Security

Why is Splunk Web limited to 50 users when using Scripted Authentication Input for RSA & TFTI?

hartfoml
Motivator

I am using TFTI agent with a splunk script to get user authentication. I use the "usermapping.py" file to map the user requesting access through the TFTI client to the role the user is assigned to have. I am using the "passwd" file to map the user to the display name. I have changed the pamscripted.py file to look for the passwd file in ~/etc/system/local and to get the user info like this.

def getUsers( infoIn ):
    # just going to use /etc/passwd here but you may use any method you wish.
    FILE = open("/opt/splunk/etc/system/local/passwd" ,"r")
    fileLines = FILE.readlines()

All is working fine and only authenticated users that are in the usermapping.py file are granted access and are restricted to their role.

Here is my problem. Only the first 50 users show up in the Splunk Web as scripted users and only the first 50 users can see their saved reports/alerts/dashboards.

The users can save the work and call it with the link but they cannot select it or see it in the Splunk Web.

Any help would be great

We started using scripted authentication in 4.1 and are now at 6.5
I don't know when this limitation was introduced.

Any ideas or help would be greatly appreciated.

damien_chillet
Builder

Users' private knowledge objects should be stored under the /opt/splunk/etc/users/ directory.
If Splunk Web does not seem to be able to list some users and their knowledge objects, it could indicate an issue at this level?
Are you able to check if that directory exists on the filesystem for one of the users that is subject to the problem?

Taking a saved search for example (still for one user with the problem), can you find in which configuration file it is residing using btool:

/opt/splunk/bin/splunk btool savedsearches list "<savedsearch>" --debug

Another idea could be to run the following SPL rest:

| rest /services/authentication/users

Eventually you could get an error message that could help find the issue.

Finally I would suggest searching _internal logs for errors. Users and saved searches panels are populated using rest api calls, so you may see errors in there that could help too.

A last one, if possible: temporarily remove one of the first 50 users and see if user 51 (now 50) behaves properly.

0 Karma
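The first check suggested above (does /opt/splunk/etc/users/<user> exist for an affected user?), as an added Python example that is not part of the thread or of Splunk's sample scripts. It assumes the custom passwd file uses /etc/passwd-style colon-separated lines with the username first; the function names and the default boundary of 50 are illustrative.

```python
import os
import sys

def read_passwd_users(passwd_path):
    """Return usernames in file order (assumed /etc/passwd-style 'name:...' lines)."""
    users = []
    with open(passwd_path, "r") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue  # skip blanks and comments
            users.append(line.split(":", 1)[0])
    return users

def audit_user_dirs(passwd_path, users_dir, boundary=50):
    """Record each user's 1-based position, whether it lies past the boundary
    observed in Splunk Web, and whether <users_dir>/<name> exists on disk."""
    report = []
    for pos, name in enumerate(read_passwd_users(passwd_path), start=1):
        report.append({
            "position": pos,
            "user": name,
            "past_boundary": pos > boundary,
            "has_user_dir": os.path.isdir(os.path.join(users_dir, name)),
        })
    return report

def summarize(report):
    """Group users by directory presence on either side of the boundary."""
    after = [r for r in report if r["past_boundary"]]
    before = [r for r in report if not r["past_boundary"]]
    return {
        "total": len(report),
        "missing_before": [r["user"] for r in before if not r["has_user_dir"]],
        "missing_after": [r["user"] for r in after if not r["has_user_dir"]],
        "present_after": [r["user"] for r in after if r["has_user_dir"]],
    }

if __name__ == "__main__":
    # Defaults are the paths named in the thread; override on the command line.
    passwd = sys.argv[1] if len(sys.argv) > 1 else "/opt/splunk/etc/system/local/passwd"
    users_dir = sys.argv[2] if len(sys.argv) > 2 else "/opt/splunk/etc/users"
    result = summarize(audit_user_dirs(passwd, users_dir))
    print("users in passwd file:", result["total"])
    print("past boundary, directory present:", result["present_after"])
    print("past boundary, directory missing:", result["missing_after"])
    print("within boundary, directory missing:", result["missing_before"])
```

Users past position 50 that do have a directory have their private objects on disk, which points at listing rather than storage. A user who has never saved anything private may have no directory at all, so a missing directory alone is not conclusive.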

ggssa2000
Explorer

According to your situation, I guess it is the user limit in Splunk Web?
I have searched the splunk doc to find some instructions about the user's number setting.

  1. [limits.conf], [typeahead] max_concurrent_per_user =
  2. The maximum number of concurrent typeahead searches per user. Once this maximum is reached only cached typeahead results might be available
  3. Default: 3
  4. There is no user's number limit issue in Splunk I guess. Maybe you can check the capability between the TFTI and Splunk 6.5 service

Hope well.

https://docs.splunk.com/Documentation/Splunk/6.6.0/Admin/Limitsconf
