Admin Down! Restarting Splunk does not reload Authorize.conf after edit

Path Finder

Hi,

I seem to have foobar'd my Admin account, resulting in the majority of the admin privileges not working through the UI:

AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/admin/launcher/data/modular-inputs?count=-1

I have edited the \local\authorize to match that of the \default config and restarted Splunk via CLI, but this has not restored my previous admin privileges.

C:\Program Files\Splunk\etc\system\local\authorize.conf as follows to reset:

(a cut and copy from \default\authorize.conf)

[role_admin]
accelerate_datamodel = enabled
admin_all_objects = enabled
change_authentication = enabled
edit_deployment_client = enabled
list_deployment_client = enabled
edit_deployment_server = enabled
list_deployment_server = enabled
edit_dist_peer = enabled
edit_forwarders = enabled
edit_httpauths = enabled
edit_input_defaults = enabled
edit_monitor = enabled
edit_roles = enabled
edit_scripted = enabled
edit_search_server = enabled
edit_server = enabled
edit_splunktcp = enabled
edit_splunktcp_ssl = enabled
edit_tcp = enabled
edit_udp = enabled
edit_user = enabled
edit_view_html = enabled
edit_web_settings = enabled
get_diag = enabled
indexes_edit = enabled
license_edit = enabled
license_tab = enabled
list_forwarders = enabled
list_httpauths = enabled
rest_apps_management = enabled
restart_splunkd = enabled
run_debug_commands = enabled


# This enables the windows specific capabilities for admin
edit_win_eventlogs = enabled
edit_win_wmiconf = enabled
edit_win_regmon = enabled
edit_win_admon = enabled
edit_win_perfmon = enabled
list_win_localavailablelogs = enabled
list_pdfserver = enabled
write_pdfserver = enabled

importRoles = power;user
srchIndexesAllowed = *;_*
srchIndexesDefault = main;os
srchFilter = *
srchTimeWin = 0
srchDiskQuota = 10000
srchJobsQuota = 50
rtSrchJobsQuota = 100
cumulativeSrchJobsQuota = 200
cumulativeRTSrchJobsQuota = 400

Re: Admin Down! Restarting Splunk does not reload Authorize.conf after edit

Path Finder

I deleted the /local/authorize.conf (after making a copy) and replaced the /default/authorize.conf with a fresh version. Seems I may have saved the wrong one, or the local was for some reason corrupt.

Restart and relax...

Re: Admin Down! Restarting Splunk does not reload Authorize.conf after edit

Path Finder

It seems if you edit the 'user' role, then inheritance also affects the 'admin' role.

I removed all the permissions from the user role, which then locked my admin role.
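
The inheritance effect described in the last reply, as an added example that is not part of the original thread and not Splunk's own code: a simplified model that layers a local authorize.conf over the default one and follows importRoles to list the capabilities a role loses. The stanzas are constructed samples, and the precedence rule (a local key overrides the same default key, and `disabled` removes the capability) is an assumption of this model.

```python
# Constructed sample stanzas for this added example (not from a real install).
DEFAULT = """[role_user]
search = enabled
list_inputs = enabled
[role_power]
schedule_search = enabled
importRoles = user
[role_admin]
admin_all_objects = enabled
importRoles = power;user
"""
# Constructed local override: capabilities stripped from the 'user' role only.
LOCAL = """[role_user]
search = disabled
list_inputs = disabled
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and not line.startswith("#") and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def merge_layers(default, local):
    """Assumed precedence: a key in local overrides the same key in default."""
    merged = {name: dict(keys) for name, keys in default.items()}
    for name, keys in local.items():
        merged.setdefault(name, {}).update(keys)
    return merged

def effective_caps(conf, role, seen=frozenset()):
    """Capabilities enabled on the role plus those of every imported role."""
    stanza = conf.get("role_" + role, {})
    caps = {k for k, v in stanza.items() if v == "enabled"}
    for parent in map(str.strip, stanza.get("importRoles", "").split(";")):
        if parent and parent not in seen:  # skip blanks and circular imports
            caps |= effective_caps(conf, parent, seen | {role})
    return caps

def lost_caps(role, default=DEFAULT, local=LOCAL):
    """Capabilities the role loses once local is layered over default."""
    base = parse_conf(default)
    after = merge_layers(base, parse_conf(local))
    return effective_caps(base, role) - effective_caps(after, role)
```

With these samples, `lost_caps("admin")` reports capabilities that admin never set itself but held through the imported user role. On a real instance, `splunk btool authorize list --debug` shows the merged settings and the file each line came from, which is the authoritative view to compare against.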