I am able to use the C# API to connect to our Splunk server and to perform searches and retrieve the results. If I just let the program end without calling LogOffAsync, all is good and the process ends. If I try and be a good client citizen and call LogOffAsync before terminating the program, the LogOff call is resulting in an Exception with the following exception detail:
System.AggregateException was unhandled
HResult=-2146233088
Message=One or more errors occurred.
Source=mscorlib
StackTrace:
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
at System.Threading.Tasks.Task.Wait()
at RestClient.Program.Main(String[] args) in c:\source\sandbox\SplunkHelloWorld\SplunkHelloWorld\Program.cs:line 29
at System.AppDomain._nExecuteAssembly(RuntimeAssembly assembly, String[] args)
at System.AppDomain.ExecuteAssembly(String assemblyFile, Evidence assemblySecurity, String[] args)
at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()
InnerException: Splunk.Client.UnauthorizedAccessException
HResult=-2146233088
Message=403: Forbidden
Error:
In handler 'httpauth-tokens': You (user=[my splunk user]) do not have permission to perform this operation (requires capability: edit_httpauths).
Source=Splunk.Client
StackTrace:
at Splunk.Client.Response.<ThrowRequestExceptionAsync>d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable.ConfiguredTaskAwaiter.GetResult()
at Splunk.Client.Response.<EnsureStatusCodeAsync>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable.ConfiguredTaskAwaiter.GetResult()
at Splunk.Client.Service.<LogOffAsync>d__36.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
at RestClient.Program.<ConnectSplunkSdk>d__16.MoveNext() in
my program
It doesn't seem reasonable that I would have to have edit_httpauths permission just to LogOff. Am I missing something? Why would it be excepting?
In handler 'httpauth-tokens': You (user=[my splunk user]) do not have permission to perform this operation (requires capability: edit_httpauths)
So what happens if you give your role the "edit_httpauths" capability?
It's perfectly reasonable in my opinion. It's obvious the call to service.LogOffAsync requires this capability/privilege. It probably resets the users auth token or something more that you're not thinking it does. I have never pressed a "logout" button in Splunk. Have you? It's not required IMHO and I think you're going above and beyond and creating trouble for yourself.
If you want Splunk support, submitt a ticket.
Bump - no Splunk support want to weigh in?