Security

How to restrict access to specific rows?

joerglang
Engager

I have an index with kubernetes logs.
Each log line has a field called namespace with following values

  • prod
  • dev
  • qa
  • test

I want to limit some users, that the can not access lines with value "prod" but each other lines.
How can we do that?

thanks
Jörg

TonyLeeVT
Builder

Hi Joerglang, Not sure if you saw this presentation, but this is what they are doing here in this .conf 2017 talk:  https://conf.splunk.com/files/2017/slides/splunking-with-multiple-personalities-extending-role-based...

It would be nice to see row-level security natively built in though.

0 Karma

Lucas_K
Motivator

Best practice. Separate you logs into different indexes. Apply normal restrictions at the indexing tier via srchIndexesAllowed in authorize.conf - https://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf

I'd suggest not using search filters for a non-metadata based field as they can be bypassed.

0 Karma

joerglang
Engager

Thanks for your feedback.

The problem is, that it is one single log, which has the content with , let me call it, different contextes.

what we are looking for is something like "row level security".

There is s feature for the "splunk connctors for kubernetes" to route logs namespace specific but there is a "topic" on naming convention.

Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...