Permissions different between pooled search heads

nocostk
Communicator

Currently I have two search heads in a pooled configuration. However, I'm seeing an error where a particular user is unable to successfully log in completely. Looking at the audit logs the person can log in - but is unable to view anything:

03-30-2011 10:21:49.468 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:49.468, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:21:49.686 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:49.686, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:21:53.828 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:53.828, user=myuser, action=search, info=denied REST: /search/timeparser/tz][n/a]
03-30-2011 10:21:59.430 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:59.430, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:21:59.624 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:59.624, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:22:12.366 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:22:12.366, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:23:09.804 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:23:09.803, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:30:55.989 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:30:55.989, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:30:56.230 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:30:56.230, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:33:27.240 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:33:27.240, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:33:35.092 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:33:35.092, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:34:03.224 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:34:03.224, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:34:46.088 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:34:46.088, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:34:46.364 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:34:46.364, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]

Login/access works fine on the other pooled search head.

The dates are in sync and this instance runs as root (so no permission issues).

0 Karma

ARothman
Path Finder

Hi Nocostk,

I noticed in the log: action=rest_properties_get, info=denied

I just recently had to rebuild my Splunk v4.3 and discovered that there are 4 required capabilities for each role that is assigned to a user (I'm actually a bit frustrated that Splunk allows you to remove these capabilities, seeing as they're required for apps to work properly... it caused me a great headache and amount of time to figure out). Per http://docs.splunk.com/Documentation/Splunk/latest/admin/Addandeditroles, the below information is provided regarding these capabilities. Make sure that all of your users have these and I'll bet it will fix the problem.

rest_apps_management - Can edit settings in the python remote apps handler.

rest_apps_view - Can list properties in the python remote apps handler.

rest_properties_get - Can get information from the services/properties endpoint.

rest_properties_set - Can edit the services/properties endpoint.

0 Karma