Splunk Dev

I've created a custom Splunk App that has a passwords.conf file for external API credentials. How can I get a non-admin user to pull the credentials out of passwords.conf?

kywinter
Engager

I am building a custom Splunk application. The app leverages custom Python scripts to query an external API and present data in a dashboard directly in the Splunk UI. Using the setup.xml, I am able to successfully store the external API credentials in a passwords.conf file.

When I invoke the scripts and API calls with the admin user, everything works perfectly without any issues. However, when I try to do the same with a non-admin user, I get the following error:

Error: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/my-app/admin/passwords

How can I successfully pull out the credentials from passwords.conf with a user that isn't an admin?

My getCredentials() method is as follows:

import splunk.entity as entity

myapp = 'my-app'  # app namespace, as it appears in the error URL above

def getCredentials(sessionKey, targetUsername, logger):
    try:
        # list all credentials stored for this app
        entities = entity.getEntities(['admin', 'passwords'], namespace=myapp, owner='nobody', sessionKey=sessionKey)
    except Exception as e:
        logger.error("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e)))
        raise Exception("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e)))
    # collect the credentials that match the requested username
    credentials = []
    for i, c in entities.items():
        if c['username'] == targetUsername:
            credentials.append((c['username'], c['clear_password']))
    # fail loudly when nothing matched (this check was unreachable after the return)
    if not credentials:
        logger.error("No credentials have been found")
        raise Exception("No credentials have been found")
    return credentials

My passwords.conf file looks like this (encrypted password string obfuscated):

[credential::api_user:]
password = $1234abcd=

starcher
SplunkTrust

Anyone who needs to hit the endpoint for stored creds needs to have the role capability 'list_storage_passwords' in v6.5+. Prior to 6.5 it has to be 'admin_all_objects'.

gjanders
SplunkTrust

Interesting, however would not list_storage_passwords allow the REST API to be used to obtain the clear text password if the user had the knowledge and the ability (rest_properties_get) to use the REST API?

Wouldn't this then potentially allow the user to see the real password (assuming they had access to port 8089, had the required authorize.conf setting and found the passwords endpoint)...

gavsdavs_GR
Path Finder

Gareth, how do you reverse engineer the password from the crypt? Do you not also need the splunk.secret (and that means Splunk host access)?

0 Karma

gjanders
SplunkTrust

Try https://mysplunkserver:8089/servicesNS/nobody/storage/passwords in a browser, as per Storing Encrypted Credentials or Splunk Alert Scripts

Where using a default app such as search, you may see the passwords from every other application; if you have many, you may need to append ?count=-1 to the URL.

0 Karma