Custom default Reader role

[malinkinsa]

At this moment, user with default Reader role can watch input info and other information about clusters.

On input page, for example in kafka custom config, they can found sensitive data

It would be nice to be able to remove the ability to access a number of pages for a role Reader.

Reader permissions scope:

"clusterconfigentry:read",
"indexercluster:read",
"messagecount:read",
"journal:read",
"messages:analyze",
"inputs:read",
"metrics:read",
"fieldnames:read",
"buffers:read",
"system:read",
"jvmstats:read",
"decorators:read",
"throughput:read",
"messages:read"

Your Environment

• Graylog Version: 4.3.5
• Elasticsearch Version: 7.10
• MongoDB Version: 4

[thll]

@malinkinsa thanks for the report!

Just to clarify the issue you are reporting: on the inputs page, the configuration for the Kafka input will show sensitive information for the custom_properties field like so:

@malinkinsa, did you see any other places where sensitive information could be revealed to a Reader?

Usually, sensitive information on the inputs page is replaced with asterisks (********). For the custom_properties, this has not been implemented. Rather than providing means to customize the Reader role, I think we should change how the custom_properties for the Kafka input are displayed and/or stored.

[malinkinsa]

@thll ,

Rather than providing means to customize the Reader role, I think we should change how the custom_properties for the Kafka input are displayed and/or stored.

Yep, this a great solution.

did you see any other places where sensitive information could be revealed to a Reader

Once again checked my setup through the user with Reader role and only in kafka config is it possible.