Add new Cluster Configuration Reader role (#23248)

* add new Cluster Configuration Reader role

* cl

---------

Co-authored-by: Tomas Dvorak <[email protected]>

Author: moesterheld

UPGRADING.md

@@ -17,7 +17,11 @@ can only talk to Kafka brokers with version 2.1 or newer.
 
 ## Default Configuration Changes
 
-- tbd
+- The permission to view the "Cluster Configuration" page was removed from the `Reader` role. This permission is now
+  available with the `Cluster Configuration Reader` role. There is an automatic one-time migration to add this role to
+  all existing users with the `Reader` role to ensure backwards compatibility. New users that will be created in the
+  future need to be explicitly assigned to the `Cluster Configuration Reader` role if they should be able to access the
+  page.
 
 ## Java API Changes
 

changelog/unreleased/pr-23248.toml

@@ -0,0 +1,5 @@
+type = "a"
+message = "Change default visibility of Cluster Configuration page to users with new role Cluster Configuration Reader."
+
+issues = ["graylog-plugin-enterprise#10605"]
+pulls = ["23248"]

graylog2-server/src/main/java/org/graylog2/migrations/MigrationsModule.java

@@ -75,5 +75,6 @@ protected void configure() {
         addMigration(V20250206105400_TokenManagementConfiguration.class);
         addMigration(V20250219134200_DefaultTTLForNewTokens.class);
         addMigration(V20250506090000_AddInputTypesPermissions.class);
+        addMigration(V20250721090000_AddClusterConfigurationPermission.class);
     }
 }

graylog2-server/src/main/java/org/graylog2/migrations/V20250721090000_AddClusterConfigurationPermission.java

@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog2.migrations;
+
+import jakarta.inject.Inject;
+import org.graylog2.database.NotFoundException;
+import org.graylog2.plugin.cluster.ClusterConfigService;
+import org.graylog2.plugin.database.ValidationException;
+import org.graylog2.shared.users.Role;
+import org.graylog2.shared.users.UserService;
+import org.graylog2.users.RoleService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.time.ZonedDateTime;
+import java.util.Set;
+
+public class V20250721090000_AddClusterConfigurationPermission extends Migration {
+
+    private static final Logger LOG = LoggerFactory.getLogger(V20250721090000_AddClusterConfigurationPermission.class);
+
+    static final String CLUSTER_CONFIGURATION_READER_ROLE = "Cluster Configuration Reader";
+
+    private final ClusterConfigService clusterConfigService;
+    private final RoleService roleService;
+    private final UserService userService;
+
+    @Inject
+    public V20250721090000_AddClusterConfigurationPermission(final ClusterConfigService clusterConfigService,
+                                                             RoleService roleService, UserService userService) {
+        this.clusterConfigService = clusterConfigService;
+        this.roleService = roleService;
+        this.userService = userService;
+    }
+
+    @Override
+    public ZonedDateTime createdAt() {
+        return ZonedDateTime.parse("2025-07-21T09:00:00Z");
+    }
+
+    @Override
+    public void upgrade() {
+        if (clusterConfigService.get(V20250721090000_AddClusterConfigurationPermission.MigrationCompleted.class) != null) {
+            LOG.debug("Migration already completed.");
+            return;
+        }
+        LOG.debug("Starting migration to add cluster configuration reader role to users with reader role.");
+
+        try {
+            Role readerRole = roleService.loadById(roleService.getReaderRoleObjectId());
+            Role clusterConfigurationReaderRole = roleService.load(CLUSTER_CONFIGURATION_READER_ROLE);
+
+            userService.loadAllForRole(readerRole).stream()
+                    .peek(user -> {
+                        Set<String> roleIds = user.getRoleIds();
+                        roleIds.add(clusterConfigurationReaderRole.getId());
+                        user.setRoleIds(roleIds);
+                    }).forEach(user -> {
+                        LOG.debug("Updating user {} with new cluster configuration reader role", user.getName());
+                        try {
+                            userService.save(user);
+                        } catch (ValidationException e) {
+                            LOG.error("Error updating user.", e);
+                        }
+                    });
+
+
+        } catch (NotFoundException e) {
+            LOG.error("Built-in role not found. Cannot add cluster configuration role to users with reader role: {}", e.getMessage());
+        } finally {
+            clusterConfigService.write(new V20250721090000_AddClusterConfigurationPermission.MigrationCompleted());
+        }
+
+    }
+
+    public record MigrationCompleted() {
+    }
+}

