
Support for simple authentication and authorisation

Open logsniffer opened this issue 9 years ago • 8 comments

logsniffer avatar Jul 11 '15 08:07 logsniffer

I evaluated different log management tools and found logsniffer to be the best.

We want to view the log like it originally was in the file, which logsniffer supports. Really digging it.

Please consider implementing authentication and authorisation support earlier than currently planned, since that is the only thing hindering us from using it.

JohannStahl avatar Feb 08 '16 15:02 JohannStahl

Thanks for the very positive feedback! I've rescheduled the feature for the minor release 0.7 after next. Could you please provide me with some hints about which use cases you are primarily interested in?

Authentication:

  • Authentication by user/password based on registered users managed by logsniffer itself
  • Authentication against external directories like LDAP
  • ...

Authorization:

  • Restrict access to special actions like creating, updating, deleting and configuring log resources
  • Restrict access to special resources like logs, events etc.
  • Roles concept
  • ...

mbok avatar Feb 08 '16 20:02 mbok

Thanks for clarifying. Actually, after having thought about it some more, I feel our use case is the following: we need security

Authentication:

  • managed by logsniffer would be good
  • support for LDAP would be nice, but is not important
  • simply giving username/password-hash combinations as a startup option would be sufficient

Authorization:

  • Restricting anything based on roles is not important to us

Instead, what we need is:

HTTPS

  • support https with a startup flag, or
  • make a normal .war file available, so we can manage https from our application server

To us, log files are highly critical. An attacker gaining access to them is a worst-case scenario. Therefore, transmitting them to the browser in an HTTP session is a no-go.

JohannStahl avatar Feb 09 '16 11:02 JohannStahl

@JohannStahl your needs regarding HTTPS can be achieved easily by setting up an Apache web server in front of logsniffer. I've written this wiki chapter which describes a setup for operating logsniffer in a secure way behind Apache with HTTPS.

As long as logsniffer doesn't support authentication (user/password) by itself, you can also use Apache for this purpose. For the same use case I've already used the basic auth module. It can be simply combined with the SSL settings figured out in the wiki. Give it a try.

Thanks a lot for sharing your ideas and use cases.

mbok avatar Feb 17 '16 21:02 mbok

@mbok I found this the best tool to have the tail feature. However, if I am to implement this in production I would want to have an admin user and a normal read-only user for the dashboard. Is this possible to implement in an upcoming release?

What I'm currently hoping to do is to have 2 users set up for basic auth

  1. <IP>/c/system
  2. <IP>/c/source

A response on the feedback would be highly appreciated :)

shehanster avatar Aug 31 '16 12:08 shehanster
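
The setup discussed in the two comments above (Apache terminating HTTPS in front of logsniffer, basic auth, and two users with different access to `/c/system` and `/c/source`), as an added example that is not taken from the logsniffer wiki or from any commenter. The host name, certificate paths, htpasswd path, user names `admin` and `viewer`, and the backend address `127.0.0.1:8082` are assumptions.

```apache
# Added example, not the project's own configuration.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic,
# mod_authn_file, mod_authz_user and mod_alias.
# Assumption: logsniffer is reachable only on 127.0.0.1:8082.

# Plain HTTP only redirects, so log content never travels unencrypted.
<VirtualHost *:80>
    ServerName logs.example.org
    Redirect permanent / https://logs.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName logs.example.org

    SSLEngine on
    # Placeholder paths for the certificate and private key.
    SSLCertificateFile    /etc/ssl/certs/logs.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/logs.example.org.key

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8082/
    ProxyPassReverse / http://127.0.0.1:8082/

    # Every request needs a login. Create the file with:
    #   htpasswd -B -c /etc/apache2/logsniffer.htpasswd admin
    #   htpasswd -B    /etc/apache2/logsniffer.htpasswd viewer
    <Location "/">
        AuthType Basic
        AuthName "logsniffer"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/logsniffer.htpasswd
        Require valid-user
    </Location>

    # The two paths named in the comment above are limited to the
    # hypothetical "admin" account; "viewer" is refused with 403.
    # These sections come after "/" so their Require replaces it.
    <Location "/c/system">
        Require user admin
    </Location>
    <Location "/c/source">
        Require user admin
    </Location>
</VirtualHost>
```

The path rules only cover URLs under those two prefixes, so check in the proxy access log which other URLs the configuration pages call and restrict those as well. Basic auth sends the password with every request, which is why the port 80 virtual host does nothing but redirect.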

Thanks for the feedback and for sharing your ideas. I think a simple solution could be addressed in the next version 0.6.x.

mbok avatar Sep 01 '16 21:09 mbok

I started to have a look into this, what I am currently puzzled about is that it appears as if there were 2 different versions of AngularJS in place, am I correct about this?

I found

  • 1.3.15 - https://github.com/logsniffer/logsniffer/tree/master/logsniffer-web/src/main/webapp/static/angular/1.3.15
  • 1.5.3 - https://github.com/logsniffer/logsniffer/tree/master/logsniffer-web/src/main/webapp/static/angular/1.5.3

chriseverty avatar Feb 20 '17 09:02 chriseverty

The 1.5.3 version is the used one. The older version is only bundled due to historical reasons but not used and could be deleted without worries.

mbok avatar Feb 21 '17 22:02 mbok