Security

No parent module with ViewRedirector when using SSO and Apache RP

newfdawg
Explorer

When using SSO and Apache RP - am getting the following type of messages in red in the banner on any page except the "Home" page. The SSO is working, but Splunk is missing a lot of the portions of the screen.
This view has a Splunk.Module.ViewRedirector module but that module has no parent modules to receive changes from. This module will not work in this configuration so this represents a configuration error. OR: This view has a Splunk.Module.RowNumbers module but it is configured with no child modules to push its changes to. This represents a configuration error.

Splunk 4.2.5; Apache 2.2.22 with mod_proxy and mod_proxy_html.
server.conf:

trustedIP = 127.0.0.1
remoteUser = Remote-User
SSOMode = permissive
trustedIP = "IP of RP"
root_endpoint = "/splunk-xxxx

Apache_RP.conf:

ProxyVia On
ProxyPassInterpolateEnv On
RequestHeader set REMOTE_USER %{REMOTE_USER}s
ProxyHTMLDoctype HTML
ProxyHTMLBufSize 32768
AllowCONNECT 8000
ProxyPass /splunk-xxxx http://splunk-searchhead.company.com:8000/splunk-xxxx
ProxyPassReverse /splunk-xxxx http://splunk-searchhead.company.com:8000/splunk-xxxx
0 Karma

newfdawg
Explorer

Ah. Ok. We have ProxyHTMLEnable set globally to on. I'll change that to only directly set it where needed. Working great now. Thank you!!

0 Karma

newfdawg
Explorer

With "ProxyHTMLDoctype HTML" used - I don't get the red banner messages and it is better behaved. I have 2 issues. On the Splunk> Summary page I get:

Events indexed <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

N/A


On the search results screen, it is working, but the results are displayed at the bottom of the screen (below the fields on the left) and starting in the blue section. Anyone using SPlunk wiht mod_proxy_html - is there something I'm missing in my list? Thanks!

Here's the declaration for W3C HTML 4.01 and XHTML 1.0a

ProxyHTMLLinks a href
ProxyHTMLLinks area href
ProxyHTMLLinks link href
ProxyHTMLLinks img src longdesc usemap
ProxyHTMLLinks object classid codebase data usemap
ProxyHTMLLinks q cite
ProxyHTMLLinks blockquote cite
ProxyHTMLLinks ins cite
ProxyHTMLLinks del cite
ProxyHTMLLinks form action
ProxyHTMLLinks input src usemap
ProxyHTMLLinks head profile
ProxyHTMLLinks base href
ProxyHTMLLinks script src for
ProxyHTMLEvents onclick ondblclick onmousedown onmouseup \
onmouseover onmousemove onmouseout onkeypress \
onkeydown onkeyup onfocus onblur onload \
onunload onsubmit onreset onselect onchange
ProxyHTMLLinks frame src longdesc
ProxyHTMLLinks iframe src longdesc
ProxyHTMLLinks body background
ProxyHTMLLinks applet codebase

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

I'm pretty sure that you should no be doing any rewriting of anything you proxy from Splunk, other than the HTTP-level redirects. The fact that you're getting declarations embedded in the page indicates to me that you are rewriting XML and script. You should be, once again, rewriting nothing.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

I've never used the ProxyHTMLDocType declaration in Apache, but reading its description, I would be inclined to turn it off, since many many Splunk requests are definitely not HTML.'

0 Karma

newfdawg
Explorer

Not sure what you need. It's the default splunk search page. Do you want the page source?

0 Karma

sideview
SplunkTrust
SplunkTrust

something very strange is going on. This error would definitely not be generated by the default search page. By default search page do you mean the 'flashtimeline' view within the search app? Just being specific. You said that you see this error on every page except the "home" page. By home page do you mean the 'dashboard' view within the search app?
Also, is it possible that some app you recently installed has somehow modified the 'search.html' view template? Because that could result in this kind of breakage.

0 Karma

sideview
SplunkTrust
SplunkTrust

Can you post the xml? It's extremely odd to have either of those two modules in a situation where they have no parents. Much less both in one view.

And by the way 'parent' just means - the <module> tag that the ViewRedirector is nested immediately inside. When a module has no parents it means it's right at the top, right under the <view> tag.

In fact, I suspect that something weird is going on, like there are parents there but they've been rendered into layoutPanels that don't exist in that template (search.html vs dashboard.html usually) . Can you post the XML of the view?

UPDATE:

To back up a second, aside from the obvious way of giving RowNumbers no children and giving ViewRedirector no parents, you can also get this error message if somehow the corresponding parent or child modules' layoutPanels get somehow obliterated. Thus although the XML looks fine, the ViewRedirector and RowNumbers modules end up being sort of 'orphaned' or 'de-child-ed' respectively.

I took a look at the search app's views in 4.3, and 1) some views give the ViewRedirector it's own layoutPanel (all the dashboard views and only the dashboard views it seems) 2) Also the 'flashtimeline view, aka the default search UI, gives the RowNumbers module a layoutPanel of resultsOptions. The upstream modules of the ViewRedirectors in the (1) cases, are rendered into "splSearchControls-inline" layoutPanel and the downstream modules in the (2) cases are rendered into "resultsAreaLeft".

So.. it sounds crazy, but the best theory here is that something, possibly some fancy app, has taken it upon itself to override both the dashboard.html template and the search.html template, without realizing that this could damage functionality in other apps. They have destroyed the 'splSearchControls-inline' layoutPanel in the search.html template, and destroyed the resultsAreaLeft layoutPanel in the search.html template.

What I would do is search $SPLUNK_HOME/etc/apps for any files called search.html and dashboard.html. And send everything over to Splunk Support for them to look into this. Whatever it is, it's such a crazy problem that I'm pretty confident it'll be easy to fix.

0 Karma
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...