I have updated the Splunk App for DB Connect (V1.1.1). I was testing a few of the options before giving access to the end users.
The DB is configured with the read-only option, but when I run the update query it is able to update the table.
Moreover, there is a security leakage I have also observed. When I form a query with the proper DB name, schema, and table name, I can see the content and update the same, as the account has access to the other DB as well. We are using SQL Server.
SELECT * FROM [msdb].[dbo].[table_name]
I understand that the user can be modified to have only read permission; if this is the only option, why is there a READ-ONLY option on the configuration page? Please guide me if I am doing something wrong.
When you use |dboutput on a read-only option in DB Connect, it does work and shows that it is a read-only database.
But in the dbquery view, if you write it in the query window, it doesn't and updates the table.
If I use the update command on the db query view, e.g. update table set field=1 where value='x', it shows me some error but it updates the table. I don't remember the exact error, but it's something like "Statement should return result set..". I am using SQL Server 2008 R2. I will make the user read-only at the DB level now as a workaround.
Well, as the documentation and the setup page say, that feature relies on the JDBC driver's implementation. Some are better than others. What's the database and update command you're using?
I do understand Splunk object-level read-only permissions and DB read-only permissions. But the statement on the setup page is
Allows execution of non-modifying queries only. This relies on the JDBC driver's implementation of "read-only" mode.
which is misleading. However, I think the loophole needs to be addressed. Please keep me posted if there is any solution to this. I am quite regular here and on Splunk sites.
Hi, the significance is that there are different "read-only" options with different meanings offered by Splunk, JDBC, and the database. To be secure, you must understand all of them. The read-only option in the database connection setup screen is referring to the JDBC config option.
If these mapped cleanly, we would have already done it... We are working on a better solution though.
The concern I have is the read-only property which is given during the database connection setup. If it does depend on the role of the DB user, what is the significance of the option given in the setup? For Splunk objects we could control the access, but in a business environment there are many factors where creating new users just to read a DB is difficult.
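The database-level workaround mentioned in the thread, written out as an added example (it is not from any poster or from Splunk's documentation). It targets SQL Server 2008 R2 and assumes hypothetical names: login `splunk_ro`, database `AppDb`, and the thread's `dbo.table_name`. Enforcement then sits in the database engine and does not depend on the JDBC driver's read-only mode.

```sql
-- Added example with constructed names: splunk_ro, AppDb and dbo.table_name
-- are placeholders. Run from SSMS or sqlcmd as a sysadmin on the instance.

-- 1. Dedicated login used only by the DB Connect connection.
CREATE LOGIN splunk_ro
    WITH PASSWORD = '<placeholder-strong-password>', CHECK_POLICY = ON;
GO

-- 2. Map the login into the single database Splunk needs to read.
USE [AppDb];
GO
CREATE USER splunk_ro FOR LOGIN splunk_ro;
-- sp_addrolemember is used because ALTER ROLE ... ADD MEMBER
-- is not available on SQL Server 2008 R2.
EXEC sp_addrolemember 'db_datareader', 'splunk_ro';
-- db_denydatawriter blocks INSERT/UPDATE/DELETE even if another role
-- membership grants them later (a DENY overrides a GRANT).
EXEC sp_addrolemember 'db_denydatawriter', 'splunk_ro';
GO

-- 3. Check effective permissions while impersonating the user.
--    HAS_PERMS_BY_NAME returns 1 when the permission is held, 0 when not.
EXECUTE AS USER = 'splunk_ro';
SELECT
    HAS_PERMS_BY_NAME('dbo.table_name', 'OBJECT', 'SELECT') AS can_select,
    HAS_PERMS_BY_NAME('dbo.table_name', 'OBJECT', 'UPDATE') AS can_update,
    HAS_PERMS_BY_NAME('dbo.table_name', 'OBJECT', 'DELETE') AS can_delete;
REVERT;
GO

-- 4. List every database the login can enter, to catch cross-database
--    reach such as the [msdb] query shown in the thread. Databases that
--    allow the guest user will appear here in addition to AppDb.
USE [master];
GO
EXECUTE AS LOGIN = 'splunk_ro';
SELECT name
FROM sys.databases
WHERE HAS_DBACCESS(name) = 1
ORDER BY name;
REVERT;
GO
```

Point the DB Connect connection at this login instead of a shared account, and repeat step 4 after any role or mapping change.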