Security

How to restrict access to specific rows?

joerglang
Engager

I have an index with kubernetes logs.
Each log line has a field called namespace with following values

  • prod
  • dev
  • qa
  • test

I want to limit some users, that the can not access lines with value "prod" but each other lines.
How can we do that?

thanks
Jörg

TonyLeeVT
Builder

Hi Joerglang, Not sure if you saw this presentation, but this is what they are doing here in this .conf 2017 talk:  https://conf.splunk.com/files/2017/slides/splunking-with-multiple-personalities-extending-role-based...

It would be nice to see row-level security natively built in though.

0 Karma

Lucas_K
Motivator

Best practice. Separate you logs into different indexes. Apply normal restrictions at the indexing tier via srchIndexesAllowed in authorize.conf - https://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf

I'd suggest not using search filters for a non-metadata based field as they can be bypassed.

0 Karma

joerglang
Engager

Thanks for your feedback.

The problem is, that it is one single log, which has the content with , let me call it, different contextes.

what we are looking for is something like "row level security".

There is s feature for the "splunk connctors for kubernetes" to route logs namespace specific but there is a "topic" on naming convention.

Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...