Getting Data In

How to change saved search permissions via python SDK?

Path Finder

Hey,

I am looking for a way to change permissions to a saved search via splunk python SDK.

I tried using the splunklib.client post method:

import splunklib.client as client
app = "app_name"
cred = {"user": "admin", "password": "changeme", "port": 8089, "host": "localhost","owner":"admin"}

service = client.connect(app=app,**cred)
service.post('saved/searches/report_name/acl', sharing="app" )

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 238, in wrapper
    return request_fun(self, *args, **kwargs)
  File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 62, in new_f
    val = f(*args, **kwargs)
  File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 657, in post
    response = self.http.post(path, all_headers, **query)
  File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 1089, in post
    return self.request(url, message)
  File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 1109, in request
    raise HTTPError(response)
splunklib.binding.HTTPError: HTTP 404 Not Found -- 
 In handler 'savedsearch': Could not find object id=report_name

When i try using curl i get no problem:
curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/app_name/saved/searches/report_name/acl -d sharing=app

Maybe i am doing something wrong? Or maybe there is other way to do it and i am missing it?

Regards,
Dori

0 Karma
1 Solution

Path Finder

I didn't find a way to do with the splunklib.client object, but i was able to pass it using the answer to this question (see @flynt answer):

http://answers.splunk.com/answers/144000/modifying-acl-saved-search-permissions-through-rest-api-usi...

Note - Flynt answer is working but the URL there is wrong (or apply to older splunk version). See my comments there.

View solution in original post

Explorer

You had the right idea to post to /acl, but you need to urlencode the parameters.

The following creates a new EventType then changes the permissions afterwards. There does not appear to be a way to assign the roles with the initial create method. The "/acl" link can be derived from links in the returned Stanza object.

from urllib.parse import urlencode

newperms = { "perms.read": "role name 1,role name 2, role name 3", 
                     "perms.write": "role name 1, role name 2",
                    "sharing": "app", "owner": "nobody" 
           }
newet = sdk.confs["eventtypes"].create("test_event_type",sharing="app",app="custom_app")
sdk.post("%s/%s" % (newet.links["alternate"], "acl"), body=urlencode(newperms))

 

0 Karma

Path Finder

I didn't find a way to do with the splunklib.client object, but i was able to pass it using the answer to this question (see @flynt answer):

http://answers.splunk.com/answers/144000/modifying-acl-saved-search-permissions-through-rest-api-usi...

Note - Flynt answer is working but the URL there is wrong (or apply to older splunk version). See my comments there.

View solution in original post

Splunk Employee
Splunk Employee

Thank you for your comment @dorilevy, however that example does indeed include the correct URL.

"https://localhost:8089/servicesNS/%s/search/saved/searches/%s/acl" % ("admin", ss)
request = urllib2.Request( url )

It's important to remember the app context the saved search resides in otherwise you will run into an issue where the saved search is not found. For example if I had an app named "MYAPP" and a saved search named "MYSEARCH" the url should reflect that.

https://localhost:8089/servicesNS/admin/MYAPP/saved/searches/MYSEARCH/acl

Path Finder

Hey @flynt,

You are correct. i missed the app context (my app is not search, that is why i thought it is mistake). Sorry about it, and again - thanks for the solution.

Dori

0 Karma