Hello All,
I have updated the Splunk App for DB Connect (V1.1.1). I was testing a few of the options before giving access to the end users.
The DB is configured with the read-only option, but when I run the update query it is able to update the table.
Moreover, there is a security leakage I have also observed. When I form a query with the proper DB name, schema, and table name, I can see the content and update it, as the account has access to the other DB as well. We are using SQL Server.
SELECT * FROM [msdb].[dbo].[table_name]
I understand that the user can be modified to have only read permission. If this is the only option, why is there a READ-ONLY option on the configuration page? Please guide me if I am doing something wrong.
Thanks
Hi,
there's some subtlety to properly configuring secure access -- you may find this blog post and the docs helpful.
Thank you, team. It seems like this bug is fixed in version 1.1.3 now. Very happy to get this just before I make everything live 🙂
That I have already made, as the end user may try different things. I came across this thing while testing it myself.
I would recommend making the SQL user have read-only permissions.
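The database-side restriction recommended above, sketched as an added example that is not part of the original thread. The login, database and table names (`splunk_ro`, `ReportingDB`, `dbo.table_name`) and the password are constructed placeholders, and the syntax is chosen to work on SQL Server 2008 R2, the version mentioned in the thread.

```sql
-- Added example: least-privilege login for a read-only DB Connect connection.
-- All names are constructed placeholders. Run as a sysadmin.

USE [master];
CREATE LOGIN [splunk_ro]
    WITH PASSWORD = N'<replace-with-a-strong-password>',  -- placeholder
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = [ReportingDB];
GO

USE [ReportingDB];
-- Map the login into this one database only.
CREATE USER [splunk_ro] FOR LOGIN [splunk_ro];

-- db_datareader: SELECT on the user tables and views of this database.
EXEC sp_addrolemember N'db_datareader', N'splunk_ro';

-- db_denydatawriter: denies INSERT/UPDATE/DELETE. A DENY overrides a GRANT
-- the account might pick up later through another role.
EXEC sp_addrolemember N'db_denydatawriter', N'splunk_ro';
GO

-- Verification, enforced by the server rather than by the JDBC driver:
-- impersonate the login and report its effective permissions.
USE [ReportingDB];
EXECUTE AS LOGIN = N'splunk_ro';

-- Effective SELECT and UPDATE permission on the table (1 = held, 0 = not held).
SELECT HAS_PERMS_BY_NAME(N'dbo.table_name', N'OBJECT', N'SELECT') AS can_select,
       HAS_PERMS_BY_NAME(N'dbo.table_name', N'OBJECT', N'UPDATE') AS can_update;

-- Every database this login can enter, to review three-part-name access
-- such as [otherdb].[dbo].[table_name].
SELECT name AS database_name
FROM sys.databases
WHERE HAS_DBACCESS(name) = 1;

REVERT;
GO
```

If `can_update` comes back as 1, or the second query lists databases the Splunk connection should not reach, the account is still over-privileged regardless of the read-only checkbox in the connection setup.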
Important Update:
When you use |dboutput on a read-only option in DB Connect, it does work and shows that it is a read-only database.
But in the dbquery view, if you write it in the query window, it doesn't, and it updates the table.
Yes, 1.1.11, JRE 7. Both tested on the JDBC 3 and 4 driver for SQL Server.
DB Connect is 1.1.11, correct? What's the JRE you're using? Also, is this MS's JDBC driver?
If I use the update command in the DB query view, e.g. update table set field=1 where value='x', it shows me some error but it updates the table. The exact error I don't remember, but it's something like "Statement should return result set..". I am using SQL Server 2008 R2. I will make the user read-only at the DB level now as a workaround.
Well, as the documentation and the setup page say, that feature relies on the JDBC driver's implementation. Some are better than others. What's the database and update command you're using?
I do understand Splunk object-level read-only permissions and DB read-only permissions. But the statement in the setup page is
Allows execution of non-modifying queries only. This relies on the JDBC driver's implementation of "read-only" mode.
which is misleading. However, I think the loophole needs to be addressed. Keep me posted please if there is any solution to this. I am quite regular here and on the Splunk sites.
Hi, the significance is that there are different "read-only" options with different meanings offered by Splunk, JDBC, and the database. To be secure, you must understand all of them. The read-only option in the database connection setup screen is referring to the JDBC config option.
If these mapped cleanly, we would have already done it... We are working on a better solution though.
The concern I have is the read-only property which is given during the database connection setup. If it does depend on the role of the DB user, what is the significance of the option given in the setup? For Splunk objects we could control the access, but in a business environment there are many factors where creating new users just to read a DB is difficult.