Hi Splunkers,
I am trying to restrict permissions to role/user.
I have created a new role not inherited from any default roles. I created an app to share with the new role, and the app requires a kvstore lookup (permission granted to the role in the search app for this kvstore lookup) to populate inputs in dashboards, but the kvstore lookup is created in the search app, which the role doesn't have access to.
I tried moving the collection and transforms to the newly created app; still the dashboard is not working.
Please share your ideas on how to achieve this.
Thanks in advance.
I noticed that Splunk does not always act on the owner value as expected.
When I defined the URL for navigating to the lookup editor, I had to change the owner in the URL to "/app/lookup_editor/lookup_edit?owner=nobody&..." to make it work. Using the name of the real owner of the lookup file results in an error "you do not have permissions to view this lookup file".
Maybe your problem is similar to this?
Hi @thambisetty,
You need to set the permissions of the collections from the search head in the Lookup section. Set the permissions of the collection to be accessible by the new role.
Alternatively, object permissions are set in the metadata folder of the app. So you might need to copy the section which defines the permissions of the KV store collections and put it into the new app.
A sample entry in the .meta file will be similar to:
[transforms/my_collection]
access = read : [ * ], write : [ * ]
export = system
owner = admin
version = 7.1.1
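A defensive check for the setup discussed in this thread, added here as an example and not posted by any participant: it parses a .meta file and reports whether a role has read access to both the `collections/` and `transforms/` stanzas of a KV store lookup and whether each is exported with `export = system`. The stanza names, role name and sample file are constructed; role inheritance and type-level stanzas such as `[transforms]` are not modelled.

```python
import re

# Constructed sample: metadata/default.meta of the app that owns the lookup.
SAMPLE_META = """\
[]
access = read : [ admin ], write : [ admin ]

[collections/sample_collection]
access = read : [ restricted_role ], write : [ admin ]
export = system

[transforms/sample_lookup]
access = read : [ admin, power ], write : [ admin ]
export = none
"""

def parse_meta(text):
    """Parse .meta text into {stanza: {key: value}}; "" is the global [] stanza."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def read_roles(access):
    """Return the set of roles in the read list of an access value."""
    m = re.search(r"read\s*:\s*\[([^\]]*)\]", access or "")
    return {r.strip() for r in m.group(1).split(",") if r.strip()} if m else set()

def check_lookup_access(meta_text, role, collection, lookup):
    """List the reasons `role` cannot use the KV store lookup from another app."""
    stanzas = parse_meta(meta_text)
    default = stanzas.get("", {})
    problems = []
    for name in (f"collections/{collection}", f"transforms/{lookup}"):
        obj = stanzas.get(name, {})
        # Simplification (assumption): fall back only to the global [] stanza.
        roles = read_roles(obj.get("access", default.get("access")))
        if "*" not in roles and role not in roles:
            problems.append(f"{name}: no read access for {role}")
        if obj.get("export", default.get("export", "none")) != "system":
            problems.append(f"{name}: not exported globally")
    return problems
```

An empty list from `check_lookup_access` means both objects are readable by the role and visible outside their own app; in the constructed sample only the collection is, so the lookup definition is reported twice.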
Hi,
Thanks for your answer, but this is not working.
Alright! So let's try to make it work.
So far, you have an app to segregate user permissions, and a new role is created and assigned to this app. All the dashboards are moved to this app and users are able to access the dashboards.
If you want your users to use your lookups which are created in kvstore, you need to have this definition in transforms.conf and collections.conf under this app. In addition to this, we need to give them permissions to use these collections, which is done either by using Splunk Web, looking for the collections and setting the permissions, or by using the metadata file. The easiest way to troubleshoot is to simulate this by creating a new user and adding the new role. Let us know the error you are getting while accessing the dashboard/lookup.
Yes, I created a role and assigned a few users, and created a test user and added the test user to this role to test access.
After that I created an app and gave the newly created role access to the app. I am able to see the app and dashboards, but the only problem is with lookups.
I have shared the collections and transforms lookup, which are in the search app context, in all configurations to the newly created role and set "object should appear in" to all apps (global).
As you suggested, I have copied the metadata of the collections and transforms lookup to the newly created app which is shared to the newly created role. Still no luck.
I have tested this with test user.
Hi @thambisetty,
I found a strange issue with the kvstore lookup while testing your issue. Just to confirm, can you check if the default folder of the search app, i.e. etc/apps/search/default, has your collections.conf file? If it's not present, can you copy your collections.conf to that as well and try?
It's in the local folder of the search application.
I don't think we can create duplicate objects in Splunk; though there is an option to create them using the file system, there could be some issues. Transform definition doesn't know where to read and write from/to wrt.
As mentioned earlier, try copying/moving it to the default folder and try. You are not creating any duplicate objects but just the configuration. Splunk has an internal mechanism for file precedence. So even though you have duplicate configuration files, Splunk knows how to handle it. Reference: http://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Wheretofindtheconfigurationfiles
Let us know if it works.
Moved it to
search/default/collections.conf:1:[collection].
Tried accessing as user "test", part of the newly created role; still not working.
What's the exact error you are getting now? Hope the role you created has the search capability assigned.
Yes,
What's the exact error? Is it something similar to
Error in 'inputlookup' command: Lookup failed because collection 'my_collection_search' in app 'search' does not exist, or user 'admin' does not have read access
No results found, try expanding the time range. In the job settings got an error like below:
The lookup table 'sample_lookup' is invalid.
Do you have this entry in your collections.conf?
[sample_lookup]
Make sure that this entry is in collections.conf and collections.conf is present in default.
No, that's the definition of the lookup defined in transforms.conf of the search local directory.
Whatever collection name you have provided in transforms.conf in collection = , should be present in collections.conf in the format [collection_name], which is in the default dir.
Yes, it's there.
First defined in collections.conf and used the collection name in transforms.conf.
OK. Just to double check, are you able to access this lookup with the admin user/power user? Then we could isolate this to a user permission issue.
Yes, I can access this with the admin/power/user role in the same application where the new role doesn't have access.