All Apps and Add-ons

Lookup File Editor App for Splunk Enterprise: Can a user create a collection from the lookup editor?

dsmc_adv
Path Finder

I can create a new lookup with the admin user and thus create a new collection. When I try to use another user which has permissions to write to the app I get a "You do not have permission to make a KV store collection" message.

I just tried to add rest_get and rest_set capabilities but does not work.

Update:

I've been performing some tests. When you create the lookup from the admin user it creates the collection under $SPLUNK_HOME/etc/apps/appsname/local/collections.conf and under the local.meta it sets the owner to admin user. I have not seen how to change the owner through the UI, so this collection is not usable by any user othen than admin.

The api is more specific and tells you need the admin_all_objects capability (aka an admin user)

$ curl -k -u poweruser:password     -d name=mycollection      https://localhost:8089/servicesNS/nobody/myapp/storage/collections/config
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">You (user=poweruser) do not have permission to perform this operation (requires capability: admin_all_objects).</msg>
  </messages>
</response>

What's the point to create a collection from the UI if only admin user can use it and you need to modify the files directly to change this behaviour?

0 Karma
1 Solution

LukeMurphey
Champion

I'm investigating this so that I can figure out a way around this issue. It will be researched under this ticket: https://lukemurphey.net/issues/1713

Update:

Version 2.6 of the Lookup Editor now gives you the ability to change the permissions of the lookup from the lookup list page. This way, you can change the sharing options such that other users can view or edit the collection.

View solution in original post

0 Karma

LukeMurphey
Champion

I'm investigating this so that I can figure out a way around this issue. It will be researched under this ticket: https://lukemurphey.net/issues/1713

Update:

Version 2.6 of the Lookup Editor now gives you the ability to change the permissions of the lookup from the lookup list page. This way, you can change the sharing options such that other users can view or edit the collection.

View solution in original post

0 Karma

sk314
Builder

@LukeMurphey - I do not see any way to edit permissions on the list page. I am on v2.7.1 of the Lookuop Editor. I am running this app on an Enterprise Security search head with Splunk v6.5.1 - screenshot - https://imgur.com/a/AR5pv

alt text

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.