We are using scheduled saved searches with email links in them as a monitoring tool. The problem is that the majority of users that receive these email get the following error when clicking on the link. "AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; None". The user that created the saved search has the POWER role and the one user I am using for testing purposes has the POWER role as well. I have the ADMIN role and I have no difficulties opening the link and of course the creator has no problems opening the link either.
The splunk_web_access.log file shows the following:
2011-01-24 14:33:05,208 ERROR customlogmanager:22 - [24/Jan/2011:14:33:05] HTTP Traceback (most recent call last): File "/usr/concur/splunk/lib/python2.6/site-packages/cherrypy/_cprequest.py", line 606, in respond cherrypy.response.body = self.handler() File "/usr/concur/splunk/lib/python2.6/site-packages/cherrypy/_cpdispatch.py", line 25, in call return self.callable(*self.args, **self.kwargs) File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/routes.py", line 307, in default return route.target(self, **kw) File "", line 1, in File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 28, in rundecs return fn(*a, **kw) File "", line 1, in File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 76, in check return fn(self, *a, **kw) File "", line 1, in File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 116, in check_login return fn(self, *a, **kw) File "", line 1, in File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 137, in handle_exceptions return fn(self, *a, **kw) File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/controllers/view.py", line 1099, in render templateArgs = self.buildViewTemplate(app, view_id, action, q, sid, s, earliest, latest, remote_server_list) File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/controllers/view.py", line 827, in buildViewTemplate appConfig = self.getAppConfig(app, view_id, build_nav) File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/controllers/view.py", line 446, in getAppConfig savedSearchObject = splunk.saved.getSavedSearchFromSID(cherrypy.request.params.get('sid')) File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/saved.py", line 207, in getSavedSearchFromSID ss = getSavedSearch(job.label, namespace=namespace, owner=owner, sessionKey=sessionKey) File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/saved.py", line 95, in getSavedSearch return entity.getEntity(SAVED_SEARCHES_ENDPOINT_ENTITY_PATH, label, namespace=namespace, owner=owner, sessionKey=sessionKey) File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/entity.py", line 205, in getEntity serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True) File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/rest/init.py", line 387, in simpleRequest raise splunk.AuthorizationFailed AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; None
Does anybody have an idea where I could start troubleshooting this?
Thanks in advance.
This was a known issue (SPL-41061) reported under 4.2.1 and 4.2.2
It is targeted to be fixed in the next maintenance release.
I ran into this and even with the saved search shared globally and read permission granted to the role which my user was assigned, I continued to get a 403. The only way I found to resolve this was by editing $SPLUNK_HOME/etc/apps/
http://mysplunkserver:port/en-US/debug/refresh?entity=admin/savedsearch
After that I was able to access the results.
The results of the saved search should have the same access control as the saved search itself. By default, a saved search is not shared between users, but is marked "private". Is the saved search itself shared (either over an app or globally) and shared to the entire role?
This is possibly a bug in the 4.0.9 release. we have a new system running 4.1.6 and the link in the email alert doesn't contain the name of the savedsearch owner and other users are able to view the report when they click on the link.
Another possibility is that either the app or the view for the search is not accessible to the other user. But it looks like the search is in the search app, and the normal view is the flashtimeline view.
thanks for the response gkanapathy! When I go to Manager > Searches and Reports, App=Search, Sharing=Global. Drilling into Permissions, All Apps is selected and Read/Write checked for all roles. In addition, we are running 4.0.9 and are in the process of moving to 4.1.6