while playing around with stream permissions, i found out that it is possible for a user with editing permission (e.g. “permissions”: [ “streams:edit:xxxxxxxxxxxxxxxxxxxxxxxxxxx” ]) on a particular stream to create either the “always match” rule or build a tautology using “field exists” in kombination with OR (field “source” exists OR field “source” not exists), using a catch-all regex rule, etc. Isn´t this undermining the security concept to allow non-admin user to see every log message ? I would welcome at least a hint or information in the doc for users planing a security concept in graylog.
Versions used: graylog 2.3.1, elasticsearch 5.5.2, Oracle jre 1.8.0_144, mongodb 3.4.7, all on Ubuntu 16.04 LTS.