Radius authentication/authorisation



Is there an order in which userLogin, getUserInfo and getUsers is called ? I don't want to create a manual user mapping but use radius AV pairs returned during the user authentication. If I know userLogin is always first I could dynamically create a role mapping database and use it for later getUserInfo calls.

Is getUsers a requirement or optional ? If I use Radius I won't have the information of all possible users, but I could use the info of previously logged in users from my dynamically created role mapping database.

Would that work ?

Thank you

0 Karma


I created the below python script.

Can someone comment if that would be sufficient ?


    This is only a sample authentication script, and is NOT SUPPORTED by Splunk.

    For the most basic example of how to use scripted auth, please see
    This script serves as an example of how to interact between splunkd and RADIUS.

    The example uses the RADIUS client from the freeradius server.

    You must download and install this client for this script to function
    properly. If you already have your own RADIUS client you may use that
    but you may have to edit the function contactRADIUS to make it compatible
    with your client.

    Function breakdown
        userLogin   : will be called on userLogin into splunk.
        getUserInfo : Get information about a particular user. ( username, realname, roles )
        getUsers    : Get a list of all users available.

    Optional Calls  :
        getSearchFilter : return a search filter for a given user. Called when the user searches.

import sys, subprocess, getopt
import re, pickle, fcntl
from datetime import *

# keys we'll be using when talking with splunk.
USERNAME    = "username"
USERTYPE    = "role"
SUCCESS     = "--status=success"
FAILED      = "--status=fail"

# freeradius-client-1.1.6-40.1
RADIUS_CLIENT = '/opt/splunk/sbin/radiusclient'

RADIUS_USER   = 'User-Name'
RADIUS_PASS   = 'Password'
USERMAP_FILE  = '/opt/splunk/etc/usermap.pkl'
USERMAP_LOCK_FILE  = '/opt/splunk/etc/.usermap.pkl.lock'

roleMappingDict = {}

This is a basic user database for storing users and their corresponding Splunk roles.

This is only intended to be a sample and is NOT SUPPORTED. If you only have a handful of users
this may suffice for mapping your users to roles. It may not scale well to thousands of users.

IMPORTANT: If you intend to use both the getUsersRole and getAllUsers functions defined here,
the roleMappingDict must have an entry for each user in your auth system. Otherwise, you could potentially
get roles for a particular user in getUsersRole that is not returned in getAllUsers (since we
default to returning the user role in getUsersRole). An incomplete database of users here would result in
undefined behavior.

# read the inputs coming in and put them in a dict for processing.
def readInputs():
   optlist, args = getopt.getopt(sys.stdin.readlines(), '', ['username=', 'password='])

   returnDict = {}
   for name, value in optlist:
      returnDict[name[2:]] = value.strip()

   return returnDict

# Read dictionary from file
def readMapDict():
    global roleMappingDict
       userMap = open(USERMAP_FILE, 'rb')
    except IOError:
       roleMappingDict = pickle.load(userMap)
    except EOFError:

# If you want a user to have admin or power level you will need to add them
# to this map OR just replace getUserRole and getUserFilter function with
# your own code that restrieves this information from elsewhere.
# roleMappingDict = {
#     #username     #splunk role           # search filter                                 lastlogin
#     'boo'     :  ([ "admin" ],           [ 'NOT APACHE', 'NOT FLUBBER', 'NOT FLUBBER' ], [ date ]),
#     'root'    :  ([ "admin", "power" ],  [], [ date ]),
#     'peon'    :  ([ "user" ],            [], [ date ]),
#     'steve'   :  ([ "user" ],            [ 'NOT GLOBAL' ], [ date ]),
#     'john'    :  ([ "power" ],           [], [ date ] ),
#     'jack'    :  ([ "admin" ],           [], [ date ] )
# }

def getUsersRole( username ):
    global roleMappingDict
    if roleMappingDict.has_key( username ):
        return roleMappingDict[username][0]
        print "Unable to find user " + username
        print "Returning lowest role of user"
        return [ "user" ]

def getUsersFilters( username ):
    global roleMappingDict
    if roleMappingDict.has_key( username ):
        return roleMappingDict[username][1]
        print "Unable to find user " + username
        print "Returning no search filter"
        return [ "" ]

def getAllUsers():
    global roleMappingDict
    out = ""
    for u, r in roleMappingDict.iteritems():
        out += ' --userInfo=' + u + ';' + u + ';' + u + ';' + ':'.join(r[0])

    return out

def getOctalStr(s):
    oct = ''
    for c in s:
        oct += '\%03o' % ord(c)
    return oct

