SSO-Auth users with Admin role are Unauthorized for some calls

Hey folks, I’m having an issue with getting permissions to work properly with users authenticating via the SSO-Auth plugin.

Users can authenticate and search streams without issues, but still receive an “Unauthorized” error that prevents things in the UI from loading (e.g. throughput metrics). These calls all work for the default admin user, but I’m using the same built-in Admin role for my SSO-Auth users that the built-in admin user has, so I don’t know why these calls are failing. I’ve also tried creating a custom role that explicitly lists all the permissions and got the same result.

Here are some logs from my Graylog server while an SSO-Auth user is connected:

2020-05-26 18:37:18,244 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call http://10.33.41.214:9000/api/system on node <d9aa9853-4025-4dfa-a7ec-462aeb99430a>, result: Unauthorized

2020-05-26 18:37:19,449 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call http://10.33.41.214:9000/api/system/metrics/multiple on node <d9aa9853-4025-4dfa-a7ec-462aeb99430a>, result: Unauthorized

2020-05-26 18:37:20,150 WARN : org.graylog2.rest.resources.cluster.ClusterSystemResource - Unable to get jvm information on node d9aa9853-4025-4dfa-a7ec-462aeb99430a: Unauthorized

2020-05-26 18:37:21,420 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call http://10.33.41.214:9000/api/system/metrics/multiple on node <d9aa9853-4025-4dfa-a7ec-462aeb99430a>, result: Unauthorized

2020-05-26 18:37:22,433 WARN : org.graylog2.rest.resources.cluster.ClusterSystemResource - Unable to get plugin list on node d9aa9853-4025-4dfa-a7ec-462aeb99430a: Unauthorized

2020-05-26 18:37:23,253 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call http://10.33.41.214:9000/api/system on node <d9aa9853-4025-4dfa-a7ec-462aeb99430a>, result: Unauthorized

2020-05-26 18:37:23,411 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call http://10.33.41.214:9000/api/system/metrics/multiple on node <d9aa9853-4025-4dfa-a7ec-462aeb99430a>, result: Unauthorized

I’ve tried to get these permissions working on versions 2.4.2, 2.5.1, 3.0.2, 3.1.4, 3.2.5, and the latest 3.3.0 without any luck. I haven’t found any other posts describing similar issues, so I don’t know if this is a long-standing bug, an issue in my configuration, or what. :confused:

Any help figuring out how to get these calls working for SSO-Auth users is much appreciated!

Hey @Capitrium

What permissions did you give explicitly to the users? What groups, what non-default groups, and what permissions do these include?

Hey @jan

I added every permission listed in the code to my test role: https://github.com/Graylog2/graylog2-server/blob/master/graylog2-server/src/main/java/org/graylog2/shared/security/RestPermissions.java#L33-L150

@jan Digging into this more using the global api browser, it seems like the /cluster calls are what’s broken for SSO users:

request body:
{"metrics":["org.graylog2.throughput.input.1-sec-rate","org.graylog2.throughput.output.1-sec-rate"]}

POST /api/cluster/metrics/multiple:
{
  "a298833e-a004-4491-9b37-5c681bea68c5": null
}

POST /api/system/metrics/multiple:
{
  "total": 2,
  "metrics": [
    {
      "full_name": "org.graylog2.throughput.input.1-sec-rate",
      "metric": {
        "value": 61
      },
      "name": "1-sec-rate",
      "type": "gauge"
    },
    {
      "full_name": "org.graylog2.throughput.output.1-sec-rate",
      "metric": {
        "value": 61
      },
      "name": "1-sec-rate",
      "type": "gauge"
    }
  ]
}

I think I know what’s happening here - most requests use the http_external_uri so they pass through our reverse proxy which is configured to pass the SSO headers to Graylog, but the requests that directly hit Graylog nodes via IP aren’t going through that same path so they’re coming back as Unauthorized, which definitely seems like a bug.
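An added triage script for the situation described in the post above (my code, not Graylog's and not posted in the thread). It parses the WARN lines quoted earlier to show that every "Unauthorized" is on a node-to-node hop (ProxiedResource / ClusterSystemResource, i.e. a node calling another node by IP), and compares the two API responses pasted above to confirm that the node-local endpoint answers while the clustered fan-out returns null per node. The `probe` helper repeats that comparison live against a real server and is the only part that needs network; the `Remote-User` header name and the `sso-triage` value are assumptions, set them to whatever the SSO-Auth plugin is configured with.

```python
"""Triage helper for Graylog "Unauthorized" warnings on proxied node-to-node API calls.

Added example, not Graylog's code.  Assumptions: the WARN lines have the layout shown in
the thread, and the SSO-Auth plugin trusts a username header called ``Remote-User``.
"""
import json
import re
import urllib.error
import urllib.request
from collections import Counter
from typing import Dict, List, Optional

SSO_HEADER = "Remote-User"  # assumption: header name configured in the SSO-Auth plugin

# Constructed sample input: four of the WARN lines quoted in the thread.
SAMPLE_LOG = """\
2020-05-26 18:37:18,244 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call http://10.33.41.214:9000/api/system on node <d9aa9853-4025-4dfa-a7ec-462aeb99430a>, result: Unauthorized
2020-05-26 18:37:19,449 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call http://10.33.41.214:9000/api/system/metrics/multiple on node <d9aa9853-4025-4dfa-a7ec-462aeb99430a>, result: Unauthorized
2020-05-26 18:37:20,150 WARN : org.graylog2.rest.resources.cluster.ClusterSystemResource - Unable to get jvm information on node d9aa9853-4025-4dfa-a7ec-462aeb99430a: Unauthorized
2020-05-26 18:37:22,433 WARN : org.graylog2.rest.resources.cluster.ClusterSystemResource - Unable to get plugin list on node d9aa9853-4025-4dfa-a7ec-462aeb99430a: Unauthorized
"""

# Constructed sample input: the two responses pasted in the thread for the same request body.
SAMPLE_CLUSTER_RESPONSE = '{"a298833e-a004-4491-9b37-5c681bea68c5": null}'
SAMPLE_SYSTEM_RESPONSE = (
    '{"total": 2, "metrics": ['
    '{"full_name": "org.graylog2.throughput.input.1-sec-rate", "metric": {"value": 61}, "name": "1-sec-rate", "type": "gauge"},'
    '{"full_name": "org.graylog2.throughput.output.1-sec-rate", "metric": {"value": 61}, "name": "1-sec-rate", "type": "gauge"}]}'
)
METRICS_BODY = {"metrics": ["org.graylog2.throughput.input.1-sec-rate",
                            "org.graylog2.throughput.output.1-sec-rate"]}

# ProxiedResource: one node calling another node's transport URI directly by IP.
PROXIED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) WARN : (?P<logger>\S+) - Unable to call "
    r"(?P<url>\S+) on node <(?P<node>[0-9a-f-]+)>, result: (?P<result>\w+)$")
# ClusterSystemResource: same fan-out, different wording.
CLUSTER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) WARN : (?P<logger>\S+) - Unable to get "
    r"(?P<what>.+?) on node (?P<node>[0-9a-f-]+): (?P<result>\w+)$")


def parse_unauthorized_hops(log_text: str) -> List[Dict[str, str]]:
    """Return every node-to-node call that came back Unauthorized.

    Both loggers are internal fan-out paths: the request never passes through the
    reverse proxy that injects the SSO header, so only the forwarded credentials count.
    """
    hops = []
    for line in log_text.splitlines():
        m = PROXIED_RE.match(line)
        if m:
            target = re.sub(r"^https?://[^/]+", "", m.group("url"))  # keep the API path only
        else:
            m = CLUSTER_RE.match(line)
            if not m:
                continue
            target = m.group("what")
        if m.group("result") == "Unauthorized":
            hops.append({"node": m.group("node"), "target": target,
                         "logger": m.group("logger").rsplit(".", 1)[-1]})
    return hops


def failures_by_node(hops: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Group the failing hops per target node so a single bad node stands out."""
    counts: Dict[str, Counter] = {}
    for hop in hops:
        counts.setdefault(hop["node"], Counter())[hop["target"]] += 1
    return counts


def proxied_hop_is_the_failure(system_body: str, cluster_body: str) -> bool:
    """True when /system/... answers with metrics but /cluster/... is null for every node.

    That pattern means the caller's identity is accepted by the node it reached
    directly but is not carried across the proxied hop to the other nodes.
    """
    system = json.loads(system_body)
    cluster = json.loads(cluster_body)
    local_ok = system.get("total", 0) > 0 and bool(system.get("metrics"))
    fanout_empty = bool(cluster) and all(v is None for v in cluster.values())
    return local_ok and fanout_empty


def probe(base_url: str, user: str, timeout: float = 5.0) -> Dict[str, Optional[int]]:
    """Live check (needs network, not run by the sample): POST the same metrics request
    to the node-local and the clustered endpoint with the SSO header set, and return the
    HTTP status per path.  X-Requested-By is required by Graylog's CSRF protection."""
    statuses: Dict[str, Optional[int]] = {}
    for path in ("/api/system/metrics/multiple", "/api/cluster/metrics/multiple"):
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=json.dumps(METRICS_BODY).encode(), method="POST",
            headers={"Content-Type": "application/json", "X-Requested-By": "sso-triage",
                     SSO_HEADER: user})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                statuses[path] = resp.status
        except urllib.error.HTTPError as err:
            statuses[path] = err.code
        except urllib.error.URLError:
            statuses[path] = None
    return statuses


if __name__ == "__main__":
    for node, targets in failures_by_node(parse_unauthorized_hops(SAMPLE_LOG)).items():
        print(node, dict(targets))
    print("proxied hop is the failure:",
          proxied_hop_is_the_failure(SAMPLE_SYSTEM_RESPONSE, SAMPLE_CLUSTER_RESPONSE))
```

Run it as-is to see the offline summary; to check a live setup, call `probe("https://graylog.example/", "alice")` against the external URI that goes through the reverse proxy and then against a node's own `http://<ip>:9000` with the same user. If the local path returns 200 on both but the cluster path only returns a body full of nulls, the node-to-node hop is what drops the identity, which is the behaviour the post above describes.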

Might be related to IN/OUT messages being reported for the node and not for the cluster.

@Capitrium

But it would be nice if you could open a bug report for that over at GitHub!
