Security

Why is Splunk Web limited to 50 users when using Scripted Authentication Input for RSA & TFTI?

hartfoml
Motivator

I am using TFTI agent with a splunk script to get user authentication. I use the "usermapping.py" file to map the user requesting access through the TFTI client to the role the user is assigned to have. I am using the "passwd" file to map the user to the display name. I have changed the pamscripted.py file to look for the passwd file in ~/etc/system/local and to get the user info like this.

def getUsers( infoIn 😞
# just going to use /etc/passwd here but you may use any method you wish.
FILE = open("/opt/splunk/etc/system/local/passwd" ,"r")
fileLines = FILE.readlines()

All is working fine and only authenticated users that are in the usermapping.py file are granted access and are restricted to there role.

Here is my problem. Only the first 50 users show up in the Splunk Web as scripted users and only the first 50 users can see their saved reports/alerts/dashboards.

The users can save the work and call it with the link but they can not select it or see it in the Splunk Web.

Any help would be great

We started using scripted authentication in 4.1 and are now at 6.5
I don't know when this limitation was introduced.

Any ideas help would be greatly appreciated.

damien_chillet
Builder

Users private knowledge objects should be stored under /opt/splunk/etc/users/ directory.
If Splunk Web does not seem to be able to list some users and their knowledge objects, it could indicate an issue at this level?
Are you able to check if that directory exists on the filesystem for one of the user that is subject to the problem?

Taking a saved search for example (still for one user with the problem), can you find in which configuration file it is residing using btool:

/opt/splunk/bin ./splunk btool --debug savedsearches list "<savedsearch>"

Another idea could be to run a the following SPL rest:

| rest /services/authentication/users

Eventually you could get an error message that could help find the issue.

Finally I would suggest searching _internal logs for errors. Users and saved searches panels are populated using rest api calls, so you may see errors in there that could help too.

A last one, if possible: temporarily remove one of the 50 first users and see if user 51 (now 50) behaves properly.

0 Karma

ggssa2000
Explorer

According your situation, I guess is the user-limit in splunk web ?
I have searched the splunk doc to find some instructions about the user's number setting.

  1. [limit.comf], [typeahead] max_concurrent_per_user =
  2. The maximum number of concurrent typeahead searches per user. Once this maximum is reached only cached typeahead results might be available
  3. Default: 3
  4. There is no user's number limit issue in splunk I guess. Maybe you can check the capability betweeen the TFTI and splunk 6.5 service

Hope well.

https://docs.splunk.com/Documentation/Splunk/6.6.0/Admin/Limitsconf

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!