graylog-groups/README.md

graylog-groups
===============

A program that controls Graylog roles and privileges over objects using LDAP
groups.

**Note** My apologies, this is my first actual program in Go, so it must be a
terrible example of worst practices. Sorry.

Why?
-----

The community edition of [Graylog](https://graylog.org) had the ability to use
LDAP group in order to control user access to the various objects (streams and
dashboards).

In a somewhat ethically questionable move this capability was removed in version
4.0 and replaced with an enterprise-only feature called teams.

This program is meant to emulate the pre-4.0 LDAP group functionality.

How?
-----

This program is meant to be executed on a regular basis through e.g. `cron`. It
will read its configuration file, and from there :

* get the list of users on the Graylog side,
* read the list of members for all LDAP groups that have a mapping defined in
  the configuration file,
* compute the roles and object privileges to grant for each Graylog user,
* optionally delete users that no longer have any privileges according to the
  mapping and LDAP group membership,
* set the users' permissions on the various Graylog objects,
* add or remove Graylog roles from user accounts.

Installing
-----------

- Download and build the program :
```
git clone https://github.com/tseeker/graylog-groups
cd graylog-groups
go build
```
- Copy the resulting binary to whatever box will run it.
- Create a configuration file based in the example from
  `graylog-groups.yml.example`.
- Set up a cron job or whatever it is you use to schedule tasks to run the
  synchronization binary on a regular basis.

To Do
------

* Allow unchecked TLS
* Actually make the CA certificate option work
* Read object ownership using `grn_permissions` to preserve privileges on users'
  own objects
* Read group member records from the LDAP server and extract their username
  from an attribute.
* Support granting ownership on objects
* Cleaner CLI
* Use goroutines ? Maybe.
Documentation and license 2021-02-07 18:42:17 +01:00			`graylog-groups`
			`===============`

			`A program that controls Graylog roles and privileges over objects using LDAP`
			`groups.`

			`Note My apologies, this is my first actual program in Go, so it must be a`
			`terrible example of worst practices. Sorry.`

			`Why?`
			`-----`

			`The community edition of [Graylog](https://graylog.org) had the ability to use`
			`LDAP group in order to control user access to the various objects (streams and`
			`dashboards).`

			`In a somewhat ethically questionable move this capability was removed in version`
			`4.0 and replaced with an enterprise-only feature called teams.`

			`This program is meant to emulate the pre-4.0 LDAP group functionality.`

			`How?`
			`-----`

			This program is meant to be executed on a regular basis through e.g. `cron`. It
			`will read its configuration file, and from there :`

			`* get the list of users on the Graylog side,`
			`* read the list of members for all LDAP groups that have a mapping defined in`
			`the configuration file,`
			`* compute the roles and object privileges to grant for each Graylog user,`
			`* optionally delete users that no longer have any privileges according to the`
			`mapping and LDAP group membership,`
			`* set the users' permissions on the various Graylog objects,`
			`* add or remove Graylog roles from user accounts.`

			`Installing`
			`-----------`

			`- Download and build the program :`
			```
			`git clone https://github.com/tseeker/graylog-groups`
			`cd graylog-groups`
			`go build`
			```
			`- Copy the resulting binary to whatever box will run it.`
			`- Create a configuration file based in the example from`
			`graylog-groups.yml.example`.
			`- Set up a cron job or whatever it is you use to schedule tasks to run the`
			`synchronization binary on a regular basis.`

			`To Do`
			`------`

			`* Allow unchecked TLS`
			`* Actually make the CA certificate option work`
			* Read object ownership using `grn_permissions` to preserve privileges on users'
			`own objects`
			`* Read group member records from the LDAP server and extract their username`
			`from an attribute.`
			`* Support granting ownership on objects`
			`* Cleaner CLI`
			`* Use goroutines ? Maybe.`