Pandalog is a bundle of independent, executable scripts to bridge gaps in the new Graylog permission model.
The executable scripts are modularized and highly extensible, so future use-cases can be easily integrated into the application.
The following use-cases are currently supported:
- create/retrieve an STS token (requires user password)
- share one or multiple streams with one or multiple teams
- share all streams with one or multiple teams
- "unshare" one or multiple streams with one or multiple teams
- "unshare" all streams with one or multiple teams
At the time of this writing, we are not enforcing a PKI; for this reason Pandalog does not install CA root certificates to establish trust, and its HTTPS requests skip certificate verification.
Usage: pandalog [OPTIONS] COMMAND [ARGS]...
Pandalog - Bitpanda Graylog Python Wrapper
Example Usage:
$ export GRAYLOG_HOST=graylog.example.bitpanda
$ export GRAYLOG_TOKEN=$(pandalog-auth get-sts-token -u ${USER} -p ${PASS})
$ pandalog get-teams
ID NAME
6197...da84503ac69a8c8 All Pandas
6197...5da84503ac69a8c9 External
6197...c69a8c1asddfedd No Pandas
... TRUNCATED ...
$ pandalog get-streams
ID TITLE
614da...2ff22df8b0 Stream1
5e37f...50e84c5320 Stream2
5e380...9019784440 Stream3
5f7df...10d972d620 Admin-PY
... TRUNCATED ...
$ pandalog to-stream --all "All Pandas,Some Pandas"
$ pandalog from-stream --streams "API,ACME" "staging-developer"
Options:
--version Show the version and exit.
--help Show this message and exit.
Commands:
from-stream unshare stream(s) with team(s)
get-streams list streams
get-teams list teams
to-stream share stream(s) with team(s)
Pre-requisites:
- Docker OR
- Python3
There are three ways to install pandalog:
- Build the Dockerfile
- Run the installation script inside a virtual environment
- Pull the image from ECR registry (in roadmap, not available yet)
To build the Dockerfile locally:
# clone repo and go to the project root directory
$ git clone ssh://git@git.github.com/bitpanda-labs/pandalog.git && cd pandalog
# build the docker image
$ DOCKER_BUILDKIT=1 docker build -t ${image}:${tag} -f ci/docker/Dockerfile .
To install it in a virtual environment:
# install venv package
$ python3 -m pip install virtualenv
# clone repo and go to the project root directory
$ git clone ssh://git@git.github.com/bitpanda-labs/pandalog.git && cd pandalog
# create a virtualenv inside the directory
$ python3 -m venv env
# activate the virtualenv
$ source env/bin/activate
# install pandalog inside the virtualenv
(env)$ python3 setup.py install
Before you can interact with the Graylog API, you need to obtain a temporary session token.
To create a token or retrieve an existing one, use pandalog-auth. To create that token, you will need to provide your password the first time around.
Pandalog supports three different ways of providing/storing the password:
- GRAYLOG_PASS environment variable
- -p/--password optional command-line argument
- if none of the above is specified, pandalog will prompt you for the password (safest option)
For instance:
$ pandalog-auth get-sts-token -u ${USER}
Password: <- provide your password
edc9df021...truncated... <- copy the token and store it somewhere safe
Once you get a hold of the token, you can authenticate your requests by passing it along with the -t/--token flag, or by storing it in a GRAYLOG_TOKEN environment variable. The token expires within 24 hours.
- Graylog API does not include a PATCH method for adding/removing shares (i.e. every POST request must contain in the JSON body all the existing grants +/- the grants being updated)
- Due to the limitation above, additional API calls are made to merge grants, taking anywhere between 5 and 10 seconds to fulfill a request end-to-end
- As already mentioned, HTTPS requests are not verified due to lack of a PKI infrastructure for self-signed certificates
- Write unit tests
- Add logging capabilities
- Extend functionality to enable sharing at user-level
- Extend functionality by accepting files instead of command-line arguments
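
The grant-merge step behind the no-PATCH limitation above, as an added example that is not Pandalog's own code: it builds the full grant set for one POST so that sharing or unsharing one team does not silently drop grants held by others. The `selected_grantee_capabilities` field name, the `grn::::team:<id>` identifier layout, the capability ordering and all sample ids are assumptions made for illustration.

```python
# Added example: merge existing grants with a share/unshare change so the
# complete set can be sent in a single POST. Field name, GRN layout and
# capability ordering are assumptions, not taken from Pandalog.
RANK = {"view": 1, "manage": 2, "own": 3}  # assumed capability ordering


def team_grn(team_id):
    """Build a grantee identifier for a team (assumed GRN layout)."""
    return f"grn::::team:{team_id}"


def merge_grants(existing, share=(), unshare=(), capability="view"):
    """Return the complete grantee -> capability map to POST.

    existing: grants currently on the stream, as read back from the API
    share / unshare: team ids to add or remove
    Grantees not named in the change are carried over untouched, and a
    share never downgrades a stronger capability a team already holds.
    """
    if capability not in RANK:
        raise ValueError(f"unknown capability: {capability}")
    overlap = set(share) & set(unshare)
    if overlap:
        raise ValueError(f"team(s) in both share and unshare: {sorted(overlap)}")
    merged = dict(existing)  # copy, so the caller's snapshot is not mutated
    for team_id in share:
        grn = team_grn(team_id)
        # Missing grants rank 0 and are always added.
        if RANK.get(merged.get(grn), 0) < RANK[capability]:
            merged[grn] = capability
    for team_id in unshare:
        merged.pop(team_grn(team_id), None)  # absent grant: nothing to do
    return merged


def build_share_body(existing, **change):
    """Wrap the merged map in the JSON body shape (assumed field name)."""
    return {"selected_grantee_capabilities": merge_grants(existing, **change)}


if __name__ == "__main__":
    # Constructed sample: grants already present on one stream.
    current = {
        "grn::::user:aaa111": "own",
        "grn::::team:t-all": "manage",
        "grn::::team:t-ext": "view",
    }
    print(build_share_body(current, share=["t-dev", "t-all"], unshare=["t-ext"]))
```

Posting only the changed grant instead of the merged map is the failure this guards against: every grantee left out of the body would lose access.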