graylog2-server/src/main/java/org/graylog2/shared/security/RestPermissions.java

@@ -51,6 +51,7 @@ public class RestPermissions implements PluginPermissions {
     public static final String CLUSTER_CONFIG_ENTRY_EDIT = "clusterconfigentry:edit";
     public static final String CLUSTER_CONFIG_ENTRY_READ = "clusterconfigentry:read";
     public static final String CAPABILITIES_READ = "capabilities:read";
+    public static final String CLUSTER_CONFIGURATION_READ = "clusterconfiguration:read";
     public static final String CONTENT_PACK_CREATE = "contentpack:create";
     public static final String CONTENT_PACK_DELETE = "contentpack:delete";
     public static final String CONTENT_PACK_READ = "contentpack:read";
@@ -212,6 +213,7 @@ public class RestPermissions implements PluginPermissions {
             .add(create(CLUSTER_CONFIG_ENTRY_DELETE, ""))
             .add(create(CLUSTER_CONFIG_ENTRY_EDIT, ""))
             .add(create(CLUSTER_CONFIG_ENTRY_READ, ""))
+            .add(create(CLUSTER_CONFIGURATION_READ, ""))
             .add(create(DASHBOARDS_CREATE, ""))
             .add(create(DASHBOARDS_EDIT, "").withManageCapabilityFor(GRNTypes.DASHBOARD))
             .add(create(DASHBOARDS_READ, "").withViewCapabilityFor(GRNTypes.DASHBOARD))
@@ -378,6 +380,9 @@ public class RestPermissions implements PluginPermissions {
             )),
             BuiltinRole.create("User Inspector", "Allows listing all user accounts (built-in)", ImmutableSet.of(
                     RestPermissions.USERS_READ, RestPermissions.USERS_LIST
+            )),
+            BuiltinRole.create("Cluster Configuration Reader", "Allows viewing the Cluster Configuration page", ImmutableSet.of(
+                    RestPermissions.CLUSTER_CONFIGURATION_READ
             ))
     ).build();
 

graylog2-server/src/test/java/org/graylog2/migrations/V20250721090000_AddClusterConfigurationPermissionTest.java

