Skip to content

Enforce clusterconfiguration:read permission on Cluster Configuration endpoints (7.1)#25881

Open
graylog-internal-actions-access[bot] wants to merge 1 commit into7.1from
backport-7.1/fix/cluster-config-permission-enforcement
Open

Enforce clusterconfiguration:read permission on Cluster Configuration endpoints (7.1)#25881
graylog-internal-actions-access[bot] wants to merge 1 commit into7.1from
backport-7.1/fix/cluster-config-permission-enforcement

Conversation

@graylog-internal-actions-access
Copy link
Copy Markdown

@graylog-internal-actions-access graylog-internal-actions-access Bot commented May 4, 2026

Note: This is a backport of #25754 to 7.1.

Relates to Graylog2/glc-bd-documents#85

Description

After the upgrade from 6.3 to 7.0, the "Cluster Configuration Reader" role was introduced in #23248 to restrict access to the Cluster Configuration page. However, the clusterconfiguration:read permission was only enforced on the navigation menu item — the ClusterResource REST endpoints had no permission checks, allowing any authenticated user to access /system/cluster data directly.

This PR adds @RequiresPermissions(RestPermissions.CLUSTER_CONFIGURATION_READ) to these ClusterResource GET endpoints:

  • GET /system/cluster/nodes/paginated
  • GET /system/cluster/node
  • GET /system/cluster/nodes/{nodeId}

We do not restrict GET /system/cluster/nodes since the UI is unusable without it. It only exposes basic information about nodes, unlike the more detailed paginated endpoint.

The PR also adds a frontend route guard on ClusterConfigurationPage to redirect users without clusterconfiguration:read to a 404.

How Tested

  • Manual: log in as a user without the "Cluster Configuration Reader" role and call /api/system/cluster/nodes — should now return 403

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Refactoring (non-breaking change)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have requested a documentation update.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.

@patrickmann @claude
@todvora @github-actions
Enforce clusterconfiguration:read permission on Cluster Configuration…
fa63085 
… endpoints (#25754)

* Enforce clusterconfiguration:read permission on ClusterResource endpoints

The Cluster Configuration page was accessible via direct URL even for users
without the "Cluster Configuration Reader" role because the backend endpoints
had no permission checks — only the nav menu item was gated.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add changelog entry for PR #25754

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add permission guard to ClusterConfigurationPage

Redirect users without clusterconfiguration:read to the Not Found page
when they navigate directly to the Cluster Configuration URL.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* allow /nodes since UI needs it

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Tomas Dvorak <tomas.dvorak@graylog.com>
(cherry picked from commit 56bcada)
@patrickmann patrickmann marked this pull request as ready for review May 5, 2026 07:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@todvora todvora Awaiting requested review from todvora

@ousmaneo ousmaneo Awaiting requested review from ousmaneo

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

backport

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@patrickmann