Solved: How to enable debug refresh for all users in Add-o...

thol · ‎04-02-2018

Is there a way we can enable this for all or certain group of users? Currently, only admin users can use this add-on.

MuS · ‎04-02-2018

Hi thol,

there is no point in granting users access to the refresh command because only the admin role can actually perform the _reload on REST endpoints.
BTW, you should not use this command in a production environment for reasons 😉

Hope this helps ...

cheers, MuS

View solution in original post

chaker · ‎04-04-2018

I did not test this with the App, but you can provide non admin access to the /debug/refresh endpoint with the following role:

MyRole:
Inherits from user

Selected Capabilities:
refresh_application_license
web_debug

MuS · ‎04-04-2018

While you can do such a thing, I would really recommend against it - there are reasons why this URI or the REST endpoints are not available to the users 😉

cheers, MuS

mmccul_fe · ‎08-21-2019

Dev search head, power users will be doing many updates, and the admin cannot get in the way of updates. Since even the Splunk admins are not full admin role, to prevent them from editing certain things in the GUI, and forcing use of git for changes, not documenting this clearly is a Bad Idea(tm)

MuS · ‎08-21-2019

The original answer states you should not use it in prod environments 😉
Dev SH are best run with this settings in web.conf

[settings]
 js_no_cache = true
 cacheBytesLimit = 0
 cacheEntriesLimit = 0
 max_view_cache_size = 0
 auto_refresh_views = 1

Regarding the not documentation , you can find everything in the docs here https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTaccess#Usage_details every REST entity with a _reload endpoint will be reloaded by either using /debug/refresh or the | refresh command.

cheers, MuS

MuS · ‎04-02-2018

Hi thol,

there is no point in granting users access to the refresh command because only the admin role can actually perform the _reload on REST endpoints.
BTW, you should not use this command in a production environment for reasons 😉

Hope this helps ...

cheers, MuS

MuS · ‎08-17-2018

Update:

there will be soon an update to the app released which works on Splunk 7.1.x. It also features the option to only reload one specific entity, and can now be used in production environment because it excludes by default certain entities.

Link to the app: https://splunkbase.splunk.com/app/1871/#/details

cheers, MuS

chaker · ‎04-02-2018

You can use the App's sharing permissions to control it, but there is no control on who can paste "en-US/debug/refresh" into their Splunk session.

MuS · ‎04-02-2018

Sorry to say, but this is twice wrong:

changing the app permission will not grant the user capabilities to reload a REST endpoint
you are right that anyone can access the URI /debug/refresh but without the capabilities to actually reload the REST endpoint you will get this error:

This XML file does not appear to have any style information associated with it. The document tree is shown below.

Forbidden

cheers, MuS

chaker · ‎04-02-2018

Neat, I recall having a different experience on an earlier version.

So would a simpler answer be to use the rest_properties_get and rest_properties_set capabilities to control access by role?

Or is that thrice wrong? XD

MuS · ‎04-02-2018

HeHE, yep, the third wrong 😄 those two capabilities are already assigned to the user role by default. The easiest way to get the exact capability needed is try them one by one. I cannot be of much help since I don't have the time to test it right now ...

How to enable debug refresh for all users in Add-on Debug Refresh?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?