User permissions vs. the API

Hello nice graylog people,

is there any design document that would explain Graylog user roles and permissions w.r.t. the API?


I ask because so far I am failing to see why some APIs are allowed, some disallowed, and some live in a gray area in between. The best example of a “gray area” API is /system/indices/index_sets?stats=true executed as a user with the “Reader” role, which gives the following output:


On one hand, Graylog tells my user that there are no index sets configured… but at the same time it says there are 4 index sets with these IDs and this many documents.

I do believe that all users have to use their credentials for the API. Anything else on the Web UI would be from role/s on what they can or cannot do.

What version of Graylog do you have?


That is exactly the question - I am failing to see a pattern in the APIs a “Reader” role can use.

I am using Graylog 4.1

I do recall there being an issue similar to what you’re seeing in the Graylog2/graylog2-server GitHub repository at one point, and I could swear that our developers have already fixed it, though I can’t immediately recall if that’s the case. That said though, you can view exactly what permissions the Reader role has by using the API browser or the /authz/roles endpoint. Performing a GET yields the following info about the role:

      "id": "606f5f7df7e0fe0cde116f54",
      "name": "Reader",
      "description": "Grants basic permissions for every Graylog user (built-in)",
      "permissions": [
      "read_only": true

Which corresponds to the full list here: graylog2-server/ at master · Graylog2/graylog2-server · GitHub

Ha, so I assume that “partial” API response is because of “messagecount:read”.
That matches what I am observing nicely. I can read message counts, but nothing else.

Oh, you mean that the behavior I am seeing is unintentional?
Should I prepare for losing access to message counts, or for gaining access to index set names?

Purpose details

It is no big deal. I am actually (ab)using that value to get “rate of messages” per index set,
which can be obtained by querying the alias/reflector in ES and not the whole index set in Graylog.

It will be just an inconvenience to have this monitoring under “ES cluster” object instead of “graylog cluster”.
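
The partial response discussed in this thread, as an added example that is not part of the original posts or Graylog's own code: it evaluates a role's permission strings against the permission each part of a response is assumed to need. The role object uses the field names shown above with constructed permission values; the `indexsets:read` mapping, the stream ID and the Shiro-style wildcard matching are assumptions.

```python
# Added example. ROLE uses the field names from the post above; the
# permission values and the stream ID are constructed samples.
ROLE = {
    "name": "Reader",
    "permissions": ["messagecount:read", "streams:read:abc123"],
    "read_only": True,
}

# Assumption for illustration: which permission each part of the
# index-set response needs. "indexsets:read" is not taken from the thread.
RESPONSE_PARTS = {"index_sets": "indexsets:read", "stats": "messagecount:read"}


def implies(granted, required):
    """Wildcard match in the style of Apache Shiro permission strings
    (assumed model): ':' separates levels, ',' separates alternatives,
    '*' matches any value, and a shorter grant covers deeper requests."""
    g = [set(p.split(",")) for p in granted.lower().split(":")]
    r = [set(p.split(",")) for p in required.lower().split(":")]
    for i, wanted in enumerate(r):
        if i >= len(g):
            return True  # grant ended early: everything below is covered
        if "*" not in g[i] and not wanted <= g[i]:
            return False
    # Grant is more specific than the request: only wildcards may remain.
    return all("*" in level for level in g[len(r):])


def role_grants(role, required):
    return any(implies(p, required) for p in role["permissions"])


def classify(role, parts):
    """Return ('full' | 'partial' | 'denied', per-part visibility)."""
    visible = {name: role_grants(role, perm) for name, perm in parts.items()}
    if all(visible.values()):
        verdict = "full"
    elif any(visible.values()):
        verdict = "partial"
    else:
        verdict = "denied"
    return verdict, visible


if __name__ == "__main__":
    print(classify(ROLE, RESPONSE_PARTS))
```

A "partial" verdict for an endpoint is the case worth reviewing, since the caller sees data from one permission check while another check hides the rest.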