Developing for Splunk Enterprise

getting storage passwords using python sdk

Path Finder

Hi There,

We are getting reports that the Mimecast for Splunk app is failing to return our credentials from Splunk secure storage using Splunk version 6.5.1. The app uses the Splunk Python SDK for this function.

The exception that we are getting is:

<class 'xml.etree.ElementTree.ParseError'>

Here is a sample of the code we use here:

    try:
        import splunklib.client as client

        # Connect with the session key handed to the script
        service = client.connect(token=params["session_key"], app="mimecast_for_splunk", owner="nobody")
        storage_passwords = service.storage_passwords
        for storage_password in storage_passwords:
            if storage_password.realm == "mimecast_for_splunk":
                pass  # -----truncated------
    except:
        # code to add the exception to a log file on disk
        pass

Any help or guidance on this would be greatly appreciated.

0 Karma

SplunkTrust

Just to recap.

Make sure you are getting the valid session key. Print it out. You could also test your code by substituting a connect by a static username/password combo temporarily.

You might try changing your sessions to the following. Since you are getting the storage password list, app is going to be irrelevant.

    service = client.connect(token=session_key)

Confirm what user context the knowledge object is running under (input/alert etc.). I suspect that nobody or your session key is causing you the issue.
http://dev.splunk.com/view/python-sdk/SP-CAAAEJ6#currentuser

Ensure that user has the list_storage_passwords capability.

Use something like this to grab just the credential that matches the desired realm and username:

    retrievedCredential = [k for k in storage_passwords if k.content.get('realm')==realm and k.content.get('username')==username][0]

0 Karma
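
Added example (not part of the thread or of the Mimecast app's code): the checks from this answer combined into one function that confirms which user the session key authenticates as and whether it holds `list_storage_passwords` before filtering by realm and username. `service` is a `splunklib.client.Service` as created in the thread; `CredentialError`, `current_context` and `get_credential` are hypothetical names, and the JSON layout read from `authentication/current-context` is an assumption.

```python
import json
from xml.etree.ElementTree import ParseError

CAPABILITY = "list_storage_passwords"


class CredentialError(Exception):
    """Carries a message that is safe to write to a log (no secrets in it)."""


def current_context(service):
    """Return (username, capabilities) of the user the session key belongs to."""
    # Assumed response layout: {"entry": [{"content": {"username": ..., "capabilities": [...]}}]}
    body = service.get("authentication/current-context", output_mode="json").body.read()
    content = json.loads(body)["entry"][0]["content"]
    return content["username"], content.get("capabilities", [])


def get_credential(service, realm, username):
    """Return the clear password stored under realm/username or raise CredentialError."""
    try:
        user, caps = current_context(service)
        if CAPABILITY not in caps:
            raise CredentialError("user %r lacks the %s capability" % (user, CAPABILITY))
        # Iterating the collection is where the SDK parses splunkd's XML reply.
        matches = [p for p in service.storage_passwords
                   if p.content.get("realm") == realm
                   and p.content.get("username") == username]
    except ParseError as exc:
        # Report the parse failure itself; never log the session key or a password.
        raise CredentialError("could not parse splunkd response: %s" % exc)
    if not matches:
        raise CredentialError("no credential for realm=%r username=%r visible to user %r"
                              % (realm, username, user))
    return matches[0].content["clear_password"]


# Usage inside the input script, with the connection call from the thread:
#   service = client.connect(token=session_key)
#   password = get_credential(service, "mimecast_for_splunk", username)
```

Each failure (missing capability, no matching credential, unparseable response) surfaces as a distinct message naming the user context, which is the information the thread asks the poster to collect.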

SplunkTrust

Looks like some xml parsing issues... do you parse xml in the code? Are there any other errors?

0 Karma

Path Finder

Thank you for your reply. I don't do any parsing myself, I leave that to the SDK. I'm expecting an array back from:

    storage_passwords = service.storage_passwords

What do you think?

0 Karma

SplunkTrust

Does service even work?

Curious how you're getting the session key, if you're passing auth in commands.conf or not.

0 Karma

Path Finder

It does, we are only seeing this with 1 or 2 customers.

The script runs as a modular input so I get the session key from stdin on script startup.

0 Karma

SplunkTrust

Does the user firing the alert have the capability: list_storage_passwords?

0 Karma

Path Finder

Thanks for that, wouldn't Modular Inputs run as the user running the splunk service?

How would we check what user context this is being run under and if they have that permission?

0 Karma

SplunkTrust

It runs as whomever (splunk user) owns the search that fired. That is not the same thing as what splunkd runs as. You are confusing OS vs Application users.

0 Karma

Path Finder

OK, I would understand that if this was triggered by a search but this is triggered as a Data Input.

Apologies if I am misunderstanding.

0 Karma

SplunkTrust

All knowledge objects still have owners. The session key is going to auth as whomever that is. That will determine the permissions/capability by role.

This shows you how in your code to tell which user you are.
http://dev.splunk.com/view/python-sdk/SP-CAAAEJ6#currentuser

0 Karma

SplunkTrust

You might also want to do something more like the following to get a specific credential matching the desired realm and username. Just a little more compact than the typical for loop structure.

    retrievedCredential = [k for k in storage_passwords if k.content.get('realm')==realm and k.content.get('username')==username][0]

0 Karma