graylog-groups/graylog-groups.yml.example

# graylog-groups configuration example / documentation
# =====================================================

# LDAP server configuration
# --------------------------
ldap:

  # The LDAP server's host name or IP address. REQUIRED.
  host: ldap.example.org

  # Port number - usually 389 for clear/starttls or 636 for TLS. Defaults to
  # 389.
  port: 636

  # TLS mode. This must be either "yes" for the non-standard, pure TLS mode,
  # "starttls" for TLS over a clear connection, or "no" to use a clear
  # connection. Defaults to "no".
  tls: yes

  # Skip server certificate check. Defaults to false.
  tls_skip_verify: false

  # CA certificate chain. Can be omitted if the systems' trusted CAs must be
  # used, or if no TLS is being used.
  cachain: /path/to/ca/chain.pem

  # LDAP user (as a DN) and password to bind with. Both fields may be omitted
  # if anonymous binding is to be used.
  bind_user: cn=graylog,ou=automation,dc=example,dc=org
  bind_password: drowssap

  # LDAP attributes which may contain either the UIDs or the DNs of the groups'
  # members. If the fields contain the DN, the first element will be extracted
  # and used as the username. REQUIRED.
  member_fields:
    - member
    - uniqueMember
    - memberUid

  # Username attribute. This is used when group member fields contain the '='
  # ',' character, in which case the value will be considered a DN and looked up
  # in the LDAP. The field specified by this configuration value will be read
  # and used as the login name. If this configuration value is not set, the
  # first element in the DN will be extracted and used as the username.
  username_attribute: uid

# Graylog server info
# --------------------
graylog:

  # API base URL. REQUIRED.
  api_base: https://graylog.example.org/api

  # Username and password to use to authenticate to the API. REQUIRED
  username: admin
  password: drowssap

  # Should accounts be deleted when they no longer have any privileges? Warning,
  # this option is rather dangerous. Can be omitted, defaults to false.
  delete_accounts: false

# Group -> privileges mappings
# -----------------------------
mapping:

  # Each entry in this table must use a LDAP group name as its key.
  cn=g1,ou=groups,dc=example,dc=org:

    # List of Graylog roles that users in this group should have. The names
    # must match the ones in the Graylog administration section.
    roles:
      - Reader

    # Privileges on various Graylog objects. This is a list of records.
    privileges:

      # Each privilege record includes a type of object ("dashboard", "search"
      # or "stream"), an identifier (which is generated by Graylog, and must
      # be extracted from the pages' URLs or from the API) and a level, which
      # may be either "read" or "write", the latter implying the former. Should
      # an user be a member of groups that grant both privilege levels, the
      # highest level will be kept.
      - type: dashboard
        id: 12345
        level: read

      - type: stream
        id: 12345
        level: read

  cn=g2,ou=groups,dc=example,dc=org:
    roles:
      - Event Definition Creator
      - Event Notification Creator
    privileges:
      - type: dashboard
        id: 12345
        level: write
Documentation and license 2021-02-07 18:42:17 +01:00			`# graylog-groups configuration example / documentation`
			`# =====================================================`

			`# LDAP server configuration`
			`# --------------------------`
Initial version This is a Go program which can synchronize Graylog 4 roles and access privileges to dashboards and streams from a LDAP directory, based on a YAML configuration file that maps LDAP groups to Graylog privileges. The code is rather ugly, some features are half-baked (LDAP TLS support, impossible to disable HTTP TLS checks, bad error handling...) and some documentation needs to be added but it's a start. 2021-02-07 15:05:35 +01:00			`ldap:`
Documentation and license 2021-02-07 18:42:17 +01:00
			`# The LDAP server's host name or IP address. REQUIRED.`
Initial version This is a Go program which can synchronize Graylog 4 roles and access privileges to dashboards and streams from a LDAP directory, based on a YAML configuration file that maps LDAP groups to Graylog privileges. The code is rather ugly, some features are half-baked (LDAP TLS support, impossible to disable HTTP TLS checks, bad error handling...) and some documentation needs to be added but it's a start. 2021-02-07 15:05:35 +01:00			`host: ldap.example.org`
Documentation and license 2021-02-07 18:42:17 +01:00
			`# Port number - usually 389 for clear/starttls or 636 for TLS. Defaults to`
			`# 389.`
Initial version This is a Go program which can synchronize Graylog 4 roles and access privileges to dashboards and streams from a LDAP directory, based on a YAML configuration file that maps LDAP groups to Graylog privileges. The code is rather ugly, some features are half-baked (LDAP TLS support, impossible to disable HTTP TLS checks, bad error handling...) and some documentation needs to be added but it's a start. 2021-02-07 15:05:35 +01:00			`port: 636`
Documentation and license 2021-02-07 18:42:17 +01:00
			`# TLS mode. This must be either "yes" for the non-standard, pure TLS mode,`
			`# "starttls" for TLS over a clear connection, or "no" to use a clear`
			`# connection. Defaults to "no".`
			`tls: yes`

