User permissions vs. the API

Hello nice graylog people,

is there any design document that would explain Graylog user roles and permissions with respect to the API?

-----------------------------------------------------------------

I ask because so far I am failing to see why some APIs are allowed, some disallowed and some live in a gray area in between. The best example of a “gray area” API is /system/indices/index_sets?stats=true executed as a user with the “Reader” role, which gives the following output:

    {
      "total": 0,
      "index_sets": [],
      "stats": {
        "60743a31e6a7de93db9c8add": {"indices": 75, "documents": 402282792540, "size": 667193734390749},
        ...
        "6e4212de9e7ca8a3e65b21d4": {"indices": 25, "documents": 7815020172, "size": 30915485037590}
      }
    }

On the one hand Graylog tells my user that there are no index sets configured… but at the same time it says there are 4 index sets with these IDs and this many documents.

I do believe that all users have to use their credentials for the API. Anything else on the Web UI would be from role/s on what they can or cannot do.

What version of Graylog do you have?

Resources:
https://docs.graylog.org/docs/permission-management
https://docs.graylog.org/v1/docs/rest-api

That is exactly the question - I am failing to see a pattern in the APIs a “Reader” role can use.

I am using Graylog 4.1

I do recall there being an issue similar to what you’re seeing in GitHub - Graylog2/graylog2-server: Free and open source log management at one point and I could swear that our developers have already fixed it, though I can’t immediately recall if that’s the case. That said though, you can view exactly what permissions the Reader role has by using the API browser or the /authz/roles endpoint. Performing a GET yields the following info about the role:

    {
      "id": "606f5f7df7e0fe0cde116f54",
      "name": "Reader",
      "description": "Grants basic permissions for every Graylog user (built-in)",
      "permissions": [
        "clusterconfigentry:read",
        "indexercluster:read",
        "customization:notification:read",
        "messagecount:read",
        "journal:read",
        "enterprise_failure_handler_config:read",
        "messages:analyze",
        "inputs:read",
        "metrics:read",
        "fieldnames:read",
        "buffers:read",
        "system:read",
        "customization:theme:read",
        "jvmstats:read",
        "decorators:read",
        "throughput:read",
        "illuminate_bundle_management:read",
        "messages:read"
      ],
      "read_only": true
    },

Which corresponds to the full list here: graylog2-server/RestPermissions.java at master · Graylog2/graylog2-server · GitHub

Ha, so I assume that “partial” API response is because of “messagecount:read”.
That matches what I am observing nicely. I can read message counts, but nothing else.

Oh, you mean that the behavior I am seeing is unintentional?
Should I prepare for losing access to message counts, or for gaining access to index set names?

Purpose details

It is no big deal. I am actually (ab)using that value to get “rate of messages” per index set,
which can be obtained by querying the alias/reflector in ES and not the whole index set in Graylog.

It will be just an inconvenience to have this monitoring under “ES cluster” object instead of “graylog cluster”.
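Added example, not part of the thread or of Graylog's code: a small audit that takes a role's permission list (as returned by /authz/roles) and an index_sets?stats=true response, and flags every stats entry for an index set the caller can neither list nor read. It assumes permissions are matched Shiro-wildcard style and that the relevant permission is named indexsets:read; the sample response is constructed from the two entries visible in the output quoted above.

```python
import json

# Reader role permissions, copied from the /authz/roles output in the thread.
READER = ("clusterconfigentry:read indexercluster:read customization:notification:read "
          "messagecount:read journal:read enterprise_failure_handler_config:read "
          "messages:analyze inputs:read metrics:read fieldnames:read buffers:read "
          "system:read customization:theme:read jvmstats:read decorators:read "
          "throughput:read illuminate_bundle_management:read messages:read").split()

# Constructed sample: the Reader response from the thread, limited to the two IDs shown.
RESPONSE = json.loads("""{"total": 0, "index_sets": [], "stats": {
  "60743a31e6a7de93db9c8add": {"indices": 75, "documents": 402282792540, "size": 667193734390749},
  "6e4212de9e7ca8a3e65b21d4": {"indices": 25, "documents": 7815020172, "size": 30915485037590}}}""")

def implies(granted, wanted):
    """Shiro-style wildcard match (assumed model): does `granted` cover `wanted`?"""
    g = [set(p.split(",")) for p in granted.split(":")]
    w = [set(p.split(",")) for p in wanted.split(":")]
    for i, want in enumerate(w):
        if i >= len(g):
            return True                      # a shorter grant covers all deeper parts
        if "*" not in g[i] and not want <= g[i]:
            return False
    return all("*" in part for part in g[len(w):])  # extra granted parts must be wildcards

def allowed(permissions, wanted):
    """True if any permission in the list covers `wanted`."""
    return any(implies(p, wanted) for p in permissions)

def audit_index_set_stats(response, permissions):
    """Return stats entries for index sets the caller can neither list nor read."""
    listed = {s["id"] for s in response.get("index_sets", [])}
    findings = []
    for set_id, stats in sorted(response.get("stats", {}).items()):
        # "indexsets:read" is the assumed permission name guarding index set details.
        if set_id in listed or allowed(permissions, f"indexsets:read:{set_id}"):
            continue
        findings.append({"index_set": set_id, "exposed_fields": sorted(stats)})
    return findings

if __name__ == "__main__":
    for finding in audit_index_set_stats(RESPONSE, READER):
        print("stats visible without indexsets:read ->", finding)
```

Run against saved responses for each low-privilege role after an upgrade, an empty result means the list and the stats map agree on what the role may see.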