Solved: Re: Bug in Latest DB Connect App

linu1988 · ‎12-25-2013

Hello All,
I have updated the Splunk App for DB connect(V1.1.1). I was testing with few of the options before giving access to the end users.

The DB is configured with read-only option but when i run the update query it is able to update the table.

More over there is a security leakage also i have observed. When i form a query with proper DB name, schema, table name, i can see the content and update the same as the account has access to the other DB as well. We are using SQL Server.

SELECT *  FROM [msdb].[dbo].[table_name]

I understand that the user can be modified to have only read permission, if this is the only option why is there a READ-ONLY option on configuration page? Please guide me if i am doing something wrong.

Thanks

jcoates_splunk · ‎12-31-2013

Hi,

there's some subtlety to properly configuring secure access -- you may find this blog post and the docs helpful.

View solution in original post

jcoates_splunk · ‎12-31-2013

Hi,

there's some subtlety to properly configuring secure access -- you may find this blog post and the docs helpful.

linu1988 · ‎02-22-2014

Thank you team, Seems like this bug is fixed in version 1.1.3 version now. Very happy to get this just before i make everything live 🙂

linu1988 · ‎01-09-2014

That i have already made, as the enduser may try different things. i came across this thing while testing it myself.

aelliott · ‎01-09-2014

I would recommend making the SQL user have read only permissions

linu1988 · ‎01-09-2014

Important Update:
When you use |dboutput on a read-only option in DB connect it does work and show that it is readonly database.

But in the dbqyery view if you write it in the query window it doesn't and updates the table.

linu1988 · ‎01-01-2014

Yes 1.1.11 , jre7. both tested on jdbc 3 and 4 driver for sql server

jcoates_splunk · ‎01-01-2014

DB Connect is 1.1.11, correct? What's the JRE you're using? Also, is this MS's JDBC driver?

linu1988 · ‎01-01-2014

If i use the update command on db query view e.g. update table set field=1 where value='x' it shows me some error but it updates the table. Exact error i dont remember but it's something like "Statement should return result set..". i am using sql server 2008 r2. i will make the user read only from DB level now as a work around.

jcoates_splunk · ‎01-01-2014

well, as the documentation and the setup page say, that feature relies on the JDBC driver's implementation. Some are better than others. What's the database and update command you're using?

linu1988 · ‎01-01-2014

I do understand splunk object level read-only permissions and DB read-only permissions. But the statement in setup page is

Allows execution of non-modifying queries only. This relies on the JDBC driver's implementation of "read-only" mode.

which is misleading. However i think the loophole needs to be addressed. Keep me posted please if there are any solution to this. I am quite regular here and splunk sites.

jcoates_splunk · ‎12-31-2013

Hi, the significance is that there are different "read-only" options with different meanings offered by Splunk, JDBC, and the database. To be secure, you must understand all of them. The read only option in the database connection setup screen is referring to the JDBC config option.

If these mapped cleanly, we would have already done it... We are working on a better solution though.

linu1988 · ‎12-31-2013

The concern i have is the read-only property which is given during the database connection setup. If it does depend on the role of the DB user what is the significance of the option given in the set up? Splunk objects we could control the access, but in business environment there are many factors where creating new users just to read a DB is difficult.

Bug in Latest DB Connect App

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!