Security

How do I allow users to perform some admin command without giving them full admin rights?

Explorer

Hi,

We would like to give another team the possibility to run administrative commands such as:

  • show shcluster-status
  • resync shcluster-replicated-config
  • offline

But we don't want to give them a role "admin". Is it possible to do this? I was thinking about giving specific sudo right, but those commands require a login after you type them.

Maybe there is a way to keep the login alive for a infinite period of time? This way, they would be able to run the command with a "sudo -u splunk" command without having to login as a Splunk admin user.

Any idea ?

0 Karma

Ultra Champion

You can configure sudo to have the specific unix commands you delegate to the other team.

0 Karma

Contributor

You can write a Python script and create a custom search command on the search head. The script would run as admin and only give access to the custom search command to a specific set of user.

Or on the Linux box use setuid on a bash script that would run as root but can be exec. by non root user like the password command.

When set-user identification (setuid) permission is set on an executable file, a process that runs this file is granted access based on the owner of the file (usually root), rather than the user who is running the executable file. This special permission allows a user to access files and directories that are normally only available to the owner. For example, the setuid permission on the passwd command makes it possible for a user to change passwords, assuming the permissions of the root ID
0 Karma

Explorer

Oh that is a good idea but how can I store securely the admin password in this script? This a very sensitive topic...

0 Karma