Problem creating Role (through API) for extractor manager

1. Describe your incident:

I have a task to create a role of Extraktor manager, It went partialy ok, user can go to GUI and can see and click on Manage extrator button. But when clicking on Create extractor and then Load message, this error appears:

“The permissions check for the following request failed,
while trying to access /system/inputs/abcdefg12345/extractors.”

2. Describe your environment:

• OS Information:
  Oracle Linux 8.7

• Package Version:
  graylog RPM package 5.1.5+993cd0f, codename Noir
  mongodb 5.0
  opensearch 1.x (5 nodes)
  3 graylog servers in a cluster

• Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?

I worked with API and grants before and can change them for streams, dashboards.
I created a new Role.After assigning to a user he could see Manage extrator button beside Input name .

I used these parameters in creating role:

“name”: “ExtractMgr”,
“permissions”: [
“inputs:create”,
“inputs:edit:abcdefg12345”,
“inputs:read:abcdefg12345”

Problem happens when the user tries to edit existing extrator or creating new one. He can open new window for creating, but then when clicking on blue “Load messeges” button, the mentioned error appears:

“The permissions check for the following request failed,
while trying to access /system/inputs/abcdefg12345/extractors.”

I researched in details the API browser, schemes, searching if there are some grant attributes for extractors. For example using this API

/api/authz/shares/entities/grn::::stream:abcdefghijk12345678/

it lists grants for streams or dashboards. But replacing word “stream” with “input” or “extractor” doesnt work, like it doesnt exist.

I tried many additional fieldd and right cominations in the Role perrmissions json but error is the same.

  "extractors:read:abcdef12345",
   "extractors:edit:abcdef12345",
    "extractor:read",
    "extractor:create"

4. How can the community help?

I am looking for Ideas how to use API to set additional grants to extractor so that user can create extractor.

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

There should be an entry in the log that might provide some insight. It looks like this:

Not authorized to access resource id <{}>. User <{}> is missing permission <{}:{}>

Thanks a lot. That was pretty , pretty good ;-). Sorry but my production logs are quite messy due to inputs pollution, and many so I missed this err message. It was easier to search when you specifed template. MEssage was :

" INFO [RestResource] Not authorized. User <10ce708e5b3> is missing permission searches:relative .

That is very useful error message, may I add as it also hints to solution. After I added :searches:relative to role I was abe to enter into extractor editing mode. Thanks again and have a nice weekend.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.