projects/graylog-groups
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
graylog-groups/README.md
Emmanuel BENOîT dcd3f920c9 Improved logging 
* Added dependency on logrus.
* Command line flags are parsed in order to obtain the name of the
  configuration file, the log level and the instance identifier.
* Logging in various places : configuration loader, API, data access.
  Privilege computations and subsequent actions do not write proper logs
  yet.
2021-02-10 23:58:14 +01:00

65 lines
2.1 KiB
Markdown
Raw Blame History

graylog-groups
===============
A program that controls Graylog roles and privileges over objects using LDAP
groups.
**Note** My apologies, this is my first actual program in Go, so it must be a
terrible example of worst practices. Sorry.
Why?
-----
The community edition of [Graylog](https://graylog.org) had the ability to use
LDAP group in order to control user access to the various objects (streams and
dashboards).
In a somewhat ethically questionable move this capability was removed in version
4.0 and replaced with an enterprise-only feature called teams.
This program is meant to emulate the pre-4.0 LDAP group functionality.
How?
-----
This program is meant to be executed on a regular basis through e.g. `cron`. It
will read its configuration file, and from there :
* get the list of users on the Graylog side,
* read the list of members for all LDAP groups that have a mapping defined in
the configuration file,
* compute the roles and object privileges to grant for each Graylog user,
* optionally delete users that no longer have any privileges according to the
mapping and LDAP group membership,
* set the users' permissions on the various Graylog objects,
* add or remove Graylog roles from user accounts.
Installing
-----------
- Download and build the program :
```
git clone https://github.com/tseeker/graylog-groups
cd graylog-groups
go build
```
- Copy the resulting binary to whatever box will run it.
- Create a configuration file based in the example from
`graylog-groups.yml.example`.
- Set up a cron job or whatever it is you use to schedule tasks to run the
synchronization binary on a regular basis.
To Do
------
* Proper logging, work in progress:
* Add logs to the privilege computations and related API calls.
* Sending logs to... well, Graylog... through CLI switches.
* Writing logs to a file.
* Document command line flags.
* Cache LDAP username lookups
* Add TLS options (skip checks / specify CA) for the Graylog API.
* Read object ownership using `grn_permissions` to preserve privileges on users'
own objects
* Support granting ownership on objects
* Use goroutines ? Maybe.
Reference in a new issue View git blame Copy permalink