Security

Recipe for "read-only" administrator role?

kqc767
Path Finder

Greetings!

As part of an internal education initiative, I need to configure a "sandbox" instance of Splunk to allow new/prospective users to "poke around" and become familiar with what's there, and what things look like.

They will need "power" user access, as well as the ability to see (but not modify) most everything that the "admin" role has access to.

I've been banging on this for more than a week, with only a modicum of success--I've tried a hundred different things with local.meta, as well as the GUI role editor. I've googled my brains out, to little effect.

There has to be an easier way to do this...does anyone have any suggestions/recipes?

If possible, I need to do this for both a 4.3 and 6.2 instance.

Many thanks in advance!

JP

0 Karma
1 Solution

kqc767
Path Finder

I believe that I may have hacked something together that works pretty well:

In authorize.conf:

[role_admin2]
#For admin-like student accounts
#See most everything, but no perms to change
#Don't rename the role--anything other than
#"[role_admin2]" breaks it.
admin_all_objects = enabled
importRoles = user
rtSrchJobsQuota = 1
rtsearch = enabled
schedule_search = enabled
srchIndexesAllowed = *;_*
#This is 14 days
srchMaxTime=1209600

I'm not sure why the role name affects whether this works or not--I've tried "role_student", "role_admin_student", "role_admin3", "role_adminadmin", and "role_admin9999", but the only name that seems to work is "role_admin2".

Feature, or bug? I'm not sure. It's not documented anywhere, though--I'm sure of that. 😉

I also had to remove "power" user as an inherited role--just add the needed capabilities to the "admin2" role.

This works on 4.3 and 6.2 for me. If anyone discovers any additional "features" or improves this hack, I would be very interested in hearing about it. 😃

Cheers,

JP

0 Karma

bandit
Motivator

Configure Splunk as you like. Just back up the etc folder under your Splunk home folder, i.e. /opt/splunk/etc.

When the session is complete:
- stop Splunk
- remove etc folder
- restore the etc folder you backed up
- optionally you could run a ./splunk clean eventdata
- start Splunk

I imagine you could script this in shell, powershell or .bat file depending on your environment.

You could also do a variant with VirtualBox and Ubuntu, etc.: just create a VM snapshot and restore it.

0 Karma
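
An added Python version of the reset sequence described in the post above (editor's example, not code from the post or from Splunk). It assumes the backup is a plain directory copy of etc and that SPLUNK_HOME/bin/splunk accepts stop, clean eventdata -f and start; demo() exercises it against a throwaway fake SPLUNK_HOME whose splunk binary only records the commands it receives, so nothing real is touched.

```python
import os
import shutil
import subprocess
import tempfile

def reset_sandbox(splunk_home, etc_backup_dir, clean_eventdata=False):
    """Stop Splunk, replace etc/ with the backed-up copy, optionally wipe indexed
    data, start Splunk again. Mirrors the sequence from the post above."""
    splunk = os.path.join(splunk_home, "bin", "splunk")
    etc_dir = os.path.join(splunk_home, "etc")
    subprocess.run([splunk, "stop"], check=True)
    shutil.rmtree(etc_dir, ignore_errors=True)      # every student edit is discarded here
    shutil.copytree(etc_backup_dir, etc_dir)        # pristine configuration comes back
    if clean_eventdata:
        # -f skips the interactive confirmation so the step works unattended
        subprocess.run([splunk, "clean", "eventdata", "-f"], check=True)
    subprocess.run([splunk, "start"], check=True)
    return etc_dir

def demo():
    """Exercise reset_sandbox in a throwaway SPLUNK_HOME (constructed for this
    example) whose 'splunk' binary only appends its arguments to a log file."""
    home = tempfile.mkdtemp(prefix="fake_splunk_")
    log = os.path.join(home, "calls.log")
    os.makedirs(os.path.join(home, "bin"))
    fake = os.path.join(home, "bin", "splunk")
    with open(fake, "w") as f:
        f.write('#!/bin/sh\necho "$@" >> "%s"\n' % log)
    os.chmod(fake, 0o755)
    backup = os.path.join(home, "etc.bak", "system", "local")
    os.makedirs(backup)
    with open(os.path.join(backup, "authorize.conf"), "w") as f:
        f.write("[role_admin2]\nadmin_all_objects = enabled\n")
    os.makedirs(os.path.join(home, "etc"))
    with open(os.path.join(home, "etc", "student_edit.conf"), "w") as f:
        f.write("changed = 1\n")                    # simulates a change a student made
    reset_sandbox(home, os.path.join(home, "etc.bak"), clean_eventdata=True)
    with open(log) as f:
        calls = [line.strip() for line in f]
    restored = os.path.exists(os.path.join(home, "etc", "system", "local", "authorize.conf"))
    leftover = os.path.exists(os.path.join(home, "etc", "student_edit.conf"))
    shutil.rmtree(home)
    return calls, restored, leftover

if __name__ == "__main__":
    print(demo())
```
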

kqc767
Path Finder

Hi, Rob.

The requirement exists because I'll have > 25 students using the instance to orient, and I'd rather not have to reinstall Splunk twice a day. 😉

The online sandbox isn't really an option for us, but great suggestion. 😃

JP

0 Karma

bandit
Motivator

Are you running on Unix?

Will each student have their own instance or is an instance shared?

Is it an all in one instance or are you setting up distributed search, etc?

0 Karma

kqc767
Path Finder

Yes, running on RHEL 6.x.

This will be a shared, single-tier instance to allow students to follow along with Bumgarner's book (Implementing Splunk) without having to download and install (including the data generator) their own platform.

I suppose that it's not imperative that they see every nook and corner of the interface, but it would be nice, and would also probably save me from having to field the occasional "mine looks different from the book" questions. 😉

I probably ought to just "do the book" as a power user and make notes re: what looks different (or won't work) if you're not an admin.

0 Karma

bandit
Motivator

Is this an option for you? Not sure if it has the admin experience you are seeking.

https://www.splunk.com/page/sign_up/cloudtrial?redirecturl=/getsplunk/onlinesandbox

0 Karma

kqc767
Path Finder

Hi, Rob...thanks for your suggestion.

This is actually the second approach that I tried, without success--none of the admin-specific panes display under the "Manager" view.

Tweaking settings in the local.meta file (i.e., app "read" permissions) does not change or remedy this. 😕

JP

0 Karma

bandit
Motivator

Might be a bunch of trial and error with the permissions and may not work right.

If this is a test/trial instance, why is there a requirement that they cannot make edits?

For permissions at the app/dashboard level it's quite easy to control permissions for read/write. I think your biggest challenge would be in the admin configuration area which I don't know if it supports read without write.

Other alternatives would be a little bit hackish, like on Linux, changing all .conf files to be owned by root, etc. with read-only permission for the id that splunk runs as.

Another alternative: if you install the S.O.S app, you can see and search .conf files through that UI.

0 Karma

bandit
Motivator

I haven't tried to create a read-only admin. As a first go, I would do something like this. Don't see a way to clone a role in the UI so I'm doing it directly in the config. Notice I've just cloned the role_admin to role_admin_ro as in read only. Then I disabled anything with edit. Restart Splunk then add these users to the admin_ro role via the UI and see if that works.

In your SPLUNK_HOME/etc/system/local/authorize.conf, paste the following.

[role_admin_ro]
# ==== Subsumed roles ====
importRoles = power;user
# ==== Capabilities   ====
accelerate_datamodel   = enabled
admin_all_objects      = enabled
change_authentication  = enabled
edit_deployment_client = disabled
list_deployment_client = enabled
edit_deployment_server = disabled
list_deployment_server = enabled
list_search_head_clustering = enabled
edit_dist_peer         = disabled
edit_forwarders        = disabled
edit_httpauths         = disabled
edit_input_defaults    = disabled
edit_monitor           = disabled
edit_roles             = disabled
edit_scripted          = disabled
edit_search_head_clustering = enabled
edit_search_server     = disabled
edit_server            = disabled
edit_splunktcp         = disabled
edit_splunktcp_ssl     = disabled
edit_tcp               = disabled
edit_udp               = disabled
edit_user              = disabled
edit_view_html         = disabled
edit_web_settings      = disabled
get_diag               = enabled
indexes_edit           = disabled
license_edit           = disabled
license_tab            = enabled
list_forwarders        = enabled
list_httpauths         = enabled
rest_apps_management   = enabled
restart_splunkd        = enabled
run_debug_commands     = enabled

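An added Python check (editor's example, not code from the thread or from Splunk): it parses authorize.conf role stanzas and lists every enabled capability whose name marks it as able to change state, run here over excerpts of the role_admin2 stanza from the accepted answer and the role_admin_ro stanza above. The non-edit_ capabilities it treats as write capabilities are a selection made for this example, not a Splunk-published list, and roles pulled in through importRoles are only reported, not resolved.

```python
import re

# Capabilities outside the "edit_*" naming that still change server state; selected
# for this example from names seen in the thread (an assumption, not a Splunk list).
WRITE_CAPS = {"admin_all_objects", "change_authentication", "indexes_edit",
              "license_edit", "restart_splunkd", "run_debug_commands"}

def parse_authorize(text):
    """Parse authorize.conf text into {stanza: {key: value}}; '#' comments are skipped."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            roles[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            roles[current][key] = value
    return roles

def audit_read_only(stanza):
    """Return enabled capabilities that contradict a read-only intent, plus imported
    roles whose own capabilities this check cannot see (they must be audited too)."""
    enabled = {k for k, v in stanza.items() if v.lower() == "enabled"}
    flagged = sorted(c for c in enabled if c.startswith("edit_") or c in WRITE_CAPS)
    inherited = [r for r in stanza.get("importRoles", "").split(";") if r]
    return {"flagged": flagged, "inherited": inherited}

# Constructed sample: excerpts of the two stanzas posted in this thread.
SAMPLE = """[role_admin2]
admin_all_objects = enabled
importRoles = user
srchIndexesAllowed = *;_*
[role_admin_ro]
importRoles = power;user
admin_all_objects      = enabled
change_authentication  = enabled
edit_deployment_client = disabled
list_deployment_client = enabled
edit_search_head_clustering = enabled
restart_splunkd        = enabled
run_debug_commands     = enabled
"""

def audit_sample():
    return {name: audit_read_only(st) for name, st in parse_authorize(SAMPLE).items()}
```

Anything in "flagged" is a capability a student with that role could use to change the instance, which is the check to run before handing the role out.
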
proylea
Contributor

I downvoted this post because the poster requested the down vote, as this answer doesn't work; see comments below.

0 Karma

bandit
Motivator

You might want to mark this unanswered since your test validated it didn't work. Someone else may chime in with a solution.

Your tech requirement seems to be read everything via the UI that an admin can but no update ability.

In summary for read only permissions:
admin configs - I'm not sure ( would be nice for Splunk to create an out of the box read only admin role)
apps - yes

0 Karma