Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Scripted Authentication and Scheduled Searches

MatMeredith
Path Finder
‎05-01-2013 01:45 AM

I think I've hit a Splunk "bug", and I wonder if anyone knows of any way to work around it?

I'm using Splunk's scripted authentication. Specifically I have a python script that

  • authenticates users
  • provides per user search filters.

This works fine up to a point. My users can log in to Splunk and run searches and they only see results that are compliant with their per user search filter.

The problem is that such a user can then schedule PDF generation of a view and when the PDF is later scheduled...

  • the authentication script does not get invoked (to check that the user still has permission to access the system)
  • (worse) the authentication script does not get invoked to provide the per user search filter, and so the search to generate the PDF is executed with no search filter, with the result that the user gets e-mailed a report containing all the data on the system, rather than just the subset they are permitted to see.
Reply

yoho
Contributor
‎05-08-2013 01:22 AM

I believe part of the answer is in the link below. I'll have to make some tests.

http://splunk-base.splunk.com/answers/1438/how-to-specify-an-owner-for-pre-canned-saved-searches-for...

0 Karma
Reply

MatMeredith
Path Finder
‎05-08-2013 12:55 AM

An update on this -- it turns out the problem is far worse than I thought as it applies to locally configured Splunk users too.

  • Configure a user on Splunk with a role that has restricted search terms. In our case a filter that restricts them to only seeing their company’s data.
  • User logs in and views dashboard. Can only see their data. Great.
  • User schedules PDF generation for dashboard using Splunk’s built in PDF reporting. At the appropriate time a PDF is generated and e-mailed to the user.
  • When the PDF is generated the user’s search restrictions are not applied. The user gets e-mailed a report containing data from all companies.
0 Karma
Reply

yoho
Contributor
‎05-07-2013 02:15 PM

According to your title, users are scheduling the search. I also have the impression it's not possible to make "scheduled" search run as another user than "system" which basically has all permissions.

I've posted a somewhat related comment about savedsearches.conf - see http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Savedsearchesconf. I've received an answer but must admit it was not entirely satisfying and I didn't follow it up very closely. I should probably raise this issue with support.

0 Karma
Reply

MatMeredith
Path Finder
‎05-07-2013 01:51 AM

Hi. Any news on this? Were you able to raise this? Thanks!

0 Karma
Reply

MatMeredith
Path Finder
‎05-01-2013 09:10 AM

I'm using native PDF support in 5.0.2, build 149561. Thanks!

0 Karma
Reply

LukeMurphey
Champion
‎05-01-2013 08:13 AM

A couple of questions:

What version of Splunk are you using?
How are you generating PDFs (through the native PDF support in 5.0+ or with the old PDF Report Server)?

Let me know, I would like to get this reported immediately. Based on your answers, I might make a minimal repro so that this can get escalated quickly.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...