@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+
+package org.graylog2.migrations;
+
+import org.graylog2.database.NotFoundException;
+import org.graylog2.plugin.cluster.ClusterConfigService;
+import org.graylog2.plugin.database.ValidationException;
+import org.graylog2.plugin.database.users.User;
+import org.graylog2.shared.users.Role;
+import org.graylog2.shared.users.UserService;
+import org.graylog2.users.RoleService;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.UUID;
+
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.ignoreStubs;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoInteractions;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+public class V20250721090000_AddClusterConfigurationPermissionTest {
+
+    @Mock
+    ClusterConfigService clusterConfigService;
+    @Mock
+    RoleService roleService;
+    @Mock
+    UserService userService;
+
+    V20250721090000_AddClusterConfigurationPermission migration;
+
+    @BeforeEach
+    public void setUp() {
+        when(clusterConfigService.get(V20250721090000_AddClusterConfigurationPermission.MigrationCompleted.class))
+                .thenReturn(null);
+        migration = new V20250721090000_AddClusterConfigurationPermission(clusterConfigService, roleService, userService);
+    }
+
+    @Test
+    public void nothingMigratedIfReaderRoleNotFound() throws NotFoundException {
+        String readerId = UUID.randomUUID().toString();
+        when(roleService.getReaderRoleObjectId()).thenReturn(readerId);
+        when(roleService.loadById(readerId)).thenThrow(NotFoundException.class);
+        migration.upgrade();
+        verifyNoInteractions(userService);
+        verify(clusterConfigService, times(1)).write(any());
+    }
+
+    @Test
+    public void nothingMigratedIfClusterConfigurationReaderRoleNotFound() throws NotFoundException {
+        String readerId = UUID.randomUUID().toString();
+        when(roleService.getReaderRoleObjectId()).thenReturn(readerId);
+        when(roleService.loadById(readerId)).thenReturn(mock(Role.class));
+        when(roleService.load(V20250721090000_AddClusterConfigurationPermission.CLUSTER_CONFIGURATION_READER_ROLE))
+                .thenThrow(NotFoundException.class);
+        migration.upgrade();
+        verifyNoInteractions(userService);
+        verify(clusterConfigService, times(1)).write(any());
+    }
+
+    @Test
+    public void roleAddedToAllUsersWithReaderRole() throws NotFoundException, ValidationException {
+        String readerId = UUID.randomUUID().toString();
+        String clusterConfigurationReaderRoleId = UUID.randomUUID().toString();
+        when(roleService.getReaderRoleObjectId()).thenReturn(readerId);
+        Role readerRole = mock(Role.class);
+        when(roleService.loadById(readerId)).thenReturn(readerRole);
+        Role clusterConfigurationReaderRole = mock(Role.class);
+        when(clusterConfigurationReaderRole.getId()).thenReturn(clusterConfigurationReaderRoleId);
+        when(roleService.load(V20250721090000_AddClusterConfigurationPermission.CLUSTER_CONFIGURATION_READER_ROLE))
+                .thenReturn(clusterConfigurationReaderRole);
+
+        User user1 = mock(User.class);
+        when(user1.getRoleIds()).thenReturn(new HashSet<>(List.of(readerId)));
+        User user2 = mock(User.class);
+        when(user2.getRoleIds()).thenReturn(new HashSet<>(List.of(readerId)));
+
+        when(userService.loadAllForRole(readerRole)).thenReturn(List.of(user1, user2));
+
+        migration.upgrade();
+
+        verify(user1, times(1)).setRoleIds(Set.of(readerId, clusterConfigurationReaderRoleId));
+        verify(user2, times(1)).setRoleIds(Set.of(readerId, clusterConfigurationReaderRoleId));
+        verify(userService, times(2)).save(any());
+        verify(clusterConfigService, times(1)).write(any());
+    }
+
+    @Test
+    public void migrationRunsOnlyOnce() {
+        when(clusterConfigService.get(V20250721090000_AddClusterConfigurationPermission.MigrationCompleted.class))
+                .thenReturn(new V20250721090000_AddClusterConfigurationPermission.MigrationCompleted());
+        migration.upgrade();
+        verifyNoMoreInteractions(ignoreStubs(clusterConfigService));
+        verifyNoInteractions(roleService, userService);
+    }
+
+}

graylog2-web-interface/src/components/navigation/bindings.ts

@@ -15,10 +15,10 @@
  * <http://www.mongodb.com/licensing/server-side-public-license>.
  */
 
-import type { PluginExports } from 'graylog-web-plugin/plugin';
+import type {PluginExports} from 'graylog-web-plugin/plugin';
 
 import Routes from 'routing/Routes';
-import filterMenuItems, { filterCloudMenuItems } from 'util/conditional/filterMenuItems';
+import filterMenuItems, {filterCloudMenuItems} from 'util/conditional/filterMenuItems';
 import AppConfig from 'util/AppConfig';
 
 export const SYSTEM_DROPDOWN_TITLE = 'System';
@@ -55,7 +55,11 @@ const navigationBindings: PluginExports = {
               description: 'Configurations',
               permissions: ['clusterconfigentry:read'],
             },
-            { path: Routes.SYSTEM.CLUSTER.NODES, description: 'Cluster Configuration', permissions: ['datanode:read'] },
+            {
+              path: Routes.SYSTEM.CLUSTER.NODES,
+              description: 'Cluster Configuration',
+              permissions: ['clusterconfiguration:read'],
+            },
             { path: Routes.SYSTEM.INPUTS, description: 'Inputs', permissions: ['inputs:read'] },
             { path: Routes.SYSTEM.OUTPUTS, description: 'Outputs', permissions: ['outputs:read'] },
             { path: Routes.SYSTEM.INDICES.LIST, description: 'Indices', permissions: ['indices:read'] },