I installed the input add-on (3.0.6) and on the /Application Configuration /Credentials tab, ALL of the credentials of ALL apps installed on the machine are listed. Why is the app listing credentials that don't belong to it? (I almost began deleting some before I realized what the app was doing.)
The app should only be showing credentials that belong to it.
Moreover, where can these credentials be used? The input configuration asks for a username and password, not a credential entry. When I enter a username and password, no credential is created. So, why does the app have a credential tab, other than to show us credentials for other apps?
The credentials are automatically handled when the modular input is configured. The username and password are stored in the credential store. If you refresh the page, you'll see the credential on the tab (see note below). It uses a guid to associate the credential with the input. You shouldn't have to manually work with credentials.
After further review and a check of the code, the IA-Code42ForSplunk
app does indeed query only within it's own namespace and not an ALL call to the endpoint. Check the developer panel of the browser that is in use. The other credentials on your system appear to have been shared globally, which is then included within the namespace IA-Code42ForSplunk
. I checked on a dev instance, and a search/local
created app only export credential DID NOT SHOW in the Credential Tab. I modified the credential metadata to system and there it was, exactly as working within the namespace would predict.
This can be corrected with JavaScript filtering, but there is no "native" solution to pull only an app's config, it's related to namespace and permissions. /services/storage/passwords
is also not a valid endpoint, since the call is filtered to include all of the credentials the user has access to. The limit of 30 is a default configuration for the REST endpoint call.
http://localhost:8027/en-US/splunkd/__raw/servicesNS/nobody/IA-Code42ForSplunk/storage/passwords?out...
From what I can tell, and after code review, everything is lining up exactly as native Splunk is intended to work. I'll enter an ER for the filtering option client side.
https://docs.splunk.com/Documentation/Splunk/7.2.3/RESTUM/RESTusing#Namespace
I'm not sure why anyone would want "a holistic view" of the credentials on the instance when they have nothing to do with the app in question. This was an poorly conceived requirement, in that case.
I can confirm that a newly created credential DOES NOT appear on the credential tab. I see THIRTY credentials on the credentials tab and exactly the same number after I add a new one. The new one is not in the list. This begets a new question: Is there a limit of 30 credentials on that page and does the uninformed decision to just list everything now prevent new credentials from appearing? There is no "next page" offered, so as far as I can tell, there is simply no credential created.
Other apps require the creation of a credential and then an input, which is associated with the pre-existing credential. (Those apps, by the way, don't show every other app's credentials. Just say'n.)
Because there is but only a single capability to grant access to all secrets stored on the system and it traverses system wide. Splunk really needs to work on their permissions structure.
Other apps on the same instance have credentials. They display only the credentials created in the context of their app, not all the credentials on the instance. It seems, therefore, that it is the responsibility of the app designer to filter those credentials. That is not being done for the Code42 app.