Do I get it right that after the successful setup of the Splunk DB Connect every Splunk user can access the configured databases?
This is not acceptable for almost every environment. I wonder how to implement access control at least per external database on a role basis. It would be nice if Splunk implemented this feature. You should be able to choose the roles which are allowed to use an external database, don't you think?
The settings in apps/search/metadata/local.meta are respected halfway. You can add an access line within the stanza for an external database connection:
access = read : [ admin, db_admin ]
At least Splunk respects the read permissions while you edit the settings. E.g. if a user has no read access, he does not see the configured connection underneath External Databases.
A lack of read permissions does not stop the user from using the external database within dbquery, though.
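As an added illustration (not code from the thread or from Splunk), here is a small Python checker for the access-line syntax used above. It parses a .meta file, resolves which roles hold read or write on each stanza, and reports what a given role can see. The sample .meta content is constructed; the stanza names (database/example_db, database/other_db) are hypothetical placeholders, and the fallback to the app-wide [] stanza for objects without their own access line is an assumption about how Splunk layers metadata. Note that, as stated in the post, a missing read permission in the metadata did not stop dbquery from using the connection, so this only tells you what the metadata grants, not what the command enforces.

```python
import re
from typing import Dict, List

# Constructed sample .meta content (not taken from the thread's environment).
# Stanza names under "database/" are hypothetical labels; real DB Connect
# stanza names may differ.
SAMPLE_META = """
[]
access = read : [ * ], write : [ admin ]

[database/example_db]
access = read : [ admin, db_admin ], write : [ admin ]
export = system

[database/other_db]
access = read : [ * ], write : [ admin, power ]
"""

# Matches "read : [ a, b ]" and "write : [ c ]" fragments of an access line.
ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")


def parse_meta(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {stanza: {"read": [...], "write": [...]}} for every stanza.

    Stanzas without an access line map to an empty dict.
    """
    result: Dict[str, Dict[str, List[str]]] = {}
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]          # "[]" yields the app-wide stanza ""
            result.setdefault(stanza, {})
            continue
        if stanza is None:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "access":
            for kind, roles in ACCESS_RE.findall(value):
                result[stanza][kind] = [r.strip() for r in roles.split(",") if r.strip()]
    return result


def role_can(meta: Dict[str, Dict[str, List[str]]], stanza: str, role: str,
             kind: str = "read") -> bool:
    """True if `role` is granted `kind` on `stanza`.

    Assumption: an object with no explicit grant inherits the app-wide "" stanza.
    A role list containing "*" grants everyone.
    """
    for name in (stanza, ""):
        perms = meta.get(name, {})
        if kind in perms:
            roles = perms[kind]
            return "*" in roles or role in roles
    return False


def readable_stanzas(meta: Dict[str, Dict[str, List[str]]], role: str) -> List[str]:
    """Sorted list of object stanzas (excluding the app-wide "") readable by `role`."""
    return sorted(s for s in meta if s and role_can(meta, s, role, "read"))


if __name__ == "__main__":
    meta = parse_meta(SAMPLE_META)
    for role in ("admin", "db_admin", "power", "user"):
        print(f"{role:>9}: read {readable_stanzas(meta, role)}")
```

Running it against your own etc/apps/dbx/metadata/local.meta (read the file instead of SAMPLE_META) gives a quick per-role view of which connections the metadata exposes, which you can then compare with what each role can actually reach through dbquery.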
I played with the app and found some interesting results:
The permissions defined in etc/apps/dbx/metadata/default.meta overrule the settings in etc/apps/dbx/metadata/local.meta. Therefore you cannot use the WebGUI to adjust the access rights. E.g. only the role admin can use the dbquery command per default.
I changed all role settings within the default file to "*" and now it works as expected.
Can't you just set the permissions for the DB Connect application itself to only allow certain roles to access it? That's what I do and only the admin role can access the Splunk DB Connect interface, views, commands.
I haven't set up lookups yet, but I have set up multiple monitoring inputs that push data to different indexes. Indexes have their own permissions settings.
These seem like obvious settings so I'm concerned that I'm missing something on my end and users can access the databases. Can you tell me specifically how all users access the configured db?
Not only do we run numerous databases, but I also want to implement separate entries using different users for the same database. This way I could use the database restrictions to adjust the capabilities for my Splunk users. I do not even consider a separate instance for every access profile a workaround -- who knows about side effects and the waste of resources caused by this approach.
The DB Connect application is from 2005 and does not support proper rights management. Are we really talking about an enterprise solution?
How many databases do you access? Another solution could be to have multiple versions of the db connect app installed but renamed for their different purposes. Of course this is a bit of a hack, plus it would break any automatic updates.
To limit the access for the whole application to certain roles is of course no solution. The entitlement for a specific database is user dependent. I cannot name a role with access to all databases. Application-wide permissions render DB Connect useless.
I would like to grant the users e.g. R/O access to "their" databases so they can use "dbquery" and "lookup" within searches.