From ff27f05df902acce68554c96d2ef930850738a79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Emmanuel=20BENO=C3=8ET?= Date: Tue, 11 May 2021 13:44:45 +0200 Subject: [PATCH] Support for saved searches The "search" type has been added to support granting permissions on saved searches. This should solve GitHub issue #1. --- README.md | 4 ++-- graylog-groups.yml.example | 12 ++++++------ graylog.go | 3 +++ 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 44e9a26..379f1d8 100644 --- a/README.md +++ b/README.md @@ -11,8 +11,8 @@ Why? ----- The community edition of [Graylog](https://graylog.org) had the ability to use -LDAP group in order to control user access to the various objects (streams and -dashboards). +LDAP group in order to control user access to the various objects (searches, +streams and dashboards). In a somewhat ethically questionable move this capability was removed in version 4.0 and replaced with an enterprise-only feature called teams. diff --git a/graylog-groups.yml.example b/graylog-groups.yml.example index 5c7d549..741148d 100644 --- a/graylog-groups.yml.example +++ b/graylog-groups.yml.example @@ -74,12 +74,12 @@ mapping: # Privileges on various Graylog objects. This is a list of records. privileges: - # Each privilege record includes a type of object (either "dashboard" or - # "stream"), an identifier (which is generated by Graylog, and must be - # extracted from the pages' URLs or from the API) and a level, which may - # be either "read" or "write", the latter implying the former. Should an - # user be a member of groups that grant both privilege levels, the highest - # level will be kept. + # Each privilege record includes a type of object ("dashboard", "search" + # or "stream"), an identifier (which is generated by Graylog, and must + # be extracted from the pages' URLs or from the API) and a level, which + # may be either "read" or "write", the latter implying the former. Should + # an user be a member of groups that grant both privilege levels, the + # highest level will be kept. - type: dashboard id: 12345 level: read diff --git a/graylog.go b/graylog.go index d0fef39..55ff989 100644 --- a/graylog.go +++ b/graylog.go @@ -46,6 +46,7 @@ var ( // Graylog items on which privileges may be set graylogItems = map[string]bool{ "dashboard": true, + "search": true, "stream": true, } @@ -53,6 +54,8 @@ var ( graylogPriv = map[string][]string{ "dashboard:read": {"dashboards:read:%s", "view:read:%s"}, "dashboard:write": {"dashboards:read:%s", "dashboards:edit:%s", "view:read:%s", "view:edit:%s"}, + "search:read": {"view:read:%s"}, + "search:write": {"view:read:%s", "view:edit:%s"}, "stream:read": {"streams:read:%s"}, "stream:write": {"streams:read:%s", "streams:edit:%s", "streams:changestate:%s"}, }