Developing for Splunk Enterprise

C# API: Getting 403 when calling service.LogOffAsync()

New Member

I am able to use the C# API to connect to our Splunk server and to perform searches and retrieve the results. If I just let the program end without calling LogOffAsync, all is good and the process ends. If I try and be a good client citizen and call LogOffAsync before terminating the program, the LogOff call is resulting in an Exception with the following exception detail:

System.AggregateException was unhandled
  HResult=-2146233088
  Message=One or more errors occurred.
  Source=mscorlib
  StackTrace:
       at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
       at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
       at System.Threading.Tasks.Task.Wait()
       at RestClient.Program.Main(String[] args) in c:\source\sandbox\SplunkHelloWorld\SplunkHelloWorld\Program.cs:line 29
       at System.AppDomain._nExecuteAssembly(RuntimeAssembly assembly, String[] args)
       at System.AppDomain.ExecuteAssembly(String assemblyFile, Evidence assemblySecurity, String[] args)
       at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
       at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Threading.ThreadHelper.ThreadStart()
  InnerException: Splunk.Client.UnauthorizedAccessException
       HResult=-2146233088
       Message=403: Forbidden
  Error: 
 In handler 'httpauth-tokens': You (user=[my splunk user]) do not have permission to perform this operation (requires capability: edit_httpauths).
       Source=Splunk.Client
       StackTrace:
            at Splunk.Client.Response.<ThrowRequestExceptionAsync>d__17.MoveNext()
         --- End of stack trace from previous location where exception was thrown ---
            at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
            at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
            at System.Runtime.CompilerServices.ConfiguredTaskAwaitable.ConfiguredTaskAwaiter.GetResult()
            at Splunk.Client.Response.<EnsureStatusCodeAsync>d__11.MoveNext()
         --- End of stack trace from previous location where exception was thrown ---
            at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
            at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
            at System.Runtime.CompilerServices.ConfiguredTaskAwaitable.ConfiguredTaskAwaiter.GetResult()
            at Splunk.Client.Service.<LogOffAsync>d__36.MoveNext()
         --- End of stack trace from previous location where exception was thrown ---
            at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
            at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
            at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
            at RestClient.Program.<ConnectSplunkSdk>d__16.MoveNext() in
my program

It doesn't seem reasonable that I would have to have edit_httpauths permission just to LogOff. Am I missing something? Why would it be excepting?

Tags (3)
0 Karma

SplunkTrust
SplunkTrust
  In handler 'httpauth-tokens': You (user=[my splunk user]) do not have permission to perform this operation (requires capability: edit_httpauths)

So what happens if you give your role the "edit_httpauths" capability?

It's perfectly reasonable in my opinion. It's obvious the call to service.LogOffAsync requires this capability/privilege. It probably resets the users auth token or something more that you're not thinking it does. I have never pressed a "logout" button in Splunk. Have you? It's not required IMHO and I think you're going above and beyond and creating trouble for yourself.

If you want Splunk support, submitt a ticket.

0 Karma

New Member

Bump - no Splunk support want to weigh in?

0 Karma