Currently I have two search heads in a pooled configuration. However, I'm seeing an error where a particular user is unable to successfully log in completely. Looking at the audit logs, the person can log in but is unable to view anything:
03-30-2011 10:21:49.468 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:21:49.468, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:21:49.686 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:21:49.686, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:21:53.828 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:21:53.828, user=myuser, action=search, info=denied REST: /search/timeparser/tz][n/a]
03-30-2011 10:21:59.430 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:21:59.430, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:21:59.624 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:21:59.624, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:22:12.366 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:22:12.366, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:23:09.804 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:23:09.803, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:30:55.989 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:30:55.989, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:30:56.230 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:30:56.230, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:33:27.240 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:33:27.240, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:33:35.092 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:33:35.092, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:34:03.224 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:34:03.224, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:34:46.088 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:34:46.088, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:34:46.364 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:34:46.364, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
Login/access works fine on the other pooled search head.
The dates are in sync and this instance runs as root (so no permission issues).
Hi Nocostk,
I noticed in the log: action=rest_properties_get, info=denied
I just recently had to rebuild my Splunk v4.3 and discovered that there are 4 required capabilities for each role that is assigned to a user (I'm actually a bit frustrated that Splunk allows you to remove these capabilities, seeing as they're required for apps to work properly... it caused me a great headache and amount of time to figure out). Per http://docs.splunk.com/Documentation/Splunk/latest/admin/Addandeditroles, the below information is provided regarding these capabilities. Make sure that all of your users have these and I'll bet it will fix the problem.
rest_apps_management
- Can edit settings in the python remote apps handler.
rest_apps_view
- Can list properties in the python remote apps handler.
rest_properties_get
- Can get information from the services/properties endpoint.
rest_properties_set
- Can edit the services/properties endpoint.
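An added example, not part of either post and not Splunk's own code: a Python script that parses audit lines in the format quoted in the question and lists, per user, which actions were denied after a successful login. The sample lines and function names are constructed for illustration; treating the denied action name as the role capability to check is an assumption based on the rest_properties_get match noted in the answer.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the audit lines quoted in the question.
SAMPLE = """\
03-30-2011 10:21:49.468 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:21:49.468, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:21:49.686 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:21:49.686, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:21:53.828 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:21:53.828, user=myuser, action=search, info=denied REST: /search/timeparser/tz][n/a]
03-30-2011 10:22:01.100 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:22:01.100, user=otheruser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:22:12.366 -0600 INFO AuditLogger - Audit:[timestamp=03-30-2011 10:22:12.366, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
"""

# Fields inside the first Audit:[...] bracket; info runs to the closing bracket.
AUDIT_RE = re.compile(
    r"Audit:\[timestamp=(?P<ts>[^,]+), user=(?P<user>[^,]+), "
    r"action=(?P<action>[^,]+), info=(?P<info>[^\]]*)\]"
)

def parse_audit(text):
    """Yield one dict per audit line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if m:
            yield m.groupdict()

def denied_after_login(text):
    """Return {user: {(action, endpoint): count}} for denials seen after
    that user authenticated successfully (authentication OK, authorization not)."""
    logged_in = set()
    report = defaultdict(lambda: defaultdict(int))
    for ev in parse_audit(text):
        user, action, info = ev["user"], ev["action"], ev["info"]
        if action == "login attempt" and info == "succeeded":
            logged_in.add(user)
        elif info.startswith("denied") and user in logged_in:
            # "denied REST: /properties/app" -> "/properties/app"
            endpoint = info.partition("REST: ")[2] or None
            report[user][(action, endpoint)] += 1
    return {user: dict(counts) for user, counts in report.items()}

if __name__ == "__main__":
    for user, counts in denied_after_login(SAMPLE).items():
        for (action, endpoint), n in sorted(counts.items()):
            # Assumption: the denied action names the capability to verify on the role.
            print(f"{user}: {action} denied {n}x on {endpoint}")
```

Run it against the audit log from each pooled search head and compare the output; a user who appears on one head only points at a role difference on that head.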