Security

What are the capabilities required for a role/user to apply shcluster-bundle from deployer server?

manjunathmeti
SplunkTrust

We need to create a role on the deployer server to create the users, since admin access is blocked. What capabilities are required for a role to apply shcluster-bundle from the deployer server using the command below?

/splunkdrive/splunk/bin/splunk apply shcluster-bundle --answer-yes -auth <user>:<user_pwd> -target https://<SEARCH_HEAD_IP>:8089
0 Karma
1 Solution

manjunathmeti
SplunkTrust

I've added all the capabilities to the user except admin_all_objects, and the error below was returned:
insufficient permission to access this resource

Looks like admin_all_objects is required for applying shcluster-bundle from deployer server.


0 Karma

goelli
Communicator

We opened a case for this (1165853) and there is a solution:
You can build a custom role to not need a user to have admin_all_objects capability.

Step 1: Define a new capability and assign it to a role - via authorize.conf

[capability::deployer_capability]
[role_deployer]
deployer_capability = enabled

Step 2: Assign the capability to the correct REST endpoint, which is used by this CLI command - via restmap.conf

[apps-deploy:apps-deploy]
capability.post=deployer_capability

This is working pretty fine for us and we can now have a technical user doing a "splunk apply shcluster-bundle" without having a technical user with admin privileges.

0 Karma
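
An added example (not from the original posts and not Splunk's own tooling): a Python check that reads authorize.conf and restmap.conf text and confirms a role holds the capability mapped to the apps-deploy endpoint without effectively holding admin_all_objects, including through importRoles inheritance. The role_ops and role_legacy_deployer stanzas and the function names are hypothetical, and the sample files are constructed.

```python
import configparser

# Constructed sample: the post's stanzas plus hypothetical roles for contrast.
AUTHORIZE_CONF = """
[capability::deployer_capability]
[role_deployer]
deployer_capability = enabled
[role_ops]
admin_all_objects = enabled
[role_legacy_deployer]
importRoles = ops
deployer_capability = enabled
"""
RESTMAP_CONF = """
[apps-deploy:apps-deploy]
capability.post=deployer_capability
"""

def parse_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. importRoles
    cp.read_string(text)
    return cp

def effective_caps(auth, role, seen=None):
    """Capabilities a role holds, including those inherited via importRoles."""
    seen = set() if seen is None else seen
    stanza = f"role_{role}"
    if role in seen or not auth.has_section(stanza):
        return set()
    seen.add(role)  # guards against import cycles
    caps = {k for k, v in auth.items(stanza) if v.strip().lower() == "enabled"}
    parents = auth.get(stanza, "importRoles", fallback="").split(";")
    for parent in filter(None, map(str.strip, parents)):
        caps |= effective_caps(auth, parent, seen)
    return caps

def audit_role(auth, restmap, role, endpoint="apps-deploy:apps-deploy"):
    """Return findings; an empty list means the role is scoped as intended."""
    required = restmap.get(endpoint, "capability.post", fallback=None)
    caps = effective_caps(auth, role)
    findings = []
    if required is None:
        findings.append("endpoint has no capability.post override")
    elif required not in caps:
        findings.append(f"role lacks {required}")
    if "admin_all_objects" in caps:
        findings.append("role effectively holds admin_all_objects")
    return findings
```

The hypothetical role_legacy_deployer passes the capability check but is flagged because it inherits admin_all_objects from an imported role, which is the case a per-stanza review misses.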


inventsekar
Ultra Champion

maybe, check these..
http://docs.splunk.com/Documentation/Splunk/6.1.7/Admin/authorizeconf

    [capability::edit_deployment_client]
            * Self explanatory. The deployment client admin endpoint requires this cap for edit.

    [capability::list_deployment_client]
            * Self explanatory.

    [capability::edit_deployment_server]
            * Self explanatory. The deployment server admin endpoint requires this cap for edit.

    [capability::list_deployment_server]
            * Self explanatory.
0 Karma

manjunathmeti
SplunkTrust

I added these capabilities and checked, but it's not working. I get the error below:
insufficient permission to access this resource

I've also added all the capabilities to the user except admin_all_objects, and I'm still getting the same error. Looks like admin_all_objects is required for applying shcluster-bundle from the deployer server. But providing admin_all_objects to a user is like making that user an admin.

0 Karma