https://community.splunk.com/t5/Deployment-Architecture/DB-Connect-access-restrictions-to-database-connections-not/m-p/199569#M23650 <P>I'm trying to set up db connections with role-based access restrictions. As an example, Splunk role A shall be able to run <CODE>dbquery</CODE> using database connection dbA and Splunk role B shall do the same with dbB. Neither can run queries on the other database.</P> <P>According to <A href="http://docs.splunk.com/Documentation/DBX/1.1.1/DeployDBX/Setupuserpermissions#Set_up_user_access_to_a_specific_database">http://docs.splunk.com/Documentation/DBX/1.1.1/DeployDBX/Setupuserpermissions#Set_up_user_access_to_a_specific_database</A> the permissions for a db connection object should provide this level of access control. However, I can't get that to work. Regardless of how restricted I set the permissions for a database connection, a non-privileged user (role B) can still access that database (dbA) through <CODE>dbquery</CODE> - even if that database connection is set as private rather than app- or global-shared.</P> <P>Is anyone able to reproduce this or am I missing something?</P> Fri, 10 Jan 2014 14:33:38 GMT martin_mueller 2014-01-10T14:33:38Z https://community.splunk.com/t5/Deployment-Architecture/DB-Connect-access-restrictions-to-database-connections-not/m-p/199569#M23650 <P>I'm trying to set up db connections with role-based access restrictions. As an example, Splunk role A shall be able to run <CODE>dbquery</CODE> using database connection dbA and Splunk role B shall do the same with dbB. Neither can run queries on the other database.</P> <P>According to <A href="http://docs.splunk.com/Documentation/DBX/1.1.1/DeployDBX/Setupuserpermissions#Set_up_user_access_to_a_specific_database">http://docs.splunk.com/Documentation/DBX/1.1.1/DeployDBX/Setupuserpermissions#Set_up_user_access_to_a_specific_database</A> the permissions for a db connection object should provide this level of access control. However, I can't get that to work. Regardless of how restricted I set the permissions for a database connection, a non-privileged user (role B) can still access that database (dbA) through <CODE>dbquery</CODE> - even if that database connection is set as private rather than app- or global-shared.</P> <P>Is anyone able to reproduce this or am I missing something?</P> Fri, 10 Jan 2014 14:33:38 GMT https://community.splunk.com/t5/Deployment-Architecture/DB-Connect-access-restrictions-to-database-connections-not/m-p/199569#M23650 martin_mueller 2014-01-10T14:33:38Z https://community.splunk.com/t5/Deployment-Architecture/DB-Connect-access-restrictions-to-database-connections-not/m-p/199570#M23651 <P>Martin, </P> <P>The dev team has opened a ticket on this issue and is currently investigating. Looks like it might be a bug. </P> Fri, 10 Jan 2014 23:25:07 GMT https://community.splunk.com/t5/Deployment-Architecture/DB-Connect-access-restrictions-to-database-connections-not/m-p/199570#M23651 sroback_splunk 2014-01-10T23:25:07Z https://community.splunk.com/t5/Deployment-Architecture/DB-Connect-access-restrictions-to-database-connections-not/m-p/199571#M23652 <P>i had reported similar concerns..</P> Sat, 11 Jan 2014 05:20:11 GMT https://community.splunk.com/t5/Deployment-Architecture/DB-Connect-access-restrictions-to-database-connections-not/m-p/199571#M23652 linu1988 2014-01-11T05:20:11Z https://community.splunk.com/t5/Deployment-Architecture/DB-Connect-access-restrictions-to-database-connections-not/m-p/199572#M23653 <P>Great, thanks!</P> Sat, 11 Jan 2014 09:17:26 GMT https://community.splunk.com/t5/Deployment-Architecture/DB-Connect-access-restrictions-to-database-connections-not/m-p/199572#M23653 martin_mueller 2014-01-11T09:17:26Z https://community.splunk.com/t5/Deployment-Architecture/DB-Connect-access-restrictions-to-database-connections-not/m-p/199573#M23654 <P>I have found something.. </P> <P>While doing | dboutput type=sql database=test table=minimom "update .."</P> <P>Irrespective of the update success/failure it always says no modification done!!!</P> <P>Is that a miss in the return statement from database query or something?</P> Sat, 11 Jan 2014 21:59:22 GMT https://community.splunk.com/t5/Deployment-Architecture/DB-Connect-access-restrictions-to-database-connections-not/m-p/199573#M23654 linu1988 2014-01-11T21:59:22Z https://community.splunk.com/t5/Deployment-Architecture/DB-Connect-access-restrictions-to-database-connections-not/m-p/199574#M23655 <P>I see this has been addressed in 1.1.2, thanks!</P> <P>However, I fear the fix may have added a new bug. See line 14 of dbquery.py:</P> <PRE><CODE>ent = en.getEntity(["dbx", "databases"], entityName=dbn, namespace="dbx", owner="nobody", sessionKey=sessionKey) </CODE></PRE> <P>That loads the REST endpoint using the namespace <CODE>/servicesNS/nobody/dbx/...</CODE>, which works well for app- or global-shared objects. Sadly this breaks privately held DB connection objects. In order to fix that, replace with these two lines (next comment):</P> Thu, 03 Apr 2014 08:35:46 GMT https://community.splunk.com/t5/Deployment-Architecture/DB-Connect-access-restrictions-to-database-connections-not/m-p/199574#M23655 martin_mueller 2014-04-03T08:35:46Z https://community.splunk.com/t5/Deployment-Architecture/DB-Connect-access-restrictions-to-database-connections-not/m-p/199575#M23656 <P>...</P> <PRE><CODE>currentUser = settings['owner'] ent = en.getEntity(["dbx", "databases"], entityName=dbn, namespace="dbx", owner=currentUser, sessionKey=sessionKey) </CODE></PRE> Thu, 03 Apr 2014 08:35:54 GMT https://community.splunk.com/t5/Deployment-Architecture/DB-Connect-access-restrictions-to-database-connections-not/m-p/199575#M23656 martin_mueller 2014-04-03T08:35:54Z https://community.splunk.com/t5/Deployment-Architecture/DB-Connect-access-restrictions-to-database-connections-not/m-p/199576#M23657 <P>Yes, the current implementation is sub-optimal, but it was too risky to try to fix that issue comprehensively.</P> Thu, 03 Apr 2014 16:39:57 GMT https://community.splunk.com/t5/Deployment-Architecture/DB-Connect-access-restrictions-to-database-connections-not/m-p/199576#M23657 araitz 2014-04-03T16:39:57Z