/graylog2-server

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Roles Permissions #4254

Closed
TenGbps opened this Issue Oct 17, 2017 · 2 comments

Comments

Assignees

@joschi joschi

Labels
bug security web
Projects
None yet
Milestone
  2.4.0
3 participants
@TenGbps @joschi @bernd
@TenGbps

TenGbps commented Oct 17, 2017

User with roles edit on specific id can edit all roles

Permissions

        "roles:edit:59e........1a43", 
        "roles:edit:59e........1a44",

roles

  • Graylog Version: 2.3.1
  • Elasticsearch Version: 5.5.1
  • MongoDB Version: 2.6.12
  • Operating System: CentOS7
  • Browser version: Firefox ESR 52.4

@joschi joschi added bug security to-verify labels Oct 17, 2017

@bernd bernd added this to the 2.4.0 milestone Oct 17, 2017

@joschi

This comment has been minimized.

Sign in to view
Contributor

joschi commented Oct 18, 2017
edited

@TenGbps What are the complete permissions of the user?

You can fetch them with the following command (replace "your-user-name" with the actual user name and adapt the host and port to your Graylog setup):

# curl -u admin:password 'http://127.0.0.1:9000/api/users/your-user-name?pretty=true'

@joschi joschi self-assigned this Oct 18, 2017

@joschi joschi added needs-input and removed to-verify labels Oct 18, 2017

@TenGbps

This comment has been minimized.

Sign in to view

TenGbps commented Oct 18, 2017
edited 

"permissions": [
    "users:edit:test",
    "users:passwordchange:test",
    "clusterconfigentry:read",
    "indexercluster:read",
    "messagecount:read",
    "journal:read",
    "messages:analyze",
    "inputs:read",
    "metrics:read",
    "savedsearches:edit",
    "fieldnames:read",
    "buffers:read",
    "system:read",
    "savedsearches:create",
    "jvmstats:read",
    "decorators:read",
    "throughput:read",
    "savedsearches:read",
    "messages:read",
    "roles:edit:59e5....",
    "indexranges:rebuild",
    "inputs:edit:59db....",
    "dashboards:read:59c3....",
    "indexsets:read:59c3....",
    "roles:read",
    "inputs:terminate:59db....",
    "indices:failures:59c3....",
    "streams:read:59e5c....",
    "indexranges:read",
    "roles:edit:59e5....",
    "indices:read",
    "inputs:read:59d....",
    "dashboards:edit:59c...."
  ],

Permission for role are not based on id ?

@joschi joschi added web and removed needs-input labels Oct 18, 2017

@joschi joschi referenced this issue Oct 18, 2017

Merged

Fix permission handling for editing/deleting roles #4265

@wafflebot wafflebot bot added the in progress label Oct 18, 2017

@kroepke kroepke closed this in #4265 Oct 19, 2017

@wafflebot wafflebot bot removed the in progress label Oct 19, 2017

@kroepke kroepke referenced this issue Oct 19, 2017

Merged

Fix permission handling for editing/deleting roles #4270

joschi added a commit that referenced this issue Oct 19, 2017

@kroepke @joschi
Fix permission handling for editing/deleting roles (#4265) (#4270) 
* Fix permission checks in RoleResource
* Conditionally display buttons in RoleList component

Fixes #4254
Refs #4265
(cherry picked from commit 5c38d3a)
Loading status checks…
5917767
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment