
Permissions different between pooled search heads

nocostk
Communicator

Currently I have two search heads in a pooled configuration. However, I'm seeing an error where a particular user is unable to successfully log in completely. Looking at the audit logs the person can log in - but is unable to view anything:

03-30-2011 10:21:49.468 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:49.468, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:21:49.686 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:49.686, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:21:53.828 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:53.828, user=myuser, action=search, info=denied REST: /search/timeparser/tz][n/a]
03-30-2011 10:21:59.430 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:59.430, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:21:59.624 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:59.624, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:22:12.366 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:22:12.366, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:23:09.804 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:23:09.803, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:30:55.989 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:30:55.989, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:30:56.230 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:30:56.230, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:33:27.240 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:33:27.240, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:33:35.092 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:33:35.092, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:34:03.224 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:34:03.224, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:34:46.088 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:34:46.088, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:34:46.364 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:34:46.364, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]

Login/access works fine on the other pooled search head.

The dates are in sync and this instance runs as root (so no permission issues).

0 Karma

ARothman
Path Finder

Hi Nocostk,

I noticed in the log: action=rest_properties_get, info=denied

I just recently had to rebuild my Splunk v4.3 and discovered that there are 4 required capabilities for each role that is assigned to a user (I'm actually a bit frustrated that Splunk allows you to remove these capabilities, seeing as they're required for apps to work properly... it caused me a great headache and amount of time to figure out). Per http://docs.splunk.com/Documentation/Splunk/latest/admin/Addandeditroles, the below information is provided regarding these capabilities. Make sure that all of your users have these and I'll bet it will fix the problem.

rest_apps_management - Can edit settings in the python remote apps handler.

rest_apps_view - Can list properties in the python remote apps handler.

rest_properties_get - Can get information from the services/properties endpoint.

rest_properties_set - Can edit the services/properties endpoint.

0 Karma