https://community.splunk.com/t5/Security/Scripted-Authentication-and-Scheduled-Searches/m-p/21000#M685 <P>An update on this -- it turns out the problem is far worse than I thought as it applies to locally configured Splunk users too.</P> <UL> <LI>Configure a user on Splunk with a role that has restricted search terms. In our case a filter that restricts them to only seeing their company’s data.</LI> <LI>User logs in and views dashboard. Can only see their data. Great. </LI> <LI>User schedules PDF generation for dashboard using Splunk’s built in PDF reporting. At the appropriate time a PDF is generated and e-mailed to the user. </LI> <LI>When the PDF is generated the user’s search restrictions are not applied. The user gets e-mailed a report containing data from all companies.</LI> </UL> Wed, 08 May 2013 07:55:28 GMT MatMeredith 2013-05-08T07:55:28Z https://community.splunk.com/t5/Security/Scripted-Authentication-and-Scheduled-Searches/m-p/20995#M680 <P>I think I've hit a Splunk "bug", and I wonder if anyone knows of any way to work around it?</P> <P>I'm using Splunk's scripted authentication. Specifically I have a python script that</P> <UL> <LI>authenticates users </LI> <LI>provides per user search filters.</LI> </UL> <P>This works fine up to a point. My users can log in to Splunk and run searches and they only see results that are compliant with their per user search filter.</P> <P>The problem is that such a user can then schedule PDF generation of a view and when the PDF is later scheduled...</P> <UL> <LI>the authentication script does not get invoked (to check that the user still has permission to access the system)</LI> <LI>(worse) the authentication script does not get invoked to provide the per user search filter, and so the search to generate the PDF is executed with no search filter, with the result that the user gets e-mailed a report containing all the data on the system, rather than just the subset they are permitted to see.</LI> </UL> Wed, 01 May 2013 08:45:26 GMT https://community.splunk.com/t5/Security/Scripted-Authentication-and-Scheduled-Searches/m-p/20995#M680 MatMeredith 2013-05-01T08:45:26Z https://community.splunk.com/t5/Security/Scripted-Authentication-and-Scheduled-Searches/m-p/20996#M681 <P>A couple of questions:</P> <P>What version of Splunk are you using?<BR /> How are you generating PDFs (through the native PDF support in 5.0+ or with the old PDF Report Server)?</P> <P>Let me know, I would like to get this reported immediately. Based on your answers, I might make a minimal repro so that this can get escalated quickly.</P> Wed, 01 May 2013 15:13:29 GMT https://community.splunk.com/t5/Security/Scripted-Authentication-and-Scheduled-Searches/m-p/20996#M681 LukeMurphey 2013-05-01T15:13:29Z https://community.splunk.com/t5/Security/Scripted-Authentication-and-Scheduled-Searches/m-p/20997#M682 <P>I'm using native PDF support in 5.0.2, build 149561. Thanks!</P> Wed, 01 May 2013 16:10:49 GMT https://community.splunk.com/t5/Security/Scripted-Authentication-and-Scheduled-Searches/m-p/20997#M682 MatMeredith 2013-05-01T16:10:49Z https://community.splunk.com/t5/Security/Scripted-Authentication-and-Scheduled-Searches/m-p/20998#M683 <P>Hi. Any news on this? Were you able to raise this? Thanks!</P> Tue, 07 May 2013 08:51:24 GMT https://community.splunk.com/t5/Security/Scripted-Authentication-and-Scheduled-Searches/m-p/20998#M683 MatMeredith 2013-05-07T08:51:24Z https://community.splunk.com/t5/Security/Scripted-Authentication-and-Scheduled-Searches/m-p/20999#M684 <P>According to your title, users are scheduling the search. I also have the impression it's not possible to make "scheduled" search run as another user than "system" which basically has all permissions.</P> <P>I've posted a somewhat related comment about savedsearches.conf - see <A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Savedsearchesconf">http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Savedsearchesconf</A>. I've received an answer but must admit it was not entirely satisfying and I didn't follow it up very closely. I should probably raise this issue with support.</P> Tue, 07 May 2013 21:15:01 GMT https://community.splunk.com/t5/Security/Scripted-Authentication-and-Scheduled-Searches/m-p/20999#M684 yoho 2013-05-07T21:15:01Z https://community.splunk.com/t5/Security/Scripted-Authentication-and-Scheduled-Searches/m-p/21000#M685 <P>An update on this -- it turns out the problem is far worse than I thought as it applies to locally configured Splunk users too.</P> <UL> <LI>Configure a user on Splunk with a role that has restricted search terms. In our case a filter that restricts them to only seeing their company’s data.</LI> <LI>User logs in and views dashboard. Can only see their data. Great. </LI> <LI>User schedules PDF generation for dashboard using Splunk’s built in PDF reporting. At the appropriate time a PDF is generated and e-mailed to the user. </LI> <LI>When the PDF is generated the user’s search restrictions are not applied. The user gets e-mailed a report containing data from all companies.</LI> </UL> Wed, 08 May 2013 07:55:28 GMT https://community.splunk.com/t5/Security/Scripted-Authentication-and-Scheduled-Searches/m-p/21000#M685 MatMeredith 2013-05-08T07:55:28Z https://community.splunk.com/t5/Security/Scripted-Authentication-and-Scheduled-Searches/m-p/21001#M686 <P>I believe part of the answer is in the link below. I'll have to make some tests.</P> <P><A href="http://splunk-base.splunk.com/answers/1438/how-to-specify-an-owner-for-pre-canned-saved-searches-for-app-packaging">http://splunk-base.splunk.com/answers/1438/how-to-specify-an-owner-for-pre-canned-saved-searches-for-app-packaging</A></P> Wed, 08 May 2013 08:22:33 GMT https://community.splunk.com/t5/Security/Scripted-Authentication-and-Scheduled-Searches/m-p/21001#M686 yoho 2013-05-08T08:22:33Z