Using Splunk Enterprise 6.4.1. I am attempting to use scripted authentication to apply search filters to my users. I can see that the script is being initiated and I can see calls being made to the getUsers and getUserInfo functions; however, I never see a call to the getSearchFilter function. When I do the search, I can tell that no filters are being applied. I just can't figure out why.
I created the authentication script. The getSearchFilter method of said script returns results like:
--status=success --search_filter=foo=1234 --search_filter=foo=3432 --search_filter=foo=8742
With the above searchFilter, I expect to only see results where foo=1234 OR foo=3432 OR foo=8742. But I am seeing many more values than that. I set my authentication.conf up like this:
[authentication]
authType = Scripted
authSettings = script
[script]
scriptPath = "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/share/splunk/authScriptSamples/abactest.py"
scriptSearchFilters = 1
[cacheTiming]
userLoginTTL = 10s
getUserInfoTTL = 1min
getUsersTTL = 2mins
I turned on debug for the AuthenticationManagerScripted, and see the following in the log file so I know the script is being run:
Initializing scripted auth with script path '"/opt/splunk/bin/python" "/opt/splunk/share/splunk/authScriptSamples/abactest.py"'
Scripted search filters: turned on
Calling script '"/opt/splunk/bin/python" "/opt/splunk/share/splunk/authScriptSamples/abactest.py"' getUsers' with arguments''
...
Found return key 'userInfo' with value 'lcarey;lcarey;l carey;admin:user'
What am I missing?
I figured out why the search filters are not being applied. It was because the user had a role of 'admin' and the 'admin' role overrides searchFilters applied to the user.
Other things I found while working on this:
Hi @lyndac - Did your answer above provide a solution to your question? If yes, don't forget to click "Accept" to close out your question. Thank you.
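Added example (not part of the original thread and not one of Splunk's sample scripts): a small offline check that parses scripted-auth return lines in the format quoted in the question and flags users whose roles include 'admin', the role the answer above found to override per-user search filters. The `--userInfo=` return form, the function names, and the user `jdoe` are assumptions made for illustration.

```python
import re

# Per the finding in this thread: the 'admin' role overrides per-user filters.
OVERRIDING_ROLES = {"admin"}

def parse_output(line):
    """Split a scripted-auth return line into {key: [values]}.
    Values may contain spaces and '=' (e.g. 'l carey', 'foo=1234')."""
    parsed = {}
    for token in re.split(r"\s+(?=--\w+=)", line.strip()):
        if not token.startswith("--") or "=" not in token:
            raise ValueError("unexpected token: %r" % token)
        key, _, value = token[2:].partition("=")
        parsed.setdefault(key, []).append(value)
    return parsed

def audit_user(user_info_line, search_filter_line):
    """Report whether the script's search filters can take effect for a user."""
    info = parse_output(user_info_line)
    filt = parse_output(search_filter_line)
    for name, out in (("getUserInfo", info), ("getSearchFilter", filt)):
        if out.get("status") != ["success"]:
            raise ValueError("%s did not return --status=success" % name)
    # Field layout as seen in the thread's debug log: id;name;real name;role:role
    user_id, username, real_name, roles = info["userInfo"][0].split(";")
    role_set = set(roles.split(":"))
    filters = filt.get("search_filter", [])
    overriding = sorted(role_set & OVERRIDING_ROLES)
    return {
        "username": username,
        "roles": sorted(role_set),
        # OR-combination is what the asker expects from multiple filters.
        "expected_filter": " OR ".join("(%s)" % f for f in filters),
        "filter_effective": bool(filters) and not overriding,
        "overridden_by": overriding,
    }

# Constructed sample return lines built from the values quoted in the thread.
FILTERS = "--status=success --search_filter=foo=1234 --search_filter=foo=3432 --search_filter=foo=8742"
ADMIN_USER = "--status=success --userInfo=lcarey;lcarey;l carey;admin:user"
PLAIN_USER = "--status=success --userInfo=jdoe;jdoe;j doe;user"  # hypothetical user

if __name__ == "__main__":
    for line in (ADMIN_USER, PLAIN_USER):
        print(audit_user(line, FILTERS))
```

Running a check like this over the script's output for each account shows which users would bypass the filters before anyone relies on them for access restriction.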
You're partially correct about role-based search filters not being applied to tstats searches. By default they are applied to tstats searches of ordinary indexed data. But they are not applied to tstats searches of accelerated data models and accelerated data model objects. There is a tstats setting that you can use in limits.conf to change this default.
This is discussed in the documentation of the tstats command:
http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Tstats#Selecting_data
Actually, user-based search filters are what I was talking about. The role-based ones work as advertised.
I am trying to use scripted authentication to apply a search filter per USER. In that instance, the search filter is NOT applied to a tstats search even on ordinary indexed data.
Ok. The same restriction applies to user-based search filters, unfortunately. The plain truth is that no search filters whatsoever can be applied to accelerated data models or their objects. I'll update the documentation to reflect this.
The fact that the filter isn't working for ordinary indexed data is puzzling, however, and I don't have any immediate suggestions to resolve it. If I do, I'll respond here.