Dashboards & Visualizations

Can I have a splunk link be externally accessed by clicking the link and have the username and password passed to it?

HattrickNZ
Motivator

Below is a link in a webpage. I am looking at having a link that the user will need a username and password to access. I plan to use a generic u/n and p/w as the security won't be an issue at this stage.

So the user will click the link and somehow the u/n and p/w will be passed and entered into the website and the user brought to the required page.

How do I go about achieving this? can I somehow include the un and pw in the html? do I need to use php or some other method?

<!DOCTYPE html>
<html>
<body>

<p><a href="https://splunk:8000/en-GB/app/app_name/dashboard1">dashboard1 </a></p>

</body>
</html>
0 Karma

HattrickNZ
Motivator

Apologies if this is too much detail but this is just for my reference....

I have installed splunk on my PC and created this simple dashboard located here:

http://localhost:8000/en-GB/app/search/gaugeexample [1]

If i click on the url above it will bring me to this url [2], where I put in my un and pw and it works

http://localhost:8000/en-GB/account/login?return_to=%2Fen-GB%2Fapp%2Fsearch%2Fgaugeexample [2]

*That is fine but what I want now is when I click on the link it automatically does the login for me. *

so what I done was put this file web.conf in the local directory(see below)

I then tried using a different link 3
http://localhost:8000/en-GB/account/insecurelogin?username=admin&password=admin*return_to=%2Fen-GB%2... [3]

I get this displayed
{"success":false,"offset":0,"count":0,"total":0,"messages":[{"type":"ERROR","time":"2015-06-12T11:38:44","message":"Login failed"}],"data":null}
and it is at this url [4]
http://localhost:8000/en-GB/account/insecurelogin?username=admin&password=admin*return_to=%2Fen-GB%2... [4]

Based on what you provided I have tried to get url [3] right above, but I may be slightly off.

Can you advise if I am close?

**web.conf file put in this directory C:\Program Files\Splunk\etc\system\local

#   Version 6.2.3
[default]
[settings]
#ks added this 
# Toggle the insecure login endpoint
# enable_insecure_login = False   ## setting it to true as want to be able to access links/dashboards externally 
enable_insecure_login = True   

acharlieh
Influencer

Assuming that it wasn't simply lost when you went to anonymize your admin password (which I hope you didn't post your admin password on a public website), it looks like you're missing an ampersand. You have:

http://localhost:8000/en-GB/account/insecurelogin?username=admin&password=admin*return_to=%2Fen-GB%2Fapp%2Fsearch%2Fgaugeexample

whereas you probably want:

http://localhost:8000/en-GB/account/insecurelogin?username=admin&password=admin*&return_to=%2Fen-GB%2Fapp%2Fsearch%2Fgaugeexample

Without separating the key-value pairs of the query string, the former is attempting a much longer password than the latter. Of course you need to be supplying the correct password. Additionally, I'm not sure, but you might need to urlencode the password as well.

This all said, enable_insecure_login is a bad idea. Know the risks that you're getting into before leaving it enabled.

lucasfryer
Engager

This format worked for me! Here's a skeleton:

/account/insecurelogin?username=&password=&return_to=%2F

...which eventually looks something like this once you plug in your values...

https://splunk.local:8000/en-US/account/insecurelogin?username=username&password=password&return_to=...

0 Karma

HattrickNZ
Motivator

tks, but could not get that to work, it says page not found but is close I feel as it looks like a response from splunk.

how do I check if enable_insecure_login = True is actuually working?

just as an example, I would have thought urlencoding admin would be admin?

0 Karma

acharlieh
Influencer

There are a few options here. Personally if you're on a new enough version of Splunk (v6.2.x) the answer by @adauria_splunk is by far the best option in which you Embed a scheduled report in other sites.

A second option (still secure-ish, if you trust your network, but takes some finagling) is where you setup a proxy server to sit in front of Splunk and configure SplunkSSO. Basically here a user requests a page through the proxy, the proxy forwards the request to Splunk with headers of "I'm splunk username X" and you configure Splunk to trust only such assertions coming from the proxy, and Splunk assumes that user's permissions when interacting. It's been a while since I've dug into SplunkSSO, but I think there was an option to have everything work normally when you don't go through the proxy. You can even configure the proxy to only make very specific requests if you need to lock visitors to specific views or workflows.

@stephanefotso presents the third option, which is falling back on the normal authentication workflow, which of course would be a bit of a disconnected workflow... Rumor has it, SAML is under development as an authentication/authorization mechanism for the future, in which case maybe it'd be somewhat seamless to the user. (But that of course is something that is yet to be seen how development falls out).

