Security
Highlighted

Admin can't see users with a certain role and we can't take out the "grantableRoles = admin" option

Explorer

Hi, all the splunk gurus out there.

Recently we added a new role and we couldn't see the users with the role when logged in as admin.

So we took out "grantableRoles = admin" option on "/etc/sysyem/local/authorize.conf"

It seemed it should work but splunk just restore the option as we save admin role on the web.

What are we missing? please help us.

We have 3 SH with clustering and the version of splunk is 7.2.4.

Thanks!

Highlighted

Re: Admin can't see users with a certain role and we can't take out the "grantableRoles = admin" option

SplunkTrust
SplunkTrust

HI,

I am assuming that you modified /etc/sysyem/local/authorize.conf directly on command line and removed grantableRoles = admin option from admin role, after that have you restarted splunk ? And then you modified admin role from Splunk Web after splunk restart ?

Additionally are you running any centralized config management tool like Puppet, Chef to maintain this config file ? If yes in that case those tools are overriding your configuration.

0 Karma
Highlighted

Re: Admin can't see users with a certain role and we can't take out the "grantableRoles = admin" option

Explorer

As i save admin role on web, the grantableRoles option comes back. And we don't use any config managing tools.

0 Karma
Highlighted

Re: Admin can't see users with a certain role and we can't take out the "grantableRoles = admin" option

Splunk Employee
Splunk Employee

Hi @yangban,

I can see that your issue is somewhat similar to the following Splunk Answer.

https://answers.splunk.com/answers/718467/cannot-view-users-with-can-delete-role.html

We have realized that the roles implementation/feature mechanism needs to be improved/fixed to prevent this issue and have raised SPL-164129 and SPL-155548 bugs.

In the bugs, we have identified that when a setting is modified/updated in the admin role it will add "grantableRoles = admin" in authorize.conf. This can cause the UI to not display some users vs others. This is because of a conflicting capability/capabilities between roles.

In your scenario, perhaps one of your users might have a capability enabled which the "admin" role did not. Hence, due to the conflicting capability, users with admin or other roles which do not have this capability, they will not be bale to see the user in the UI. More information about how grantableRoles work is explained below for your reference.

http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Authorizeconf#.5Brole_.3CroleName.3E.5D

NOTE: A role that has been assigned 'grantableRoles' can list only the users whose capabilities are a subset of all capabilities of the roles assigned to 'grantableRoles'.

Example: Consider a Splunk instance where role1-4 are assigned the following capabilities: role1: c1, c2, c3 role2: c4, c5, c6 role3: c1, c6 role4: c4, c8 Users user1-4 are assigned the following roles: user1: role1 user2: role2 user3: role3 user4: role4

You can also use the following search on any SH to view the capabilities of each role:

| rest /services/authorization/roles splunk_server=local | search title=admin OR title=<role_name> OR title=<role_name> | table title capabilities imported_srchFilter srchTimeWin imported_roles imported_capabilities srchIndexesAllowed srchIndexesDefault

To restore your admin capability to view those users again with certain roles, you can implement one of the following workarounds.

  1. Remove grantableRoles = admin option from admin role from authorize.conf. Though this will need to be done every time capabilities are modified in the admin role.
  2. Alternatively, you can add the other user role as a 'grantableRoles' to "admin". However, any future roles that has conflicting capabilities, you will have to add it to grantableRoles as well.
  3. Lastly, add any capabilities that the other user roles have to the "admin" role. This is probably the most simplest workaround, where you would want the admin role to have all capabilities ideally.

View solution in original post

Highlighted

Re: Admin can't see users with a certain role and we can't take out the "grantableRoles = admin" option

Explorer

Thank you for your kind reply. Though, i really hope maybe next patch or coming up version would cover this issue.

0 Karma
Highlighted

Re: Admin can't see users with a certain role and we can't take out the "grantableRoles = admin" option

Splunk Employee
Splunk Employee

There is one other step missing from the above suggestions. You must modify the admin account by removing the capability editrolesgrantable from admin leaving only edit_roles. THEN remove grantableRoles from the authorize.conf file under the admin role and finally use the "Reload authentication configuration" button under Authentication method [obviates the need to restart Splunk].

Highlighted

Re: Admin can't see users with a certain role and we can't take out the "grantableRoles = admin" option

Explorer

I will double check that. Thank you!

0 Karma