topic Re: Why are Search Filters not being applied in scripted authentication? in Getting Data In

Why are Search Filters not being applied in scripted authentication?

lyndac — Tue, 29 Sep 2020 12:22:35 GMT

Using Splunk Enterprise 6.4.1. I am attempting to use scripted authentication to apply search filters to my users. I can see that the script is being initiated and I can see calls being made to the getUsers and getUserInfo functions, however, I never see a call to the getSearchFilter function. When I do the search, I can tell that no filters are being applied. I just can't figure out why.

I created the authentication script. The getSearchFilter method of said script returns results like:
--status=success --search_filter=foo=1234 --search_filter=foo=3432 --search_filter=foo=8742

With the above searchFilter, I expect to only see results where foo=1234 OR foo=3432 OR foo=8742. But I am seeing many more values that that. I set my authentication.conf up like this:

    [authentication]
    authType = Scripted
    authSettings = script

    [script]
    scriptPath = "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/share/splunk/authScriptSamples/abactest.py"
    scriptSearchFilters = 1

    [cacheTiming]
    userLoginTTL    = 10s
    getUserInfoTTL  = 1min
    getUsersTTL     = 2mins

I turned on debug for the AuthenticationManagerScripted, and see the following in the log file so I know the script is being run:

Initializing scripted auth with script path '"/opt/splunk/bin/python" "/opt/splunk/share/splunk/authScriptSamples/abactest.py"'
Scripted search filters: turned on
Calling script '"/opt/splunk/bin/python" "/opt/splunk/share/splunk/authScriptSamples/abactest.py"' getUsers' with arguments''
...
Found return key 'userInfo' with value 'lcarey;lcarey;l carey;admin:user'

What am I missing?

Re: Why are Search Filters not being applied in scripted authentication?

lyndac — Mon, 30 Jan 2017 21:15:30 GMT

I figured out why the search filters are not being applied. It was because the user had a role of 'admin' and the 'admin' role overrides searchFilters applied to the user.

Other things I found while working on this:

If you have a local splunk user with the same name as a scripted auth user, the local user takes precedence. So, in my case, I removed the admin role from the user and still wasn't seeing the search filter be applied. Turns out that I had a local splunk user with the same name that did NOT have search filters specified and that user has precedence.
User search filters are NOT applied to tstats searches!

Re: Why are Search Filters not being applied in scripted authentication?

mattness — Thu, 02 Feb 2017 21:49:57 GMT

You're partially correct about role-based search filters not being applied to tstats searches. By default they are applied to tstats searches of ordinary indexed data. But they are not applied to tstats searches of accelerated data models and accelerated data model objects. There is a tstats setting that you can use in limits.conf to change this default.

This is discussed in the documentation of the tstats command:

http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Tstats#Selecting_data

Re: Why are Search Filters not being applied in scripted authentication?

lyndac — Fri, 03 Feb 2017 15:05:45 GMT

Actually, user-based search Filters is what I was talking about. The role-based ones work as advertised.

I am trying to use scripted authentication to apply a search filter per USER. In that instance, the search filter is NOT applied to a tstats search even on ordinary indexed data.

Re: Why are Search Filters not being applied in scripted authentication?

mattness — Fri, 03 Feb 2017 18:30:59 GMT

Ok. The same restriction applies to user-based search filters, unfortunately. The plain truth is that no search filters whatsoever can be applied to accelerated data models or their objects. I'll update the documentation to reflect this.

The fact that the filter isn't working for ordinary indexed data is puzzling, however, and I don't have any immediate suggestions to resolve it. If I do, I'll respond here.

Re: Why are Search Filters not being applied in scripted authentication?

aaraneta_splunk — Tue, 14 Feb 2017 00:48:46 GMT

Hi @lyndac - Did your answer above provide a solution to your question? If yes, don't forget to click "Accept" to close out your question. Thank you.