Using Ansible uri module to add users to splunk via REST API

brent_weaver
Builder

So I want to enlist Ansible to help me manage Splunk users across 100's of Splunk servers around the world. I know how to add a Splunk user via REST, that's easy, but how could I load a user from a JSON structure with all the necessary elements in it: username, password, roles, email etc.? I believe that roles need to be a dictionary and not a string variable, am I incorrect on this?

Any advice is much appreciated!

0 Karma

noysherer
Explorer

I had the same problem and this worked for me:

    - name: Create a hec token
      uri:
        url: https://localhost:8089/servicesNS/nobody/your_app/data/inputs/http?output_mode=json
        user: admin
        password: your_password
        method: POST
        body_format: form-urlencoded
        body:
          - [ name, token_name ]
          - [ index, your_index ]
          - [ sourcetype, your_sourcetype ]

0 Karma

farside41
Explorer

So I was trying to do this for automating the creation of an LDAP strategy and LDAP Groups.

My solution to their REST API not supporting a JSON body was to put all the settings into a dict and then use this task to convert the JSON to a format the REST API will understand:

    - name: Build body variable for creating LDAP Strategy
      set_fact:
        ldap_strategy_body: "{{ldap_strategy_body|default('')}}{{ldap_setting.value.setting_name}}={{ldap_strategy.ldap_strategy_settings[ldap_setting.key]|default(ldap_setting.value.setting_value)}}&"
      with_dict: "{{default_ldap_settings}}"
      loop_control:
        loop_var: ldap_setting
        label: "Setting {{ldap_setting.key}}"

0 Karma

tmuth_splunk
Splunk Employee

You might need to send the body as a file. I did this for DBX using the following (bash function):

function create_input {
  # POST the JSON file /config/$1 as the request body, retrying up to RETRY_MAX times.
  for i in $(seq 1 "${RETRY_MAX}"); do
    response=$(curl -k -u "${SPLUNK_USERNAME}:${SPLUNK_PASS}" -H "Content-Type: application/json" -X POST -d "@/config/${1}" "https://${SPLUNK_HOST}/servicesNS/nobody/splunk_app_db_connect/db_connect/dbxproxy/inputs" | grep -o "There was an error")
    if [ "$response" != 'There was an error' ]; then
      echo "Database is up"
      break
    fi
    printf '.'
    sleep 2
    # Give up after the last attempt (-ge, because $i never exceeds RETRY_MAX inside this loop).
    if [ "$i" -ge "$RETRY_MAX" ]; then
      echo "Database is not up"
      exit 1
    fi
  done
}

So the argument to curl in ..."@/config/${1}"... is actually a json file that contains what I want to send as the body.

Hope this helps,
Tyler

0 Karma

brent_weaver
Builder

So I must be missing something here:

local[~/tmp/service_now] $ curl -k -u admin:password -H "Content-Type: application/json" -X POST -d @users.json https://splunk:8089/services/authentication/users 
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Cannot perform action "POST" without a target name to act on.</msg>
  </messages>
</response>
local[~/tmp/service_now] $ curl -k -u admin:jonesville -H "Content-Type: application/json" -X POST -d @users.json https://splunk:8089/services/authentication/users 
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Cannot perform action "POST" without a target name to act on.</msg>
  </messages>
</response>
local[~/tmp/service_now] $ cat users.json 
{ "name": "brent", "roles": ["admin"], "password": "cvftrsdsalle" }

This is not working.

0 Karma

brent_weaver
Builder

Tyler,

Thank you for the response. I will do some testing and let you know. Thanks!

0 Karma

farside41
Explorer

Trying to do the exact same thing right now, you are using the uri module?

I can run API commands that don't take any input no problem, but I am having trouble passing the body...

0 Karma

brent_weaver
Builder

My playbook is as follows:

---
    - hosts: splunk
      tasks:
        - uri:
            url: https://localhost:8089/services/authentication/users
            follow_redirects: all
            method: POST
            return_content: yes
            timeout: 5
            status_code: 400,404,500,-1
            body_format: json
            body: "{{ lookup('file','user.json') }}"
            user: admin
            validate_certs: no
            password: NotMyPassword
          register: X

        - debug: msg="{{ X.status }}"

With supporting users file being:

{ "user": "brent", "password": "nowayposted", "roles": [ "admin","user" ] }

When I run it I get the following:

local[~/git/splunk-build] $ ansible-playbook -i "splunk," -u root post.yml

PLAY [splunk] ***************************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ******************************************************************************************************************************************************************************************************************************
ok: [splunk]

TASK [uri] ******************************************************************************************************************************************************************************************************************************************
ok: [splunk]

TASK [debug] ****************************************************************************************************************************************************************************************************************************************
ok: [splunk] => {
    "msg": {
        "cache_control": "no-store, no-cache, must-revalidate, max-age=0",
        "changed": false,
        "connection": "Close",
        "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<response>\n  <messages>\n    <msg type=\"ERROR\">Cannot perform action \"POST\" without a target name to act on.</msg>\n  </messages>\n</response>\n",
        "content_length": "179",
        "content_type": "text/xml; charset=UTF-8",
        "date": "Sat, 21 Apr 2018 00:02:22 GMT",
        "expires": "Thu, 26 Oct 1978 00:00:00 GMT",
        "failed": false,
        "msg": "HTTP Error 400: Bad Request",
        "redirected": false,
        "server": "Splunkd",
        "status": 400,
        "url": "https://localhost:8089/services/authentication/users",
        "vary": "Cookie, Authorization",
        "x_content_type_options": "nosniff",
        "x_frame_options": "SAMEORIGIN"
    }
}

PLAY RECAP ******************************************************************************************************************************************************************************************************************************************
splunk                     : ok=3    changed=0    unreachable=0    failed=0

I also approached it by going to the REST API directly and it does not seem to accept JSON as body input. So until I can get that to work I doubt Ansible will be able to do this.

There is a whole other way to just use the command ansible module and call curl... Not for the purist though but it works like a charm.

0 Karma
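
Added example, not written by any poster in this thread: the endpoint rejects a JSON body but the form-urlencoded task earlier in the thread works, so this sketch of an Ansible filter plugin turns a parsed user record into a form-urlencoded string, emitting `roles` once per role and URL-encoding every value instead of joining strings with `&` by hand. The plugin file name, the filter name `splunk_form_body`, the required-field list and the sample record are assumptions made for illustration.

```python
"""filter_plugins/splunk_form.py: hypothetical Ansible filter plugin (added example)."""
from urllib.parse import urlencode

# Assumption: a user record must carry these keys before it is sent.
REQUIRED = ("name", "password", "roles")


def splunk_form_body(record):
    """Turn a user dict (e.g. parsed from user.json) into a form-encoded body."""
    if not isinstance(record, dict):
        raise TypeError("expected a dict; parse the JSON file first (from_json)")
    missing = [key for key in REQUIRED if not record.get(key)]
    if missing:
        # A record keyed "user" instead of "name" is rejected here, before any request.
        raise ValueError("missing required field(s): " + ", ".join(missing))
    pairs = []
    for key, value in record.items():
        # A list such as roles becomes one key=value pair per element.
        values = value if isinstance(value, (list, tuple)) else [value]
        for item in values:
            if item is not None:
                pairs.append((str(key), str(item)))
    # urlencode() percent-encodes &, = and other reserved characters in values,
    # so a password containing them cannot split or inject parameters.
    return urlencode(pairs)


class FilterModule(object):
    """Ansible discovers filters through this class name and method."""

    def filters(self):
        return {"splunk_form_body": splunk_form_body}


# Constructed sample record, not taken from the thread.
SAMPLE = {
    "name": "brent",
    "password": "p&ss=w0rd!",
    "roles": ["admin", "user"],
    "email": "brent@example.com",
}

if __name__ == "__main__":
    print(splunk_form_body(SAMPLE))
```

In a playbook the filter would be applied as `body: "{{ lookup('file','user.json') | from_json | splunk_form_body }}"` together with `body_format: form-urlencoded`; adding `no_log: true` to the task keeps the password out of Ansible's output.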