
How to disable REST API access for a user

Communicator

I want to disable REST API access for a user. In other words, he/she should be able to log in to Splunk Web and run searches, whereas they should not have provision to run searches via API calls.

I tried disabling the below capabilities for the user in authorize.conf, but it does not block the user from accessing the REST API:

rest_properties_get
rest_properties_set

Is there any way we can configure these capabilities for the user?

SplunkTrust

If the underlying issue is a user running hundreds of automated searches via API, then you might want to consider reassigning them to a new role that has a very low max concurrent search setting, until they demonstrate good citizenship.

Also, if they are obviously wasting resources, then check the searches that they ARE running, to make sure they aren't doing something silly like running a realtime search "for all time" and wondering why it never finishes, so they submit it again.

0 Karma

Explorer

Hi DalJeanis. I also need to disable the REST API for some roles, leaving it open to some others.

My goal is to limit the first group to a specific set of dashboards (I've removed permission to the search dashboard) and prevent them from using the REST API to do ad-hoc searches. At the same time there are some other roles that should maintain the REST access.

Do you have some advice?

0 Karma

Splunk Employee

I don't think this is possible because the splunkweb UI uses the REST API itself. You could disable access to port 8089 on your search head for any host other than localhost (i.e. the search head itself), but that's an all-or-nothing approach.
From a security perspective, if a user has permission to search via the UI, he/she has permission to search from wherever.
If you want to elaborate on your use case, maybe there is another way to achieve what you need.

Communicator

Hi ssievert,

We have two sets of user profiles as per our client's standard. One profile is for users to access the UI and run searches, create reports and dashboards, etc. The other profile is for application user accounts to access the Splunk REST API from a specific application to search for data.

However, we have a few UI users accessing the REST API programmatically and running hundreds of searches, which we want to restrict. Also, we want to allow only the application user accounts to access the REST API.

Hope I have provided enough details on what we are trying to do.

0 Karma

Path Finder

Hi
I want to disable rest api.
How to?

0 Karma

Influencer

Any latest suggestions/workarounds to achieve this? We have a similar use case where we don't want all the users connecting via REST.

0 Karma

Builder

Have you checked which roles are being applied to the user? If any one of the roles has those capabilities, they would automatically be inherited.

0 Karma
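
The inheritance check suggested in the reply above, as an added example that is not part of the thread or Splunk's own tooling: it parses authorize.conf text and reports which role grants each capability once importRoles is followed. The sample stanzas and role names are constructed, and only `= enabled` lines are treated as grants (an assumption).

```python
import configparser

# Constructed sample authorize.conf; role names are assumptions, not from the thread.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled
rest_properties_get = enabled
rest_properties_set = enabled

[role_dashboard_viewer]
importRoles = user
srchJobsQuota = 1
"""

def load_roles(conf_text):
    """Return {role: {"imports": [...], "caps": set()}} from authorize.conf text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep setting names case-sensitive (importRoles)
    parser.read_string(conf_text)
    roles = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue  # skip non-role stanzas
        items = dict(parser.items(section))
        imports = [r.strip() for r in items.get("importRoles", "").split(";") if r.strip()]
        caps = {k for k, v in items.items() if v.strip().lower() == "enabled"}
        roles[section[len("role_"):]] = {"imports": imports, "caps": caps}
    return roles

def effective_capabilities(roles, role, seen=None):
    """Map each capability to the role that grants it, following importRoles."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return {}  # unknown role or import cycle
    seen.add(role)
    granted = {}
    for parent in roles[role]["imports"]:
        granted.update(effective_capabilities(roles, parent, seen))
    for cap in roles[role]["caps"]:
        granted[cap] = role  # a direct grant overrides the inherited source
    return granted

def user_capabilities(roles, assigned):
    """Union of effective capabilities over every role assigned to one user."""
    merged = {}
    for role in assigned:
        merged.update(effective_capabilities(roles, role))
    return merged
```

In the sample, `dashboard_viewer` lists no capabilities of its own yet still ends up with `rest_properties_get` and `search` through the imported `user` role, which is the situation the reply asks about.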

Communicator

Yes. I have checked the capabilities. Disabling the search capability restricts the user from accessing the REST API, but that also blocks the UI search capability.

I am interested in blocking the REST API access alone.

0 Karma