",
  "metrics:allkeys",
  "metrics:read",
  "metrics:readall",
  "metrics:readhistory",
  "node:shutdown",
  "notifications:delete",
  "notifications:read",
  "outputs:create",
  "outputs:edit",
  "outputs:read",
  "outputs:terminate",
  "processing:changestate",
  "savedsearches:create",
  "savedsearches:edit",
  "savedsearches:read",
  "searches:absolute",
  "searches:keyword",
  "searches:relative",
  "sources:read",
  "stream_outputs:create",
  "stream_outputs:delete",
  "stream_outputs:read",
  "streams:changestate",
  "streams:create",
  "streams:edit",
  "system:read",
  "systemjobs:create",
  "systemjobs:delete",
  "systemjobs:read",
  "systemmessages:read",
  "threads:dump",
  "throughput:read", 
  "users:passwordchange",
  "collectors:read",
  "collectors:edit",
  "collectors:create",
  "pipeline:edit",
  "pipeline:read",
  "pipeline:create",
  "pipeline:delete",
  "pipeline_connection:edit",
  "pipeline_connection:read",
  "pipeline_rule:edit",
  "pipeline_rule:read",
  "pipeline_rule:create",
  "pipeline_rule:delete"
      ],
      "read_only": false
    }

(Jochen) #4

The /system/outputs/available resource currently requires the user to have the streams:read permission.


(Jochen) #5

Follow up:


(Tobias) #6

Thanks, that was the missing permission.
But with that one, I can see and access all Streams without giving a permission to them.

I want to make a permission set where someone can only see his Stream and can only do an output on it.
Would this work?


(Jochen) #7

I don’t know this off the top of my head, you’d have to try it out yourself or check the respective code locations.


(Tobias) #8

Hi,
I think there is a permission issue.
I have a role and a user without any read or edit rights for a stream.
If I set the “streams:read” permission by the role, the user can see and join every stream.
So if I need the “streams:read” permission for the Outputs, I give that role access to any stream.
Can you confirm that?
Regards


(Jochen) #9

Yes, that’s correct (as of Graylog 2.3.1).


(Tobias) #10

Thanks
So if I set the permission like this, “streams:read:59b138fb2f969905ddecb310”, then the Outputs is not working again.
Could it be that it will be changed in future versions? More granular?
Thanks again


(Jochen) #11

Correct, because the required permission is streams:read, not streams:read:{id} or streams:read:*.

Yes, please subscribe to the aforementioned GitHub issues for updates.
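
A role audit built on the behaviour described in this thread (Graylog 2.3.1), as an added example that is not part of the original posts or Graylog's own code: it reports whether a role holds the unscoped streams:read that the Outputs page requires, and which per-stream grants that unscoped permission makes meaningless. The role name OutputOperator, the function names and the report keys are assumptions made for illustration.

```python
import json

# Constructed sample role (not from the thread); the stream id is the one quoted in post #10.
SAMPLE_ROLE = json.loads("""
{
  "name": "OutputOperator",
  "permissions": [
    "outputs:read",
    "outputs:create",
    "stream_outputs:read:59b138fb2f969905ddecb310",
    "streams:read:59b138fb2f969905ddecb310",
    "streams:read"
  ]
}
""")

# Per the thread: /system/outputs/available requires exactly this permission.
OUTPUTS_REQUIRED = "streams:read"


def split_permission(perm):
    """Split 'domain:action[:instance]'; instance is None when absent."""
    parts = perm.split(":", 2)
    if len(parts) < 2:
        raise ValueError(f"not a domain:action permission: {perm!r}")
    return parts[0], parts[1], parts[2] if len(parts) == 3 else None


def audit_role(role):
    """Summarise the stream exposure of a role definition."""
    perms = role.get("permissions", [])
    unscoped, scoped = set(), {}
    for perm in perms:
        domain, action, instance = split_permission(perm)
        if domain != "streams":
            continue
        if instance is None:
            unscoped.add(action)  # no stream id: not limited to one stream
        else:
            scoped.setdefault(action, set()).add(instance)
    return {
        "outputs_page_loads": OUTPUTS_REQUIRED in perms,
        "unscoped_stream_actions": sorted(unscoped),
        # per-stream grants overridden by an unscoped grant of the same action
        "shadowed_scoped": {a: sorted(i) for a, i in scoped.items() if a in unscoped},
        "per_stream_grants": {a: sorted(i) for a, i in scoped.items() if a not in unscoped},
    }


if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE), indent=2))
```

A non-empty shadowed_scoped entry marks a role whose per-stream restriction no longer limits anything, which is the situation described in post #8.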

