graylog2-server
non-admin user cannot create content pack
Expected Behavior
As a GrayLog user with the contentpacks:* permission I can create a new content pack.
Current Behavior
As a GrayLog user with the contentpacks:* permission, when I attempt to create a new content pack with the web UI I get the error:
The permissions check for the following request failed,
while trying to access /system/contentpacks/create.
There was an error fetching a resource: Forbidden. Additional information: Not authorized
However, I can view the content pack page and create a new version of an existing content pack. I can then successfully download that content pack, uninstall it, delete it, upload it, and install it again.
The only thing I can't do is create a new content pack.
Possible Solution
Steps to Reproduce (for bugs)
- Create a non-administrative user with broad permissions including contentpacks:*
- Log in as that non-admin user and navigate to system/contentpacks
- Click “Create a Content Pack”. Set Name, Summary, and Vendor to “foo”. Select any trivial object. Click Next.
- Observe the error
Background: I used the "Power User" role, defined as:
$ curl http://graylog:9000/api/authz/roles -X GET -H "X-Requested-By: cli" -u admin:AdministratorPassword -sS | jq '.roles[] | select(.name == "Power User")'
{
"id": "62bb485f292b91331d5ef92c",
"name": "Power User",
"description": "Power Users can do everything except admin GrayLog itself",
"permissions": [
"clusterconfigentry:read",
"pipeline:*",
"authhttpheaderconfig:read",
"sidecar_collector_configurations:read",
"users:read",
"aws:read",
"journal:read",
"licenseinfos:read",
"eventdefinitions:*",
"systemjobs:read",
"authservicebackend:read",
"dashboards:*",
"sources:read",
"notifications:read",
"collectors:read",
"lookuptables:read",
"searches:*",
"inputs:read",
"loggersmessages:read",
"decorators:*",
"sidecar_collectors:read",
"fieldnames:read",
"contentpack:*",
"eventnotifications:*",
"jvmstats:read",
"throughput:read",
"pipeline_rule:*",
"stream_outputs:*",
"messages:*",
"messagecount:read",
"view:*",
"systemmessages:read",
"indexsets:read",
"streams:*",
"catalog:list",
"outputs:read",
"default-view:set",
"authserviceglobalconfig:read",
"indexercluster:read",
"pipeline_connection:*",
"sidecars:read",
"urlwhitelist:read",
"roles:read",
"deflector:read",
"grantsoverview:read",
"buffers:read",
"indexranges:read",
"system:read",
"indices:read",
"metrics:*",
"loggers:read"
],
"read_only": false
}
Context
Some Graylog non-admin users need to create content packs so they can take their dashboards and pipelines from one Graylog instance to another, such as promoting from dev to stage to prod, or for different geographies.
Discussion started in https://community.graylog.org/t/content-packs-and-permissions/24546
Your Environment
- Graylog Version: 2.1.3
- Java Version: included
- Elasticsearch Version: included
- MongoDB Version: included
- Operating System: Kubernetes/Helm
- Browser version: Chrome 103
I found the issue, posting for the benefit of posterity.
In actual fact, the API that fails is a POST to api/system/catalog despite the error message naming /system/contentpacks/create.
Granting catalog:resolve in addition to catalog:list corrects this issue.
I'd still really like to know how I can more effectively debug permissions problems, but I'm unblocked.
Thank you!
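For anyone who, like the reporter, wants to debug a Forbidden response before guessing at permissions: the following is an added example (not Graylog project code) that checks a role's permission list against the permissions a request needs, using the Shiro-style wildcard semantics Graylog permission strings follow. The role subset and the assumed set of permissions exercised by the create flow (contentpack:create is an assumption; catalog:list and catalog:resolve come from the comment above) are constructed here.

```python
"""Check a Graylog role's permission strings against what a request needs.

Graylog permission strings are Apache Shiro WildcardPermissions: ':' separates
parts, ',' separates alternatives within a part, and '*' matches anything.
"""


def implies(granted: str, required: str) -> bool:
    """Return True if the granted permission string covers the required one."""
    g = [set(part.split(",")) for part in granted.lower().split(":")]
    r = [set(part.split(",")) for part in required.lower().split(":")]
    for i, rpart in enumerate(r):
        if i >= len(g):
            return True  # fewer granted parts: "contentpack" implies "contentpack:create"
        if "*" not in g[i] and not rpart <= g[i]:
            return False  # "catalog:list" does not cover "catalog:resolve"
    # Extra granted parts beyond the required ones must all be wildcards.
    return all("*" in gpart for gpart in g[len(r):])


def missing_permissions(role_permissions, required):
    """Required permissions that no entry of the role implies, in order."""
    return [req for req in required
            if not any(implies(granted, req) for granted in role_permissions)]


# Constructed subset of the "Power User" role quoted in the report.
POWER_USER = ["contentpack:*", "catalog:list", "dashboards:*", "streams:*", "users:read"]

# Assumed permissions exercised by the create-content-pack flow: the catalog
# lookups named in the follow-up plus the create action itself
# (contentpack:create is an assumption, not taken from the report).
CONTENT_PACK_CREATE_FLOW = ["contentpack:create", "catalog:list", "catalog:resolve"]

if __name__ == "__main__":
    print(missing_permissions(POWER_USER, CONTENT_PACK_CREATE_FLOW))  # ['catalog:resolve']
    fixed = POWER_USER + ["catalog:resolve"]
    print(missing_permissions(fixed, CONTENT_PACK_CREATE_FLOW))  # []
```

Feed it the "permissions" array from the curl output above and the permission names logged server-side for the failing request to see exactly which grant is absent.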