Splunk Dev

No authorization for Splunk native user with admin role from Perl script REST API search, same script works for LDAP user

jemina
Loves-to-Learn Lots

Assistance/advice greatly appreciated.

I am able to log in to Splunk Web with a Splunk Native user, but via a Perl script I get an unauthorized response.

Excerpt from Perl script:

use LWP::UserAgent;

my $ua = LWP::UserAgent->new;
# Form-encode the credentials so special characters in the password survive the POST.
# Note: paths under /servicesNS/ expect an owner segment as well as an app segment.
my $post = $ua->post(
    "https://prod-forwardermanagement-splunk-vip.xxxx.uk:8089/servicesNS/$app/auth/login",
    Content => [ username => $username, password => $password ]
);

This is the response:

<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Unauthorized</msg>
</messages>
</response>


jemina
Loves-to-Learn Lots

Thanks for response,

I am actually testing using the following:

curl -k -u splunkuser:password https://prod-forwardermanagement-splunk.xxxxx.co.uk:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search sourcetype=dp_prod"

It always returns unauthorized for the Splunk Native User (with admin role). No session key is returned. If I try my Active Directory user, the result SID is returned.

Is there anything specific I need to do for a Splunk Native user?

Thanks

mcmaster
Communicator

I'm able to use that same command with a Splunk local user on my test instance, so I don't know if that's the issue. I assume you're able to login as the local user and run the search interactively, right?


jemina
Loves-to-Learn Lots

Hi,

Yes, I am able to log in to my Splunk instance using the same credentials. I just wondered if there might be an overarching config parameter which might preclude Splunk Native users from the admin role.

Thanks

mcmaster
Communicator

There's no restriction there, but that was my next question: are you able to verify the permissions on the local user to ensure they have all the same permissions as the AD user? Also, since you're passing the password in the curl command, make sure there aren't any special characters in the password that the shell might be interpreting.

As a test, any user should be able to query this REST endpoint, so that would help you eliminate password issues:

curl -k -u user:temp1234 https://localhost:8089/services/authentication/current-context

If that command fails, there's an issue with the credentials you're providing.


jemina
Loves-to-Learn Lots

Hi again,

I also get an unauthorized error message returned for https://......./services/authentication/current-context.

The credentials do not contain any special characters.

I am definitely using the correct user/password combination, so I am a little confused, as the user works fine via the browser.

Please, are you able to point me to a Splunk log file that might help me understand this issue?

Thanks

mcmaster
Communicator

You can look for AuthenticationManagerSplunk in $SPLUNK_HOME/var/log/splunk/splunkd.log, or you can search "index=_internal sourcetype=splunkd component=AuthenticationManagerSplunk".

This is what those logs look like for me with an incorrect password:

04-18-2022 15:19:57.814 -0400 WARN AuthenticationManagerSplunk [315578 TcpChannelThread] - Login failed. Incorrect login for user: user
04-18-2022 15:19:57.816 -0400 WARN AuthenticationManagerSplunk [315578 TcpChannelThread] - Login: user user attempted login with incorrect password. Login attempt=1

jemina
Loves-to-Learn Lots

Thanks for that,

I can see the following errors when I make the REST API call (strange, this user is a Splunk native user):

1 - ERROR UserManagerPro - LDAP Login failed, could not find a valid user="monitoruser" on any configured servers

2 - INFO AuthenticationManagerLDAP - Could not find user="monitoruser" with strategy="SplunkAdmin"

mcmaster
Communicator

That's normal, as Splunk will try any configured LDAP servers first before trying local users. Are there any other logs for that user?


mcmaster
Communicator

Hi @jemina,

To use the endpoints with /servicesNS/ you need to specify an app AND a user. For login, you can just use /services/auth/login but you could also try /servicesNS/$username/$app/auth/login or even /servicesNS/-/$app/auth/login.

Try those out and see if they work.

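To put the endpoint advice above into practice, here is an added client (example code, not from any poster or from Splunk) that logs in via the namespace-free /services/auth/login, confirms the session key against /services/authentication/current-context before doing anything else, and only then submits a search job under a fully qualified /servicesNS/<owner>/<app>/ path. The constructed XML replies used to exercise the parser, and the hostname, user, app and search string passed in, are assumptions; TLS verification is left on rather than reproducing curl -k.

```python
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

LOGIN_PATH = "/services/auth/login"                        # no owner/app needed for login
CONTEXT_PATH = "/services/authentication/current-context"  # cheap "who am I" check


def parse_login_response(body: bytes) -> str:
    """Return the sessionKey from an /auth/login reply, else raise with Splunk's <msg> text."""
    root = ET.fromstring(body)
    key = root.findtext("sessionKey")
    if key:
        return key
    msg = root.findtext("messages/msg") or "no sessionKey in response"
    raise PermissionError(f"Splunk login failed: {msg}")


def search_jobs_path(owner: str, app: str) -> str:
    """/servicesNS/ needs BOTH an owner and an app; '-' is the wildcard owner."""
    q = lambda s: urllib.parse.quote(s, safe="")
    return f"/servicesNS/{q(owner)}/{q(app)}/search/jobs"


def splunk_request(url, data=None, session_key=None) -> bytes:
    """POST url (if data) or GET it; return the body even on 4xx so the error XML is inspectable."""
    headers = {"Authorization": f"Splunk {session_key}"} if session_key else {}
    payload = urllib.parse.urlencode(data).encode() if data else None  # encodes special chars
    req = urllib.request.Request(url, data=payload, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:  # certificate verification stays ON
            return resp.read()
    except urllib.error.HTTPError as err:  # a 401 still carries <msg type="ERROR">...</msg>
        return err.read()


def login_and_search(base, username, password, spl, app="search") -> bytes:
    """Log in, verify the session with current-context, then create a search job as the user."""
    creds = {"username": username, "password": password}
    key = parse_login_response(splunk_request(base + LOGIN_PATH, data=creds))
    ctx = ET.fromstring(splunk_request(base + CONTEXT_PATH, session_key=key))
    if ctx.find("messages/msg[@type='ERROR']") is not None:  # error replies are un-namespaced
        raise PermissionError("session key was rejected by current-context")
    # spl must start with the "search" command, e.g. "search sourcetype=dp_prod".
    return splunk_request(base + search_jobs_path(username, app), data={"search": spl}, session_key=key)


if __name__ == "__main__":  # assumed host and credentials; replace with your own
    print(login_and_search("https://splunk.example.invalid:8089", "monitoruser", "secret",
                           "search sourcetype=dp_prod"))
```

Because the login and search steps are separated by the current-context check, a failure is pinned to either authentication (no sessionKey, as in the thread) or to the namespace path, which is exactly the distinction the two replies above draw.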