How to get PDF server to work with SSO?

hochit
Path Finder

I have a problem with PDF generation by Splunk.

I received the scheduled saved email like this, which was supposed to have a PDF attached.

An error occurred while generating a PDF of this report: Failed to contact appserver at http://$HOSTNAME:8000/en-US/report/: HTTP Error 401: Authorization Required

And I didn't see any PDF error in python.log. So my guess is that it's because my Splunk is running in SSO. When it tried to create a PDF it would use loopback to my SSO Apache (port 8000) without any user.

A hint is I got this from my Apache access.log:

144.14.22.134 - - [04/Mar/2011:01:50:36 -0500] "GET /en-US/report/ HTTP/1.1" 401 401 -

Can I change the loopback port?

3 Solutions

gareth
Splunk Employee

There's a couple of issues here. First there's a bug that causes the PDF app not to authenticate correctly with SSO unless you're running Splunk version 4.1.7 or later.

Secondly, Splunk currently uses the "Link hostname" field in Manager -> System Settings -> Email Alert Settings to determine which hostname to connect to in order to generate the report to render. It needs to bypass the authentication checks your Apache server is making, as it has no way of knowing what credentials it expects. Setting the link hostname to the explicit hostname:port or IP address of the search head will accomplish that; otherwise you can add a rule to your Apache configuration to allow connections from the PDF server IP address to be forwarded directly to the search head.


hochit
Path Finder

So I think I need to upgrade to 4.1.7 first. I found this in the release notes:

SSO and PDF debug page in Splunk causes server to be unresponsive during pdf creation. (SPL-35962)

And probably my guess is wrong. I turned the debug on and found this.

2011-03-04 04:20:14,504 DEBUG pdfhandler:491 - FF stderr: LoadPlugin: failed to initialize shared library /d/d1/splunk/etc/apps/pdfserver/bin/firefox-x86_64/plugins/libflashplayer.so [/lib64/tls/libc.so.6: version `GLIBC_2.4' not found (required by /d/d1/splunk/etc/apps/pdfserver/bin/firefox-x86_64/plugins/libflashplayer.so)]

2011-03-04 04:20:14,504 DEBUG FF stderr: LoadPlugin: failed to initialize shared library /d/d1/splunk/etc/apps/pdfserver/bin/firefox-x86_64/plugins/libflashplayer.so [/lib64/tls/libc.so.6: version `GLIBC_2.4' not found (required by /d/d1/splunk/etc/apps/pdfserver/bin/firefox-x86_64/plugins/libflashplayer.so)]

Anyone know how to fix the C lib error?


0 Karma

hochit
Path Finder

I found a good way to make an older glibc version possible is to enable this in pdf_server.conf:

force_platform = i386


0 Karma

hochit
Path Finder

So it sounds like no hope and a dead end...
My server is 64bit running glibc2.3. I don't think it has much chance to replace

0 Karma

gareth
Splunk Employee

The SPL is indeed the issue I was referring to; that addresses the authentication issue when the PDF app is communicating directly with an SSO-enabled search head.

The library error you're seeing implies that you're running an older 64-bit Linux distribution that has glibc 2.3 or earlier. The 64-bit version of Flash requires glibc 2.4 or later. Your options are to either upgrade to glibc 2.4 if your distribution provides it, use an alternate, more up-to-date machine, or possibly install 32-bit compatibility libraries (Flash for 32-bit works with older versions of glibc).

0 Karma

hochit
Path Finder

I found the problem happened again after upgrading to 4.2/4.2.1. As I remember, it should work in 4.1.7. But now when accessing /en-US/report, it returns 405 (method not allowed).

Just see if you know anything about this.

0 Karma

gareth
Splunk Employee

Right - we are intending to add an extra field to address this issue in a future release. In the interim you can point it at Apache and configure Apache to pass through requests from the Splunk IP address to Splunk without requiring authentication - Splunk 4.1.7 should work correctly with that setup.

0 Karma
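The Apache pass-through rule suggested in gareth's replies could look like the following. This is an added example, not configuration from the thread or from Splunk; it assumes Apache 2.4 syntax, Basic auth standing in for the site's real SSO module, splunkweb listening on 127.0.0.1:8001, and 192.0.2.10 as a placeholder for the PDF server address.

```apache
# Added example; every address, port and file path here is a placeholder.
<VirtualHost *:8000>
    # Forward everything to splunkweb (assumed to listen on 127.0.0.1:8001).
    ProxyPass        / http://127.0.0.1:8001/
    ProxyPassReverse / http://127.0.0.1:8001/

    # Default: every request must authenticate at the proxy.
    <Location "/">
        AuthType Basic
        AuthName "Splunk SSO"
        AuthUserFile "/etc/httpd/splunk.htpasswd"
        Require valid-user
    </Location>

    # Exception: keep it as narrow as possible. Only the report endpoint
    # that the PDF server fetches, and only from the PDF server's address.
    # Everyone else hitting this path still has to authenticate.
    <Location "/en-US/report">
        <RequireAny>
            # Matched against the client address as Apache sees it. If
            # mod_remoteip is enabled that address can come from a request
            # header, so restrict its trusted proxies accordingly.
            Require ip 192.0.2.10
            Require valid-user
        </RequireAny>
    </Location>
</VirtualHost>
```

After reloading, a request to /en-US/report/ from any other address should still return 401 in access.log, while the PDF server's request should be proxied through.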

hochit
Path Finder

I feel it's strange that I should make a change in "Link hostname". I would think that's the external-facing address, which shows the correct link in the email, and right now that's pointing to the SSO Apache.

If the PDF server is making use of it, then it seems wrong.

Now I can make the PDF generation work by leaving "Link Hostname" blank. It can have the PDF attached in the email, but the direct link in the email is wrong now, since it's not pointing to Apache but to the Splunk port.

I would suggest another hostname:port for links in email alerts.

0 Karma