I want to disable REST API access for a user. In other words, he/she should be able to log in to Splunk Web and run searches, whereas they should not have provision to run searches via API calls.
I tried disabling the below capability for the user in authorize.conf, but it does not block the user from accessing the REST API.
Is there any way we can configure this capability for the user?
Have you checked which roles are being applied to the user? If any one of the roles has those capabilities, they would automatically be inherited.
Yes. I have checked the capabilities. Disabling the search capability restricts the user from accessing the REST API, but that also blocks the UI search capability.
I am interested in blocking the REST API access alone.
I don't think this is possible because splunkweb UI uses the REST API itself. You could disable access to port 8089 on your search head for any host other than localhost (i.e., the search head itself), but that's an all-or-nothing approach.
From a security perspective, if a user has permission to search via the UI, he/she has permission to search from wherever.
If you want to elaborate on your use case, maybe there is another way to achieve what you need.
We have two sets of user profiles as per our Client's standard. One profile is for users to access the UI and run searches, create reports and dashboards, etc. The other profile is for application user accounts to access the Splunk REST API from a specific application to search for data.
However, we have a few UI users accessing the REST API programmatically and running hundreds of searches, which we want to restrict. Also, we want to allow only the application user accounts to access the REST API.
Hope I have provided enough details on what we are trying to do.
If the underlying issue is a user running hundreds of automated searches via API, then you might want to consider reassigning them to a new role that has a very low max concurrent search setting, until they demonstrate good citizenship.
Also, if they are obviously wasting resources, then check the searches that they ARE running, to make sure they aren't doing something silly like running a realtime search "for all time" and wondering why it never finishes, so they submit it again.
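Added example, not code from any poster in this thread: a Python sketch that counts search dispatches per user arriving at splunkd from hosts other than the search head itself, which is one way to see which UI users are calling the REST API directly. The access-log layout, the sample lines and the `svc_app` account are constructed assumptions, and it presumes, as the reply above implies, that Splunk Web reaches splunkd over localhost.

```python
import re
from collections import Counter

# Constructed sample lines in an Apache-style layout (client, user, timestamp,
# request, status). The real field layout of your splunkd access log is an
# assumption here; adjust LINE_RE to match what your instance writes.
SAMPLE_LOG = """\
127.0.0.1 - alice [10/Mar/2024:09:00:01.120 +0000] "POST /services/search/jobs HTTP/1.1" 201 112
10.20.30.41 - bob [10/Mar/2024:09:00:02.300 +0000] "POST /services/search/jobs HTTP/1.1" 201 112
10.20.30.41 - bob [10/Mar/2024:09:00:02.900 +0000] "POST /servicesNS/bob/search/search/jobs HTTP/1.1" 201 112
10.20.30.41 - bob [10/Mar/2024:09:00:03.100 +0000] "GET /services/search/jobs/1710061202.7/results HTTP/1.1" 200 5120
10.20.30.77 - svc_app [10/Mar/2024:09:00:04.000 +0000] "POST /services/search/jobs HTTP/1.1" 201 112
10.20.30.41 - bob [10/Mar/2024:09:00:05.000 +0000] "POST /services/search/jobs/export?output_mode=json HTTP/1.1" 200 900
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A POST to .../search/jobs or .../search/jobs/export starts a search.
DISPATCH_RE = re.compile(r"/search/(?:v2/)?jobs(?:/export)?$")

LOCAL_CLIENTS = {"127.0.0.1", "::1"}   # the search head talking to itself
ALLOWED_API_USERS = {"svc_app"}        # hypothetical application account


def direct_api_dispatches(log_text, allowed=ALLOWED_API_USERS):
    """Count searches started over the management port by non-allowed users
    from any client other than the search head itself."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # skip lines that do not parse
        if m["client"] in LOCAL_CLIENTS:
            continue                   # assumed to be Splunk Web traffic
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or not DISPATCH_RE.search(path):
            continue                   # not a search dispatch
        if m["user"] in allowed:
            continue                   # approved API account
        counts[m["user"]] += 1
    return counts


if __name__ == "__main__":
    for user, n in direct_api_dispatches(SAMPLE_LOG).most_common():
        print(f"{user}: {n} direct REST search dispatches")
```
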
Hi DalJeanis. I also need to disable REST API for some roles, leaving it open to some others.
My goal is to limit the first group to a specific set of dashboards (I've removed permission to the search dashboard) and prevent them from using the REST API to do ad-hoc searches. At the same time there are some other roles that should maintain the REST access.
Do you have some advice?