Permission Role for Outputs not working

Wicht · September 11, 2017, 8:52am

Hello,
i created a Role with the permissions for the Output
Like that one (the original i use has all permissions without the User Authentication:

{
"permissions":{
  "outputs:create",
  "outputs:edit",
  "outputs:read",
  "outputs:terminate",
  "stream_outputs:edit:*",
  "stream_outputs:create:*",
  "stream_outputs:delete:*",
  "stream_outputs:read:*",
  "streams:changestate:*",
  "streams:create",
  "streams:edit"
}

I can see the Output menue under System, but if i click on it, i’m getting an error.
Any Ideas?

Regards

jochen · September 11, 2017, 4:43pm

What error do you get when clicking on the “Outputs” menu item?

You can try using the permission stream_outputs:create (without the trailing :*).

Wicht · September 12, 2017, 6:13am

Hello,

i’m getting this error:

Could not load outputs
Loading outputs failed with status: Error: cannot GET http://10.128.130.55:9000/api/system/outputs/available (403)

Also when i have the permission like this:

{
      "name": "Moderator",
      "description": null,
      "permissions": [
  "blacklistentry:create",
  "blacklistentry:delete",
  "blacklistentry:edit",
  "blacklistentry:read",
  "buffers:read",
  "bundle:create",
  "bundle:delete",
  "bundle:export",
  "bundle:import",
  "bundle:read",
  "bundle:update",
  "clusterconfigentry:read",
  "clusterconfigentry:create",
  "clusterconfigentry:delete",
  "clusterconfigentry:edit",
  "clusterconfigentry:read",
  "dashboards:create",
  "dashboards:edit",
  "dashboards:read",
  "decorators:create",
  "decorators:edit",
  "decorators:read",
  "deflector:cycle",
  "deflector:read",
  "fieldnames:read",
  "indexercluster:read",
  "indexranges:read",
  "indexranges:rebuild",
  "indexsets:create",
  "indexsets:delete",
  "indexsets:edit",
  "indexsets:read",
  "indices:changestate",
  "indices:delete",
  "indices:failures",
  "indices:read",
  "inputs:create",
  "inputs:edit",
  "inputs:read",
  "inputs:terminate",
  "journal:edit",
  "journal:read",
  "jvmstats:read",
  "loggers:edit",
  "loggers:editsubsystem",
  "loggers:read",
  "loggers:readsubsystem",
  "messagecount:read",
  "messages:analyze",
  "messages:read",
  "metrics:allkeys",
  "metrics:read",
  "metrics:readall",
  "metrics:readhistory",
  "node:shutdown",
  "notifications:delete",
  "notifications:read",
  "outputs:create",
  "outputs:edit",
  "outputs:read",
  "outputs:terminate",
  "processing:changestate",
  "savedsearches:create",
  "savedsearches:edit",
  "savedsearches:read",
  "searches:absolute",
  "searches:keyword",
  "searches:relative",
  "sources:read",
  "stream_outputs:create",
  "stream_outputs:delete",
  "stream_outputs:read",
  "streams:changestate",
  "streams:create",
  "streams:edit",
  "system:read",
  "systemjobs:create",
  "systemjobs:delete",
  "systemjobs:read",
  "systemmessages:read",
  "threads:dump",
  "throughput:read", 
  "users:passwordchange",
  "collectors:read",
  "collectors:edit",
  "collectors:create",
  "pipeline:edit",
  "pipeline:read",
  "pipeline:create",
  "pipeline:delete",
  "pipeline_connection:edit",
  "pipeline_connection:read",
  "pipeline_rule:edit",
  "pipeline_rule:read",
  "pipeline_rule:create",
  "pipeline_rule:delete"
      ],
      "read_only": false
    }

jochen · September 12, 2017, 3:19pm

The /system/outputs/available resource currently requires the user to have the streams:read permission.

github.com

Graylog2/graylog2-server/blob/2.3.1/graylog2-server/src/main/java/org/graylog2/rest/resources/system/outputs/OutputResource.java#L181


                   @PathParam("outputId") String outputId) throws org.graylog2.database.NotFoundException {
    checkPermission(RestPermissions.OUTPUTS_TERMINATE);
    final Output output = outputService.load(outputId);
    outputService.destroy(output);
}


@GET
@Path("/available")
@Timed
@ApiOperation(value = "Get all available output modules")
@RequiresPermissions(RestPermissions.STREAMS_READ)
@Produces(MediaType.APPLICATION_JSON)
public Map<String, Map<String, AvailableOutputSummary>> available() {
    return ImmutableMap.of("types", messageOutputFactory.getAvailableOutputs());
}


@PUT
@Path("/{outputId}")
@Timed
@ApiOperation(value = "Update output")
@RequiresPermissions(RestPermissions.OUTPUTS_EDIT)

jochen · September 12, 2017, 3:41pm

Follow up:

Wicht · September 12, 2017, 3:43pm

Thanks, that was the missing permission.
But with that one, i can see and access all Streams without giving a permission to them.

I want to make a a permission set, where someone can only see a his Stream an can do only a ouput on this.
Would this work?

jochen · September 12, 2017, 4:01pm

I don’t know this out of my head, you’d have to try it out yourself or check the respective code locations.

Wicht · September 13, 2017, 5:57am

Hi,
i think there is a permission issue.
I have a role and a user without any read or edit rights for a stream.
If i set the “streams:read” permission by the role, the user can see and join every stream.
So if i need the “streams:read” permission for the Outputs, i give that role access to any stream.
can you confirm that?
Regards

jochen · September 13, 2017, 6:17am

Yes, that’s correct (as of Graylog 2.3.1).

Wicht · September 13, 2017, 6:24am

Thanks
So If i set the permission like this “streams:read:59b138fb2f969905ddecb310”, then is the Outputs not working again.
Could it be, that it will changed in further Versions? more granular?
Thanks again

jochen · September 13, 2017, 6:39am

Correct, because the required permission is streams:read, not streams:read:{id} or streams:read:*.

Yes, please subscribe to the aforementioned GitHub issues for updates.

system · September 27, 2017, 6:39am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.