I'm trying to automate the creation of an App using either the Remote CLI or the REST API. This involves creating an Index, App, Role and User and tying them all together (the user in the Role, the default App for the Role is the new App and the Role's default Index is the created Index). The one thing it seems I can't do is set the Permissions on the App so only the users in that Role can access it. The only way to do this is to edit a config file but I'd like to be able to do this via the Remote CLI or REST API. Is this possible?
This is possible, and every EAI endpoint has a sub /acl endpoint on which to POST. You should find some good information in the 'Object Sharing and ACL presentation/mutations' section below. If it's still not clear to you how to do it after going through that info, please reply and let us know exactly what you're running and what kind of result you're getting.
Object Sharing and ACL presentation/mutations
All endpoints that list user objects should support object sharing and access control list (ACL) presentation and mutation.
ACL Presentation
An ACL consists of the following fields:
modifiable
Required. A boolean flag indicating whether the ACL is modifiable or not.
owner
Required. Username of the owner of this object. If an object is not owned by a user, this should be set to 'nobody'.
perms
Required. A dictionary that maps action to a list of roles which can perform that action
sharing
The level at which this object is shared, can be one of: system, app, user, global
Example:
<s:key name="acl">
  <s:dict>
    <s:key name="modifiable">false</s:key>
    <s:key name="owner">admin</s:key>
    <s:key name="sharing">user</s:key>
    <s:key name="perms">
      <s:dict>
        <s:key name="read"><s:list><s:item>admin</s:item></s:list></s:key>
        <s:key name="write"><s:list><s:item>admin</s:item></s:list></s:key>
      </s:dict>
    </s:key>
  </s:dict>
</s:key>
ACL Modification
A request to modify the ACL of an object should POST on the 'acl' custom action of an object (url: ...endpoint/entity-name/acl). The entire ACL should be provided rather than a diff. The following parameters should be provided:
perms.<action>
A comma delimited list of roles which can perform the given action
owner
The username of the new owner of the object
sharing
The level at which this object is shared, can be one of: system, app, user, global
The curl call that changes an app permission looks like:
curl -s -k -u admin:<ADMIN_PASSWORD> --request POST "https://localhost:8089/services/apps/local/<APP_NAME>/acl" -d sharing=global -d owner=nobody
The required sharing parameter indicates how the resource is shared.
The details are available here: REST API doc
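Because the entire ACL has to be sent rather than a diff, restricting an app to one role is a read-modify-write: read the current "acl" key, change only the read list, and post every field back. The following is an added example, not code from the original answer or from Splunk; the role name myapp_role, the sample XML and the namespace URI for the s: prefix are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Assumption: namespace URI bound to the s: prefix in Splunk REST responses.
NS = {"s": "http://dev.splunk.com/ns/rest"}

# Constructed sample in the shape of the answer's example (not captured output).
SAMPLE_ACL = """<s:key name="acl" xmlns:s="http://dev.splunk.com/ns/rest">
<s:dict>
  <s:key name="modifiable">true</s:key>
  <s:key name="owner">admin</s:key>
  <s:key name="sharing">app</s:key>
  <s:key name="perms"><s:dict>
    <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
    <s:key name="write"><s:list><s:item>admin</s:item><s:item>power</s:item></s:list></s:key>
  </s:dict></s:key>
</s:dict>
</s:key>"""


def parse_acl(xml_text):
    """Turn the <s:key name="acl"> element into a plain dict."""
    acl = {}
    for key in ET.fromstring(xml_text).findall("s:dict/s:key", NS):
        if key.get("name") == "perms":
            acl["perms"] = {
                action.get("name"): [i.text for i in action.findall("s:list/s:item", NS)]
                for action in key.findall("s:dict/s:key", NS)
            }
        else:
            acl[key.get("name")] = (key.text or "").strip()
    return acl


def restrict_read_to(acl, role):
    """Build the complete parameter set for POST .../acl with read limited to role."""
    if acl.get("modifiable") != "true":
        raise ValueError("ACL is marked as not modifiable")
    perms = dict(acl.get("perms", {}))
    perms["read"] = [role]  # every other action keeps its current roles
    params = {"owner": acl["owner"], "sharing": acl["sharing"]}
    for action in sorted(perms):
        params["perms." + action] = ",".join(perms[action])
    return params


def acl_post_body(xml_text, role):
    """Form-encoded body to send to the object's /acl endpoint."""
    return urlencode(restrict_read_to(parse_acl(xml_text), role))
```

The string returned by acl_post_body is what goes in the POST data of the curl call above, in place of the individual -d arguments.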
I've reviewed the information at the /services URI and can add the App but it's not clear from the API how to edit the permissions. Accessing /services/apps/local/myapp shows the "perms" element as well as the "read" and "write" sub elements as does /services/apps/local/myapp/acl but it's not clear how to format my POST to modify those values. I've tried "read=admin" but it didn't recognize "read" as a valid element.
This is theoretically possible, but a lot of work. All functions in the Splunk UI and most in the CLI call the REST API, so anything that can be done can be done directly with REST calls.
However, the API is currently unpublished and unsupported for admin operations, as of 4.1.5. (It is supported and documented right now for running and getting results and status of searches.) It is expected that eventually it will be supported, but I don't have a timeline.
In the meantime, you can look at the REST API by going to https://localhost:8089/services and https://localhost:8089/servicesNS/ (or whatever your Splunkd URL is) in Firefox/Chrome/Safari (it works in IE, but it doesn't apply the stylesheet and therefore isn't as readable or clickable), logging in with a Splunk admin account, and exploring some of the API calls.
That link is broken and Googling "Object Sharing and ACL presentation/mutations" didn't provide any useful results.
That's an internal Splunk URL I believe.