This function will be called when a user enters their credentials in the login page in UI.
        --username=<user> --password=<pass> 
        On Success:
        On Failuire:
            Anyhing but --status=success

    Splunk will print everything outputted to stdin if there is an error so you can add debugging info
    that will be printed in splunkd.log when the system is in DEBUG mode.
def userLogin( infoIn  ):
    global roleMappingDict
    # Create the list of arguments to pass to Popen
#    command = [RADIUS_CLIENT] + [RADIUS_USER + '=' + getOctalStr(infoIn['username'])] + [RADIUS_PASS + '=' + getOctalStr(infoIn['password'])]  + ['\n']
    command = [RADIUS_CLIENT] + [RADIUS_USER + '=' + infoIn['username']] + [RADIUS_PASS + '=' + infoIn['password']] + ['\n']

    proc = subprocess.Popen( command,

    output = proc.communicate( )

    retCode = proc.wait()

    if retCode != 0:
       print FAILED

    splunkRoles = [ "user" ]

# Look in output for attribute called Class and 
# store value in variable splunkRole
    splitLines = output[0].split('\n')
    for line in splitLines:
      if "Class" in line:
         role = re.sub(r'.*=(.*)',r'\1',line).strip()
# File lock to avoid two logins updating mapping dictionary file
    userMapLock = open(USERMAP_LOCK_FILE, 'w')
    fcntl.lockf(userMapLock, fcntl.LOCK_EX)
# Check if file with mapping dictionary exists and 
# read saved mapping dictionary
       userMap = open(USERMAP_FILE, 'rb')
    except IOError:
# File does not exist = > create it
       userMap = open(USERMAP_FILE, 'wr+b')
       roleMappingDict = pickle.load(userMap)
    except EOFError:
# Empty file => continue
# Cleanup user mapping file 
# Delete stale users after 30 days
    for user in roleMappingDict:
        lastLoginDelta =[user][2]
        if lastLoginDelta > timedelta(days=30):
            del roleMappingDict[user]
# Updat mapping dictionary with  new user
    roleMappingDict.update({ infoIn['username'] : ( splunkRoles , [], })
# Write updated mapping dictionary to file
    userMap = open(USERMAP_FILE, 'wb')
# remove lock
    fcntl.lockf(userMapLock, fcntl.LOCK_UN)
    print SUCCESS

    This function prints out the details of the userId supplied.
    Input :
        --status=success --userInfo=<userId>;<username>;<realname>;<role>:<role>:<role>    Note roles delimited by :
def getUserInfo( infoIn ):
    roleList = getUsersRole( infoIn['username'] )

    outStr = SUCCESS + " --userInfo=" + infoIn["username"] + ";" + infoIn["username"] + ";" + infoIn["username"] + ";"
    for roleItem in roleList:
        outStr = outStr + roleItem + ":"

    print outStr

    This function gets all the users in the system that scripted auth will work for.
    Input :
    Output :
        --status=success --userInfo=<userId>;<username>;<realname>;<role>:<role>:<role> --userInfo=<userId>;<username>;<realname>;<role>:<role>:<role>  ...
def getUsers( infoIn ):
    print SUCCESS + getAllUsers()

    Gets the search filter for a given user.
    You must have the flag scriptSearchFilters set to 1 on the config for this function to be used.
    Input :
        --search_filter=<filter> --search_fil....
def getSearchFilter( infoIn ):
    outStr = SUCCESS
    filters = getUsersFilters( infoIn['username'] )
    outStr = SUCCESS

    for i in filters:
        outStr = outStr + " --search_filter=" + str(i) 

    print outStr 

def contactRADIUS( inforIn, callname ):
    print "edit this function"

if __name__ == "__main__":
   callName = sys.argv[1]
   dictIn = readInputs()

   returnDict = {}
   if callName == "userLogin":
      userLogin( dictIn )
   elif callName == "getUsers":
      getUsers( dictIn )
   elif callName == "getUserInfo":
      getUserInfo( dictIn )
   elif callName == "getSearchFilter":
      getSearchFilter( dictIn )
      print "ERROR unknown function call: " + callName
0 Karma
Get Updates on the Splunk Community!

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...

New Splunk APM Enhancements Help Troubleshoot Your MySQL and NoSQL Databases Faster

Splunk Observability has two new enhancements to make it quicker and easier to troubleshoot slow or frequently ...