We are using the Lookup File Editor App for Splunk Enterprise and when someone tries to open my csv via the app, they receive an error about not being able to load the details of the lookup file. I've set the permissions of the file to global and ensure the user had read/write access. When I set the file to be owned by nobody, they are able to open and edit. I did find the following in the log file.
2016-04-07 00:33:22,471 DEBUG [57060d42717f15c73b7bd0] _cplogging:55 - [07/Apr/2016:00:33:22] HTTP Traceback (most recent call last): File "/opt/splunk/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 606, in respond cherrypy.response.body = self.handler() File "/opt/splunk/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 25, in __call__ return self.callable(*self.args, **self.kwargs) File "", line 1, in File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 38, in rundecs return fn(*a, **kw) File "", line 1, in File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 118, in check return fn(self, *a, **kw) File "", line 1, in File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 167, in validate_ip return fn(self, *a, **kw) File "", line 1, in File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 335, in preform_sso_check return fn(self, *a, **kw) File "", line 1, in File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 387, in check_login return fn(self, *a, **kw) File "", line 1, in File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 407, in handle_exceptions return fn(self, *a, **kw) File "", line 148, in get_lookup_info File "", line 460, in resolve_lookup_filename File "/opt/splunk/lib/python2.7/site-packages/splunk/models/base.py", line 548, in get return SplunkRESTManager(cls, sessionKey=sessionKey).get(id) File "/opt/splunk/lib/python2.7/site-packages/splunk/models/base.py", line 528, in get entity = self._get_entity(id, host_path=host_path) File "/opt/splunk/lib/python2.7/site-packages/splunk/models/base.py", line 444, in _get_entity return self._fix_entity(splunk.entity.getEntity(self.model.resource, None, sessionKey=self.sessionKey, uri=id)) File "/opt/splunk/lib/python2.7/site-packages/splunk/entity.py", line 249, in getEntity serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True) File "/opt/splunk/lib/python2.7/site-packages/splunk/rest/__init__.py", line 514, in simpleRequest raise splunk.AuthorizationFailed(extendedMessages=uri) AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/myusername/search/data/lookup-table-files/mycsv.csv
This sounds like an issue with the role the users are assigned to. Is this a new role that was created (not a role provided "out of the box" or was this an existing role (user, power, admin) that was modified?
Go to Settings -> Access Controls -> Roles... Click on the role these users are assigned to. From here, go to the section titled "Inheritance".
- If this was a default role, the selected roles for Inheritance should be left alone. If any changes were made here previously, the defaults should be reset and saved.
- If this was a newly created role, you should likely assign inheritance from an existing role - such as the "user" or "power" role, based on their expected capabilities.
After this, look at the Capabilities section and review the Selected Capabilities - based on what I'm seeing in your log, this role should have "rest_apps_view", "rest_properties_get", and "rest_properties_set" capabilities selected. If not, find them under the Available Capabilities and click them to assign them to Selected.
Save whatever changes you make, possibly restart Splunk and see what happens after that.
Also, here is a previous answer that references the same error you're seeing, if you'd like to review this answer further: https://answers.splunk.com/answers/6547/authorization-failed-http-403-client-is-not-authorized-to-pe...
Hope this helps...
It appears that I'm having this issue as well. Anyone in the admin group seems to work fine but users with new roles can't seem to view or edit files despite granting them explicit read/write access to them. Any thoughts?
By going to etc/apps/the app that contains the lookup/metadata/local.meta
search for the csv file entry. should look something like this.
version = ###
owner = nobody
modtime = 1464798467.783966000
access = read : [ * ], write : [ admin ]
export = system
and set the owner to nobody. You can restart the splunk process or issue the refresh command by going to yoursplunk/en-US/debug/refresh
hope this helps
Hi, thank you for your response. I ensured that the role the user belongs to had all of the rest capabilities, but still continued to have the same issue. The exact error they are getting when opening the lookup file is "Information about the lookup file could not be obtained from the server." The work around is to set the file to nobody, so it would seem to be something tied with opening my files. That doesn't make sense since I made it global all permissions.
Thanks for checking that out...
I'd say it's a permissions issue somewhere... When the lookup table(s) were initially uploaded, were they given global permissions and the ability for users in this role to read and/or write to those lookup table(s)?
What about the Permissions of Lookup File Editor App? Go to Manage Apps and check permissions set for the app itself.
Finally, this could be a permissions issue within the file system where Splunk is installed... You may want to check out your file system and ensure the system level user that starts Splunk has write access to the directory/file(s) in which you're trying to access the lookup table(s).