topic Re: Restrict a user's ability to write to indexes in Security

Restrict a user's ability to write to indexes

w531t4 — Wed, 26 Mar 2014 01:33:20 GMT

All - A user brought an issue to my attention today that i can't find a solution to. This user currently has the need to search through hypothetical index=a and index=b. He showed me that he could use the following command to write results to index=a or index=b:

index=b whateverfilter=true | head 2 | collect index=a marker="report=testing123" testmode=false

I have confirmed his write to the index to be successful. Although i'm able to easily identify the events he wrote to the index by searching for sourcetype=stash, the fact that he can write to the index is a pretty big no-no for us.

One post (http://answers.splunk.com/answers/7565/summary-index-question) suggested using local.meta to limit read's/write's to the index, however it doesn't appear to work.

Does anyone know how i can restrict a user's ability to write events to an index??

update: The user who brought this to my attention has the equivalent permissions to the default 'User' role.
update2: I'm running Splunk Enterprise 5.0.6

Re: Restrict a user's ability to write to indexes

yannK — Wed, 26 Mar 2014 14:59:35 GMT

They are 2 methods to write in a summary index :

search with the " | collect" command
- quick method to disable the collect : change the permissions on the the "collect" command, to allow only power or admin roles to use it, [EDIT] first method not working
scheduled search with the option "summary"
- For scheduled summary populating searches, they are already limited to power users (regular users cannot schedule a search by default), you may want to verify the the role capabilities see "schedule_search" http://docs.splunk.com/Documentation/Splunk/6.0.2/Security/Rolesandcapabilities

Re: Restrict a user's ability to write to indexes

w531t4 — Wed, 26 Mar 2014 15:49:52 GMT

I like your comment about disabling collect.. how is this done?

Re: Restrict a user's ability to write to indexes

yannK — Wed, 26 Mar 2014 17:11:16 GMT

in the UI go to settings > Advanced search > Search commands
filter for the search app, and search for "collect"
then change permissions based on role.

Re: Restrict a user's ability to write to indexes

w531t4 — Fri, 04 Apr 2014 19:19:36 GMT

'collect' is not listed as a search command in the search app. There's pycollect and pystash. I've made those read/write admin only and i'm still able to use the collect command as a under-priveldged user

Re: Restrict a user's ability to write to indexes

yannK — Fri, 04 Apr 2014 20:28:47 GMT

I confirm, I tested and the permissions change on[commands/pycollect] or [commands/collect] are not preventing an user to use the command.
Adding an option to Disable this command will be a new feature request.

Re: Restrict a user's ability to write to indexes

splunkIT — Fri, 16 Mar 2018 22:47:15 GMT

There is currently an outstanding ER for it:
SPL-133287: ability to specify an index as read-only

Re: Restrict a user's ability to write to indexes

alanden_splunk — Mon, 04 Jun 2018 16:01:28 GMT

Do not give the [capability::indexes_edit] permission in authorize.conf

Re: Restrict a user's ability to write to indexes

sbrant_splunk — Mon, 04 Jun 2018 16:45:21 GMT

"indexes_edit" is for the ability to modify the properties of the index. It doesn't change the ability to write data to an index.

from the docs at http://docs.splunk.com/Documentation/Splunk/7.1.1/Security/Rolesandcapabilities

"indexes_edit Lets the user change any index settings such as file size and memory limits. "

Re: Restrict a user's ability to write to indexes

alanden_splunk — Mon, 04 Jun 2018 20:23:37 GMT

Normally, that is my instinct as well, but I can tell you that only a few hours ago I saw a user account for a customer denied permission to use the collect command until after the customer reported giving the indexes_edit capability. After which time, the collect command worked perfectly. So I can report that after the customer reported giving that capability and doing nothing else, I saw the collect command become functional for the user. I will verify that I understood their report correctly, but I am 99% sure at this point.