Security
Highlighted

What is the minimum permissions I can give a user to input data into the KV Store via REST API?

Path Finder

So far I've tried the built in roles User/Power/Admin, but only Administrator worked.

I was wondering if anybody new the exact permission's required to insert data into a single app's KV Store via the REST API?

Thanks,
Ollie

Highlighted

Re: What is the minimum permissions I can give a user to input data into the KV Store via REST API?

I'd like to know the answer to this as well if you ever found out.

I have a python script which updates the KV stores via the REST interface and want to limit it to only be able to touch certain KV stores if possible.

Would these be enough?

  • restpropertiesget
  • restpropertiesset

and what is to stop this user from modifying something else apart from KV stores via the REST interface?

Edit: Those are not enough. I made sure kv_store user had a role with only those

When trying to clear the contents of the KV store via Python I get this error

Status Code 403
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">User 'test_importer' with roles { test_importer, kv_store_rest_interface_access } cannot write: /nobody/nvd_datafeeds/collections/cve_test {
 read : [ * ], write : [ admin ] }, export: global, removable: no</msg>
  </messages>
</response>

I also made sure that the role had permissions to write to this kv store. So not sure why the error says this

read : [ * ], write : [ admin ]

It should say this

read : [ * ], write : [ admin, kv_store_rest_interface_access ]

Checking my metadata/local.meta it contains

[transforms/cve_test]
access = read : [ * ], write : [ admin, kv_store_rest_interface_access ]
export = system
owner = nobody
version = 6.2.3
modtime = 1441344296.674109600
0 Karma
Highlighted

Re: What is the minimum permissions I can give a user to input data into the KV Store via REST API?

Also FWIW I can read the contents of the KV store via the REST interface.

I just can't write or delete from it.... unless I give admin permissions.

0 Karma
Highlighted

Re: What is the minimum permissions I can give a user to input data into the KV Store via REST API?

These capabilities for the role work

  • adminallobjects
  • restpropertiesget
  • restpropertiesset

But obviously I don't want "adminallobjects"

Giving ALL capabilities apart from "adminallobjects" doesn't work either and gives the error.

Status Code 500
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">bad allocation</msg>
  </messages>
</response>
0 Karma
Highlighted

Re: What is the minimum permissions I can give a user to input data into the KV Store via REST API?

Contributor

adminallobjects is also required to use a secured SMTP relay for sending dashboard PDF's. I agree this grants way too much access and I've opened enhancement request #352759 to address it.

0 Karma
Highlighted

Re: What is the minimum permissions I can give a user to input data into the KV Store via REST API?

SplunkTrust
SplunkTrust

@ppablo_splunk, hello sir. No clue where Ollie the op went but this is the correct answer IMHO.

0 Karma
Highlighted

Re: What is the minimum permissions I can give a user to input data into the KV Store via REST API?

Community Manager
Community Manager

Let's also give the OP a chance to see these notifications and provide follow up if possible. @ollie920049, please follow up with the questions you ask here on Answers. This topic has gotten a lot of attention, but would be good to know if any of the responses above solve your immediate issue.

@jkat54 If you can get other folks in the community to vouch for it too (sharing this through IRC/Slack), then we can move forward with converting and accepting it if we don't hear back from the op.

0 Karma
Highlighted

Re: What is the minimum permissions I can give a user to input data into the KV Store via REST API?

SplunkTrust
SplunkTrust

@phoenixdigital proved the permissions needed, and I agree with his solution. @ollie920049 was last seen May 7th this year so maybe he/she will come back, but the answer is correct regardless. You need adminallobjects to write to kv store, and the other rest permissions to read/write to rest.

0 Karma
Highlighted

Re: What is the minimum permissions I can give a user to input data into the KV Store via REST API?

Path Finder

Does anyone have any idea if this is even on Splunk's roadmap?

0 Karma
Highlighted

Re: What is the minimum permissions I can give a user to input data into the KV Store via REST API?

SplunkTrust
SplunkTrust

Did you make sure the user account had app level write permissions to the app context where the collection is stored?

0 Karma