TLS controls for the LDAP connection The LDAP connection now supports using a custom CA certificate chain or skipping all TLS certificate checks. 2021-02-08 23:23:16 +01:00			`# Skip server certificate check. Defaults to false.`
			`tls_skip_verify: false`

Documentation and license 2021-02-07 18:42:17 +01:00			`# CA certificate chain. Can be omitted if the systems' trusted CAs must be`
			`# used, or if no TLS is being used.`
Initial version This is a Go program which can synchronize Graylog 4 roles and access privileges to dashboards and streams from a LDAP directory, based on a YAML configuration file that maps LDAP groups to Graylog privileges. The code is rather ugly, some features are half-baked (LDAP TLS support, impossible to disable HTTP TLS checks, bad error handling...) and some documentation needs to be added but it's a start. 2021-02-07 15:05:35 +01:00			`cachain: /path/to/ca/chain.pem`
Documentation and license 2021-02-07 18:42:17 +01:00
			`# LDAP user (as a DN) and password to bind with. Both fields may be omitted`
			`# if anonymous binding is to be used.`
			`bind_user: cn=graylog,ou=automation,dc=example,dc=org`
			`bind_password: drowssap`

			`# LDAP attributes which may contain either the UIDs or the DNs of the groups'`
			`# members. If the fields contain the DN, the first element will be extracted`
			`# and used as the username. REQUIRED.`
Initial version This is a Go program which can synchronize Graylog 4 roles and access privileges to dashboards and streams from a LDAP directory, based on a YAML configuration file that maps LDAP groups to Graylog privileges. The code is rather ugly, some features are half-baked (LDAP TLS support, impossible to disable HTTP TLS checks, bad error handling...) and some documentation needs to be added but it's a start. 2021-02-07 15:05:35 +01:00			`member_fields:`
			`- member`
			`- uniqueMember`
			`- memberUid`
Documentation and license 2021-02-07 18:42:17 +01:00
Read username from referenced LDAP record * The `username_attribute` configuration value was added to the `ldap` section. When this value is set, the program will not try to extract the username from DNs; instead, it will look them up and extract the username from the referenced record, using the specified attribute. * The program will no longer exit in error when a group listed in the mapping doesn't exist. 2021-02-09 23:15:24 +01:00			`# Username attribute. This is used when group member fields contain the '='`
			`# ',' character, in which case the value will be considered a DN and looked up`
			`# in the LDAP. The field specified by this configuration value will be read`
			`# and used as the login name. If this configuration value is not set, the`
			`# first element in the DN will be extracted and used as the username.`
			`username_attribute: uid`

