Hi,
We are using the Lookup File Editor App for Splunk Enterprise and when someone tries to open my csv via the app, they receive an error about not being able to load the details of the lookup file. I've set the permissions of the file to global and ensure the user had read/write access. When I set the file to be owned by nobody, they are able to open and edit. I did find the following in the log file.
2016-04-07 00:33:22,471 DEBUG [57060d42717f15c73b7bd0] _cplogging:55 - [07/Apr/2016:00:33:22] HTTP Traceback (most recent call last):
File "/opt/splunk/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 606, in respond
cherrypy.response.body = self.handler()
File "/opt/splunk/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 25, in __call__
return self.callable(*self.args, **self.kwargs)
File "", line 1, in
File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 38, in rundecs
return fn(*a, **kw)
File "", line 1, in
File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 118, in check
return fn(self, *a, **kw)
File "", line 1, in
File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 167, in validate_ip
return fn(self, *a, **kw)
File "", line 1, in
File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 335, in preform_sso_check
return fn(self, *a, **kw)
File "", line 1, in
File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 387, in check_login
return fn(self, *a, **kw)
File "", line 1, in
File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 407, in handle_exceptions
return fn(self, *a, **kw)
File "", line 148, in get_lookup_info
File "", line 460, in resolve_lookup_filename
File "/opt/splunk/lib/python2.7/site-packages/splunk/models/base.py", line 548, in get
return SplunkRESTManager(cls, sessionKey=sessionKey).get(id)
File "/opt/splunk/lib/python2.7/site-packages/splunk/models/base.py", line 528, in get
entity = self._get_entity(id, host_path=host_path)
File "/opt/splunk/lib/python2.7/site-packages/splunk/models/base.py", line 444, in _get_entity
return self._fix_entity(splunk.entity.getEntity(self.model.resource, None, sessionKey=self.sessionKey, uri=id))
File "/opt/splunk/lib/python2.7/site-packages/splunk/entity.py", line 249, in getEntity
serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True)
File "/opt/splunk/lib/python2.7/site-packages/splunk/rest/__init__.py", line 514, in simpleRequest
raise splunk.AuthorizationFailed(extendedMessages=uri)
AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/myusername/search/data/lookup-table-files/mycsv.csv
Any suggestions?
Thank you,
Todd
This sounds like an issue with the role the users are assigned to. Is this a new role that was created (not a role provided "out of the box" or was this an existing role (user, power, admin) that was modified?
Go to Settings -> Access Controls -> Roles... Click on the role these users are assigned to. From here, go to the section titled "Inheritance".
- If this was a default role, the selected roles for Inheritance should be left alone. If any changes were made here previously, the defaults should be reset and saved.
- If this was a newly created role, you should likely assign inheritance from an existing role - such as the "user" or "power" role, based on their expected capabilities.
After this, look at the Capabilities section and review the Selected Capabilities - based on what I'm seeing in your log, this role should have "rest_apps_view", "rest_properties_get", and "rest_properties_set" capabilities selected. If not, find them under the Available Capabilities and click them to assign them to Selected.
Save whatever changes you make, possibly restart Splunk and see what happens after that.
Also, here is a previous answer that references the same error you're seeing, if you'd like to review this answer further: https://answers.splunk.com/answers/6547/authorization-failed-http-403-client-is-not-authorized-to-pe...
Hope this helps...
It appears that I'm having this issue as well. Anyone in the admin group seems to work fine but users with new roles can't seem to view or edit files despite granting them explicit read/write access to them. Any thoughts?
I had to set the owner of the lookup to nobody. Role access were applied as normal after that.
How'd you go about doing that?
By going to etc/apps/the app that contains the lookup/metadata/local.meta
search for the csv file entry. should look something like this.
[lookups/lookup_table.csv]
version = ###
owner = nobody
modtime = 1464798467.783966000
access = read : [ * ], write : [ admin ]
export = system
and set the owner to nobody. You can restart the splunk process or issue the refresh command by going to yoursplunk/en-US/debug/refresh
hope this helps
Thanks Mate.
Huge help!
Hi, thank you for your response. I ensured that the role the user belongs to had all of the rest capabilities, but still continued to have the same issue. The exact error they are getting when opening the lookup file is "Information about the lookup file could not be obtained from the server." The work around is to set the file to nobody, so it would seem to be something tied with opening my files. That doesn't make sense since I made it global all permissions.
Thanks for checking that out...
I'd say it's a permissions issue somewhere... When the lookup table(s) were initially uploaded, were they given global permissions and the ability for users in this role to read and/or write to those lookup table(s)?
What about the Permissions of Lookup File Editor App? Go to Manage Apps and check permissions set for the app itself.
Finally, this could be a permissions issue within the file system where Splunk is installed... You may want to check out your file system and ensure the system level user that starts Splunk has write access to the directory/file(s) in which you're trying to access the lookup table(s).