Security

New "role" cannot be added to any users due to "is not grantable"; how to make roles "grantable"?

woodcock
Esteemed Legend

I am adding a new role to allow analysts to access the Monitoring Console. I believe that the minimum set of capabilities for this to be these:

[role_moncon_user]
# ==== Capabilities   ====
dispatch_rest_to_indexers = enabled
list_accelerate_search = enabled
list_app_certs = enabled
list_deployment_client = enabled
list_deployment_server = enabled
list_forwarders = enabled
list_health = enabled
list_httpauths = enabled
list_indexer_cluster = enabled
list_indexerdiscovery = enabled
list_inputs = enabled
list_introspection = enabled
list_metrics_catalog = enabled
list_pipeline_sets = enabled
list_search_head_clustering = enabled
list_search_scheduler = enabled
list_settings = enabled
list_storage_passwords = enabled
list_tokens_all = enabled
list_tokens_own = enabled
list_workload_pools = enabled
list_workload_rules = enabled
# ==== Index Values   ====
srchIndexesAllowed = *;_*

I added this to authorize.conf file in the client_all_search_base app and restarted Splunk; so far, so good. However when I try to assign this moncon_user role to anybody, after clicking Save it fails with Role=moncon_user is not grantable. I figured that I would be able to brute-force it in by manually adding it to a user in the $SPLUNK_HOME/etc/passwd file but all that did was cause splunk to disable that user completely (it doesn't even show in the GUI at all after that).

What is really happening and how can I get this to work?

Labels (1)
1 Solution

woodcock
Esteemed Legend

It turns out that I had this setting in authorize.conf in a base_config app for search heads:

[role_admin]
grantableRoles = admin

I am not sure how it got there or what it was supposed to accomplish but when I removed this, my new role became grantable to every user and role.

View solution in original post

woodcock
Esteemed Legend

It turns out that I had this setting in authorize.conf in a base_config app for search heads:

[role_admin]
grantableRoles = admin

I am not sure how it got there or what it was supposed to accomplish but when I removed this, my new role became grantable to every user and role.

gcusello
SplunkTrust
SplunkTrust

Hi @woodcock,

how can I apply your solution to a Search Head Cluster?

Ciao.

Giuseppe

splunkreal
Motivator

Hi @gcusello  did you get answer from @woodcock regarding applying on all etc/system/local/authorize.conf search head nodes (preferably from GUI if possible) ?

Thanks.

 

* If this helps, please upvote or accept solution if it solved *

amankhan1
Path Finder

Thanks @woodcock this solved my problem 

0 Karma

manjunathmeti
Champion

In authorize.conf check if setting grantableRoles is set to the role of the user you logged in to add new user.

If you are using admin and admin role is edited then grantableRoles is set to admin for admin role. You can remove this or add new role to grantableRoles.

[role_admin]
grantableRoles = admin

sumanssah
Communicator

To add and edit roles/capabilities I assume authorize.conf would be the correct file.

Please refer this Splunk doc
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Addandeditroleswithauthorizeconf

As per document

After you make changes to authentication.conf, you must refresh the authentication scheme to have the changes take effect. You can do this with either Splunk Web or the CLI. Refreshing the authentication scheme does not log users off of the system.

Refresh the authentication scheme using Splunk Web
From the system bar, click Settings > Authentication Methods.

Use the CLI command ./splunk reload auth:
./splunk reload auth

0 Karma

woodcock
Esteemed Legend

No, no, no. I have restarted Splunk to no effect. That us not the problem. I am way beyond what is mentioned in this answer.

anmolpatel
Builder

I added the above capabilities to a new authorize.conf file and then created a new user assigning the moncon_user role. I had no issues.

I'm using Splunk 7.3.4

0 Karma
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...