Finally the solution you asked for where you build a link with a username and password embedded within it, is in fact still an option. In web.conf there is a long existing feature called enable_insecure_login that might be enabled and leveraged. I have not done this personally since this is known as a really bad idea™ because requires extreme trust in everyone who is going to be able to access the page with the link on it (including their caches, and proxies, and everyone with access to the http logs) all of those people would then have a username and password that could be used on your Splunk server. If this user account comes from an external backing store such as LDAP or other means accessed with Scripted authentication, anything that username and password can be used to access is now open as well. Be careful with it and take this only as a last resort.

paramagurukarth
Builder

Yes, You can....
1.You have to implement a python script to give the user role/permission to splunk
2.Configure the splunk to ask that python file about the user details
Now launch your url.
Splunk will interact with that python method and user the user details returned

Please refer the below link
http://docs.splunk.com/Documentation/Splunk/6.2.2/Security/ConfigureSplunktousePAMorRADIUSauthentica...

0 Karma

HattrickNZ
Motivator

@paramagurukarthikeyan see my possible anser above. I am trying to get your advice to work. but unfortunately cannot post here!!

0 Karma

acharlieh
Influencer

Perhaps you could explain more of your thought process on how changing the source of truth of which users and roles are available to Splunk would enable a seamless transition from a 3rd party site to a dashboard within Splunk? (Knowing that there are already configured users who would likely need to maintain their permissions).

0 Karma

paramagurukarth
Builder

httP://....:8000/splunkApp/account/insecurelogin?username=USERNAME&password=PASSWD*return_to=%2Fdebug%2Frefresh

return_to -> Page/view that should be displayed

Above is the way to pass the userName and Password for a HTTP GET request in splunk. You have to enable enable_insecure_login option in web.conf refer Here

You can simply pass a valid username/password to that url and load it in a iFrame. But that will expose the user name and password. So i suggest the above "External Authentication stuff".......

0 Karma

acharlieh
Influencer

The solution that you're proposing that applies to the problem at hand therefore is enable_insecure_login. Where the username and password comes from isn't really part of the problem (you can easily make a user in whatever other backing store that you have, you will still expose the username and password for this user using the "enable_insecure_login" method, and this user and password would be valid for the web and as well as for the insecure login). But since you bring it up, know that enabling scripted authentication to create your faked user/password will only work if you're managing all real users as Splunk users (none of which have the same username as your scripted user). If you're using LDAP you have a problem because you cannot have both LDAP and Scripted auth active at the same time. If you're using Scripted already, you cannot use two scripts at the same time. It'd be easier to just create a stub user in Splunk and map that to the appropriate role(s) if you chose to go this route.

0 Karma

paramagurukarth
Builder

Yes I agree...

I thought the parent screen/App (i.e. the screen to which a splunk is going to be included) is having some authentication mechanism. So when you load the splunk page inside some page which is pre-authenticated .. You can implement your script to interact with that parent app for user validation...

i.e :
1. Authenticate your user within your app
2. Load the splunk inside you app's iframe
3. Implement the splunk's script to interact with your app's REST or some http endpoint to vaidate the user.
4. Validate the user details in your app. (User name maybe a dynamic value stored inside the session of the app)
5. If it is valid proceed...
or just leave it 🙂

0 Karma

acharlieh
Influencer

The functionality you're looking for in that case is SplunkSSO, where you have SplunkWeb assume a username asserted by a proxy. Again not scripted authentication.

0 Karma

paramagurukarth
Builder

I am not aware of that. Is there any url to read what and how about SplunkSSO.. Please share it

0 Karma

HattrickNZ
Motivator

sorry but could you elaborate on that more? I have tried reading all that and still do not fully get how it can be done.

0 Karma

paramagurukarth
Builder

Set up user authentication with external systems helps you to write your own authentication mechanism to splunk..
If you configured your authentication.conf for scripted authentication
[authentication]
authType = Scripted
authSettings = script

[script]
scriptPath = $SPLUNK_HOME/bin/python $SPLUNK_HOME/bin/

Splunk will not use its own authentication mechanism. Instead it will interact with your python file to authenticate a user and roles.

You must implement the following method in your python file...
userLogin
getUserInfo
getUsers
getSearchFilter

Check this page for sample script creation :
http://docs.splunk.com/Documentation/Splunk/6.2.2/Security/Createtheauthenticationscript

0 Karma

adauria_splunk
Splunk Employee
Splunk Employee

The other thing you might consider is saving your dashboard panels as scheduled reports in Splunk and sharing them as iframes, no additional authentication required if you embed them at that point.

stephanefotso
Motivator

Wao! What a good idea ! But for the moment, a user always need to provide credentials to access splunk Enterprise home.
alt text

What you can do, is to just put the link to the dashboard, and the user will be prompted to enter the username and the password in the screen above. Once informations entered, he will be directly directed to the dashboard.

 <!DOCTYPE html>
 <html>
 <body>

 <p><a http://45.61.16.70:8000/en-US/app/Alerts_application/Ticket_newPage_Drilldown">dashboard1 </a></p>

 </body>
 </html>
SGF
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...