Hi, all the splunk gurus out there.
Recently we added a new role and we couldn't see the users with the role when logged in as admin.
So we took out the "grantableRoles = admin" option in "/etc/system/local/authorize.conf".
It seemed it should work, but Splunk just restores the option as we save the admin role on the web.
What are we missing? Please help us.
We have 3 SH with clustering and the version of splunk is 7.2.4.
I am assuming that you modified /etc/system/local/authorize.conf directly on the command line and removed the grantableRoles = admin option from the admin role. After that, have you restarted Splunk? And then you modified the admin role from Splunk Web after the Splunk restart?
Additionally, are you running any centralized config management tool like Puppet or Chef to maintain this config file? If yes, in that case those tools are overriding your configuration.
As I save the admin role on the web, the grantableRoles option comes back. And we don't use any config management tools.
I can see that your issue is somewhat similar to the following Splunk Answer.
We have realized that the roles implementation/feature mechanism needs to be improved/fixed to prevent this issue and have raised SPL-164129 and SPL-155548 bugs.
In the bugs, we have identified that when a setting is modified/updated in the admin role it will add "grantableRoles = admin" in authorize.conf. This can cause the UI to not display some users vs others. This is because of a conflicting capability/capabilities between roles.
In your scenario, perhaps one of your users might have a capability enabled which the "admin" role did not. Hence, due to the conflicting capability, users with admin or other roles which do not have this capability will not be able to see the user in the UI. More information about how grantableRoles works is explained below for your reference.
NOTE: A role that has been assigned 'grantableRoles' can list only the users whose capabilities are a subset of all capabilities of the roles assigned to 'grantableRoles'.
Example: Consider a Splunk instance where role1-4 are assigned the following capabilities:
role1: c1, c2, c3
role2: c4, c5, c6
role3: c1, c6
role4: c4, c8
Users user1-4 are assigned the following roles:
user1: role1
user2: role2
user3: role3
user4: role4
You can also use the following search on any SH to view the capabilities of each role:
| rest /services/authorization/roles splunk_server=local | search title=admin OR title=<role_name> OR title=<role_name> | table title capabilities imported_srchFilter srchTimeWin imported_roles imported_capabilities srchIndexesAllowed srchIndexesDefault
To restore your admin capability to view those users again with certain roles, you can implement one of the following workarounds.
Thank you for your kind reply. Though, I really hope maybe the next patch or an upcoming version will cover this issue.
There is one other step missing from the above suggestions. You must modify the admin account by removing the capability edit_roles_grantable from admin, leaving only edit_roles. THEN remove grantableRoles from the authorize.conf file under the admin role and finally use the "Reload authentication configuration" button under Authentication method [obviates the need to restart Splunk].
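The subset rule quoted in the NOTE earlier in this thread can be checked offline. The sketch below is an added example, not part of any post and not Splunk code: it applies that rule to the role1-4 data from the thread and reports which capability hides each user. The "auditor" role, its grantableRoles value, and the treatment of an unset grantableRoles as "no restriction" are assumptions, and inherited (imported) capabilities are not modelled.

```python
import configparser
# Constructed authorize.conf fragment: role1-4 as in the thread's example, with
# placeholder capabilities c1..c8. The "auditor" role is a hypothetical viewer.
SAMPLE_CONF = """
[role_role1]
c1 = enabled
c2 = enabled
c3 = enabled
[role_role2]
c4 = enabled
c5 = enabled
c6 = enabled
[role_role3]
c1 = enabled
c6 = enabled
[role_role4]
c4 = enabled
c8 = enabled
[role_auditor]
grantableRoles = role1;role2
"""
USERS = {"user1": ["role1"], "user2": ["role2"], "user3": ["role3"], "user4": ["role4"]}

def load_roles(text):
    """Return {role: {"caps": set, "grantable": list}} from [role_*] stanzas."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of keys such as grantableRoles
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            items = dict(cp[section])
            grantable = [r.strip() for r in items.pop("grantableRoles", "").split(";") if r.strip()]
            caps = {k for k, v in items.items() if v.strip() == "enabled"}
            roles[section[len("role_"):]] = {"caps": caps, "grantable": grantable}
    return roles

def hidden_users(viewer_role, roles, users):
    """Map each user the viewer cannot list to the capabilities that cause it."""
    grantable = roles[viewer_role]["grantable"]
    if not grantable:
        return {}  # assumption: no grantableRoles means no restriction
    allowed = set().union(*(roles[r]["caps"] for r in grantable))
    hidden = {}
    for user, user_roles in users.items():
        caps = set().union(*(roles[r]["caps"] for r in user_roles))
        if not caps <= allowed:  # subset rule from the NOTE
            hidden[user] = sorted(caps - allowed)
    return hidden
```

With grantableRoles = role1;role2, `hidden_users("auditor", load_roles(SAMPLE_CONF), USERS)` reports only user4, because c8 is in neither role1 nor role2.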