Security

Is it possible to set app permissions via the REST API?

Communicator

I'm trying to automate the creation of an App using either the Remote CLI or the REST API. This involves creating an Index, App, Role and User and tying them all together (the user in the Role, the default App for the Role is the new App and the Role's default Index is the created Index). The one thing it seems I can't do is set the Permissions on the App so only the users in that Role can access it. The only way to do this is to edit a config file but I'd like to be able to do this via the Remote CLI or REST API. Is this possible?

Tags (4)
1 Solution

Splunk Employee
Splunk Employee

This is possible and every EAI endpoint has a sub /acl endpoint on which to POST. You should find some good information in the 'Object Sharing and ACL presentation/mutations' section below, if it's still not clear to you how to do it after going through that info, please reply and let us know exactly what you're running and what kind of result you're getting.

Object Sharing and ACL presentation/mutations

All endpoints that list user objects should support object sharing and access control list (ACL) presentation and mutation.

ACL Presentation

An ACL consists of the following fields:

modifiable
Required. A boolean flag indicating whether the ACL is modifiable or not.
owner
Required. Username of the owner of this object, if an object is not owned by a user should be set to 'nobody'
perms
Required. A dictionary that maps action to a list of roles which can perform that action sharing
The level at which this object is shared, can be one of: system, app, user, global

Example:

<s:key name="acl">
    <s:dict>
        <s:key name="modifiable">false</s:key>
        <s:key name="owner">admin</s:key>
        <s:key name="sharing">user</s:key>
        <s:key name="perms">
            <s:dict>
               <s:key name="read"><s:list><s:item>admin</s:item></s:list></s:key>
               <s:key name="write"><s:list><s:item>admin</s:item></s:list></s:key>
            </s:dict>
       </s:key>
     <s:dict/>
</s:key>

ACL Modification A request to modify the ACL of an object should POST on the 'acl' custom action of an object (url: ...endpoint/entity-name/acl). The entire ACL should be provided rather than a diff. The following parameters should be provided:

perms.<action>
A comma delimited list of roles which can perform the given action
owner
The username of the new owner of the object
sharing
The level at which this object is shared, can be one of: system, app, user, global

View solution in original post

Explorer

I've reviewed the information at the /services URI and can add the App but it's not clear from the API how to edit the permissions. Accessing /services/apps/local/myapp shows the "perms" element as well as the "read" and "write" sub elements as does /services/apps/local/myapp/acl but it's not clear how to format my POST to modify those values. I've tried "read=admin" but it didn't recognize "read" as a valid element.

0 Karma

Splunk Employee
Splunk Employee

This is theoretically possible, but a lot of work. All functions in the Splunk UI and most in the CLI call the REST API, so anything that can be done can be done directly with REST calls.

However, the API is currently unpublished and unsupported for admin operations, as of 4.1.5. (It is supported and documented right now for running and getting results and status of searches.) It is expected that eventually it will be supported, but I don't have a timeline.

In the meantime, you can look at the rest API by going to https://localhost:8089/services and https://localhost:8089/servicesNS/ (or whatever your Splunkd URL is) in Firefox/Chrome/Safari (it works in IE, but it doesn't apply the stylesheet and therefore isn't as readable or clickable), logging in with a Splunk admin account, and exploring some of the API calls.

0 Karma

Explorer

That link is broken and Googling "Object Sharing and ACL presentation/mutations" didn't provide any useful results.

Splunk Employee
Splunk Employee

That's an internal Splunk URL I believe.

0 Karma

Splunk Employee
Splunk Employee

This is possible and every EAI endpoint has a sub /acl endpoint on which to POST. You should find some good information in the 'Object Sharing and ACL presentation/mutations' section below, if it's still not clear to you how to do it after going through that info, please reply and let us know exactly what you're running and what kind of result you're getting.

Object Sharing and ACL presentation/mutations

All endpoints that list user objects should support object sharing and access control list (ACL) presentation and mutation.

ACL Presentation

An ACL consists of the following fields:

modifiable
Required. A boolean flag indicating whether the ACL is modifiable or not.
owner
Required. Username of the owner of this object, if an object is not owned by a user should be set to 'nobody'
perms
Required. A dictionary that maps action to a list of roles which can perform that action sharing
The level at which this object is shared, can be one of: system, app, user, global

Example:

<s:key name="acl">
    <s:dict>
        <s:key name="modifiable">false</s:key>
        <s:key name="owner">admin</s:key>
        <s:key name="sharing">user</s:key>
        <s:key name="perms">
            <s:dict>
               <s:key name="read"><s:list><s:item>admin</s:item></s:list></s:key>
               <s:key name="write"><s:list><s:item>admin</s:item></s:list></s:key>
            </s:dict>
       </s:key>
     <s:dict/>
</s:key>

ACL Modification A request to modify the ACL of an object should POST on the 'acl' custom action of an object (url: ...endpoint/entity-name/acl). The entire ACL should be provided rather than a diff. The following parameters should be provided:

perms.<action>
A comma delimited list of roles which can perform the given action
owner
The username of the new owner of the object
sharing
The level at which this object is shared, can be one of: system, app, user, global

View solution in original post