graylog2-server
Pipeline system menu is using input:create for permission check
Expected Behavior
The pipeline system menu item should be shown if the user has the pipeline:create
permissions to be able to create custom roles.
Current Behavior
The current check uses inputs:create: https://github.com/Graylog2/graylog2-server/blob/2fdf2e6216b51a8eb93e12229bb4afe47f5b5e97/graylog2-web-interface/src/components/navigation/SystemMenu.jsx#L111
Possible Solution
Change the check to pipeline:create. Investigate whether the page actually needs more permissions than just this one, potentially it loads the pipeline connections as well, and could require pipeline_connection:read.
Steps to Reproduce (for bugs)
- Create a custom role that includes pipeline:create but not inputs:create.
- Assign that role to a reader user.
- Open the System menu, the pipeline item is not shown.
- Go to /system/pipelines directly in the browser, the page will be shown.
Context
Trying to restrict a user with a custom role.
Your Environment
- Graylog Version: Graylog 3.3
Hi @kroepke,
you are right about pipeline_connection:read. It is also required to open the pipeline setting. Error response:
The permissions check for the following request failed, while trying to access /system/pipelines. cannot GET http://192.168.121.89:9000/api/system/pipelines/connections (403)
And without the right pipeline_rule:read you are not able to open a pipeline itself. Error response:
The permissions check for the following request failed, while trying to access /system/pipelines. cannot GET http://192.168.121.89:9000/api/system/pipelines/connections (403)
Your Environment
- Graylog Version: Graylog 3.3
This issue has already been fixed with this PR #13188. In addition, the following issues were created for a better user experience: #13251, #13252
This does not seem to be fixed. inputs:create still needed in order to grant the Pipelines option under the System menu. Tested in Graylog 4.3.8 lab
e.g.
{ "name": "Pipeline Editor", "description": "Pipelines!", "permissions": [ "pipeline:create", "pipeline:read", "pipeline:edit", "pipeline:delete", "pipeline_rule:create", "pipeline_rule:read", "pipeline_rule:edit", "pipeline_rule:delete", "pipeline_connection:read", "pipeline_connection:edit" ], "read_only": false }
works fine, except the menu item for pipelines is missing
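The mismatch discussed in this thread, as an added example that is not Graylog code and not part of any comment here: it audits a role against the permission that gates the menu item and the permissions the page's API calls need, using the role posted above. The function names, the finding labels and the Shiro-style wildcard matching are assumptions made for illustration; `PAGE_REQUIRES` is taken from the 403 reports earlier in the thread.

```javascript
// Added example (hypothetical helper names, not the project's API).
// Assumed Shiro-style matching: "domain:action[:instance]", "*" matches any
// part, and a shorter grant covers longer requests.
function implies(granted, required) {
  const g = granted.split(':');
  const r = required.split(':');
  for (let i = 0; i < g.length; i++) {
    if (g[i] === '*') continue;
    if (i >= r.length) return false; // grant is narrower than the request
    if (!g[i].split(',').includes(r[i])) return false;
  }
  return true;
}

// True when every required permission is covered by some granted one.
const isPermitted = (perms, required) =>
  required.every((req) => perms.some((p) => implies(p, req)));

// Role permissions as posted in the thread.
const pipelineEditor = [
  'pipeline:create', 'pipeline:read', 'pipeline:edit', 'pipeline:delete',
  'pipeline_rule:create', 'pipeline_rule:read', 'pipeline_rule:edit',
  'pipeline_rule:delete', 'pipeline_connection:read', 'pipeline_connection:edit',
];

const MENU_GATE_REPORTED = ['inputs:create'];   // check reported in the issue
const MENU_GATE_PROPOSED = ['pipeline:create']; // check proposed in the issue
// Permissions the thread reports as needed once the page is open.
const PAGE_REQUIRES = ['pipeline_connection:read', 'pipeline_rule:read'];

// Compare what the menu gate decides with what the page would need.
function auditGate(perms, menuGate, pageRequires) {
  const menuShown = isPermitted(perms, menuGate);
  const missing = pageRequires.filter((req) => !isPermitted(perms, [req]));
  const pageUsable = missing.length === 0;
  let finding = 'consistent';
  if (!menuShown && pageUsable) finding = 'hidden-but-usable';
  if (menuShown && !pageUsable) finding = 'shown-but-403';
  return { menuShown, pageUsable, missing, finding };
}

console.log(auditGate(pipelineEditor, MENU_GATE_REPORTED, PAGE_REQUIRES));
console.log(auditGate(pipelineEditor, MENU_GATE_PROPOSED, PAGE_REQUIRES));
console.log(auditGate(['pipeline:create'], MENU_GATE_PROPOSED, PAGE_REQUIRES));
```

Hiding a menu item is not an access control: the server-side permission checks on the API decide access, so the audit only shows where the UI gate and those checks disagree.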
@tellistone I see that https://github.com/Graylog2/graylog2-server/pull/13188 was merged for 5.0, but I could not find a backport for 4.x.
@ryan-carroll-graylog Was it a deliberate decision not to backport the PR?
@tellistone I see that #13188 was merged for 5.0, but I could not find a backport for 4.x.
@ryan-carroll-graylog Was it a deliberate decision not to backport the PR?
It's been a while so I don't remember exactly, but we may have been worried about disrupting existing customer workflows by changing how the permissions work (breaking change).
I can create a backport though if you think it needs one.
@ryan-carroll-graylog Thanks for the feedback 👍
Right, it does not feel like a change we should introduce in a bugfix release (4.3.x).
So if nobody objects, I would close this issue and keep the change as is (for 5.0).
@kroepke What do you think?
There's currently no supported way to create roles that allow editing pipelines without being admin, so I agree this isn't a backport.
@kroepke Thanks 👍
We are working on the related issue of introducing a role for pipeline management, which we plan to add in 5.0: https://github.com/Graylog2/graylog2-server/issues/13251