Security

What capabilities are needed for a non-admin user to update Server Classes and Clients in Settings -> Forwarder Management

wrangler2x
Motivator

We've got a special role for non-admin security team members and I'd like some of them to be able to use Forwarder Management (in the Settings menu) to add new clients to a Server Class. I can't figure out what the required Capabilities are that need to be added to their role.

0 Karma

srauhala_splunk
Splunk Employee

Creating a specific role to manage deployment server serverclasses: I experienced the same issue with

User 'ds_user' with roles { ds_role, ds_user, user } cannot write: /nobody/system/serverclass/serverClass:My_server_class:app:my_app/restartSplunkWeb { read : [ * ], write : [ admin ] }, removable: no

The ds_role has the capabilities:
edit_deployment_client,
edit_deployment_server,
list_deployment_client
list_deployment_server

To be able to add an app to a serverclass, the only option was to give the capability admin_all_objects, which effectively would make ds_role users admins.

To avoid this, our workaround was to edit /opt/splunk/etc/system/metadata/local.meta to grant write privilege for ds_role to serverclass objects:

#On Deployment Server
#/opt/splunk/etc/system/metadata/local.meta
[serverclass]
access = write : [ admin, ds_role ]
export = system

0 Karma
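As an added check (example code, not from any poster and not Splunk's own code): before touching local.meta it is worth confirming, from the exact error line, which object type is denied and whether the proposed stanza grants write to just the one role rather than falling back to admin_all_objects. The snippet below parses the "cannot write" error quoted above and the proposed [serverclass] stanza; it assumes the object path has the form /owner/app/type/object and that the type-level stanza applies to every serverclass object, which is what the workaround relies on.

```python
import re
# Constructed sample: the "cannot write" error quoted in the post above.
ERROR_LINE = (
    "User 'ds_user' with roles { ds_role, ds_user, user } cannot write: "
    "/nobody/system/serverclass/serverClass:My_server_class:app:my_app/restartSplunkWeb "
    "{ read : [ * ], write : [ admin ] }, removable: no"
)
# Constructed sample: the local.meta stanza proposed as the workaround.
LOCAL_META = "[serverclass]\naccess = write : [ admin, ds_role ]\nexport = system\n"
ERR_RE = re.compile(r"with roles \{(?P<roles>[^}]*)\} cannot write: "
                    r"(?P<path>\S+) \{(?P<acl>[^}]*)\}")
def parse_acl(text):
    """'read : [ * ], write : [ admin ]' -> {'read': ['*'], 'write': ['admin']}"""
    return {m.group(1): [r.strip() for r in m.group(2).split(",") if r.strip()]
            for m in re.finditer(r"(\w+)\s*:\s*\[([^\]]*)\]", text)}

def parse_error(line):
    """Roles, object path and effective ACL from a Splunk 'cannot write' error."""
    m = ERR_RE.search(line)
    if not m:
        raise ValueError("not a Splunk 'cannot write' error line")
    roles = [r.strip() for r in m.group("roles").split(",") if r.strip()]
    return {"roles": roles, "path": m.group("path"), "acl": parse_acl(m.group("acl"))}

def parse_meta(text):
    """Minimal .meta parser -> {stanza: {key: value}}; comments and blanks ignored."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def can_write(acl, roles):
    writers = acl.get("write", [])
    return "*" in writers or any(r in writers for r in roles)

def grants_write(meta_text, error_line):
    """Would the type-level stanza in meta_text let the denied roles write the object?"""
    err = parse_error(error_line)
    # Assumption: object path is /owner/app/type/object, so index 2 is the type.
    obj_type = err["path"].strip("/").split("/")[2]
    stanza = parse_meta(meta_text).get(obj_type, {})
    return can_write(parse_acl(stanza.get("access", "")), err["roles"])
```

Run it against a real local.meta and a real error line to confirm the grant lands on the intended object type and role only.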

Rob2520
Communicator

I personally never gave that capability to anyone. But you could try the edit_deployment_client, edit_deployment_server, and list_deployment_server capabilities.

0 Karma

wrangler2x
Motivator

I downvoted this post because it is not working fully as it should.

0 Karma

wrangler2x
Motivator

With the three I mentioned above, he was able to add systems to the whitelist of clients in a Server Class, and he was able to create a new Server Class. However, he was not able to add an application to the new Server Class. I added back in the edit_deployment_client but this made no difference. It throws the following error when you try to save after editing settings and a similar one when trying to add an app:

User 'cinders' with roles { cinders, user, user_oit_security } cannot write: /nobody/system/serverclass/serverClass:OIT_SC_winevent_index_ADFS:app:OIT_DA_winevent_index_ADFS/restartSplunkWeb { read : [ * ], write : [ admin ] }, removable: no

0 Karma

kscher
Path Finder

I have the same issue. It looks like the "edit_deployment_server" capability should confer this permission, but it doesn't. It looks like this could be worked around by editing some metadata (which one, I wonder, $SPLUNK_HOME/etc/system/metadata/local.meta?) and adding the proper role at some level. But I don't want to mess with that. I want the capability to work the way you'd expect.

0 Karma

wrangler2x
Motivator

In order to edit the Server Classes you need to have edit_deployment_server turned on. This allows creating/editing Server Classes, adding an app to the Server Class, and editing the client list. I did not have to enable edit_deployment_client for these functions, which is what I want this person to be able to do, so I have left that off. I also enabled list_deployment_client and list_deployment_server.

0 Karma