Added traces to privilege computations and Graylog API calls
This commit is contained in:
parent
c84f52b012
commit
31cb613822
2 changed files with 28 additions and 8 deletions
|
@ -53,7 +53,6 @@ To Do
|
|||
------
|
||||
|
||||
* Proper logging, work in progress:
|
||||
* Add logs to the privilege computations and related API calls.
|
||||
* Sending logs to... well, Graylog... through CLI switches.
|
||||
* Writing logs to a file.
|
||||
* Document command line flags.
|
||||
|
|
35
graylog.go
35
graylog.go
|
@ -184,7 +184,7 @@ func deleteAccount(cfg GraylogConfig, user string) {
|
|||
log.WithFields(logrus.Fields{
|
||||
"status": code,
|
||||
"body": string(body),
|
||||
}).Fatal("Could not delete user")
|
||||
}).Error("Could not delete user")
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -208,33 +208,50 @@ func getDifference(a []string, b []string) (diff []string) {
|
|||
|
||||
// Set an account's roles and grant it access to Graylog objects
|
||||
func setUserPrivileges(cfg GraylogConfig, user GraylogUser, roles []string, privileges []string) {
|
||||
log := log.WithField("user", user.Username)
|
||||
|
||||
type perms struct {
|
||||
Permissions []string `json:"permissions"`
|
||||
}
|
||||
p := perms{Permissions: privileges}
|
||||
data, err := json.Marshal(p)
|
||||
if err != nil {
|
||||
log.Fatalf("unable to generate permissions JSON for %s: %v", user, err)
|
||||
log.WithField("error", err).Fatal("Unable to generate permissions JSON")
|
||||
}
|
||||
|
||||
code, body := executeApiCall(cfg, "PUT", fmt.Sprintf("users/%s/permissions", user.Username), bytes.NewBuffer(data))
|
||||
log.WithField("privileges", privileges).Info("Setting permissions")
|
||||
code, body := executeApiCall(cfg, "PUT",
|
||||
fmt.Sprintf("users/%s/permissions", user.Username),
|
||||
bytes.NewBuffer(data))
|
||||
if code != 204 {
|
||||
log.Fatalf("could not set permissions for %s: code %d, body '%s'", user.Username, code, string(body))
|
||||
log.WithFields(logrus.Fields{
|
||||
"status": code,
|
||||
"body": string(body),
|
||||
}).Error("Could not set permissions")
|
||||
}
|
||||
|
||||
placeholder := bytes.NewBuffer([]byte("{}"))
|
||||
for _, role := range getDifference(roles, user.Roles) {
|
||||
ep := fmt.Sprintf("roles/%s/members/%s", role, user.Username)
|
||||
log.WithField("role", role).Info("Adding role")
|
||||
code, body := executeApiCall(cfg, "PUT", ep, placeholder)
|
||||
if code != 204 {
|
||||
log.Fatalf("could not add role %s to %s: code %d, body '%s'", role, user.Username, code, string(body))
|
||||
log.WithFields(logrus.Fields{
|
||||
"status": code,
|
||||
"body": string(body),
|
||||
"role": role,
|
||||
}).Error("Could not add role")
|
||||
}
|
||||
}
|
||||
for _, role := range getDifference(user.Roles, roles) {
|
||||
ep := fmt.Sprintf("roles/%s/members/%s", role, user.Username)
|
||||
log.WithField("role", role).Info("Removing role")
|
||||
code, body := executeApiCall(cfg, "DELETE", ep, nil)
|
||||
if code != 204 {
|
||||
log.Fatalf("could not remove role %s from %s: code %d, body '%s'", role, user.Username, code, string(body))
|
||||
log.WithFields(logrus.Fields{
|
||||
"status": code,
|
||||
"body": string(body),
|
||||
"role": role,
|
||||
}).Error("Could not remove role")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -242,9 +259,13 @@ func setUserPrivileges(cfg GraylogConfig, user GraylogUser, roles []string, priv
|
|||
// Apply privilege mappings to the external Graylog users
|
||||
func applyMapping(cfg Configuration, users []GraylogUser, groups GroupMembers) {
|
||||
for _, user := range users {
|
||||
log := log.WithField("user", user.Username)
|
||||
membership := getUserGroups(user.Username, groups)
|
||||
log.WithField("groups", membership).Trace("Computed group membership")
|
||||
roles := computeRoles(cfg.Mapping, membership)
|
||||
log.WithField("roles", roles).Trace("Computed roles")
|
||||
privileges := computePrivileges(cfg.Mapping, membership)
|
||||
log.WithField("privileges", privileges).Trace("Computed privileges")
|
||||
if cfg.Graylog.DeleteAccounts && len(roles) == 0 && len(privileges) == 0 {
|
||||
deleteAccount(cfg.Graylog, user.Username)
|
||||
} else {
|
||||
|
|
Loading…
Reference in a new issue