2021-02-07 18:42:17 +01:00
graylog-groups
===============

A program that controls Graylog roles and privileges over objects (streams and
dashboards) using LDAP group membership.

**Note** My apologies, this is my first actual program in Go, so it must be a
terrible example of worst practices. Sorry.

Why?
-----

The community edition of [Graylog](https://graylog.org) had the ability to use
LDAP groups to control user access to the various objects (streams and
dashboards).

In a somewhat ethically questionable move, this capability was removed in
version 4.0 and replaced with an enterprise-only feature called teams.

This program is meant to emulate the pre-4.0 LDAP group functionality.

How?
-----

This program is meant to be executed on a regular basis through e.g. `cron`. It
will read its configuration file, and from there:

* get the list of users on the Graylog side,
* read the list of members for all LDAP groups that have a mapping defined in
  the configuration file,
* compute the roles and object privileges to grant for each Graylog user,
* optionally delete users that no longer have any privileges according to the
  mapping and LDAP group membership,
* set the users' permissions on the various Graylog objects,
* add or remove Graylog roles from user accounts.

Because the optional deletion step removes every Graylog account that no longer
matches any mapping, running the synchronization once with deletion disabled and
checking the resulting roles and permissions before enabling it is a cheap
safeguard.
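As an added illustration of the reconciliation the list above describes (example code written for this README, not the project's own source): it folds LDAP group membership through a mapping into the roles and permissions each user should have, diffs that against the accounts Graylog currently holds, and decides which orphaned accounts may be deleted. The mapping structure, the sample group DNs, the role name, the stream id and the `streams:read:<id>` / `streams:edit:<id>` permission strings are assumptions made for the example; the actual tool reads these from its configuration file and the Graylog API.

```go
package main

import "fmt"
import "sort"

// GroupMapping is what one LDAP group grants (assumed layout, not the tool's real schema).
type GroupMapping struct {
	Roles      []string // Graylog role names
	Privileges []string // Graylog permission strings, e.g. "streams:read:<stream id>"
}

// GraylogUser is the part of an account the sync reconciles.
type GraylogUser struct{ Roles, Permissions map[string]bool }

// Plan is the set of changes to apply to one existing Graylog user.
type Plan struct {
	AddRoles, RemoveRoles []string
	SetPermissions        []string // full replacement set, sorted
	Delete                bool
}

func newUser() GraylogUser { return GraylogUser{map[string]bool{}, map[string]bool{}} }

// ManagedRoles is every role the mapping can grant. Reconcile only removes
// roles from this set, so a hand-granted "Admin" survives a sync.
func ManagedRoles(mapping map[string]GroupMapping) map[string]bool {
	m := map[string]bool{}
	for _, grant := range mapping {
		for _, r := range grant.Roles {
			m[r] = true
		}
	}
	return m
}

// DesiredState folds LDAP membership through the mapping: members of a mapped
// group inherit its roles and privileges; unmapped groups grant nothing.
func DesiredState(mapping map[string]GroupMapping, members map[string][]string) map[string]GraylogUser {
	desired := map[string]GraylogUser{}
	for group, grant := range mapping {
		for _, uid := range members[group] {
			u, ok := desired[uid]
			if !ok {
				u = newUser()
				desired[uid] = u
			}
			for _, r := range grant.Roles {
				u.Roles[r] = true
			}
			for _, p := range grant.Privileges {
				u.Permissions[p] = true
			}
		}
	}
	return desired
}

// Reconcile diffs desired against the accounts present in Graylog. Users not yet
// in Graylog are skipped (assumption: Graylog creates LDAP users on first login).
// An account holding an unmanaged role keeps it and is never deleted, so a
// mis-scoped LDAP query cannot strip or remove administrators.
func Reconcile(current, desired map[string]GraylogUser, managed map[string]bool, deleteOrphans bool) map[string]Plan {
	plans := map[string]Plan{}
	for uid, cur := range current {
		want := desired[uid] // zero value (nil maps) when LDAP grants nothing
		p, unmanaged := Plan{}, 0
		for r := range want.Roles {
			if !cur.Roles[r] {
				p.AddRoles = append(p.AddRoles, r)
			}
		}
		for r := range cur.Roles {
			if !managed[r] {
				unmanaged++
			} else if !want.Roles[r] {
				p.RemoveRoles = append(p.RemoveRoles, r)
			}
		}
		// Object permissions are replaced wholesale, as the sync does today.
		for perm := range want.Permissions {
			p.SetPermissions = append(p.SetPermissions, perm)
		}
		for _, s := range [][]string{p.AddRoles, p.RemoveRoles, p.SetPermissions} {
			sort.Strings(s)
		}
		p.Delete = deleteOrphans && len(want.Roles)+len(want.Permissions)+unmanaged == 0
		plans[uid] = p
	}
	return plans
}

func main() {
	// Constructed sample data; the group DN, role name and stream id are made up.
	group := "cn=log-admins,ou=groups,dc=example,dc=org"
	mapping := map[string]GroupMapping{group: {Roles: []string{"Stream Admins"}, Privileges: []string{"streams:edit:000000000000000000000001"}}}
	members := map[string][]string{group: {"alice"}}
	current := map[string]GraylogUser{"alice": newUser(), "bob": {map[string]bool{"Stream Admins": true}, map[string]bool{}}}
	fmt.Printf("%+v\n", Reconcile(current, DesiredState(mapping, members), ManagedRoles(mapping), true))
}
```

Two choices in this example are worth keeping in any such sync: roles the mapping never grants are never removed, so the account running the tool keeps its Admin role even when the LDAP query returns nothing, and deletion is opt-in and skipped for any account that still holds such a role.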

Installing
-----------

- Download and build the program:

  ```
  git clone https://github.com/tseeker/graylog-groups
  cd graylog-groups
  go build
  ```

- Copy the resulting binary to whatever box will run it.
- Create a configuration file based on the example from
  `graylog-groups.yml.example`. Since it will contain whatever credentials the
  program needs to reach the LDAP server and the Graylog API, keep it readable
  only by the account that runs the synchronization.
- Set up a cron job or whatever it is you use to schedule tasks to run the
  synchronization binary on a regular basis.

To Do
------

* Document command line flags.
* Add TLS options (skip checks / specify CA) for the Graylog API.
* Read object ownership using `grn_permissions` to preserve privileges on users'
  own objects.
* Support granting ownership on objects.
* Use goroutines? Maybe.
* Custom log file/terminal output.