Getting Data In

How to change saved search permissions via python SDK?

dorilevy
Path Finder

Hey,

I am looking for a way to change permissions to a saved search via splunk python SDK.

I tried using the splunklib.client post method:

import splunklib.client as client
app = "app_name"
cred = {"user": "admin", "password": "changeme", "port": 8089, "host": "localhost","owner":"admin"}

service = client.connect(app=app,**cred)
service.post('saved/searches/report_name/acl', sharing="app" )

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 238, in wrapper
    return request_fun(self, *args, **kwargs)
  File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 62, in new_f
    val = f(*args, **kwargs)
  File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 657, in post
    response = self.http.post(path, all_headers, **query)
  File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 1089, in post
    return self.request(url, message)
  File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 1109, in request
    raise HTTPError(response)
splunklib.binding.HTTPError: HTTP 404 Not Found -- 
 In handler 'savedsearch': Could not find object id=report_name

When i try using curl i get no problem:
curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/app_name/saved/searches/report_name/acl -d sharing=app

Maybe i am doing something wrong? Or maybe there is other way to do it and i am missing it?

Regards,
Dori

0 Karma
1 Solution

dorilevy
Path Finder

I didn't find a way to do with the splunklib.client object, but i was able to pass it using the answer to this question (see @flynt answer):

http://answers.splunk.com/answers/144000/modifying-acl-saved-search-permissions-through-rest-api-usi...

Note - Flynt answer is working but the URL there is wrong (or apply to older splunk version). See my comments there.

View solution in original post

elewis1
Explorer

You had the right idea to post to /acl, but you need to urlencode the parameters.

The following creates a new EventType then changes the permissions afterwards. There does not appear to be a way to assign the roles with the initial create method. The "/acl" link can be derived from links in the returned Stanza object.

from urllib.parse import urlencode

newperms = { "perms.read": "role name 1,role name 2, role name 3", 
                     "perms.write": "role name 1, role name 2",
                    "sharing": "app", "owner": "nobody" 
           }
newet = sdk.confs["eventtypes"].create("test_event_type",sharing="app",app="custom_app")
sdk.post("%s/%s" % (newet.links["alternate"], "acl"), body=urlencode(newperms))

 

0 Karma

dorilevy
Path Finder

I didn't find a way to do with the splunklib.client object, but i was able to pass it using the answer to this question (see @flynt answer):

http://answers.splunk.com/answers/144000/modifying-acl-saved-search-permissions-through-rest-api-usi...

Note - Flynt answer is working but the URL there is wrong (or apply to older splunk version). See my comments there.

Flynt
Splunk Employee
Splunk Employee

Thank you for your comment @dorilevy, however that example does indeed include the correct URL.

"https://localhost:8089/servicesNS/%s/search/saved/searches/%s/acl" % ("admin", ss)
request = urllib2.Request( url )

It's important to remember the app context the saved search resides in otherwise you will run into an issue where the saved search is not found. For example if I had an app named "MYAPP" and a saved search named "MYSEARCH" the url should reflect that.

https://localhost:8089/servicesNS/admin/MYAPP/saved/searches/MYSEARCH/acl

dorilevy
Path Finder

Hey @flynt,

You are correct. i missed the app context (my app is not search, that is why i thought it is mistake). Sorry about it, and again - thanks for the solution.

Dori

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...