Allow Sidecar Manager role to manage sidecar tokens (#24526)

xd4rker · web-flow · commit b0843857bb6e · 2025-12-12T11:46:43.000+01:00
* Allow Sidecar Manager role to create user tokens

* Add changelog

* Add USERS_EDIT permission to Sidecar Manager role
diff --git a/changelog/unreleased/issue-24470.toml b/changelog/unreleased/issue-24470.toml
@@ -0,0 +1,5 @@
+type = "f"
+message = "Allow Sidecar Manager role to manage sidecar tokens."
+
+issues = ["24470"]
+pulls = ["24526"]
diff --git a/graylog2-server/src/main/java/org/graylog/plugins/sidecar/migrations/V20230502164900_AddSidecarManagerAndReaderRole.java b/graylog2-server/src/main/java/org/graylog/plugins/sidecar/migrations/V20230502164900_AddSidecarManagerAndReaderRole.java
@@ -17,21 +17,28 @@
 package org.graylog.plugins.sidecar.migrations;
 
 import com.google.common.collect.ImmutableSet;
+import org.graylog.plugins.sidecar.common.SidecarPluginConfiguration;
 import org.graylog.plugins.sidecar.permissions.SidecarRestPermissions;
 import org.graylog2.migrations.Migration;
 import org.graylog2.migrations.MigrationHelpers;
 
 import jakarta.inject.Inject;
+import org.graylog2.shared.security.RestPermissions;
 
 import java.time.ZonedDateTime;
 
 public class V20230502164900_AddSidecarManagerAndReaderRole extends Migration {
 
     private final MigrationHelpers helpers;
+    private final String sidecarUser;
 
     @Inject
-    public V20230502164900_AddSidecarManagerAndReaderRole(MigrationHelpers migrationHelpers) {
+    public V20230502164900_AddSidecarManagerAndReaderRole(
+            MigrationHelpers migrationHelpers,
+            SidecarPluginConfiguration sidecarPluginConfiguration
+    ) {
         this.helpers = migrationHelpers;
+        sidecarUser = sidecarPluginConfiguration.getUser();
     }
 
     @Override
@@ -45,6 +52,11 @@ public void upgrade() {
                 "Sidecar Manager",
                 "Grants access to read, register and pull configurations for Sidecars (built-in)",
                 ImmutableSet.of(
+                        permissionForUser(RestPermissions.USERS_READ, sidecarUser),
+                        permissionForUser(RestPermissions.USERS_EDIT, sidecarUser),
+                        permissionForUser(RestPermissions.USERS_TOKENCREATE, sidecarUser),
+                        permissionForUser(RestPermissions.USERS_TOKENLIST, sidecarUser),
+                        permissionForUser(RestPermissions.USERS_TOKENREMOVE, sidecarUser),
                         SidecarRestPermissions.COLLECTORS_READ,
                         SidecarRestPermissions.COLLECTORS_CREATE,
                         SidecarRestPermissions.COLLECTORS_UPDATE,
@@ -66,4 +78,8 @@ public void upgrade() {
                         SidecarRestPermissions.SIDECARS_READ));
 
     }
+
+    private String permissionForUser(String permission, String user) {
+        return permission + ":" + user;
+    }
 }
