I have a custom authorize.conf that was intended to disable the schedule_rtsearch capability for all users:
This config is generating these errors on the peers in the SH cluster:
07-29-2019 10:23:32.159 -0500 WARN AuthorizationManager - Capability 'schedule_rtsearch' had value '' - only 'enabled' is valid. Ignoring...
In the [role_] section of the the authorize.conf documentation for 7.1.7, it says all capabilities are disabled by default:
Note that 'enabled' is the only accepted value here, as capabilities are disabled by default.
But in the [default] stanza of the ~/etc/system/default/authorize.conf file, it's enabled:
splunk@server:[~]> splunk version;splunk btool authorize list default --debug | grep schedulertsearch
Splunk 7.1.7 (build 39ea4c097c30)
/opt/splunk/etc/system/default/authorize.conf schedulertsearch = enabled
I'm having some difficulty understanding the disconnect. How can I remove this capability from the default user role when authorize.conf does not accept a value other than "enabled"?
Did you try not setting the value at all, or removing the value from the
Capabilities are disabled by default, so if you list it in authorize.conf, it expects for you to use
enabled as the value. I think the disconnect is that you believe that you have to list the setting even if you want to disable it, that's not the case (since capabilities are disabled by default.)
Give it a try. I'll reply to your feedback email and we can continue the discussion there, or we can also do it here.
Please provide feedback on the docs page for authorize.conf, the docs team are awesome in checking such findings 😉
It might be just wrong in the docs, or you found a bug.
And yes, the default is in Splunk 7.1.4 as well
enabled. But you should be able to disable it by actually using
[default] schedule_rtsearch = disabled
instead of just an empty value for the option.
Hope this helps ...