Here is an overview of our search authorization system, pointers, and an example
If you cannot find what you're looking for in the Administrator -> user/groups panel, this may be helpful. We're in the process of adding a GUI-driven ABAC system to make this easier, but for now we've got a script-based system to restrict queries. If you can enumerate precisely which restrictions you'd like to implement, we should be able to put together a script for you with instructions on how to deploy it - please reach out to support@gravwell.io.
The rest of this article is an overview of our search authorization system, with an example and a few pointers on writing your own scripts if you're interested. There are a few examples of authorization scripts which you could try to tweak for your own uses if you like.
If I set this parameter in gravwell.conf:
Search-Control-Script=/opt/gravwell/etc/authscripts/syslog.grv
And then create /opt/gravwell/etc/authscripts/syslog.grv with the following contents:
    var strings = import("strings")

    # Deny the query if a member of syslog-users asks for any tag that does not
    # begin with "syslog". Returns true when the query has been denied.
    func checkTag() {
        for tag in tags {
            if inGroup("syslog-users") && !strings.HasPrefix(tag, "syslog") {
                deny("Users in the syslog-users group are only allowed to access the syslog* tags")
                return true
            }
        }
        return false
    }

    # Run each check in turn and stop at the first one that denies the query.
    var checks = [checkTag]
    for c in checks {
        if c() {
            break
        }
    }
This will restrict users in the "syslog-users" group to only access tags which begin with "syslog". So they could access "syslog-webserver", "syslog_udp", or just plain "syslog", but not "netflow". Note that I can create as many files as I want and specify Search-Control-Script multiple times; all scripts will be run for every query launched.
We don't have detailed documentation on this because a GUI-driven permission system is coming soon and writing a script has a learning curve, so we prefer to write them for our customers where possible. However, if you'd like to take a crack at it yourself, the basic syntax of the scripting language is described at https://docs.gravwell.io/docs/#!scripting/scripting.md .
There are a few built-in functions and variables specifically for search authorization scripts which would be useful to you:
VARIABLES
* "username" is a variable containing the username running the query
* "groups" is a list of groups the user is in
* "tags" is the list of tags used in the search query
* "now" is the current time
* "start" is the start of the timespan for the query
* "end" is the end of the timespan for the query
* "duration" is essentially (end - start); you could use it like this: if duration > 60 * time.Minute
* "active" is the number of active queries the user has running
* "storage" is how many bytes of disk the user's other queries are consuming
FUNCTIONS
* deny(reason): Call deny when you have determined that the user should not be able to run the query, as shown above. reason is a string which will be displayed to the user.
* inGroup(groupname): Returns true if the executing user is in the group with the specified name
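As an added example that is not part of the original article or Gravwell's own documentation, the script below combines several of the variables and functions listed above into one control script with three independent checks: a time-window cap, a tag deny-list for one group, and per-user resource limits. The group names ("analysts", "contractors"), the "hr-" tag prefix, the 24-hour window, the four-query cap and the 10 GB storage cap are all assumed values chosen for illustration, and it assumes that time constants such as time.Hour are available after import("time"), as in the duration example above.

```anko
# Added example, not Gravwell's own code. Group names, tag prefix and
# every threshold below are assumptions made for illustration.
var time = import("time")
var strings = import("strings")

# Cap the search time window for everyone outside the "analysts" group.
func checkDuration() {
    if !inGroup("analysts") && duration > 24 * time.Hour {
        deny("Users outside the analysts group may search at most 24 hours at a time")
        return true
    }
    return false
}

# Keep members of "contractors" out of any tag beginning with "hr-".
func checkSensitiveTags() {
    if !inGroup("contractors") {
        return false
    }
    for tag in tags {
        if strings.HasPrefix(tag, "hr-") {
            deny("Contractors may not search the hr-* tags")
            return true
        }
    }
    return false
}

# Per-user resource limits: at most 4 concurrent searches and at most
# 10 GB of storage consumed by the user's other searches.
func checkResources() {
    if active >= 4 {
        deny("You already have 4 searches running; wait for one to finish")
        return true
    }
    if storage > 10 * 1024 * 1024 * 1024 {
        deny("Your existing searches use more than 10 GB of storage; delete some before launching another")
        return true
    }
    return false
}

# Run every check in order and stop at the first denial, the same pattern
# the syslog example above uses. A query passes only if no check denies it.
var checks = [checkDuration, checkSensitiveTags, checkResources]
for c in checks {
    if c() {
        break
    }
}
```

Each check is its own function so that a single script can be extended by appending to the checks list, and because every script named by Search-Control-Script runs for every query, a check that belongs to a different team can just as well live in its own file.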