I am adding a new role to allow analysts to access the Monitoring Console
. I believe that the minimum set of capabilities
for this to be these:
[role_moncon_user]
# ==== Capabilities ====
dispatch_rest_to_indexers = enabled
list_accelerate_search = enabled
list_app_certs = enabled
list_deployment_client = enabled
list_deployment_server = enabled
list_forwarders = enabled
list_health = enabled
list_httpauths = enabled
list_indexer_cluster = enabled
list_indexerdiscovery = enabled
list_inputs = enabled
list_introspection = enabled
list_metrics_catalog = enabled
list_pipeline_sets = enabled
list_search_head_clustering = enabled
list_search_scheduler = enabled
list_settings = enabled
list_storage_passwords = enabled
list_tokens_all = enabled
list_tokens_own = enabled
list_workload_pools = enabled
list_workload_rules = enabled
# ==== Index Values ====
srchIndexesAllowed = *;_*
I added this to authorize.conf
file in the client_all_search_base
app and restarted Splunk; so far, so good. However when I try to assign this moncon_user
role to anybody, after clicking Save
it fails with Role=moncon_user is not grantable
. I figured that I would be able to brute-force it in by manually adding it to a user in the $SPLUNK_HOME/etc/passwd
file but all that did was cause splunk to disable that user completely (it doesn't even show in the GUI at all after that).
What is really happening and how can I get this to work?
It turns out that I had this setting in authorize.conf
in a base_config app for search heads:
[role_admin]
grantableRoles = admin
I am not sure how it got there or what it was supposed to accomplish but when I removed this, my new role
became grantable
to every user
and role
.
It turns out that I had this setting in authorize.conf
in a base_config app for search heads:
[role_admin]
grantableRoles = admin
I am not sure how it got there or what it was supposed to accomplish but when I removed this, my new role
became grantable
to every user
and role
.
Thanks @woodcock this solved my problem
In authorize.conf check if setting grantableRoles is set to the role of the user you logged in to add new user.
If you are using admin and admin role is edited then grantableRoles is set to admin for admin role. You can remove this or add new role to grantableRoles.
[role_admin]
grantableRoles = admin
To add and edit roles/capabilities I assume authorize.conf would be the correct file.
Please refer this Splunk doc
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Addandeditroleswithauthorizeconf
As per document
After you make changes to authentication.conf, you must refresh the authentication scheme to have the changes take effect. You can do this with either Splunk Web or the CLI. Refreshing the authentication scheme does not log users off of the system.
Refresh the authentication scheme using Splunk Web
From the system bar, click Settings > Authentication Methods.
Use the CLI command ./splunk reload auth:
./splunk reload auth
No, no, no. I have restarted Splunk to no effect. That us not the problem. I am way beyond what is mentioned in this answer.
I added the above capabilities to a new authorize.conf file and then created a new user assigning the moncon_user role. I had no issues.
I'm using Splunk 7.3.4