Restricting alert access

Hi all,

I have read the permissions page but I can't see how one would create permissions to stop people viewing alerts?

he @cuthbe

As the alerting got a complete rework in 3.1, what version are you asking about? What exactly is your request?

So we have installed 3.1.3 from the last.

You might want to answer my second question also.

Sorry, so I want to set up a user that only has access to views, can't see alerts or dashboards, or can only see dashboards.

Permissions are based on roles, and roles are based on streams. So if you allow a role to view a specific stream (and assign the role to a user), the user will also be able to view the alerts related to that stream. You can still create a clone of the original stream (without defined alerts) and assign it to the role. This way, the user will only see messages without alerts.

Dashboards are separate from streams, so you can assign a role permission to read/write a specific dashboard. Be more specific: do you want the user to read all dashboards, or only a specific one?

Okay, so for any alerts that are based on a stream, the user will only see alerts for that stream, got ya. Dashboards, yes, I think you can permission users.

The UI doesn't include all available permissions, only the basic ones. The full permission set is editable via the API. Check the API Browser.
https://docs.graylog.org/en/3.1/pages/configuration/rest_api.html#graylog-rest-api

https://docs.graylog.org/en/3.1/pages/users_and_roles/permission_system.html
Here is the complete list of permissions in 3.1.3:

{
  "permissions": {
    "outputs": [
      "create",
      "edit",
      "terminate",
      "read"
    ],
    "sidecars": [
      "update",
      "create",
      "read",
      "delete"
    ],
    "deflector": [
      "read",
      "cycle"
    ],
    "loggers": [
      "readsubsystem",
      "edit",
      "editsubsystem",
      "read"
    ],
    "catalog": [
      "resolve",
      "list"
    ],
    "inputs": [
      "terminate",
      "read",
      "create",
      "changestate",
      "edit"
    ],
    "lbstatus": [
      "change"
    ],
    "indexercluster": [
      "read"
    ],
    "eventnotifications": [
      "delete",
      "create",
      "read",
      "edit"
    ],
    "dashboards": [
      "read",
      "create",
      "edit"
    ],
    "extendedsearch": [
      "create",
      "use"
    ],
    "view": [
      "use",
      "read",
      "edit",
      "create",
      "delete"
    ],
    "ldap": [
      "edit"
    ],
    "sidecar_collector_configurations": [
      "read",
      "update",
      "create",
      "delete"
    ],
    "throughput": [
      "read"
    ],
    "savedsearches": [
      "read",
      "create",
      "edit"
    ],
    "loggersmessages": [
      "read"
    ],
    "searches": [
      "relative",
      "absolute",
      "keyword"
    ],
    "fieldnames": [
      "read"
    ],
    "buffers": [
      "read"
    ],
    "streams": [
      "changestate",
      "edit",
      "create",
      "read"
    ],
    "users": [
      "tokencreate",
      "rolesedit",
      "edit",
      "permissionsedit",
      "list",
      "tokenlist",
      "create",
      "passwordchange",
      "tokenremove"
    ],
    "node": [
      "shutdown"
    ],
    "sidecar_collectors": [
      "update",
      "delete",
      "read",
      "create"
    ],
    "system": [
      "read"
    ],
    "collectors": [
      "delete",
      "create",
      "update",
      "read"
    ],
    "decorators": [
      "create",
      "read",
      "edit"
    ],
    "messages": [
      "read",
      "analyze"
    ],
    "processing": [
      "changestate"
    ],
    "metrics": [
      "read",
      "allkeys",
      "readall",
      "readhistory"
    ],
    "ldapgroups": [
      "read",
      "edit"
    ],
    "stream_outputs": [
      "delete",
      "read",
      "create"
    ],
    "notifications": [
      "delete",
      "read"
    ],
    "eventdefinitions": [
      "delete",
      "edit",
      "execute",
      "read",
      "create"
    ],
    "sources": [
      "read"
    ],
    "indexranges": [
      "read",
      "rebuild"
    ],
    "roles": [
      "edit",
      "create",
      "read",
      "delete"
    ],
    "contentpack": [
      "create",
      "delete",
      "read"
    ],
    "default-view": [
      "set"
    ],
    "indexsets": [
      "create",
      "read",
      "delete",
      "edit"
    ],
    "clusterconfigentry": [
      "read",
      "delete",
      "edit",
      "create"
    ],
    "pipeline_rule": [
      "edit",
      "delete",
      "read",
      "create"
    ],
    "journal": [
      "edit",
      "read"
    ],
    "pipeline_connection": [
      "read",
      "edit"
    ],
    "systemjobs": [
      "create",
      "read",
      "delete"
    ],
    "authentication": [
      "read",
      "edit"
    ],
    "messagecount": [
      "read"
    ],
    "threads": [
      "dump"
    ],
    "pipeline": [
      "create",
      "delete",
      "read",
      "edit"
    ],
    "indices": [
      "changestate",
      "delete",
      "failures",
      "read"
    ],
    "systemmessages": [
      "read"
    ],
    "lookuptables": [
      "edit",
      "create",
      "read",
      "delete"
    ],
    "jvmstats": [
      "read"
    ]
  }
}

Okay, so sorry, in the UI can I restrict users from seeing the System/Inputs tab? Because there are inputs that I don't want certain users to see.

So I can't seem to get or edit a user role; this

```sh
curl -XGET -u admin:password 'http://127.0.0.1:9000/api/users/support?pretty=true'
```

returns nothing, but on the frontend I see that user. I want to edit the user's role to remove everything but search and dashboards.

I have tried to set up a token using this:
https://docs.graylog.org/en/3.1/pages/configuration/rest_api.html

But I get this back when trying to request the token as per the docs:

```http
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Graylog Server session"
X-Graylog-Node-ID: c95dd19d-203e-444e-bfcf-f2741d963e75
Date: Tue, 17 Dec 2019 07:06:55 GMT
Content-Length: 0
```

Like I said, it's easier to use the REST API browser; you can open it from System - Nodes - button API Browser.

You can still use curl, but your command is missing some parameters; try this:

```sh
curl -u admin:password -H 'Accept: application/json' -X GET 'http://192.168.1.2:9000/api/users/user_name?pretty=true'
```

I think your requirement is not possible in the latest Graylog 3.1 version: if you want a user to search, you have to allow at least read permission on a stream, which adds Streams to the main menu. You can add any dashboard you want, because it works independently from streams. Some fields of the System menu you can hide, but not all.

For example, System - Input can be hidden using these role permissions (it's a copy of the default Reader role without the input:read permission):
http://graylog.domain.com:9000/api/api-browser/#!/Roles/create_post_1

```json
{
  "name": "Reader2",
  "description": "Reader role without Input read",
  "permissions": [
    "indexercluster:read",
    "clusterconfigentry:read",
    "messagecount:read",
    "journal:read",
    "messages:analyze",
    "metrics:read",
    "savedsearches:edit",
    "fieldnames:read",
    "buffers:read",
    "system:read",
    "savedsearches:create",
    "jvmstats:read",
    "decorators:read",
    "throughput:read",
    "savedsearches:read",
    "messages:read"
  ],
  "read_only": false
}
```

Role permissions can be updated using:
http://graylog.domain.com:9000/api/api-browser/#!/Roles/update_put_2

By default you can't edit the default Reader role, and the web interface requires assigning the user at least the Reader role. So you need to use the API to assign another role to the user; replace the line with:
http://graylog.beset.sk:9000/api/api-browser/#!/Users/changeUser_put_2

```json
"roles": [
  "Reader2"
],
```

Before updating the role, you should read the user parameters (use them in the update user field, and change the roles):
http://graylog.domain.com:9000/api/api-browser/#!/Users/get_get_4
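The procedure from the post above (clone the Reader role without inputs:read, then re-assign the user to the clone), written out as an added Python example. This is my code, not code from this thread or from the Graylog project. It checks the new role against the permission catalogue posted earlier in the thread, refuses to silently ignore a misspelled permission, and prepares the POST /api/roles and PUT /api/users/{username} calls without sending them. The endpoint paths are read off the API-browser links above; the field list kept for the user update, the X-Requested-By header and the user record used in the demo are assumptions or constructed stand-ins.

```python
"""Clone the Reader role without inputs:read and build the API calls that
install it. Added example; not code from the thread or from Graylog."""
import json
from base64 import b64encode
from urllib.request import Request, urlopen

# Constructed subset of the 3.1.3 permission catalogue posted in the thread,
# keyed by resource, so role definitions can be checked before they are sent.
CATALOG = {
    "buffers": ["read"],
    "clusterconfigentry": ["read", "delete", "edit", "create"],
    "decorators": ["create", "read", "edit"],
    "fieldnames": ["read"],
    "indexercluster": ["read"],
    "inputs": ["terminate", "read", "create", "changestate", "edit"],
    "journal": ["edit", "read"],
    "jvmstats": ["read"],
    "messagecount": ["read"],
    "messages": ["read", "analyze"],
    "metrics": ["read", "allkeys", "readall", "readhistory"],
    "savedsearches": ["read", "create", "edit"],
    "system": ["read"],
    "throughput": ["read"],
}

# The Reader2 list from the thread with inputs:read put back, i.e. the default
# Reader role as the thread describes it.
READER_PERMISSIONS = [
    "indexercluster:read", "clusterconfigentry:read", "messagecount:read",
    "journal:read", "messages:analyze", "metrics:read", "savedsearches:edit",
    "fieldnames:read", "buffers:read", "system:read", "savedsearches:create",
    "jvmstats:read", "decorators:read", "throughput:read", "savedsearches:read",
    "messages:read", "inputs:read",
]


def invalid_permissions(perms, catalog=CATALOG):
    """Return entries that are not a '<resource>:<action>' pair in the catalogue."""
    bad = []
    for p in perms:
        resource, _, action = p.partition(":")
        if action not in catalog.get(resource, []):
            bad.append(p)
    return bad


def derive_role(name, description, base_perms, drop):
    """Copy base_perms into a new role definition minus the permissions in drop.

    A drop entry that is not in the base is an error rather than a no-op: a typo
    such as 'input:read' would otherwise leave the access you meant to remove."""
    missing = set(drop) - set(base_perms)
    if missing:
        raise ValueError(f"not in base role: {sorted(missing)}")
    bad = invalid_permissions(base_perms)
    if bad:
        raise ValueError(f"unknown permissions: {bad}")
    return {
        "name": name,
        "description": description,
        "permissions": sorted(p for p in base_perms if p not in drop),
        "read_only": False,
    }


def build_user_update(user, roles):
    """Body for PUT /api/users/{username}: copy the fields from the GET response
    that the update call accepts (assumed list) and replace the roles."""
    keep = ("email", "full_name", "timezone", "session_timeout_ms",
            "permissions", "startpage")
    body = {k: user[k] for k in keep if k in user}
    body["roles"] = list(roles)
    return body


def api_request(base_url, method, path, body, user, password):
    """Build (but do not send) an authenticated JSON request. X-Requested-By is
    assumed to be required by Graylog on state-changing calls."""
    token = b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json",
               "Content-Type": "application/json", "X-Requested-By": "role-script"}
    data = None if body is None else json.dumps(body).encode()
    return Request(base_url.rstrip("/") + path, data=data, headers=headers, method=method)


def plan(base_url, username, role, user_json, auth):
    """The two calls in order: create the role, then re-assign the user to it."""
    return [
        api_request(base_url, "POST", "/api/roles", role, *auth),
        api_request(base_url, "PUT", f"/api/users/{username}",
                    build_user_update(user_json, [role["name"]]), *auth),
    ]


def send(req):
    """Execute a prepared request; returns parsed JSON, or None for empty replies."""
    with urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


if __name__ == "__main__":
    # Constructed stand-in for the GET /api/users/support response.
    support = {"username": "support", "email": "support@example.com",
               "full_name": "Support", "permissions": [], "roles": ["Reader"],
               "timezone": "UTC", "session_timeout_ms": 3600000, "id": "abc"}
    reader2 = derive_role("Reader2", "Reader role without Input read",
                          READER_PERMISSIONS, {"inputs:read"})
    for req in plan("http://127.0.0.1:9000", "support", reader2, support,
                    ("admin", "password")):
        print(req.get_method(), req.full_url)  # pass each to send() to apply
```

The user record is fetched first, as the post says, so that the PUT carries the user's existing settings and only the roles change; the role list is sorted so two runs produce identical bodies that can be diffed against what the API returns.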

Okay, so you can't restrict the drop-down items on the System / Authentication menu? Because it looks like some options are missing when I set up new users, so it must be possible.

Of course a normal user won't see menus like System - Authentication. A normal user with the Reader role will still see these menus: System - Overview, Configuration, Input, Nodes, Enterprise. Usually it is not a big deal.

Okay, I want to remove it for normal users.

The example role Reader2 that I posted above hides System - Input; it should be enough for you, as you wrote that normal users shouldn't see your input list.

I would love to use that API browser but it does not seem to work; it tries to go to 127.0.0.1 rather than my base URL.

Check your /etc/graylog/server/server.conf parameters:

```
http_bind_address =
http_publish_uri =
http_external_uri =
```

```
http_bind_address = 127.0.0.1:9000
http_publish_uri = http://127.0.0.1:9000
#http_external_uri
```

I have this behind an Apache proxy:

```apache
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

<Location />
    RequestHeader set X-Graylog-Server-URL "https://prod-logging.celer-tech.com/"
    ProxyPass http://127.0.0.1:9000/
    ProxyPassReverse http://127.0.0.1:9000/
</Location>

<Location /api/api-browser>
    RequestHeader set X-Graylog-Server-URL "https://prod-logging.celer-tech.com/"
    ProxyPass http://127.0.0.1:9000/api/api-browser
    ProxyPassReverse http://127.0.0.1:9000/api/api-browser
</Location>
```
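An added Python example (my code, not from this thread or from the Graylog project) that checks the three server.conf parameters named above against the proxy URL used in the Apache config. It parses the posted values, works out which URI the node will hand to the web interface and API browser, and flags a loopback address or a mismatch with the proxy. The fallback chain it applies (http_external_uri, then http_publish_uri, then http_bind_address) is Graylog's documented default behaviour and is stated in the code as the assumption the check rests on; the sample config is a constructed copy of the values posted.

```python
"""Check the server.conf URI settings the thread lists for a Graylog node
behind a reverse proxy. Added example, not from the thread or from Graylog."""
from urllib.parse import urlsplit

# Constructed copy of the values posted in the thread (http_external_uri commented out).
SAMPLE_CONF = """
http_bind_address = 127.0.0.1:9000
http_publish_uri = http://127.0.0.1:9000
#http_external_uri
"""

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def parse_conf(text):
    """Parse 'key = value' lines; comments, blank lines and empty values count as unset."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if value.strip():
            conf[key.strip()] = value.strip()
    return conf


def effective_external_uri(conf):
    """The URI the web interface and API browser are told to use.

    Assumed fallback chain (Graylog's documented defaults):
    http_external_uri -> http_publish_uri -> http://<http_bind_address>/."""
    uri = conf.get("http_external_uri") or conf.get("http_publish_uri")
    if not uri:
        uri = "http://" + conf.get("http_bind_address", "127.0.0.1:9000")
    return uri if uri.endswith("/") else uri + "/"


def check(conf, proxy_url=None):
    """Return human-readable findings; an empty list means the settings agree."""
    findings = []
    uri = effective_external_uri(conf)
    host = urlsplit(uri).hostname or ""
    if host in LOOPBACK or host.startswith("127."):
        findings.append(f"clients are told to use {uri}, which only resolves on the node itself")
    if proxy_url:
        want = proxy_url if proxy_url.endswith("/") else proxy_url + "/"
        if uri != want:
            findings.append(f"http_external_uri should be {want} (currently {uri})")
    return findings


if __name__ == "__main__":
    for finding in check(parse_conf(SAMPLE_CONF), "https://prod-logging.celer-tech.com/"):
        print("-", finding)
```

Run against a real file with `check(parse_conf(open("/etc/graylog/server/server.conf").read()), "<proxy url>")`; the bind and publish addresses can stay on loopback behind the proxy, it is only the external URI that must carry the public name.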

Somebody talked about it recently.