Alerting

AuthorizationFailed: [HTTP 403] when clicking on the link in an alert email

fredbsplunk
Explorer

We are using scheduled saved searches with email links in them as a monitoring tool. The problem is that the majority of users that receive these email get the following error when clicking on the link. "AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; None". The user that created the saved search has the POWER role and the one user I am using for testing purposes has the POWER role as well. I have the ADMIN role and I have no difficulties opening the link and of course the creator has no problems opening the link either.
The splunk_web_access.log file shows the following:

2011-01-24 14:33:05,208 ERROR customlogmanager:22 - [24/Jan/2011:14:33:05] HTTP Traceback (most recent call last): File "/usr/concur/splunk/lib/python2.6/site-packages/cherrypy/_cprequest.py", line 606, in respond cherrypy.response.body = self.handler() File "/usr/concur/splunk/lib/python2.6/site-packages/cherrypy/_cpdispatch.py", line 25, in call return self.callable(*self.args, **self.kwargs) File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/routes.py", line 307, in default return route.target(self, **kw) File "", line 1, in File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 28, in rundecs return fn(*a, **kw) File "", line 1, in File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 76, in check return fn(self, *a, **kw) File "", line 1, in File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 116, in check_login return fn(self, *a, **kw) File "", line 1, in File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 137, in handle_exceptions return fn(self, *a, **kw) File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/controllers/view.py", line 1099, in render templateArgs = self.buildViewTemplate(app, view_id, action, q, sid, s, earliest, latest, remote_server_list) File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/controllers/view.py", line 827, in buildViewTemplate appConfig = self.getAppConfig(app, view_id, build_nav) File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/controllers/view.py", line 446, in getAppConfig savedSearchObject = splunk.saved.getSavedSearchFromSID(cherrypy.request.params.get('sid')) File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/saved.py", line 207, in getSavedSearchFromSID ss = getSavedSearch(job.label, namespace=namespace, owner=owner, sessionKey=sessionKey) File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/saved.py", line 95, in getSavedSearch return entity.getEntity(SAVED_SEARCHES_ENDPOINT_ENTITY_PATH, label, namespace=namespace, owner=owner, sessionKey=sessionKey) File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/entity.py", line 205, in getEntity serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True) File "/usr/concur/splunk/lib/python2.6/site-packages/splunk/rest/init.py", line 387, in simpleRequest raise splunk.AuthorizationFailed AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; None

Does anybody have an idea where I could start troubleshooting this?

Thanks in advance.

Tags (2)

Ellen
Splunk Employee
Splunk Employee

This was a known issue (SPL-41061) reported under 4.2.1 and 4.2.2

It is targeted to be fixed in the next maintenance release.

jbsplunk
Splunk Employee
Splunk Employee

I ran into this and even with the saved search shared globally and read permission granted to the role which my user was assigned, I continued to get a 403. The only way I found to resolve this was by editing $SPLUNK_HOME/etc/apps//metadata/local.meta and changing the owner from the user who created the search to nobody. I validated the permissions of the saved search were set to allow my users role to read, then reloaded the saved searches via

http://mysplunkserver:port/en-US/debug/refresh?entity=admin/savedsearch

After that I was able to access the results.

gkanapathy
Splunk Employee
Splunk Employee

The results of the saved search should have the same access control as the saved search itself. By default, a saved search is not shared between users, but is marked "private". Is the saved search itself shared (either over an app or globally) and shared to the entire role?

fredbsplunk
Explorer

This is possibly a bug in the 4.0.9 release. we have a new system running 4.1.6 and the link in the email alert doesn't contain the name of the savedsearch owner and other users are able to view the report when they click on the link.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Another possibility is that either the app or the view for the search is not accessible to the other user. But it looks like the search is in the search app, and the normal view is the flashtimeline view.

0 Karma

fredbsplunk
Explorer

thanks for the response gkanapathy! When I go to Manager > Searches and Reports, App=Search, Sharing=Global. Drilling into Permissions, All Apps is selected and Read/Write checked for all roles. In addition, we are running 4.0.9 and are in the process of moving to 4.1.6

0 Karma
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...