How to grant a user access to collection logs but not config

dcook 2019-08-14 23:55:35 UTC #1

I want to grant a user access to browse and read log files like update-*.log and crawl.log.
But I don't want them to change config like collection.cfg. This is on version 15.12.

Allowing "View collection reports" doesn't enable the "Browse Log Files" button in the admin interface. "Manage collections" does.

So perhaps it can be done with advanced editing of the user's ini file?

dcook 2019-08-15 00:03:44 UTC #2

The best I can come up with so far is an ini file like this. Here's some of the settings which I think might have been relevant:

sec.file.manager = no # this allows access to browse log files, but also to browse and edit collection config
sec.file.manager.edit = no
sec.administer.read = yes
sec.administer.system = no
user_type = normal

It seems impossible to allow browsing of files without allowing editing, so I'm going to have to provide direct links to the file viewer, eg:

https://hostname:8443/search/admin/show-file.cgi?collection=study_monash&f=crawl.log&dir=offline-logs

Can the file manager be used to restrict access to config files? I wasn't able to get it to work, though I know I've used it in the past.

LukeButters 2019-08-15 01:28:08 UTC #3

15.22 has far better support for this.

plevan 2019-08-15 03:24:37 UTC #4

You need to change the user_type to custom for all the custom settings to take effect.

If you want to change view/edit permissions in the file manager you'll need to override the file manager rules.

https://community.funnelback.com/knowledge-base/system-adminstration/funnelback-configuration-And-settings/customise-the-admin-ui gives some background. Easiest way generally is to grab the [file-manager::main-rules] section from /opt/funnelback/conf/file-manager.ini.dist and put that into your user's ini file. you can then change the permission levels for each of the file types there.