graylog2-server

`Field Type Mappings Manager` role does not have indices-related permissions.

Open luk-kaminski opened this issue 2 years ago • 3 comments

Expected Behavior

We don't know yet. May need consulting with Kay or Seth. Possibilities:

  1. Add some index-related permissions to Field Type Mappings Manager role (at least read to do CRUD on profiles, but maybe edit as well, to be able to set profiles on index sets).
  2. Move the UI somewhere else, outside of System->Indices?
  3. Accept that for now this new functionality is only visible to admins?
  4. ...

Current Behavior

Field Type Mappings Manager role does not have indices-related permissions. Because of that, the System->Indices page is not visible for a non-admin user with this role. Effectively, users of that kind can only work with profiles via REST calls, not via the GL UI.

luk-kaminski, Jan 18 '24 13:01

I'm torn, but overall, since the functionality is potentially pretty disruptive if the user doesn't fully think through the consequences, it's probably best to retain the functionality for admins only in this release and not create a dedicated role.

If we created a role, I would layer it on top of existing index management and not implicitly include index management permissions in the new role.

kroepke, Jan 26 '24 11:01

@kroepke - we already have a role, with CRUD permissions on profiles and custom mappings. I assume that I will leave this role and simply close this issue with a "Won't do" resolution.

Important consideration - non-admin users with the new role will be able to perform some actions via the REST API instead of the UI (i.e. change a profile), but only an admin will be able to assign a profile to an index set or remove it from there.

If you are not satisfied with that, I can remove all the permissions checks and verify that the user is an admin in the corresponding resource classes, instead...

FYI: @bernd , @dennisoelkers

luk-kaminski, Jan 26 '24 14:01

> If you are not satisfied with that, I can remove all the permissions checks and verify that the user is an admin in the corresponding resource classes, instead...

@luk-kaminski We should definitely keep the fine-grained permissions. Admins will have access because their permission is `*`, so they have all permissions. What Kay means is to remove the new pre-defined "Field Type Mappings Manager" role for now.

bernd, Jan 29 '24 09:01
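
The permission behaviour discussed in this thread, as an added example that is not part of the issue or of Graylog's code: a small colon-delimited wildcard permission matcher showing why a `*` grant passes every fine-grained check, why a role holding only profile permissions fails an index check, and how a separate index role layers on top. All permission strings, the `Index Reader` role and the assumption that the Indices page is gated on an index read permission are hypothetical.

```python
# Constructed model: every permission string and role definition here is a
# hypothetical placeholder, not one of Graylog's real identifiers.

def implies(granted: str, required: str) -> bool:
    """Colon-delimited wildcard match (parts may hold comma-separated values)."""
    g_parts = [set(p.split(",")) for p in granted.split(":")]
    r_parts = [set(p.split(",")) for p in required.split(":")]
    for i, g in enumerate(g_parts):
        if "*" in g:
            continue  # wildcard covers anything at this level
        if i >= len(r_parts) or not r_parts[i] <= g:
            return False  # granted is narrower than, or differs from, required
    return True  # a shorter grant covers everything beneath it


ROLES = {
    "Admin": {"*"},
    # Profile and custom-mapping CRUD only; no index permissions, as in the issue.
    "Field Type Mappings Manager": {
        "fieldtypeprofiles:create,read,edit,delete",
        "customfieldmappings:edit",
    },
    # A separate index role that can be layered on top of the one above.
    "Index Reader": {"indices:read"},
}


def is_permitted(user_roles, required: str) -> bool:
    """A user holds the union of the permissions of all assigned roles."""
    return any(implies(p, required) for r in user_roles for p in ROLES[r])


def can_see_indices_page(user_roles) -> bool:
    # Assumption: the System->Indices page is gated on an index read permission.
    return is_permitted(user_roles, "indices:read")


def can_edit_profile_via_rest(user_roles) -> bool:
    return is_permitted(user_roles, "fieldtypeprofiles:edit:profile-1")


if __name__ == "__main__":
    for roles in (["Field Type Mappings Manager"],
                  ["Field Type Mappings Manager", "Index Reader"],
                  ["Admin"]):
        print(roles, can_see_indices_page(roles), can_edit_profile_via_rest(roles))
```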