User Authentication
Graylog API Security supports several methods of user authentication so that you can control access to the system. This article details the necessary commands to set up authentication for individual users and multiple users as well as how to enable multiple authentication methods.
Hint: You must configure DNS resolution and enable TLS before you can enable authentication.
Set Up Basic Authentication
Use the following command to enable basic authentication for a single user:
helm upgrade resurface resurfaceio/resurface -n resurface --set auth.enabled=true --set auth.basic.enabled=true --set auth.basic.credentials[0].username=rob --set auth.basic.credentials[0].password=blah1234 --reuse-values
Hint: On some systems, you might need to add noglob to the start of the shell command.
To enable basic authentication for multiple users, it is more efficient to create an auth.yaml file that includes credentials for each user. Here's an example auth.yaml file that defines three users:
auth:
  enabled: true
  basic:
    enabled: true
    credentials:
      - username: rob
        password: blah1234
      - username: jsmith
        password: hunter2
      - username: admin
        password: irtRUqUp7fkfL
Load the auth.yaml file with the following command:
helm upgrade resurface resurfaceio/resurface -n resurface -f auth.yaml --reuse-values
Delete the auth.yaml file from your local machine after you upload it, since it contains usernames and passwords. Graylog API Security stores this information securely encrypted.
Hint: At this time, Graylog API Security does not support password resets from the login page. The only way to change user passwords is through Helm.
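The multi-user procedure above as a single script, added here as an example and not part of the Graylog documentation: it builds the values file in a private temporary file, single-quotes every value so that passwords containing `#`, `:` or `'` remain valid YAML, loads the file with Helm, and removes it even if Helm fails. The `username:password` users-file format and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the product documentation.
# Assumptions: users file holds one "username:password" per line;
# yaml_quote, write_auth_yaml and apply_auth are hypothetical helper names.

# yaml_quote VALUE: print VALUE as a single-quoted YAML scalar.
# Inside single quotes YAML treats everything literally except ', written as ''.
yaml_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# write_auth_yaml USERS_FILE OUT_FILE: build the basic-auth values file.
write_auth_yaml() {
  {
    printf 'auth:\n  enabled: true\n  basic:\n    enabled: true\n    credentials:\n'
    # Only the first ":" splits the line, so passwords may contain colons.
    while IFS=: read -r wa_user wa_pass || [ -n "$wa_user" ]; do
      [ -n "$wa_user" ] || continue            # skip blank lines
      printf '      - username: %s\n' "$(yaml_quote "$wa_user")"
      printf '        password: %s\n' "$(yaml_quote "$wa_pass")"
    done < "$1"
  } > "$2"
}

# apply_auth USERS_FILE: load the credentials and leave no values file behind.
# The body runs in a subshell so umask and traps do not leak into the caller.
apply_auth() (
  umask 077                                    # owner-only files from here on
  tmp=$(mktemp) || exit 1
  trap 'rm -f "$tmp"' EXIT                     # remove the file on any exit path
  trap 'exit 1' INT TERM
  write_auth_yaml "$1" "$tmp" || exit 1
  helm upgrade resurface resurfaceio/resurface -n resurface -f "$tmp" --reuse-values
)

# Run only when a users file is given as the first argument.
if [ -n "${1:-}" ]; then
  apply_auth "$1"
fi
```

The users file still holds plaintext passwords, so keep it owner-readable only and remove it once the upgrade succeeds.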
Set Up OAuth
If you use OAuth authentication in your environment, you can enable it for Graylog API Security with an auth.yaml file such as the following:
auth:
  enabled: true
  oauth2:
    enabled: true
    issuer: https://accounts.google.com
    authurl: https://accounts.google.com/o/oauth2/v2/auth
    tokenurl: https://oauth2.googleapis.com/token
    jwksurl: https://www.googleapis.com/oauth2/v3/certs
    userinfourl: https://openidconnect.googleapis.com/v1/userinfo
    clientid: sampleid123.apps.googleusercontent.com
    clientsecret: samplesecret456
Load the auth.yaml file with the following command:
helm upgrade resurface resurfaceio/resurface -n resurface -f auth.yaml --reuse-values
Delete the auth.yaml file from your local machine after you upload it, since it contains usernames and passwords. Graylog API Security stores this information securely encrypted.
Set Up JWT
If you use JSON Web Token (JWT) authentication in your environment, you can enable it for Graylog API Security with an auth.yaml file such as the following:
auth:
  enabled: true
  jwt:
    enabled: true
    jwksurl: <Your JWKS URL>
Load the auth.yaml file with the following command:
helm upgrade resurface resurfaceio/resurface -n resurface -f auth.yaml --reuse-values
Delete the auth.yaml file from your local machine after you upload it, since it contains usernames and passwords. Graylog API Security stores this information securely encrypted.
Set Up Multiple Methods
If you use multiple authentication methods in your environment, you can enable them for Graylog API Security with an auth.yaml file such as the following:
auth:
  enabled: true
  basic:
    enabled: true
    credentials:
      - username: rob
        password: blah1234
      - username: jsmith
        password: hunter2
      - username: admin
        password: irtRUqUp7fkfL
  oauth2:
    enabled: true
    issuer: https://accounts.google.com
    authurl: https://accounts.google.com/o/oauth2/v2/auth
    tokenurl: https://oauth2.googleapis.com/token
    jwksurl: https://www.googleapis.com/oauth2/v3/certs
    userinfourl: https://openidconnect.googleapis.com/v1/userinfo
    clientid: sampleid123.apps.googleusercontent.com
    clientsecret: samplesecret456
Load the auth.yaml file with the following command:
helm upgrade resurface resurfaceio/resurface -n resurface -f auth.yaml --reuse-values
Delete the auth.yaml file from your local machine after you upload it, since it contains usernames and passwords. Graylog API Security stores this information securely encrypted.