A program that controls Graylog roles and privileges over objects using LDAP groups.
Note: My apologies, this is my first actual program in Go, so it must be a terrible example of worst practices. Sorry.
The community edition of Graylog had the ability to use LDAP groups in order to control user access to the various objects (searches, streams and dashboards).
In a somewhat ethically questionable move this capability was removed in version 4.0 and replaced with an enterprise-only feature called teams.
This program is meant to emulate the pre-4.0 LDAP group functionality.
This program is meant to be executed on a regular basis through e.g. cron. It will read its configuration file, and from there :
It should be noted that permissions set by this tool do not appear anywhere in the Graylog 4 UI. They can be queried back using the API, using the /user/{login} endpoint.
git clone https://github.com/tseeker/graylog-groups
cd graylog-groups
go build
graylog-groups.yml.example.
The program accepts the following command line arguments :
-h / --help : displays usage information then exits.
-q / --quiet : quiet mode. This will disable logging to stderr.
-c <file> / --config <file> : specifies the configuration file. If this option is not present, the program will try to load a file named graylog-groups.yml from the current working directory.
-i <name> / --instance <name> : specifies an instance name that will be added to logs as a field named instance.
-L <level> / --level <level> : specifies the log level. It must be one of the following: trace, debug, info (the default), warn, error, fatal, panic.
-f <file> / --log-file <file> : appends logs to the specified file.
-g <host>:<port> / --log-graylog <host>:<port> : sends logs to the specified Graylog server using GELF over UDP.
grn_permissions to preserve privileges on users' own objects