topic Re: Retrieve Credentials from Splunk for a Custom Alert Action - Client is not authenticated in Splunk Dev

Retrieve Credentials from Splunk for a Custom Alert Action - Client is not authenticated

celestekiyoko — Fri, 01 Dec 2017 21:46:58 GMT

Currently using Splunk 6.2.3

I have a python script that is being executed as part of a Custom Alert Action. This script retrieves credentials (for our internal tickets system) that are stored in a Splunk App I set up.

I have been following this blog post for the setup of my script: https://www.splunk.com/blog/2011/03/15/storing-encrypted-credentials.html

NOTE: I chose to have it send me an email with the error message instead of having to go check a log file, so the sendErrorEmail is something I defined.

However, when my script runs, i keep getting the error: "Could not get My_App credentials from splunk. Error: [HTTP 401] Client is not authenticated"

Below is my script code. Any idea what I'm doing wrong or if there is something I'm missing?

def getCredentials(sessionKey):
    myapp = 'My_App'

    #Trims off "sessionKey=" from readline
    #Even if I remove this line, my script doesn't work
    sessionKey = sessionKey[11:]

    try:
        # list all credentials
        entities = entity.getEntities(['admin', 'passwords'], namespace=myapp, owner='nobody', sessionKey=sessionKey) 
    except Exception, e:
        html = "sessionKey == " + sessionKey + "<br>&lt;br/&gt;Could not get %s credentials from splunk. Error: %s" % (myapp, str(e))
        text = "Could not get %s credentials from splunk. Error: %s" % (myapp, str(e))
        sendErrorEmail(html, text);
        raise Exception("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e)))

    # return first set of credentials
    for i, c in entities.items(): 
        return c['username'], c['clear_password']
    html = "No credentials have been found"
    text = "No credentials have been found"
    sendErrorEmail(html, text);
    raise Exception("No credentials have been found")  

def main(): 
sessionKey = sys.stdin.readline().strip()
    if sessionKey == "":
        html = 'No sessionKey'
        text = 'No sessionKey'
        sendErrorEmail(html, text)

    username, password = getCredentials(sessionKey)
    credentials = [username, password]

Re: Retrieve Credentials from Splunk for a Custom Alert Action - Client is not authenticated

damien_chillet — Mon, 04 Dec 2017 10:59:24 GMT

That looks like the session key passed is not valid.

Could you print everything Splunk is passing to stdin?

Re: Retrieve Credentials from Splunk for a Custom Alert Action - Client is not authenticated

harsmarvania57 — Mon, 04 Dec 2017 11:30:17 GMT

Are you sure that Alert actions is showing under Settings in Splunk Web? Because as far as I know Custom Alert action introduced since Splunk 6.3 so it will not work in Splunk 6.2.3

If you are running Splunk 6.3 or higher then you will able to fetch session_key from payload. Please refer example script http://docs.splunk.com/Documentation/Splunk/6.6.3/AdvancedDev/ModAlertsBasicExample

Re: Retrieve Credentials from Splunk for a Custom Alert Action - Client is not authenticated

starcher — Mon, 04 Dec 2017 16:26:45 GMT

Here are some patterns depending on what you are doing.
http://www.georgestarcher.com/splunk-stored-encrypted-credentials/

Honestly though you are better off using the Add-On builder to make your alert actions so you get all the supporting code.

Re: Retrieve Credentials from Splunk for a Custom Alert Action - Client is not authenticated

celestekiyoko — Mon, 04 Dec 2017 18:36:37 GMT

The custom alert action is relatively new, but even in older versions of Splunk, "Run a script" has been an option for alerts. That's what I am using to execute my script.

Re: Retrieve Credentials from Splunk for a Custom Alert Action - Client is not authenticated

celestekiyoko — Mon, 04 Dec 2017 18:46:53 GMT

That was my guess too, but I can't figure out what it's not liking about my session key.

sys.stdin.readline().strip() gives the following:
sessionKey=JcAM%5EMTPFZxlMfZgKthwNjbsqneDpCyUYh4Tf_sM4BviMnfgPXV86NsdIKlpFNQqFQxakLQWC9EbkNPSZTPuioEcTg34EopEcsSn8dhjWIZHTZRcEUCh%5EDSectftoLS4FXcgDHo5bCMjKo

sessionKey = sessionKey[11:] makes it the following:
JcAM%5EMTPFZxlMfZgKthwNjbsqneDpCyUYh4Tf_sM4BviMnfgPXV86NsdIKlpFNQqFQxakLQWC9EbkNPSZTPuioEcTg34EopEcsSn8dhjWIZHTZRcEUCh%5EDSectftoLS4FXcgDHo5bCMjKo

I have tried passing it with the "sessionKey=" in the beginning and without it, and both times I still get the "could not authenticate" error.

Re: Retrieve Credentials from Splunk for a Custom Alert Action - Client is not authenticated

damien_chillet — Tue, 05 Dec 2017 11:36:18 GMT

Hi Celeste,

The blogpost you are basing your script on is quite old (2011), and in the current python SDK i'm using there is no splunk.entity module.
Which SDK version are you using?

Here is how I manage to retrieve credentials using Python SDK version 1.6.2:

service = client.Service(token=sessionKey)

# service.storage_passwords.create('test','damien','SPLUNK ANSWERS')

print service.storage_passwords.list(**{"search": "SPLUNK ANSWERS"})[0].content

For this example the output is as following:

{'username': 'damien', 'encr_password': '$1$gfY5DWk=', 'realm': 'SPLUNK ANSWERS', 'clear_password': 'test', 'password': '********'}

Hope that helps!

Re: Retrieve Credentials from Splunk for a Custom Alert Action - Client is not authenticated

dsommerville — Fri, 17 Aug 2018 15:40:11 GMT

Maybe a bit late on this one, but it looks like your session key needs to be URL decoded.

Re: Retrieve Credentials from Splunk for a Custom Alert Action - Client is not authenticated

BernardEAI — Mon, 16 Nov 2020 13:21:48 GMT

Hi @starcher

Thanks for this hint. I followed your directions at http://www.georgestarcher.com/splunk-stored-encrypted-credentials/

I'm getting the following result if I run:

import sys from splunklib.searchcommands import dispatch, GeneratingCommand, Configuration, Option, validators @Configuration(streaming=False, local=True, type='reporting') class GenerateAuthInfoCommand(GeneratingCommand): def generate(self): storage_passwords=self.service.storage_passwords for credential in storage_passwords: usercreds = {'username':credential.content.get('username'),'password':credential.content.get('clear_password')} yield usercreds dispatch(GenerateAuthInfoCommand, sys.argv, sys.stdin, sys.stdout, __name__)

None of these results look like something I can use as a username and password. I have tried authenticating with one of them, but no luck.