Using Ansible uri module to add users to Splunk via REST API
So I want to enlist Ansible to help me manage Splunk users across 100s of Splunk servers around the world. I know how to add a Splunk user via REST, that's easy, but how could I load a user from a JSON structure with all the necessary elements in it: username, password, roles, email, etc.? I believe that roles need to be a dictionary and not a string variable; am I incorrect on this?
Any advice is much appreciated!
I had the same problem and this worked for me:
- name: Create a hec token
  uri:
    url: https://localhost:8089/servicesNS/nobody/your_app/data/inputs/http?output_mode=json
    user: admin
    password: your_password
    method: POST
    body_format: form-urlencoded
    body:
      - [ name, token_name ]
      - [ index, your_index ]
      - [ sourcetype, your_sourcetype ]
So I was trying to do this for automating the creation of an LDAP strategy and LDAP Groups.
My solution to their REST API not supporting a JSON body was to put all the settings into a dict and then use this task to convert the JSON to a format the REST API will understand:
- name: Build body variable for creating LDAP Strategy
  set_fact:
    ldap_strategy_body: "{{ldap_strategy_body|default('')}}{{ldap_setting.value.setting_name}}={{ldap_strategy.ldap_strategy_settings[ldap_setting.key]|default(ldap_setting.value.setting_value)}}&"
  with_dict: "{{default_ldap_settings}}"
  loop_control:
    loop_var: ldap_setting
    label: "Setting {{ldap_setting.key}}"
You might need to send the body as a file. I did this for DBX using the following (bash function):
function create_input {
  # $1 is the name of a JSON file under /config that is sent as the request body
  for i in $(seq 1 "${RETRY_MAX}"); do
    response=$(curl -k -u "${SPLUNK_USERNAME}:${SPLUNK_PASS}" -H "Content-Type: application/json" -X POST -d "@/config/${1}" "https://${SPLUNK_HOST}/servicesNS/nobody/splunk_app_db_connect/db_connect/dbxproxy/inputs" | grep -o "There was an error")
    if [ "$response" != 'There was an error' ]; then
      echo "Database is up"
      break
    fi
    printf '.'
    sleep 2
    # Give up once the last attempt has failed
    if [ "$i" -ge "$RETRY_MAX" ]; then
      echo "Database is not up"
      exit 1
    fi
  done
}
So the argument to curl in ..."@/config/${1}"... is actually a json file that contains what I want to send as the body.
Hope this helps,
Tyler
So I must be missing something here:
local[~/tmp/service_now] $ curl -k -u admin:password -H "Content-Type: application/json" -X POST -d @users.json https://splunk:8089/services/authentication/users
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Cannot perform action "POST" without a target name to act on.</msg>
</messages>
</response>
local[~/tmp/service_now] $ curl -k -u admin:jonesville -H "Content-Type: application/json" -X POST -d @users.json https://splunk:8089/services/authentication/users
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Cannot perform action "POST" without a target name to act on.</msg>
</messages>
</response>
local[~/tmp/service_now] $ cat users.json
{ "name": "brent", "roles": ["admin"], "password": "cvftrsdsalle" }
This is not working.
Tyler,
Thank you for the response. I will do some testing and let you know. Thanks!
Trying to do the exact same thing right now, you are using the uri module?
I can run API commands that don't take any input no problem, but I am having trouble passing the body...
My playbook is as follows:
---
- hosts: splunk
  tasks:
    - uri:
        url: https://localhost:8089/services/authentication/users
        follow_redirects: all
        method: POST
        return_content: yes
        timeout: 5
        status_code: 400,404,500,-1
        body_format: json
        body: "{{ lookup('file','user.json') }}"
        user: admin
        validate_certs: no
        password: NotMyPassword
      register: X
    - debug: msg="{{ X.status }}"
With supporting users file being:
{ "user": "brent", "password": "nowayposted", "roles": [ "admin","user" ] }
When I run it I get the following:
local[~/git/splunk-build] $ ansible-playbook -i "splunk," -u root post.yml
PLAY [splunk] ***************************************************************************************************************************************************************************************************************************************
TASK [Gathering Facts] ******************************************************************************************************************************************************************************************************************************
ok: [splunk]
TASK [uri] ******************************************************************************************************************************************************************************************************************************************
ok: [splunk]
TASK [debug] ****************************************************************************************************************************************************************************************************************************************
ok: [splunk] => {
"msg": {
"cache_control": "no-store, no-cache, must-revalidate, max-age=0",
"changed": false,
"connection": "Close",
"content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<response>\n <messages>\n <msg type=\"ERROR\">Cannot perform action \"POST\" without a target name to act on.</msg>\n </messages>\n</response>\n",
"content_length": "179",
"content_type": "text/xml; charset=UTF-8",
"date": "Sat, 21 Apr 2018 00:02:22 GMT",
"expires": "Thu, 26 Oct 1978 00:00:00 GMT",
"failed": false,
"msg": "HTTP Error 400: Bad Request",
"redirected": false,
"server": "Splunkd",
"status": 400,
"url": "https://localhost:8089/services/authentication/users",
"vary": "Cookie, Authorization",
"x_content_type_options": "nosniff",
"x_frame_options": "SAMEORIGIN"
}
}
PLAY RECAP ******************************************************************************************************************************************************************************************************************************************
splunk : ok=3 changed=0 unreachable=0 failed=0
I also approached it by going to the REST API directly and it does not seem to accept JSON as body input. So until I can get that to work I doubt Ansible will be able to do this.
There is a whole other way to just use the command ansible module and call curl... Not for the purist though but it works like a charm.
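Putting the thread's pieces together, as an added example that is not code from any of the posters: the playbook below loads the JSON file on the controller and hands each record to `uri` as a form-urlencoded body, so a list-valued `roles` goes out as one `roles` parameter per entry and `name` arrives as a form field. The file name `users.json`, the variables `splunk_mgmt_url`, `splunk_admin_user` and `splunk_admin_password`, and the requirement that record keys are already Splunk parameter names (`name`, `password`, `roles`, `email`) are assumptions of this example.

```yaml
---
# Added example. users.json (constructed sample) is a list of records whose
# keys are Splunk parameter names, e.g.
# [ { "name": "brent", "password": "<placeholder>", "roles": ["admin", "user"] } ]
- hosts: splunk
  gather_facts: no
  vars:
    splunk_mgmt_url: https://localhost:8089   # assumed management URL
    # Read and parsed on the controller; admin credentials belong in Ansible Vault.
    splunk_users: "{{ lookup('file', 'users.json') | from_json }}"
  tasks:
    - name: Look up each user so existing accounts are left alone
      uri:
        url: "{{ splunk_mgmt_url }}/services/authentication/users/{{ item.name | urlencode }}"
        method: GET
        user: "{{ splunk_admin_user }}"
        password: "{{ splunk_admin_password }}"
        force_basic_auth: yes
        status_code: [200, 404]
      loop: "{{ splunk_users }}"
      loop_control:
        label: "{{ item.name }}"
      register: existing
      no_log: true          # keep passwords in the loop items out of the logs

    - name: Create missing users with a form-urlencoded body
      uri:
        url: "{{ splunk_mgmt_url }}/services/authentication/users"
        method: POST
        user: "{{ splunk_admin_user }}"
        password: "{{ splunk_admin_password }}"
        force_basic_auth: yes
        body_format: form-urlencoded
        # The whole record is the body; uri percent-encodes every value and
        # sends a list such as roles as repeated roles=... parameters.
        body: "{{ item.item }}"
        status_code: [200, 201]
      loop: "{{ existing.results }}"
      loop_control:
        label: "{{ item.item.name }}"
      when: item.status == 404
      no_log: true
```

Certificate validation is left at the `uri` default (on), unlike the `validate_certs: no` and `curl -k` calls in the thread, so the management port's certificate has to be trusted by the target host.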
