All, a user brought an issue to my attention today that I can't find a solution to. This user currently has the need to search through hypothetical index=a and index=b. He showed me that he could use the following command to write results to index=a or index=b:
index=b whateverfilter=true | head 2 | collect index=a marker="report=testing123" testmode=false
I have confirmed his write to the index to be successful. Although I'm able to easily identify the events he wrote to the index by searching for sourcetype=stash, the fact that he can write to the index is a pretty big no-no for us.
One post (http://answers.splunk.com/answers/7565/summary-index-question) suggested using local.meta to limit reads/writes to the index; however, it doesn't appear to work.
Does anyone know how I can restrict a user's ability to write events to an index?
update: The user who brought this to my attention has the equivalent permissions to the default 'User' role.
update2: I'm running Splunk Enterprise 5.0.6
Do not give the [capability::indexes_edit] permission in authorize.conf
"indexes_edit" is for the ability to modify the properties of the index. It doesn't change the ability to write data to an index.
from the docs at http://docs.splunk.com/Documentation/Splunk/7.1.1/Security/Rolesandcapabilities
"indexes_edit Lets the user change any index settings such as file size and memory limits. "
Normally, that is my instinct as well, but I can tell you that only a few hours ago I saw a user account for a customer denied permission to use the collect command until after the customer reported giving the indexes_edit capability. After which time, the collect command worked perfectly. So I can report that after the customer reported giving that capability and doing nothing else, I saw the collect command become functional for the user. I will verify that I understood their report correctly, but I am 99% sure at this point.
There is currently an outstanding ER for it:
SPL-133287: ability to specify an index as read-only
I confirm: I tested, and the permissions change on [commands/pycollect]
or [commands/collect]
does not prevent a user from using the command.
Adding an option to Disable this command will be a new feature request.
There are two methods to write to a summary index:
a search with the "| collect" command
a scheduled search with the "summary" option
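The second write path mentioned above, summary indexing from a scheduled search, written out as the savedsearches.conf stanza that the "summary" option produces. This is an added example and not configuration from the thread; the search name, the target index "a", the schedule and the "report" marker field are placeholders chosen to mirror the collect command in the question.

```ini
# etc/apps/search/local/savedsearches.conf (added example; names are placeholders)
# A scheduled search owned by an ordinary user. Enabling summary indexing here
# writes its results into index=a as sourcetype=stash, just as "| collect" does,
# so a control that only covers the collect command leaves this path open.
[write_to_a_via_summary]
search = index=b whateverfilter=true | head 2
cron_schedule = */5 * * * *
enableSched = 1
# On-disk form of "Enable summary indexing" in the scheduled search editor
action.summary_index = 1
action.summary_index._name = a
# Extra field stamped on every summary event; same idea as marker="report=testing123"
action.summary_index.report = testing123
```

Whether a user can create such a search at all is governed by the schedule_search capability in authorize.conf, which the default User role has. srchIndexesAllowed only governs which indexes a role may search, which is why a read restriction in authorize.conf does not help here.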
'collect' is not listed as a search command in the search app. There's pycollect and pystash. I've made those read/write admin only and I'm still able to use the collect command as an under-privileged user.
In the UI go to Settings > Advanced search > Search commands
filter for the search app, and search for "collect"
then change permissions based on role.
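The UI steps above, as the change they write to disk in the search app's metadata. This is an added example, not configuration from the thread. Which command objects exist ([commands/collect], [commands/pycollect]) depends on the Splunk version; earlier in the thread both were tested and neither permission change stopped a non-admin user from running "| collect", so treat this as the thing to verify rather than a fix.

```ini
# etc/apps/search/metadata/local.meta (added example; the on-disk form of
# Settings > Advanced search > Search commands > permissions, restricted to admin)
# Reported earlier in the thread as NOT blocking "| collect" for a User-role
# account; shown here so the change can be reviewed and re-tested precisely.
[commands/collect]
access = read : [ admin ], write : [ admin ]
export = system

[commands/pycollect]
access = read : [ admin ], write : [ admin ]
export = system
```

To see where each command is actually defined before editing, `splunk cmd btool commands list --debug` prints every commands.conf stanza with the file it came from. Until a real write restriction exists, the writes can at least be found after the fact: search the target index for sourcetype=stash, as the question already does, or search index=_audit for action=search events whose search string contains "collect" to see which user ran it.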
I like your comment about disabling collect. How is this done?