2.0a4 User with correct permissions not allowed to view stream

[SjonHortensius]

I have created a user with a Reader role and a proper role to view a few streams. This user can list the stream(names), but clicking a stream logs the user out immediately. The backend then says

INFO : org.graylog2.shared.security.ShiroAuthorizationFilter - User org.apache.shiro.subject.support.DelegatingSubject@47f819e9not authorized.
org.apache.shiro.authz.UnauthorizedException: Subject does not have permission [clusterconfigentry:read]
at org.apache.shiro.authz.ModularRealmAuthorizer.checkPermission(ModularRealmAuthorizer.java:323) ~[server.jar:?]
at org.apache.shiro.mgt.AuthorizingSecurityManager.checkPermission(AuthorizingSecurityManager.java:137) ~[server.jar:?]
at org.apache.shiro.subject.support.DelegatingSubject.checkPermission(DelegatingSubject.java:205) ~[server.jar:?]
at org.apache.shiro.authz.aop.PermissionAnnotationHandler.assertAuthorized(PermissionAnnotationHandler.java:74) ~[server.jar:?]
at org.graylog2.shared.security.ShiroAuthorizationFilter.filter(ShiroAuthorizationFilter.java:51) [server.jar:?]
at org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:132) [server.jar:?]
at org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:68) [server.jar:?]
at org.glassfish.jersey.process.internal.Stages.process(Stages.java:197) [server.jar:?]
at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:318) [server.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [server.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [server.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [server.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [server.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [server.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [server.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [server.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [server.jar:?]
at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:384) [server.jar:?]
at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) [server.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [server.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_74]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_74]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_74]
2016-03-03 11:49:37,872 ERROR: org.graylog2.shared.rest.exceptionmappers.AnyExceptionClassMapper - Unhandled exception in REST resource
org.apache.shiro.session.UnknownSessionException: There is no session with id [8a80a184-d5cd-4ea8-9675-c9e226fff76b]
at org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170) ~[server.jar:?]
at org.apache.shiro.session.mgt.eis.CachingSessionDAO.readSession(CachingSessionDAO.java:261) ~[server.jar:?]
at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236) ~[server.jar:?]
at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222) ~[server.jar:?]
at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118) ~[server.jar:?]
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:108) ~[server.jar:?]
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:112) ~[server.jar:?]
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.getAttribute(AbstractNativeSessionManager.java:209) ~[server.jar:?]
at org.apache.shiro.session.mgt.DelegatingSession.getAttribute(DelegatingSession.java:141) ~[server.jar:?]
at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) ~[server.jar:?]
at org.apache.shiro.subject.support.DelegatingSubject.getRunAsPrincipalsStack(DelegatingSubject.java:469) ~[server.jar:?]
at org.apache.shiro.subject.support.DelegatingSubject.getPrincipals(DelegatingSubject.java:153) ~[server.jar:?]
at org.apache.shiro.subject.support.DelegatingSubject.hasPrincipals(DelegatingSubject.java:126) ~[server.jar:?]
at org.apache.shiro.subject.support.DelegatingSubject.isPermitted(DelegatingSubject.java:158) ~[server.jar:?]
at org.graylog2.shared.rest.resources.RestResource.isPermitted(RestResource.java:96) ~[server.jar:?]
at org.graylog2.shared.rest.resources.RestResource.checkPermission(RestResource.java:110) ~[server.jar:?]
at org.graylog2.rest.resources.streams.StreamResource.get(StreamResource.java:185) ~[server.jar:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_74]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_74]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_74]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_74]
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81) ~[server.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144) ~[server.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161) ~[server.jar:?]
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:205) ~[server.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99) ~[server.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389) ~[server.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347) ~[server.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102) ~[server.jar:?]
at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326) [server.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [server.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [server.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [server.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [server.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [server.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [server.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [server.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [server.jar:?]
at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:384) [server.jar:?]
at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) [server.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [server.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_74]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_74]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_74]

[kroepke]

The newly added permissions need to be added to the built-in roles.
See

graylog2-server/graylog2-server/src/main/java/org/graylog2/shared/security/RestPermissions.java

Line 224 in 1f6da40

protected static final Set<String> READER_BASE_PERMISSION_SELECTION = ImmutableSet.<String>builder().add(

[SjonHortensius]

Is there a work-around for this? I'm now assigning Admin roles to my users to work around this :)

[kroepke]

You could manually (via the API) create a role that grants the clusterconfigentry:read permission and assign that role to the users, yes.
Or wait until the next alpha which will have the fix ;)

[SjonHortensius]

If you also add fieldnames:read, that does indeed work

[kroepke]

The fieldnames:read is already part of the base permissions for reader users and should not need to be added (it worked with that in my tests). Did you modify the reader role in the database?

[SjonHortensius]

I did not modify the Reader role, but this install started as a 0.x install, maybe some sort of upgrade issue? Unless I added it, it didn't work