Hey folks, I’m having an issue with getting permissions to work properly with users authenticating via the SSO-Auth plugin.
Users can authenticate and search streams without issues, but still receive an “Unauthorized” error that prevents things in the UI from loading (i.e. throughput metrics). These calls all work for the default admin user, but I’m using the same built-in Admin
role for my SSO-Auth users that the built-in admin user has so I don’t know why these calls are failing. I’ve also tried creating a custom role that explicitly lists all the permissions and got the same result.
Here are some logs from my Graylog server while an SSO-Auth user is connected:
2020-05-26 18:37:18,244 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call http://10.33.41.214:9000/api/system on node <d9aa9853-4025-4dfa-a7ec-462aeb99430a>, result: Unauthorized
2020-05-26 18:37:19,449 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call http://10.33.41.214:9000/api/system/metrics/multiple on node <d9aa9853-4025-4dfa-a7ec-462aeb99430a>, result: Unauthorized
2020-05-26 18:37:20,150 WARN : org.graylog2.rest.resources.cluster.ClusterSystemResource - Unable to get jvm information on node d9aa9853-4025-4dfa-a7ec-462aeb99430a: Unauthorized
2020-05-26 18:37:21,420 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call http://10.33.41.214:9000/api/system/metrics/multiple on node <d9aa9853-4025-4dfa-a7ec-462aeb99430a>, result: Unauthorized
2020-05-26 18:37:22,433 WARN : org.graylog2.rest.resources.cluster.ClusterSystemResource - Unable to get plugin list on node d9aa9853-4025-4dfa-a7ec-462aeb99430a: Unauthorized
2020-05-26 18:37:23,253 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call http://10.33.41.214:9000/api/system on node <d9aa9853-4025-4dfa-a7ec-462aeb99430a>, result: Unauthorized
2020-05-26 18:37:23,411 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call http://10.33.41.214:9000/api/system/metrics/multiple on node <d9aa9853-4025-4dfa-a7ec-462aeb99430a>, result: Unauthorized
I’ve tried to get these permissions working on versions 2.4.2, 2.5.1, 3.0.2, 3.1.4, 3.2.5, and the latest 3.3.0 without any luck. I haven’t found any other posts describing similar issues, so I don’t know if this is a long-standing bug, an issue in my configuration, or what.
Any help figuring out how to get these calls working for SSO-Auth users is much appreciated!