topic Re: splunk add user non-interactive without logging in on command line in Security

splunk add user non-interactive without logging in on command line

tzhmaba2 — Thu, 23 Dec 2010 23:14:13 GMT

Hi,

I am writing some scripts to manage the users on our Splunk environment. The scripts should be invoke in non-interactive mode from within another tool used for managing users in our company.

The problem is that "splunk add user" or "splunk edit user" on command line require logging in with an existing user with admin privileges. They ask about username/password.

I know I could write something in "expect" or modify the splunk passwd file all by myself with the script but that's somehow too much overhead in my opinion.

Is there a way to make it non-iteractive or to save the credentials in some file or to allow "splunk..." commands without password from the command line of the same server??

Reagards, Bartosz

Re: splunk add user non-interactive without logging in on command line

ziegfried — Thu, 23 Dec 2010 23:34:29 GMT

This is how I managed to get a non-interactive way to work with splunk with the root user:

I've added a new user to Splunk called cli with a long random password.

Then I created a file /root/.splunk-cli-credentials with the password as content

echo "mySecretPassword " > /root/.splunk-cli-credentials
chmod 600 /root/.splunk-cli-credentials

and added the following entry to my /root/.bashrc:

alias xsplunk="splunk login -auth 'cli:$(cat /root/.splunk-cli-credentials)' && splunk"

This lets me use the xsplunk command without logging in each time:

xsplunk add user test -password bar -role user
xsplunk search "sourcetype=foo"

Re: splunk add user non-interactive without logging in on command line

freeti00 — Wed, 29 Dec 2010 07:02:13 GMT

I would of preferred not to use the alias approach, since I'd have to monkey with root bashrc stuff on a box that i don't directly have linux ownership of. But i could not get embedding 'cli:$(cat /root/.splunk-cli-credentials)' in the cron.monthly script to work. Some special alias magic that my bash skills are not up to figuring out

Re: splunk add user non-interactive without logging in on command line

araitz — Wed, 29 Dec 2010 07:31:33 GMT

I would recommend using a scripted input and the Splunk REST API. Scripted inputs, configured via inputs.conf, can be passed a valid authentication token via STDIN if the passAuth= option is included. This auth token can be used to authenticate to the REST API and perform tasks such as adding or editing users.

Re: splunk add user non-interactive without logging in on command line

freeti00 — Wed, 29 Dec 2010 07:34:24 GMT

I used shopts -s expand_aliases in the script and its working now.

Re: splunk add user non-interactive without logging in on command line

tzhmaba2 — Wed, 29 Dec 2010 20:51:22 GMT

The "cat file" works perfect for me. Just what I needed. However the password is still stored somewhere and accessible one way ot another.

Thanks!!

Re: splunk add user non-interactive without logging in on command line

tzhmaba2 — Wed, 29 Dec 2010 20:53:10 GMT

Sounds like magic to me at the moment. 😄 I would probably have to spend a week to learn the API first and stuff about some auth tokens to do a trivial task. The "cat file" sollution is fine for me ATM. Thanks anyway. Will probably have to struggle with API anyway later...

Re: splunk add user non-interactive without logging in on command line

ziegfried — Wed, 29 Dec 2010 21:57:19 GMT

Yes, but only for the root user.

Re: splunk add user non-interactive without logging in on command line

tzhmaba2 — Wed, 29 Dec 2010 23:20:02 GMT

Hi again,

I've got another problem now. My script is getting the password as an MD5 hash on input. As far as I understand the "splunk add user -password" expects cleartext password. So I am creating the user woth any password first and then I am editing the /opt/splunk/etc/passwd with a PERL script to put the MD5 hash in. But I have discovered that as soon as you edit the "passwd" file by other means than the splunk command you cannot log in (via "splunk login" or via web interface). It just says incorrect username. As if the "splunk" command did some hidden stuff which my PERL does not.

Re: splunk add user non-interactive without logging in on command line

tzhmaba2 — Wed, 29 Dec 2010 23:21:07 GMT

Has anyone any idea what am I missing? What does the "splunk" command do what my scripts don't? Or should I slowly start looking at the API? 😉

Thanks in advance for any clues.

Bartosz

Re: splunk add user non-interactive without logging in on command line

devs — Sat, 10 Aug 2013 00:51:53 GMT

I had this problem whilst using puppet to provision my servers. I found that Example42's puppet module for Splunk solved it for me.

Re: splunk add user non-interactive without logging in on command line

john_w_shields — Mon, 11 Feb 2019 23:43:33 GMT

Thanks for the tips. I played around with passing variables to Splunk CLI using the examples you had in this post and was able to change passwords w/o exposing the password on the screen or storing the password in a file.

'#!/bin/bash

    read -sp "Enter Current Password: " currPass
    echo
    read -sp "Enter New Password: " newPass

/opt/splunk/bin/splunk edit user john -password $(echo $newPass) -auth john:$(echo $currPass)'