AWS GuardDuty Add-on for Splunk: Why is local.meta not taking precedence over default.meta?

jordanfosterpau
Engager

Using the AWS GuardDuty app, users are unable to share a report, as it errors with:

User 'testuser' with roles { guard duty dashboard share, testuser, power, user } cannot write: /nobody/TA-aws_guardduty/views/testdashboard { read : [ * ], write : [ admin ] }, export: global, removable: no, modtime: 1518558159.740556000

The stanza in $SPLUNK_HOME/apps/TA-aws_guardduty/metadata/local.meta has:

[] 
access = read : [ * ], write : [ admin, aws_gaurdduty, guard duty dashboard share, power ] 
export = system 
version = 7.0.1 
modtime = 1518558159.740556000

Stanza (default.meta):

[]
access = read : [ * ], write : [ admin ]
export = system

So it should be taking precedence over default.meta but as shown in the error, only admin is set to write although local.meta shows other roles.
Other apps seem to be working. Tested/Compared to Search & Reporting and Splunk App for AWS (5.1.0)

Steps to Reproduce

As a user without 'admin' role, create a new dashboard in GuardDuty add-on. (no need to create panels)
Go to Save as on the dashboard, choose Shared in App, click Create Dashboard, and the error appears with incomplete roles in write permissions.
Go to Manage Apps, choose Permissions for the GuardDuty add-on, and verify that other roles are selected besides just admin.

So, why does it appear that local.meta is not taking precedence?

0 Karma
1 Solution

jordanfosterpau
Engager

I found a workaround.
I should have included the other stanza in default.meta in my OP.

[views]
access = read : [ * ], write : [ admin ]
export = system

I tried adding a [views] stanza into local.meta to see if it would take precedence, and it did. However, I was not able to use the web GUI to make permission changes. I looked at some other apps and the system default and did not see a [views] stanza in those meta files, so I removed the [views] from local.meta and commented it out in default.meta.
Now I can alter permissions in the webgui and see those propagated to the dashboard permissions. Now users, with the proper role, can share their dashboards as expected.

0 Karma
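
The behaviour in this thread, as an added example that is not part of the original posts and not Splunk's own code: it merges the quoted default.meta and local.meta stanzas, then resolves the write roles for a new view. It assumes that local.meta overrides default.meta per stanza and that an object takes its ACL from the most specific stanza that sets access (object, then category such as [views], then the app-level []), which matches the error shown in the question.

```python
import re

# Constructed from the stanzas quoted in the thread.
DEFAULT_META = """[]
access = read : [ * ], write : [ admin ]
export = system

[views]
access = read : [ * ], write : [ admin ]
export = system
"""
LOCAL_META = """[]
access = read : [ * ], write : [ admin, aws_gaurdduty, guard duty dashboard share, power ]
export = system
"""

def parse_meta(text):
    """Return {stanza: {key: value}} for the body of a .meta file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out setting
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def merge(default, local):
    """Layer local over default, stanza by stanza and key by key."""
    merged = {name: dict(keys) for name, keys in default.items()}
    for name, keys in local.items():
        merged.setdefault(name, {}).update(keys)
    return merged

def effective_write(merged, category, obj):
    """Assumed model: the most specific stanza that sets 'access' wins."""
    for name in (f"{category}/{obj}", category, ""):
        access = merged.get(name, {}).get("access")
        if access:
            m = re.search(r"write\s*:\s*\[([^\]]*)\]", access)
            return name, [r.strip() for r in m.group(1).split(",")] if m else []
    return None, []

if __name__ == "__main__":
    merged = merge(parse_meta(DEFAULT_META), parse_meta(LOCAL_META))
    print(effective_write(merged, "views", "testdashboard"))
```

The local [] stanza does override the default [] stanza, but the [views] stanza in default.meta is more specific and has no local counterpart, so new dashboards stay writable by admin only until that stanza is removed or overridden.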
