REST API Search authorization

First, we’re running Graylog 1.3.3 still (long story, looking to upgrade).

I’ve found that when using the REST API for Search, it requires Admin authorization and I’m curious as to why. Is this an issue/feature with the older versions of Graylog, or is this intentional and still found in Graylog 2.x?

I’m using a valid user to submit the searches. This user can log in to the web UI and conduct the exact same searches I’m trying via the REST API. While some REST API requests (/system/cluster/stats/) require no authorization, certain requests require basic level authorization (you have to be a user on the system), and when using these credentials, those requests are granted.

However, the Search REST API seems to require Admin privileges, so I receive a ‘403 Forbidden’ response along with ‘{"type":"ApiError","message":"Not authorized"}’. The search request string is valid as it works if I use Admin credentials.

Here’s an example cURL search:

curl -u 'user:passwd' -XGET -i 'http://hostname:12900/search/universal/relative?query=*&range=300&fields=facility%2Csess_id'

Thinking perhaps it is security-related due to Role or Stream restrictions, I’ve also inserted the Stream ID into the request to narrow the search to a specific stream that this non-Admin user has valid access to; same result, not authorized. I’ve also tried multiple different users; all non-Admin users are considered ‘Not authorized’.

I’ve checked the Graylog configuration and haven’t found anything related to security for these types of features. I’d appreciate any insight into this.

Universal search requires admin privileges as you have access to all ingested messages with it.
Normal users can use streams: http://docs.graylog.org/en/1.3/pages/streams.html