Documentation and license 2021-02-07 18:42:17 +01:00			`# Graylog server info`
			`# --------------------`
Initial version This is a Go program which can synchronize Graylog 4 roles and access privileges to dashboards and streams from a LDAP directory, based on a YAML configuration file that maps LDAP groups to Graylog privileges. The code is rather ugly, some features are half-baked (LDAP TLS support, impossible to disable HTTP TLS checks, bad error handling...) and some documentation needs to be added but it's a start. 2021-02-07 15:05:35 +01:00			`graylog:`
Documentation and license 2021-02-07 18:42:17 +01:00
			`# API base URL. REQUIRED.`
Initial version This is a Go program which can synchronize Graylog 4 roles and access privileges to dashboards and streams from a LDAP directory, based on a YAML configuration file that maps LDAP groups to Graylog privileges. The code is rather ugly, some features are half-baked (LDAP TLS support, impossible to disable HTTP TLS checks, bad error handling...) and some documentation needs to be added but it's a start. 2021-02-07 15:05:35 +01:00			`api_base: https://graylog.example.org/api`
Documentation and license 2021-02-07 18:42:17 +01:00
			`# Username and password to use to authenticate to the API. REQUIRED`
Initial version This is a Go program which can synchronize Graylog 4 roles and access privileges to dashboards and streams from a LDAP directory, based on a YAML configuration file that maps LDAP groups to Graylog privileges. The code is rather ugly, some features are half-baked (LDAP TLS support, impossible to disable HTTP TLS checks, bad error handling...) and some documentation needs to be added but it's a start. 2021-02-07 15:05:35 +01:00			`username: admin`
			`password: drowssap`
Documentation and license 2021-02-07 18:42:17 +01:00
			`# Should accounts be deleted when they no longer have any privileges? Warning,`
			`# this option is rather dangerous. Can be omitted, defaults to false.`
Initial version This is a Go program which can synchronize Graylog 4 roles and access privileges to dashboards and streams from a LDAP directory, based on a YAML configuration file that maps LDAP groups to Graylog privileges. The code is rather ugly, some features are half-baked (LDAP TLS support, impossible to disable HTTP TLS checks, bad error handling...) and some documentation needs to be added but it's a start. 2021-02-07 15:05:35 +01:00			`delete_accounts: false`
Documentation and license 2021-02-07 18:42:17 +01:00
			`# Group -> privileges mappings`
			`# -----------------------------`
Initial version This is a Go program which can synchronize Graylog 4 roles and access privileges to dashboards and streams from a LDAP directory, based on a YAML configuration file that maps LDAP groups to Graylog privileges. The code is rather ugly, some features are half-baked (LDAP TLS support, impossible to disable HTTP TLS checks, bad error handling...) and some documentation needs to be added but it's a start. 2021-02-07 15:05:35 +01:00			`mapping:`
Documentation and license 2021-02-07 18:42:17 +01:00
			`# Each entry in this table must use a LDAP group name as its key.`
Initial version This is a Go program which can synchronize Graylog 4 roles and access privileges to dashboards and streams from a LDAP directory, based on a YAML configuration file that maps LDAP groups to Graylog privileges. The code is rather ugly, some features are half-baked (LDAP TLS support, impossible to disable HTTP TLS checks, bad error handling...) and some documentation needs to be added but it's a start. 2021-02-07 15:05:35 +01:00			`cn=g1,ou=groups,dc=example,dc=org:`
Documentation and license 2021-02-07 18:42:17 +01:00
			`# List of Graylog roles that users in this group should have. The names`
			`# must match the ones in the Graylog administration section.`
Initial version This is a Go program which can synchronize Graylog 4 roles and access privileges to dashboards and streams from a LDAP directory, based on a YAML configuration file that maps LDAP groups to Graylog privileges. The code is rather ugly, some features are half-baked (LDAP TLS support, impossible to disable HTTP TLS checks, bad error handling...) and some documentation needs to be added but it's a start. 2021-02-07 15:05:35 +01:00			`roles:`
			`- Reader`
Documentation and license 2021-02-07 18:42:17 +01:00
			`# Privileges on various Graylog objects. This is a list of records.`
Initial version This is a Go program which can synchronize Graylog 4 roles and access privileges to dashboards and streams from a LDAP directory, based on a YAML configuration file that maps LDAP groups to Graylog privileges. The code is rather ugly, some features are half-baked (LDAP TLS support, impossible to disable HTTP TLS checks, bad error handling...) and some documentation needs to be added but it's a start. 2021-02-07 15:05:35 +01:00			`privileges:`
Documentation and license 2021-02-07 18:42:17 +01:00
Support for saved searches The "search" type has been added to support granting permissions on saved searches. This should solve GitHub issue #1. 2021-05-11 13:44:45 +02:00			`# Each privilege record includes a type of object ("dashboard", "search"`
			`# or "stream"), an identifier (which is generated by Graylog, and must`
			`# be extracted from the pages' URLs or from the API) and a level, which`
			`# may be either "read" or "write", the latter implying the former. Should`
			`# an user be a member of groups that grant both privilege levels, the`
			`# highest level will be kept.`
Initial version This is a Go program which can synchronize Graylog 4 roles and access privileges to dashboards and streams from a LDAP directory, based on a YAML configuration file that maps LDAP groups to Graylog privileges. The code is rather ugly, some features are half-baked (LDAP TLS support, impossible to disable HTTP TLS checks, bad error handling...) and some documentation needs to be added but it's a start. 2021-02-07 15:05:35 +01:00			`- type: dashboard`
			`id: 12345`
			`level: read`
Documentation and license 2021-02-07 18:42:17 +01:00
Initial version This is a Go program which can synchronize Graylog 4 roles and access privileges to dashboards and streams from a LDAP directory, based on a YAML configuration file that maps LDAP groups to Graylog privileges. The code is rather ugly, some features are half-baked (LDAP TLS support, impossible to disable HTTP TLS checks, bad error handling...) and some documentation needs to be added but it's a start. 2021-02-07 15:05:35 +01:00			`- type: stream`
			`id: 12345`
			`level: read`
Documentation and license 2021-02-07 18:42:17 +01:00
Initial version This is a Go program which can synchronize Graylog 4 roles and access privileges to dashboards and streams from a LDAP directory, based on a YAML configuration file that maps LDAP groups to Graylog privileges. The code is rather ugly, some features are half-baked (LDAP TLS support, impossible to disable HTTP TLS checks, bad error handling...) and some documentation needs to be added but it's a start. 2021-02-07 15:05:35 +01:00			`cn=g2,ou=groups,dc=example,dc=org:`
			`roles:`
			`- Event Definition Creator`
			`- Event Notification Creator`
			`privileges:`
			`- type: dashboard`
			`id: 12345`
			`level: write`