
apply shcluster-bundle returning insufficient permission to access this resource

fabiocaldas
Contributor

Hi,

I'm trying to deploy new apps to the shcluster via my deployer, and when running the apply shcluster-bundle command I receive an error message.

/splunkdrive/splunk/bin/splunk apply shcluster-bundle --answer-yes -auth admin:{{ADMIN_PASSWORD}} -target https://{{SEARCH_HEAD_IP}}:8089

With return: insufficient permission to access this resource

I already tested an API call on the search head using the same auth, and it was OK both on the deployer and on the search head cluster member.

0 Karma
1 Solution

fabiocaldas
Contributor

We finally got the solution:

We had a custom authorize.conf under $SPLUNK_HOME/splunk/etc/system/local, and it was probably missing some capability.

When we removed this authorize.conf, the command worked fine.


goelli
Communicator

For those who come to this page looking for an answer on how to avoid giving a user the admin_all_objects capability, if you only want the user to do a "splunk apply shcluster-bundle"...

We opened a case for this (1165853) and there is a solution:
You can build a custom role for this.

Step 1: Define a new capability and assign it to a role - via authorize.conf

[capability::deployer_capability]
[role_deployer]
deployer_capability = enabled

Step 2: Assign the capability to the correct REST endpoint, which is used by this CLI command - via restmap.conf

[apps-deploy:apps-deploy]
capability.post=deployer_capability

This is working pretty well for us, and we can now have a technical user doing a "splunk apply shcluster-bundle" without having a technical user with admin privileges.
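Added example (not part of goelli's post and not Splunk's own tooling): a small Python check that reads the two files from Steps 1 and 2 and reports whether the role is scoped as described. The function names and the constructed sample input are assumptions of this example.

```python
import configparser

# Constructed sample input: the stanzas from the post above.
AUTHORIZE_CONF = """\
[capability::deployer_capability]
[role_deployer]
deployer_capability = enabled
"""
RESTMAP_CONF = """\
[apps-deploy:apps-deploy]
capability.post=deployer_capability
"""
ENDPOINT = "apps-deploy:apps-deploy"  # restmap.conf stanza named in the post

def _parse(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    return cp

def audit(authorize_text, restmap_text, role):
    """Return findings for `role`; an empty list means it matches the post's setup.

    Limitation: capabilities inherited through importRoles are not resolved.
    """
    auth, rest = _parse(authorize_text), _parse(restmap_text)
    findings = []
    declared = {s.split("::", 1)[1] for s in auth.sections()
                if s.startswith("capability::")}
    stanza = "role_" + role
    granted = set()
    if auth.has_section(stanza):
        granted = {k for k, v in auth.items(stanza) if v.strip().lower() == "enabled"}
    else:
        findings.append("missing stanza [%s]" % stanza)
    if "admin_all_objects" in granted:
        findings.append("role still holds admin_all_objects")
    required = rest.get(ENDPOINT, "capability.post", fallback=None)
    if not required:
        findings.append("[%s] has no capability.post setting" % ENDPOINT)
        return findings
    if required not in declared:
        findings.append("capability %s is not declared in authorize.conf" % required)
    if required not in granted:
        findings.append("role is not granted %s" % required)
    return findings

if __name__ == "__main__":
    print(audit(AUTHORIZE_CONF, RESTMAP_CONF, "deployer") or "no findings")
```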

manjunathmeti
Champion

Capability admin_all_objects is required for a user role to apply/deploy shcluster-bundle from deployer server.

0 Karma


manjunathmeti
Champion

By any chance did you find out capabilities needed to apply shcluster-bundle from deployer?

0 Karma

snaikwade_splun
Splunk Employee

First, I would suggest not using the -auth parameter. Run the command without -auth and see if you can make any changes.

Secondly, insufficient permissions mean that the -auth admin:{password} is incorrect. To resolve the error, change the admin password on the deployer and also on all the SHC members. Then you can try again.

0 Karma

fabiocaldas
Contributor

The problem isn't related to the use of -auth; we tried without it, but the error message persists.

0 Karma