Splunk Dev

getting storage passwords using python sdk

alevy
Path Finder

Hi There,

We are getting reports that the Mimecast for Splunk app is failing to return our credentials from splunk secure storage using Splunk version 6.5.1. The app uses the Splunk Python SDK for this function.

The exception that we are getting is:

    <class 'xml.etree.ElementTree.ParseError'>

Here is a sample of the code we use here:

    try:
        import splunklib.client as client

        service = client.connect(token=params["session_key"], app="mimecast_for_splunk", owner="nobody")
        storage_passwords = service.storage_passwords
        for storage_password in storage_passwords:
            if storage_password.realm == "mimecast_for_splunk":
                # -----truncated------
    except:
        # code to add the exception to a log file on disk

Any help or guidance on this would be greatly appreciated.

0 Karma

starcher
Influencer

Just to recap.

Make sure you are getting the valid session key. Print it out. You could also test your code by substituting a connect by a static username/password combo temporarily.

You might try changing your sessions to the following. Since you are getting the storage password list, app is going to be irrelevant.

    service = client.connect(token=session_key)

Confirm what user context the knowledge object is running under (input/alert etc.). I suspect that nobody or your session key is causing you the issue.
http://dev.splunk.com/view/python-sdk/SP-CAAAEJ6#currentuser

Ensure that user has the list_storage_passwords capability.

Use something like this to grab just the credential that matches the desired realm and username

    retrievedCredential = [k for k in storage_passwords if k.content.get('realm')==realm and k.content.get('username')==username][0]

0 Karma

jkat54
SplunkTrust

Looks like some xml parsing issues... do you parse xml in the code? Are there any other errors?

0 Karma

alevy
Path Finder

Thank you for your reply. I don't do any parsing myself, I leave that to the SDK. I'm expecting an array back from:

    storage_passwords = service.storage_passwords

What do you think?

0 Karma

jkat54
SplunkTrust

Does service even work?

Curious how you're getting the session key, if you're passing auth in commands.conf or not.

0 Karma

alevy
Path Finder

It does, we are only seeing this with 1 or 2 customers.

The script runs as a modular input so I get the session key from stdin on script startup.

0 Karma

starcher
Influencer

Does the user firing the alert have the capability: list_storage_passwords ?

0 Karma

alevy
Path Finder

Thanks for that, wouldn't Modular Inputs run as the user running the splunk service?

How would we check what user context this is being run under and if they have that permission?

0 Karma

starcher
Influencer

It runs as whomever (splunk user) owns the search that fired. That is not the same thing as what splunkd runs as. You are confusing OS vs Application users.

0 Karma

alevy
Path Finder

OK, I would understand that if this was triggered by a search but this is triggered as a Data Input.

Apologies if I am misunderstanding.

0 Karma

starcher
Influencer

All knowledge objects still have owners. The session key is going to auth as whomever that is. That will determine the permissions/capability by role.

This shows you how in your code to tell which user you are.
http://dev.splunk.com/view/python-sdk/SP-CAAAEJ6#currentuser

0 Karma

starcher
Influencer

You might also want to do something more like the following to get a specific credential matching the desired realm and username. Just a little more compact than the typical for loop structure.

    retrievedCredential = [k for k in storage_passwords if k.content.get('realm')==realm and k.content.get('username')==username][0]

0 Karma
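
An added example, not code from the thread or from the Mimecast app: one way to do the realm/username lookup from the replies above so that a parse failure, an empty result and a duplicate are logged as distinct conditions instead of all falling into one bare `except` (or an `IndexError` from `[0]`). It assumes only that each entry exposes a dict-like `.content`, as in the one-liner; `CredentialLookupError`, `get_clear_password`, `broken_listing` and the sample entries are hypothetical names and constructed data.

```python
import xml.etree.ElementTree as ET
from types import SimpleNamespace


class CredentialLookupError(Exception):
    """Carries a reason code for the log; never the secret itself."""
    def __init__(self, reason, detail):
        super(CredentialLookupError, self).__init__("%s: %s" % (reason, detail))
        self.reason = reason


def get_clear_password(storage_passwords, realm, username):
    """Return clear_password of the single entry matching realm and username."""
    try:
        # Materialise the listing first so a failure while fetching it is
        # reported separately from "fetched fine, but nothing matched".
        entries = list(storage_passwords)
    except ET.ParseError as exc:
        raise CredentialLookupError("bad_response", str(exc))
    matches = [e for e in entries
               if e.content.get("realm") == realm
               and e.content.get("username") == username]
    if not matches:
        # The bare [0] in the one-liner would raise IndexError here.
        realms = sorted(set(str(e.content.get("realm")) for e in entries))
        raise CredentialLookupError(
            "not_found", "%d entries visible, realms=%s" % (len(entries), realms))
    if len(matches) > 1:
        raise CredentialLookupError("ambiguous", "%d matches" % len(matches))
    return matches[0].content.get("clear_password")


# Constructed sample entries standing in for service.storage_passwords.
SAMPLE = [
    SimpleNamespace(content={"realm": "mimecast_for_splunk",
                             "username": "api_user",
                             "clear_password": "constructed-secret"}),
    SimpleNamespace(content={"realm": "other_app", "username": "api_user",
                             "clear_password": "constructed-other"}),
]


def broken_listing():
    """Constructed stand-in for a listing whose response is not valid XML."""
    ET.fromstring("<feed><entry></feed>")  # raises ET.ParseError
    yield  # makes this a generator; never reached
```

Writing `reason` and the visible-entry count to the app's log helps separate a user-context or capability problem, as raised in the replies, from a wrong realm or username.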