All Apps and Add-ons

Lookup File Editor App for Splunk Enterprise: Can a user create a collection from the lookup editor?

dsmc_adv
Path Finder

I can create a new lookup with the admin user and thus create a new collection. When I try to use another user which has permissions to write to the app I get a "You do not have permission to make a KV store collection" message.

I just tried to add rest_get and rest_set capabilities but does not work.

Update:

I've been performing some tests. When you create the lookup from the admin user it creates the collection under $SPLUNK_HOME/etc/apps/appsname/local/collections.conf and under the local.meta it sets the owner to admin user. I have not seen how to change the owner through the UI, so this collection is not usable by any user othen than admin.

The api is more specific and tells you need the admin_all_objects capability (aka an admin user)

$ curl -k -u poweruser:password     -d name=mycollection      https://localhost:8089/servicesNS/nobody/myapp/storage/collections/config
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">You (user=poweruser) do not have permission to perform this operation (requires capability: admin_all_objects).</msg>
  </messages>
</response>

What's the point to create a collection from the UI if only admin user can use it and you need to modify the files directly to change this behaviour?

0 Karma
1 Solution

LukeMurphey
Champion

I'm investigating this so that I can figure out a way around this issue. It will be researched under this ticket: https://lukemurphey.net/issues/1713

Update:

Version 2.6 of the Lookup Editor now gives you the ability to change the permissions of the lookup from the lookup list page. This way, you can change the sharing options such that other users can view or edit the collection.

View solution in original post

0 Karma

LukeMurphey
Champion

I'm investigating this so that I can figure out a way around this issue. It will be researched under this ticket: https://lukemurphey.net/issues/1713

Update:

Version 2.6 of the Lookup Editor now gives you the ability to change the permissions of the lookup from the lookup list page. This way, you can change the sharing options such that other users can view or edit the collection.

0 Karma

sk314
Builder

@LukeMurphey - I do not see any way to edit permissions on the list page. I am on v2.7.1 of the Lookuop Editor. I am running this app on an Enterprise Security search head with Splunk v6.5.1 - screenshot - https://imgur.com/a/AR5pv

alt text

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...