[PLUGIN] Execute API requests / mongoDB instruction as user logged in graylog


I’m looking for a solution to execute any request to Graylog’s API or MongoDB through the code of a custom plugin.

I did not find any information about how interaction between Graylog’s data and the plugin is possible.

My main goal could be summed up as obtaining the currently logged-in user’s token.

I did not succeed in obtaining the token using the mysterious classes graylog2-server/src/main/java/org/graylog2/rest/resources/users/UsersResource.java and graylog2-server/src/main/java/org/graylog2/security/AccessToken.java, nor with the cli.js.

I did not find any info about how to retrieve mongoConnection from https://github.dev/airbus-cyber/graylog-plugin-alert-wizard/blob/4e8d9fd1c98c350b46a9781c4752095e6ee4bd0f/src/main/java/com/airbus_cyber_security/graylog/wizard/alert/rest/models/requests/AlertRuleRequest.java

(Obtaining access to MongoDB would allow me to request the token of my currently logged-in user, assuming I am able to retrieve its username.)

If you have any idea how to retrieve the currently logged-in username, or directly its token, using Java or JS / TS, don’t hesitate! ^^

Is there a reason you need to or want to use code to obtain/generate a token vs creating one via the Graylog Web Interface?

Currently this is the only supported way of obtaining tokens.

However, to answer your question:

Graylog stores access tokens in its MongoDB instance in the access_tokens collection; however, the token is encrypted with the Graylog cluster’s password_secret.

See https://github.com/Graylog2/graylog2-server/blob/e15058fc59316daab00e27daf1ad639e86a96906/graylog2-server/src/main/java/org/graylog2/security/AccessTokenCipher.java#L26


Thanks for your response!

Okay, that seems quite unpleasant for my aims.

I developed a web application interacting with SIEM data. The data retrieval is all based on API requests, which allows it to be easily adapted to the SIEM it is embedded in.

The objective was to integrate the web application in an iframe loaded from a simple webui Graylog plugin.

Up to Graylog 4.2.x (or 4.3.x, I don’t remember the exact version) the web application retrieved the user access token through localStorage.

But an update from 4.[2|3].x set the httpFlagOnly to true for this token stored in localStorage, which prevents the web application from retrieving the token.

This prevents me from using Graylog’s authentication system transparently. Setting a service token for the web application is not an option, as a service token would prevent the traceability of all users’ requests.

@drewmiranda-gl Concerning Graylog’s plugins, do you know if it is possible to store configuration information?

The solution I see would be for the user to generate their own token from the GUI and record it themselves in a configuration field which would be readable by the plugin.

Do plugins in Graylog support this kind of process? I see no mention of customizable configuration data in the documentation.

My apologies, Graylog code development and plugin development go a bit above my head :frowning:
