Security

Permissions different between pooled search heads

nocostk
Communicator

Currently I have two search heads in a pooled configuration. However, I'm seeing an error where a particular user is unable to successfully log in completely. Looking at the audit logs the person can log in - but is unable to view anything:

03-30-2011 10:21:49.468 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:49.468, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:21:49.686 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:49.686, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:21:53.828 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:53.828, user=myuser, action=search, info=denied REST: /search/timeparser/tz][n/a]
03-30-2011 10:21:59.430 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:59.430, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:21:59.624 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:59.624, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:22:12.366 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:22:12.366, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:23:09.804 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:23:09.803, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:30:55.989 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:30:55.989, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:30:56.230 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:30:56.230, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:33:27.240 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:33:27.240, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:33:35.092 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:33:35.092, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:34:03.224 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:34:03.224, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:34:46.088 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:34:46.088, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:34:46.364 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:34:46.364, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]

Login/access works fine on the other pooled search head.

The dates are in sync and this instance runs as root (so no permission issues).

0 Karma

ARothman
Path Finder

Hi Nocostk,

I noticed in the log: action=rest_properties_get, info=denied

I just recently had to rebuild my Splunk v4.3 and discovered that there are 4 required capabilities for each role that is assigned to a user (I'm actually a bit frustrated that Splunk allows you to remove these capabilities, seeing as they're required for apps to work properly... it caused me a great headache and amount of time to figure out). Per http://docs.splunk.com/Documentation/Splunk/latest/admin/Addandeditroles, the below information is provided regarding these capabilities. Make sure that all of your users have these and I'll bet it will fix the problem.

rest_apps_management - Can edit settings in the python remote apps handler.

rest_apps_view - Can list properties in the python remote apps handler.

rest_properties_get - Can get information from the services/properties endpoint.

rest_properties_set - Can edit the services/properties endpoint.

0 Karma
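An added example, not code from either poster or from Splunk: a small parser for the AuditLogger lines in the question that reports, per user, successful logins followed by denials, and flags denied actions whose name matches one of the four capabilities listed in the answer. It assumes, as the answer does, that the audit `action` value names the capability the role is missing; the function names are hypothetical.

```python
import re
from collections import Counter

# The four capabilities the answer above says every role needs.
REQUIRED_CAPS = {"rest_apps_management", "rest_apps_view",
                 "rest_properties_get", "rest_properties_set"}

AUDIT_RE = re.compile(
    r"Audit:\[timestamp=(?P<ts>[^,]+), user=(?P<user>[^,]+), "
    r"action=(?P<action>[^,]+), info=(?P<info>[^\]]*)\]")

# Sample input: five audit lines copied from the question.
SAMPLE = """\
03-30-2011 10:21:49.468 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:49.468, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:21:49.686 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:49.686, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
03-30-2011 10:21:53.828 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:53.828, user=myuser, action=search, info=denied REST: /search/timeparser/tz][n/a]
03-30-2011 10:21:59.430 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:59.430, user=myuser, action=login attempt, info=succeeded][n/a]
03-30-2011 10:21:59.624 -0600 INFO  AuditLogger - Audit:[timestamp=03-30-2011 10:21:59.624, user=myuser, action=rest_properties_get, info=denied REST: /properties/app][n/a]
"""

def summarize(lines):
    """Per user: successful logins and a count of each denied (action, endpoint)."""
    out = {}
    for line in lines:
        m = AUDIT_RE.search(line)
        if not m:
            continue  # not an AuditLogger event
        u = out.setdefault(m["user"], {"logins": 0, "denied": Counter()})
        action, info = m["action"], m["info"]
        if action == "login attempt" and info == "succeeded":
            u["logins"] += 1
        elif info.startswith("denied"):
            endpoint = info.partition("REST:")[2].strip() or "(none)"
            u["denied"][(action, endpoint)] += 1
    return out

def missing_capability_hints(summary):
    """Users who authenticate but are denied an action named after a required capability."""
    hints = {}
    for user, s in summary.items():
        caps = sorted({a for a, _ in s["denied"]} & REQUIRED_CAPS)
        if s["logins"] and caps:
            hints[user] = caps
    return hints

if __name__ == "__main__":
    summary = summarize(SAMPLE.splitlines())
    for user, caps in missing_capability_hints(summary).items():
        print(f"{user}: logins={summary[user]['logins']} check roles for {caps}")
        for (action, ep), n in summary[user]["denied"].most_common():
            print(f"  denied {n}x action={action} endpoint={ep}")
```

Running it against the audit log of each pooled search head and comparing the output shows whether the denials are specific to one head.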