graylog-groups/README.md

graylog-groups
===============

A program that controls Graylog roles and privileges over objects using LDAP
groups.

**Note** My apologies, this is my first actual program in Go, so it must be a
terrible example of worst practices. Sorry.

Why?
-----

The community edition of [Graylog](https://graylog.org) had the ability to use
LDAP group in order to control user access to the various objects (streams and
dashboards).

In a somewhat ethically questionable move this capability was removed in version
4.0 and replaced with an enterprise-only feature called teams.

This program is meant to emulate the pre-4.0 LDAP group functionality.

How?
-----

This program is meant to be executed on a regular basis through e.g. `cron`. It
will read its configuration file, and from there :

* get the list of users on the Graylog side,
* read the list of members for all LDAP groups that have a mapping defined in
  the configuration file,
* compute the roles and object privileges to grant for each Graylog user,
* optionally delete users that no longer have any privileges according to the
  mapping and LDAP group membership,
* set the users' permissions on the various Graylog objects,
* add or remove Graylog roles from user accounts.

Installing
-----------

- Download and build the program :
```
git clone https://github.com/tseeker/graylog-groups
cd graylog-groups
go build
```
- Copy the resulting binary to whatever box will run it.
- Create a configuration file based in the example from
  `graylog-groups.yml.example`.
- Set up a cron job or whatever it is you use to schedule tasks to run the
  synchronization binary on a regular basis.

To Do
------

* Proper logging, work in progress:
  * Add logs to the privilege computations and related API calls.
  * Sending logs to... well, Graylog... through CLI switches.
  * Writing logs to a file.
* Document command line flags.
* Cache LDAP username lookups
* Add TLS options (skip checks / specify CA) for the Graylog API.
* Read object ownership using `grn_permissions` to preserve privileges on users'
  own objects
* Support granting ownership on objects
* Use goroutines ? Maybe.
Documentation and license 2021-02-07 18:42:17 +01:00			`graylog-groups`
			`===============`

			`A program that controls Graylog roles and privileges over objects using LDAP`
			`groups.`

			`Note My apologies, this is my first actual program in Go, so it must be a`
			`terrible example of worst practices. Sorry.`

			`Why?`
			`-----`

			`The community edition of [Graylog](https://graylog.org) had the ability to use`
			`LDAP group in order to control user access to the various objects (streams and`
			`dashboards).`

			`In a somewhat ethically questionable move this capability was removed in version`
			`4.0 and replaced with an enterprise-only feature called teams.`

			`This program is meant to emulate the pre-4.0 LDAP group functionality.`

			`How?`
			`-----`

			This program is meant to be executed on a regular basis through e.g. `cron`. It
			`will read its configuration file, and from there :`

			`* get the list of users on the Graylog side,`
			`* read the list of members for all LDAP groups that have a mapping defined in`
			`the configuration file,`
			`* compute the roles and object privileges to grant for each Graylog user,`
			`* optionally delete users that no longer have any privileges according to the`
			`mapping and LDAP group membership,`
			`* set the users' permissions on the various Graylog objects,`
			`* add or remove Graylog roles from user accounts.`

			`Installing`
			`-----------`

			`- Download and build the program :`
			```
			`git clone https://github.com/tseeker/graylog-groups`
			`cd graylog-groups`
			`go build`
			```
			`- Copy the resulting binary to whatever box will run it.`
			`- Create a configuration file based in the example from`
			`graylog-groups.yml.example`.
			`- Set up a cron job or whatever it is you use to schedule tasks to run the`
			`synchronization binary on a regular basis.`

			`To Do`
			`------`

Improved logging * Added dependency on logrus. * Command line flags are parsed in order to obtain the name of the configuration file, the log level and the instance identifier. * Logging in various places : configuration loader, API, data access. Privilege computations and subsequent actions do not write proper logs yet. 2021-02-10 23:58:14 +01:00			`* Proper logging, work in progress:`
			`* Add logs to the privilege computations and related API calls.`
			`* Sending logs to... well, Graylog... through CLI switches.`
			`* Writing logs to a file.`
			`* Document command line flags.`
			`* Cache LDAP username lookups`
TLS controls for the LDAP connection The LDAP connection now supports using a custom CA certificate chain or skipping all TLS certificate checks. 2021-02-08 23:23:16 +01:00			`* Add TLS options (skip checks / specify CA) for the Graylog API.`
Documentation and license 2021-02-07 18:42:17 +01:00			* Read object ownership using `grn_permissions` to preserve privileges on users'
			`own objects`
			`* Support granting ownership on objects`
			`* Use goroutines ? Maybe.`