Splunk Dev

Retrieve Credentials from Splunk for a Custom Alert Action - Client is not authenticated

celestekiyoko
Explorer

Currently using Splunk 6.2.3

I have a python script that is being executed as part of a Custom Alert Action. This script retrieves credentials (for our internal tickets system) that are stored in a Splunk App I set up.

I have been following this blog post for the setup of my script: https://www.splunk.com/blog/2011/03/15/storing-encrypted-credentials.html

NOTE: I chose to have it send me an email with the error message instead of having to go check a log file, so the sendErrorEmail is something I defined.

However, when my script runs, I keep getting the error: "Could not get My_App credentials from splunk. Error: [HTTP 401] Client is not authenticated"

Below is my script code. Any idea what I'm doing wrong or if there is something I'm missing?

import sys
import splunk.entity as entity

# sendErrorEmail(html, text) is defined elsewhere in my script (see the NOTE above)

def getCredentials(sessionKey):
    myapp = 'My_App'

    #Trims off "sessionKey=" from readline
    #Even if I remove this line, my script doesn't work
    sessionKey = sessionKey[11:]

    try:
        # list all credentials
        entities = entity.getEntities(['admin', 'passwords'], namespace=myapp, owner='nobody', sessionKey=sessionKey)
    except Exception as e:
        html = "sessionKey == " + sessionKey + "<br/>Could not get %s credentials from splunk. Error: %s" % (myapp, str(e))
        text = "Could not get %s credentials from splunk. Error: %s" % (myapp, str(e))
        sendErrorEmail(html, text)
        raise Exception("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e)))

    # return first set of credentials
    for i, c in entities.items():
        return c['username'], c['clear_password']
    html = "No credentials have been found"
    text = "No credentials have been found"
    sendErrorEmail(html, text)
    raise Exception("No credentials have been found")

def main():
    # Splunk writes "sessionKey=<key>" as the first line of stdin
    sessionKey = sys.stdin.readline().strip()
    if sessionKey == "":
        html = 'No sessionKey'
        text = 'No sessionKey'
        sendErrorEmail(html, text)

    username, password = getCredentials(sessionKey)
    credentials = [username, password]

if __name__ == '__main__':
    main()
0 Karma

starcher
SplunkTrust

Here are some patterns depending on what you are doing.
http://www.georgestarcher.com/splunk-stored-encrypted-credentials/

Honestly though you are better off using the Add-On builder to make your alert actions so you get all the supporting code.

0 Karma

BernardEAI
Communicator

Hi @starcher 

Thanks for this hint. I followed your directions at http://www.georgestarcher.com/splunk-stored-encrypted-credentials/

I'm getting the following result if I run:

import sys
from splunklib.searchcommands import dispatch, GeneratingCommand, Configuration, Option, validators

@Configuration(streaming=False, local=True, type='reporting')
class GenerateAuthInfoCommand(GeneratingCommand):
    def generate(self):
        # self.service is already authenticated with the session of the user running the search
        storage_passwords = self.service.storage_passwords
        for credential in storage_passwords:
            # each storage/passwords entry exposes username and clear_password in its content
            usercreds = {'username': credential.content.get('username'), 'password': credential.content.get('clear_password')}
            yield usercreds

dispatch(GenerateAuthInfoCommand, sys.argv, sys.stdin, sys.stdout, __name__)

[screenshot of the search results in Splunk 7.3.3 omitted]

None of these results look like something I can use as a username and password. I have tried authenticating with one of them, but no luck.

0 Karma

harsmarvania57
SplunkTrust

Are you sure that Alert actions are showing under Settings in Splunk Web? Because as far as I know, Custom Alert actions were introduced in Splunk 6.3, so they will not work in Splunk 6.2.3.

If you are running Splunk 6.3 or higher then you will be able to fetch session_key from the payload. Please refer to the example script http://docs.splunk.com/Documentation/Splunk/6.6.3/AdvancedDev/ModAlertsBasicExample

0 Karma

celestekiyoko
Explorer

The custom alert action is relatively new, but even in older versions of Splunk, "Run a script" has been an option for alerts. That's what I am using to execute my script.

0 Karma

damien_chillet
Builder

That looks like the session key passed is not valid.

Could you print everything Splunk is passing to stdin?

0 Karma

celestekiyoko
Explorer

That was my guess too, but I can't figure out what it's not liking about my session key.

sys.stdin.readline().strip() gives the following:
sessionKey=JcAM%5EMTPFZxlMfZgKthwNjbsqneDpCyUYh4Tf_sM4BviMnfgPXV86NsdIKlpFNQqFQxakLQWC9EbkNPSZTPuioEcTg34EopEcsSn8dhjWIZHTZRcEUCh%5EDSectftoLS4FXcgDHo5bCMjKo

sessionKey = sessionKey[11:] makes it the following:
JcAM%5EMTPFZxlMfZgKthwNjbsqneDpCyUYh4Tf_sM4BviMnfgPXV86NsdIKlpFNQqFQxakLQWC9EbkNPSZTPuioEcTg34EopEcsSn8dhjWIZHTZRcEUCh%5EDSectftoLS4FXcgDHo5bCMjKo

I have tried passing it with the "sessionKey=" in the beginning and without it, and both times I still get the "could not authenticate" error.

0 Karma

dsommerville
New Member

Maybe a bit late on this one, but it looks like your session key needs to be URL decoded.

0 Karma
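The two points raised in this thread about the session key, that a legacy "Run a script" alert hands it over URL-encoded on the first line of stdin (so the `%5E` in the dump above is an encoded `^`), and that a 6.3+ custom alert action instead receives a JSON payload with a `session_key` field, can be handled by one small reader. The code below is an added example written in Python 3 for this thread; it is not code from the original question, from the replies, or from Splunk. The two stdin samples are constructed (the keys are made up), and the only assumption beyond the thread is the payload field name `session_key`, which matches the Splunk custom alert action payload. A practical note for the script in the question: the session key is a bearer token for the Splunk REST API, so keep it out of the error e-mail body and out of any log line.

```python
import json
from urllib.parse import unquote

# Constructed sample inputs (not real keys). The legacy line mimics what the
# original poster saw: the key arrives URL-encoded, so "^" shows up as "%5E".
LEGACY_STDIN = "sessionKey=JcAM%5EMTPFZxlMfZgK_sM4Bvi%5EDSectft\n"
PAYLOAD_STDIN = json.dumps({
    "session_key": "JcAM^MTPFZxlMfZgK_sM4Bvi^DSectft",
    "server_uri": "https://127.0.0.1:8089",
    "configuration": {},
    "result": {},
})


def parse_session_key(stdin_text):
    """Return the raw session key handed to an alert script on stdin.

    Legacy "Run a script" alerts (Splunk 6.2 and older) write a single line
    "sessionKey=<url-encoded key>"; custom alert actions (6.3+, --execute)
    write a JSON payload whose "session_key" field is already decoded.
    """
    text = stdin_text.strip()
    if not text:
        raise ValueError("no data on stdin")
    if text.startswith("{"):
        return _from_payload(text)
    return _from_legacy_line(text)


def _from_payload(text):
    payload = json.loads(text)
    key = payload.get("session_key", "")
    if not key:
        raise ValueError("payload has no session_key")
    return key


def _from_legacy_line(text):
    prefix = "sessionKey="
    # Match the prefix explicitly instead of slicing off a fixed 11 characters.
    if not text.startswith(prefix):
        raise ValueError("expected 'sessionKey=' prefix, got %r" % text[:20])
    # URL-decoding is the step the script in the question is missing:
    # "%5E" becomes "^" and the key is then accepted by splunkd.
    return unquote(text[len(prefix):])


if __name__ == "__main__":
    # Show that both input shapes yield the same key without printing the key itself.
    same = parse_session_key(LEGACY_STDIN) == parse_session_key(PAYLOAD_STDIN)
    print("decoded legacy key matches payload key:", same)
```

Call `parse_session_key(sys.stdin.read())` at the top of the alert script and pass the result to `client.Service(token=...)` or `entity.getEntities(..., sessionKey=...)`; the blind `sessionKey[11:]` slice in the question keeps the `%5E` sequences, which is why splunkd answers 401 for both the prefixed and the sliced variant.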

damien_chillet
Builder

Hi Celeste,

The blog post you are basing your script on is quite old (2011), and in the current Python SDK I'm using there is no splunk.entity module.
Which SDK version are you using?

Here is how I manage to retrieve credentials using Python SDK version 1.6.2:

import splunklib.client as client

# sessionKey is the raw session key read from stdin
service = client.Service(token=sessionKey)

# one-time setup: store the credential under a realm of your choosing
# service.storage_passwords.create('test','damien','SPLUNK ANSWERS')

# look the entry up again by realm
print(service.storage_passwords.list(**{"search": "SPLUNK ANSWERS"})[0].content)

For this example the output is as follows:

{'username': 'damien', 'encr_password': '$1$gfY5DWk=', 'realm': 'SPLUNK ANSWERS', 'clear_password': 'test', 'password': '********'}

Hope that helps!

0 Karma
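Once `storage_passwords.list()` has returned entries, the alert script still has to pick the right one. The loop in the question returns whichever entry the server lists first, which can belong to a different realm or app than the ticket system. The function below, an added example in Python 3 that is not from this thread or from the Splunk SDK, selects exactly one credential by realm (and optionally username) from `.content` dicts in the shape shown in the output above, and refuses to guess when the realm holds several accounts. The sample entries are constructed; only the field names follow the output in the reply above.

```python
class CredentialLookupError(LookupError):
    """Raised when no single stored credential matches the requested realm/username."""


# Constructed sample of the .content dicts returned by storage_passwords.list()
# (field names follow the output shown above; usernames, realms and values are made up).
SAMPLE_ENTRIES = [
    {"username": "svc_monitor", "realm": "monitoring",
     "clear_password": "m0n1t0r-pw", "encr_password": "$1$c2FtcGxl", "password": "********"},
    {"username": "damien", "realm": "SPLUNK ANSWERS",
     "clear_password": "test", "encr_password": "$1$gfY5DWk=", "password": "********"},
    {"username": "ticket_bot", "realm": "ticketing",
     "clear_password": "t1ck3t-pw", "encr_password": "$1$dGlja2V0", "password": "********"},
    {"username": "ticket_admin", "realm": "ticketing",
     "clear_password": "adm1n-pw", "encr_password": "$1$YWRtaW4=", "password": "********"},
]


def select_credential(entries, realm, username=None):
    """Return (username, clear_password) for exactly one stored credential.

    entries  -- iterable of .content dicts, e.g. [e.content for e in service.storage_passwords]
    realm    -- the realm the credential was stored under (required)
    username -- optional; needed when a realm holds more than one account
    """
    matches = [
        e for e in entries
        if e.get("realm") == realm and (username is None or e.get("username") == username)
    ]
    if not matches:
        who = "" if username is None else " for user %r" % username
        raise CredentialLookupError("no credential in realm %r%s" % (realm, who))
    if len(matches) > 1:
        users = ", ".join(sorted(e.get("username", "?") for e in matches))
        raise CredentialLookupError(
            "realm %r holds %d accounts (%s); pass username= to pick one"
            % (realm, len(matches), users))
    chosen = matches[0]
    # clear_password is the usable secret; encr_password and the masked
    # password field are not meant to be sent to the downstream system.
    if not chosen.get("clear_password"):
        raise CredentialLookupError("entry for realm %r has no clear_password" % realm)
    return chosen["username"], chosen["clear_password"]


if __name__ == "__main__":
    user, _secret = select_credential(SAMPLE_ENTRIES, "ticketing", username="ticket_bot")
    print("selected account:", user)
```

In the alert script this replaces the `for i, c in entities.items(): return ...` loop: pass the realm you used in `storage_passwords.create(...)`, and let the lookup fail loudly instead of silently handing back the first password in the list.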