I think I've hit a Splunk "bug", and I wonder if anyone knows of any way to work around it?
I'm using Splunk's scripted authentication. Specifically I have a python script that
This works fine up to a point. My users can log in to Splunk and run searches and they only see results that are compliant with their per user search filter.
The problem is that such a user can then schedule PDF generation of a view and when the PDF is later scheduled...
An update on this -- it turns out the problem is far worse than I thought as it applies to locally configured Splunk users too.
According to your title, users are scheduling the search. I also have the impression it's not possible to make "scheduled" search run as another user than "system" which basically has all permissions.
I've posted a somewhat related comment about savedsearches.conf - see http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Savedsearchesconf. I've received an answer but must admit it was not entirely satisfying and I didn't follow it up very closely. I should probably raise this issue with support.
A couple of questions:
What version of Splunk are you using?
How are you generating PDFs (through the native PDF support in 5.0+ or with the old PDF Report Server)?
Let me know, I would like to get this reported immediately. Based on your answers, I might make a minimal repro so that this can get escalated quickly.