New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Has Permissions changed in Graylog 2.0.2 #2358

Closed
123dev opened this Issue Jun 16, 2016 · 8 comments

Comments

Projects
None yet
4 participants
@123dev

123dev commented Jun 16, 2016

Problem description

Previously with Graylog 1.3.x we needed more granularity into a role, that was not directly possible to achieve from the ui.
Let me explain
We needed a developer role whose members could see the Search feature without necessarily having to be on a stream (search menu that is available for admins) along with few other permissions.

So what we did was create the dev role from the UI, and then update the permissions using the API

Our dev role was set to this

{
  "name": "Dev",
  "description": "Developers Role",
  "permissions": [
     "dashboards:create",
     "dashboards:read",
     "sources:read",
     "streams:create",
     "streams:read",
     "messages:analyze",
     "searches:absolute",
     "searches:keyword",
     "searches:relative"
  ],
  "read_only": false
}

And this was working fine in 1.3.x
After the upgrade to 2.0.2, this is no longer working, even though when I check the user's permissions that is a member of Dev role, (using the API) I get to see the above permissions.

Checking the RestPermissions.java I see those permissions are still valid.

Did something change that I need to adjust? or is there a regression in the way permissions work?

To make matters worse, I tried to create a test role from the UI to see if there was any change in schema.
I tried with Chrome and Firefox and no matter what the Save button is not clickable
Basically can't add roles
Not sure if this is local to my environment or a possible regression.

Dev console of the browser gives the following warnings (not sure if they are relevant)

Warning: Failed propType: Invalid prop `items` of type `List` supplied to `TableList`, expected instance of `List`. Check the render method of `PermissionSelector`.

Warning: Failed propType: Invalid prop `data` of type `object` supplied to `TypeAheadDataFilter`, expected `array`. Check the render method of `TableList`.

Steps to reproduce the problem

Problem 1

  • Create a Dev role using API as described above
  • add a member to that role
  • test it in 1.3.x, the user has access to Search / Sources ... (whatever permissions allow)
  • Repeat the same in 2.0.2
  • Search is not available

Problem two

  • Try to add a new role using the WEB UI of 2.0.2
  • Fill in a name, description and select at least one permission
  • Can't save (not clickable)

Environment

AWS Image

  • Graylog Version: 2.0.2

Thanks

@edmundoa

This comment has been minimized.

Member

edmundoa commented Jun 16, 2016

Hi @123dev,

Regarding the permissions issue, what do you mean exactly by "search is not available"? Using the example role you kindly provided, I am seeing that the navigation bar doesn't show the search tab, but I can still access /search by typing it on the navigation bar. Is that the issue you are experiencing or is there something else?

I couldn't reproduce the second issue you reported regarding the "Save" button in the roles page. Could you please tell us how you tried to create it? A page screenshot when you would be ready to click "Save" it's probably the best way for me to see how you did it.

Thank you!

@edmundoa edmundoa added the bug label Jun 16, 2016

@123dev

This comment has been minimized.

123dev commented Jun 16, 2016

Thanks edmundoa

Here's what I get logging in with a user with dev role

2016-06-16 08_01_21-graylog web interface - waterfox

and here's what we're missing (I'm logged it as admin for this one)
2016-06-16 08_04_36-graylog web interface

This was working as expected in version 1.3.x

As for creating role issue.
i just tried in IE and same problem
I add a role
Fill in as follows
2016-06-16 08_07_09-graylog web interface - internet explorer

2016-06-16 08_07_32-graylog web interface - internet explorer

The save button is not enabled to be pressed.
And notice the warning message about Please name the role and select at least one permission to save it.
As if some js validation is not detecting that I have those fields already filled.

Thanks for looking into it.

@edmundoa

This comment has been minimized.

Member

edmundoa commented Jun 16, 2016

Thank you for the clarification, it definitely helps!

Could you please check if going to the search page directly by typing http://<graylog-web-host>/search in the navigation bar works?

Regarding the second issue, the checkbox you are checking is meant to apply permissions in more than one stream or dashboard, but has otherwise no effect. You need to select the kind of permissions you want on the right side of the table. The buttons look like this:
screen shot 2016-06-16 at 14 50 43

Once you click on the kind of permissions you want, the save button should be enabled.

@edmundoa edmundoa self-assigned this Jun 16, 2016

@edmundoa edmundoa added this to the 2.0.3 milestone Jun 16, 2016

edmundoa added a commit that referenced this issue Jun 16, 2016

Fix permissions checks for non admin users
Some components were using wrong permission values, so non-admin users
could get to do those actions.

Refs #2358

edmundoa added a commit that referenced this issue Jun 16, 2016

Fix permission checks for non admin users
Some components were using wrong permission values, so non-admin users
could never get to do those actions.

Refs #2358
@123dev

This comment has been minimized.

123dev commented Jun 16, 2016

Thanks edmundoa,

For the problem 1
Indeed I was able to access the search and sources by specifying the url.

For the problem 2
I feel silly that I didn't realize that I needed to set Allow Reading or Allow Editing for the role creation issue. :(
Thanks for pointing it out, that works

Thanks

@edmundoa

This comment has been minimized.

Member

edmundoa commented Jun 16, 2016

You are welcome!

The fix for the first issue is on the way. For the second, don't worry, I even get confused by that sometimes. I think that's a sign saying that we need to improve the usability a bit there.

@123dev

This comment has been minimized.

123dev commented Jun 16, 2016

Awesome :)

Many thanks.

dennisoelkers added a commit that referenced this issue Jun 17, 2016

Fix permission checks for non admin users (#2366)
* Fix permission checks for non admin users

Some components were using wrong permission values, so non-admin users
could never get to do those actions.

Refs #2358

* Fix another couple of broken permissions

This time they were using the `IfPermitted` component

* Replace isPermitted with IfPermitted

Use IfPermitted in previously changed files when possible.

dennisoelkers added a commit that referenced this issue Jun 17, 2016

Fix permission checks for non admin users (#2366)
* Fix permission checks for non admin users

Some components were using wrong permission values, so non-admin users
could never get to do those actions.

Refs #2358

* Fix another couple of broken permissions

This time they were using the `IfPermitted` component

* Replace isPermitted with IfPermitted

Use IfPermitted in previously changed files when possible.

(cherry picked from commit bb5a1ab)

@dennisoelkers dennisoelkers modified the milestones: 2.0.3, 2.0.4 Jun 21, 2016

@edmundoa

This comment has been minimized.

Member

edmundoa commented Jun 22, 2016

This issue was fixed in #2366, and the fix was released in 2.0.3.

@edmundoa edmundoa closed this Jun 22, 2016

@123dev

This comment has been minimized.

123dev commented Jun 23, 2016

Thanks Edmundo,

I can confirm that v2.0.3 resolved our issue.
Much appreciated.

@joschi joschi modified the milestones: 2.0.4, 2.1.0 Aug 11, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment