topic Re: Python SDK: How to create a user that can only write to specific indexes? in Splunk Dev

Python SDK: How to create a user that can only write to specific indexes?

asherman — Tue, 02 Sep 2014 21:45:09 GMT

Hi,

I am working with code that sends data to Splunk indexes via the Python SDK (splunklib.client). I want to create a custom user for the purpose of this code. That is, a user who's privileges are strictly that of writing data into a small number of indexes and be otherwise restricted from writing elsewhere.

I currently have a user with just the capability 'edit_tcp' and the 4 indexes I want specified for search capability, but this does not seem to restrict the write capability when using the .send() python function.

Any help would be apreciated, thanks.

Re: Python SDK: How to create a user that can only write to specific indexes?

0verhaul — Thu, 06 Aug 2015 18:58:16 GMT

Hi,

I have a similar concern, I am building a Splunk app to capture user input and then POST it to an index. Users have edit_tcp capability and they can post data to any index irrespective of whether which they have read access to it or not.

Re: Python SDK: How to create a user that can only write to specific indexes?

lguinn2 — Sat, 08 Aug 2015 21:21:28 GMT

When you created your user, what role did you give it? Did this role Inherit from another role? If yes, then the user will be able to write into any indexes that were allowed for all the "parent" roles in the inheritance tree.

Re: Python SDK: How to create a user that can only write to specific indexes?

donaldson8 — Tue, 29 Sep 2020 09:43:21 GMT

We have a similar use case, and are running into the same problem, on 6.4.0. I have a user with a role that grants the below capabilities, but has no allowed indexes for search (only for testing, in real life, it would be able to search a subset of the available indexes):

change_own_password
edit_tcp
output_file
schedule_rtsearch
search

This role inherits from no other roles, and the user has no other roles.

When authenticated as this user, I get no search results, and cannot use the collect command to write into any index, as is expected (or, when I have indexes allowed for the associated role, I can only use collect to write into the indexes that I am permitted to search).

However, using the Splunk Python SDK (via clientInstance.index[<index_name>].submit()) or the REST API (via /services/receivers/{simple,streaming}), while authenticated as this user, I am able to write into any index, regardless of which indexes I am permitted to search.