projects/graylog-groups
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
A program that controls Graylog privileges based on LDAP groups.
24 commits 1 branch 0 tags 71 KiB
Go 100%
Find a file
Emmanuel BENOîT 484323c943 Note about permissions not being visible in the UI
2021-05-11 13:44:45 +02:00
.gitignore Initial version 2021-02-07 15:05:35 +01:00
config.go Minor stylistic changes 2021-02-13 18:26:37 +01:00
COPYING Documentation and license 2021-02-07 18:42:17 +01:00
go.mod Command line - Parse using golf 2021-02-14 10:38:30 +01:00
graylog-groups.yml.example Support for saved searches 2021-05-11 13:44:45 +02:00
graylog.go Support for saved searches 2021-05-11 13:44:45 +02:00
ldap.go Minor stylistic changes 2021-02-13 18:26:37 +01:00
main.go Command line - Lower-case default for -L 2021-02-14 10:44:28 +01:00
README.md Note about permissions not being visible in the UI 2021-05-11 13:44:45 +02:00

README.md

graylog-groups

A program that controls Graylog roles and privileges over objects using LDAP groups.

Note My apologies, this is my first actual program in Go, so it must be a terrible example of worst practices. Sorry.

Why?

The community edition of Graylog had the ability to use LDAP group in order to control user access to the various objects (searches, streams and dashboards).

In a somewhat ethically questionable move this capability was removed in version 4.0 and replaced with an enterprise-only feature called teams.

This program is meant to emulate the pre-4.0 LDAP group functionality.

How?

This program is meant to be executed on a regular basis through e.g. cron. It will read its configuration file, and from there :

  • get the list of users on the Graylog side,
  • read the list of members for all LDAP groups that have a mapping defined in the configuration file,
  • compute the roles and object privileges to grant for each Graylog user,
  • optionally delete users that no longer have any privileges according to the mapping and LDAP group membership,
  • set the users' permissions on the various Graylog objects,
  • add or remove Graylog roles from user accounts.

It should be noted that permissions set by this tool to not appear anywhere on the Graylog 4 UI. They can be queried back using the API, using the /user/{login} endpoint.

Installing

  • Download and build the program :
git clone https://github.com/tseeker/graylog-groups
cd graylog-groups
go build
  • Copy the resulting binary to whatever box will run it.
  • Create a configuration file based in the example from graylog-groups.yml.example.
  • Set up a cron job or whatever it is you use to schedule tasks to run the synchronization binary on a regular basis.

Usage

The program accepts the following command line arguments :

  • -h / --help: displays usage information then exits.
  • -q / --quiet: quiet mode. This will disable logging to stderr.
  • -c <file> / --config <file>: specifies the configuration file. If this option is not present, the program will try to load a file named graylog-groups.yml from the current working directory.
  • -i <name> / --instance <name>: specifies an instance name that will be added to logs as a field named instance.
  • -L <level> / --level <level>: specifies the log level. It must be one of the following: trace, debug, info (the default), warn, error, fatal, panic.
  • -f <file> / --log-file <file>: appends logs to the specified file.
  • -g <host>:<port> / --log-graylog <host>:<port>: sends logs to the specified Graylog server using GELF over UDP.

To Do

  • Add TLS options (skip checks / specify CA) for the Graylog API.
  • Read object ownership using grn_permissions to preserve privileges on users' own objects
  • Support granting ownership on objects
  • Use goroutines ? Maybe.
  • Custom log file/terminal output