So far I've tried the built-in roles User/Power/Admin, but only Administrator worked.
I was wondering if anybody knew the exact permissions required to insert data into a single app's KV Store via the REST API?
Thanks,
Ollie
I've gotten it working by giving the user I perform the read/writes with externally in Python write permission to the app the collection is defined/stored in within Splunk.
All that's required now is that the API user be a regular user, and given permissions to the collection.
1.) Set up user with normal permissions.
2.) Create the KV store.
3.) Edit default.meta in your metadata folder within your App manually. My example is of a KV Store "mykvstore" and the user as "myuser".
[collections/mykvstore]
access = read : [ * ], write : [ myuser ]
export = none
owner = myuser
Obviously step 3 can be completed via the GUI as well.
Both power and admin roles work for this purpose, however it is difficult to figure out the minimum capabilities necessary. It would be ideal if we did not need to grant the power role if possible.
Creating a role with the "admin_all_objects" capability does seem to work, but I am wondering if it is possible to reduce this even further.
admin_all_objects grants capability to "admin all objects" so it is not recommended, particularly if OP is asking for a way to grant minimum capabilities.
Does anyone have any idea if this is even on Splunk's roadmap?
Did you make sure the user account had app level write permissions to the app context where the collection is stored?
Yes, some time ago. See my comment below, I posted when I received a notification about an update to this.
I'd like to know the answer to this as well if you ever found out.
I have a python script which updates the KV stores via the REST interface and want to limit it to only be able to touch certain KV stores if possible.
Would these be enough?
And what is to stop this user from modifying something else apart from KV stores via the REST interface?
Edit: Those are not enough. I made sure kv_store user had a role with only those
When trying to clear the contents of the KV store via Python I get this error
Status Code 403
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">User 'test_importer' with roles { test_importer, kv_store_rest_interface_access } cannot write: /nobody/nvd_datafeeds/collections/cve_test {
read : [ * ], write : [ admin ] }, export: global, removable: no</msg>
</messages>
</response>
I also made sure that the role had permissions to write to this kv store. So not sure why the error says this
read : [ * ], write : [ admin ]
It should say this
read : [ * ], write : [ admin, kv_store_rest_interface_access ]
Checking my metadata/local.meta it contains
[transforms/cve_test]
access = read : [ * ], write : [ admin, kv_store_rest_interface_access ]
export = system
owner = nobody
version = 6.2.3
modtime = 1441344296.674109600
These capabilities for the role work
But obviously I don't want "admin_all_objects"
Giving ALL capabilities apart from "admin_all_objects" doesn't work either and gives the error.
Status Code 500
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">bad allocation</msg>
</messages>
</response>
@ppablo_splunk, hello sir. No clue where Ollie the op went but this is the correct answer IMHO.
Let's also give the OP a chance to see these notifications and provide follow up if possible. @ollie920049, please follow up with the questions you ask here on Answers. This topic has gotten a lot of attention, but would be good to know if any of the responses above solve your immediate issue.
@jkat54 If you can get other folks in the community to vouch for it too (sharing this through IRC/Slack), then we can move forward with converting and accepting it if we don't hear back from the op.
@phoenixdigital proved the permissions needed, and I agree with his solution. @ollie920049 was last seen May 7th this year so maybe he/she will come back, but the answer is correct regardless. You need admin_all_objects to write to kv store, and the other rest permissions to read/write to rest.
admin_all_objects is also required to use a secured SMTP relay for sending dashboard PDFs. I agree this grants way too much access and I've opened enhancement request #352759 to address it.
Also FWIW I can read the contents of the KV store via the REST interface.
I just can't write or delete from it.... unless I give admin permissions.
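Added example, not code from any poster in this thread: a Python check that reads .meta text and reports which stanza supplies the write ACL for a KV store collection. The 403 quoted above names the object collections/cve_test, while the posted local.meta stanza is [transforms/cve_test]; the sample is constructed from those stanzas. The function names are hypothetical, and the fallback order (object, then type, then the app-wide [] stanza) is an assumed, simplified model of metadata inheritance that reads a single file.

```python
import re

# Constructed sample, modeled on the stanzas quoted in this thread.
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]

[transforms/cve_test]
access = read : [ * ], write : [ admin, kv_store_rest_interface_access ]
export = system
owner = nobody
"""

ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")

def parse_meta(text):
    """Map stanza name -> {"read": [...], "write": [...]} from its access line."""
    acls, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key, _, value = line.partition("=")
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
        elif stanza is not None and key.strip() == "access":
            acls[stanza] = {
                kind: [r.strip() for r in roles.split(",") if r.strip()]
                for kind, roles in ACCESS_RE.findall(value)
            }
    return acls

def effective_write(acls, obj_type, name):
    """Assumed order: type/name stanza, then type stanza, then app-wide []."""
    for stanza in (f"{obj_type}/{name}", obj_type, ""):
        if "write" in acls.get(stanza, {}):
            return stanza, acls[stanza]["write"]
    return None, []

def audit_collection(text, name, role):
    """Say whether `role` may write collection `name` and which stanza decided it."""
    acls = parse_meta(text)
    source, writers = effective_write(acls, "collections", name)
    allowed = role in writers or "*" in writers
    # A grant on transforms/<name> (the lookup definition) is a separate object.
    on_transform = role in acls.get(f"transforms/{name}", {}).get("write", [])
    return {"source": source, "writers": writers, "allowed": allowed,
            "granted_on_transform_only": on_transform and not allowed}
```

Running `audit_collection(SAMPLE_META, "cve_test", "kv_store_rest_interface_access")` reports the role as not allowed, with the write list coming from the app-wide stanza and the grant present only on the transforms stanza.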