Security

Scripted Authentication and Scheduled Searches

MatMeredith
Path Finder

I think I've hit a Splunk "bug", and I wonder if anyone knows of any way to work around it?

I'm using Splunk's scripted authentication. Specifically I have a Python script that

  • authenticates users
  • provides per-user search filters.

This works fine up to a point. My users can log in to Splunk and run searches and they only see results that are compliant with their per-user search filter.

The problem is that such a user can then schedule PDF generation of a view and when the PDF is later scheduled...

  • the authentication script does not get invoked (to check that the user still has permission to access the system)
  • (worse) the authentication script does not get invoked to provide the per-user search filter, and so the search to generate the PDF is executed with no search filter, with the result that the user gets e-mailed a report containing all the data on the system, rather than just the subset they are permitted to see.

yoho
Contributor

I believe part of the answer is in the link below. I'll have to make some tests.

http://splunk-base.splunk.com/answers/1438/how-to-specify-an-owner-for-pre-canned-saved-searches-for...

0 Karma

MatMeredith
Path Finder

An update on this -- it turns out the problem is far worse than I thought as it applies to locally configured Splunk users too.

  • Configure a user on Splunk with a role that has restricted search terms. In our case a filter that restricts them to only seeing their company’s data.
  • User logs in and views dashboard. Can only see their data. Great.
  • User schedules PDF generation for dashboard using Splunk’s built-in PDF reporting. At the appropriate time a PDF is generated and e-mailed to the user.
  • When the PDF is generated the user’s search restrictions are not applied. The user gets e-mailed a report containing data from all companies.
0 Karma
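
One way to inventory which scheduled searches are exposed to the behaviour reported above, as an added example that is not code from any poster or from Splunk: it flags scheduled saved searches whose owner holds a role with a `srchFilter`. The file contents, search names, role names and the user-to-role map are constructed assumptions, and filters inherited through `importRoles` are not followed.

```python
import configparser
from urllib.parse import unquote

# Constructed sample file contents (authorize.conf, savedsearches.conf, local.meta).
AUTHORIZE = """\
[role_acme_only]
srchFilter = company=acme
[role_admin]
"""
SAVEDSEARCHES = """\
[Weekly company report]
enableSched = 1
[Ad hoc lookup]
enableSched = 0
[Ops health]
enableSched = 1
"""
LOCAL_META = """\
[savedsearches/Weekly%20company%20report]
owner = alice
[savedsearches/Ad%20hoc%20lookup]
owner = alice
[savedsearches/Ops%20health]
owner = bob
"""
USER_ROLES = {"alice": ["user", "acme_only"], "bob": ["admin"]}  # assumed mapping

def parse_conf(text):
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. srchFilter
    cp.read_string(text)
    return cp

def audit(authorize, saved, meta, user_roles):
    # Returns (search, owner, filtered_roles) for each scheduled search to review.
    roles = parse_conf(authorize)
    filtered = {s[len("role_"):] for s in roles.sections()
                if s.startswith("role_") and roles[s].get("srchFilter", "").strip()}
    m = parse_conf(meta)
    owners = {unquote(s.split("/", 1)[1]): m[s].get("owner", "")
              for s in m.sections() if s.startswith("savedsearches/")}
    ss = parse_conf(saved)
    findings = []
    for name in ss.sections():
        owner = owners.get(name, "")
        hit = sorted(r for r in user_roles.get(owner, []) if r in filtered)
        if hit and ss[name].get("enableSched", "0").strip().lower() in ("1", "true"):
            findings.append((name, owner, hit))
    return findings
```

Each finding is a scheduled search whose emailed output should be compared against what the owner sees interactively.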

yoho
Contributor

According to your title, users are scheduling the search. I also have the impression it's not possible to make a "scheduled" search run as a user other than "system", which basically has all permissions.

I've posted a somewhat related comment about savedsearches.conf - see http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Savedsearchesconf. I've received an answer but must admit it was not entirely satisfying and I didn't follow it up very closely. I should probably raise this issue with support.

0 Karma

MatMeredith
Path Finder

Hi. Any news on this? Were you able to raise this? Thanks!

0 Karma

MatMeredith
Path Finder

I'm using native PDF support in 5.0.2, build 149561. Thanks!

0 Karma

LukeMurphey
Champion

A couple of questions:

What version of Splunk are you using?
How are you generating PDFs (through the native PDF support in 5.0+ or with the old PDF Report Server)?

Let me know, I would like to get this reported immediately. Based on your answers, I might make a minimal repro so that this can get escalated quickly.

0 Karma