All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Lookup File Editor App for Splunk Enterprise: Can a user create a collection from the lookup editor?

dsmc_adv
Path Finder
‎01-30-2017 04:34 AM

I can create a new lookup with the admin user and thus create a new collection. When I try to use another user which has permissions to write to the app I get a "You do not have permission to make a KV store collection" message.

I just tried to add rest_get and rest_set capabilities but does not work.

Update:

I've been performing some tests. When you create the lookup from the admin user it creates the collection under $SPLUNK_HOME/etc/apps/appsname/local/collections.conf and under the local.meta it sets the owner to admin user. I have not seen how to change the owner through the UI, so this collection is not usable by any user othen than admin.

The api is more specific and tells you need the admin_all_objects capability (aka an admin user)

$ curl -k -u poweruser:password     -d name=mycollection      https://localhost:8089/servicesNS/nobody/myapp/storage/collections/config
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">You (user=poweruser) do not have permission to perform this operation (requires capability: admin_all_objects).</msg>
  </messages>
</response>

What's the point to create a collection from the UI if only admin user can use it and you need to modify the files directly to change this behaviour?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

LukeMurphey
Champion
‎02-01-2017 01:00 PM

I'm investigating this so that I can figure out a way around this issue. It will be researched under this ticket: https://lukemurphey.net/issues/1713

Update:

Version 2.6 of the Lookup Editor now gives you the ability to change the permissions of the lookup from the lookup list page. This way, you can change the sharing options such that other users can view or edit the collection.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

LukeMurphey
Champion
‎02-01-2017 01:00 PM

I'm investigating this so that I can figure out a way around this issue. It will be researched under this ticket: https://lukemurphey.net/issues/1713

Update:

Version 2.6 of the Lookup Editor now gives you the ability to change the permissions of the lookup from the lookup list page. This way, you can change the sharing options such that other users can view or edit the collection.

0 Karma
Reply
Solved! Jump to solution

sk314
Builder
‎11-10-2017 01:44 PM

@LukeMurphey - I do not see any way to edit permissions on the list page. I am on v2.7.1 of the Lookuop Editor. I am running this app on an Enterprise Security search head with Splunk v6.5.1 - screenshot - https://imgur.com/a/AR5pv

alt text

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...