Security
Highlighted

importRoles doesn't inherit srchDiskQuota and srchJobsQuota.

Champion

I configured a new role to inherit new default settings but the srchDiskQuota and srchJobsQuota is not being honored by the new role. Anyone else seen this issue?

Basically:

[role_base]
srchDiskQuota = 1000
srchJobsQuota = 5

[role_new]
importRoles = base

Result:

[role_new]
srchDiskQuota = 100
srchJobsQuota = 3

(these are the defaults that ship with Splunk)

SPL-136568

0 Karma
Highlighted

Re: importRoles doesn't inherit srchDiskQuota and srchJobsQuota.

Legend

This is how it is supposed to work.

The documentation says that role inheritance applies to capabilities and indexes. The other settings are not inherited.
That would be my experience as well.

0 Karma
Highlighted

Re: importRoles doesn't inherit srchDiskQuota and srchJobsQuota.

Champion

Can you point to the section of documentation that indicates only capabilities and indexes are inherited? I didn't interpret the spec file in that way.

importRoles =
* Semicolon delimited list of other roles and their associated capabilities that should be imported.
* Importing other roles also imports the other aspects of that role, such as allowed indexes to search.
* By default a role imports no other roles.

0 Karma
Highlighted

Re: importRoles doesn't inherit srchDiskQuota and srchJobsQuota.

Path Finder

This bit me recently as well; the documentation piece that implies all parts of a role should be imported is Importing other roles also imports the other aspects of that role, such as allowed indexes to search.

I can't think why it actually works like it does. I create a templated role and use that as my import for other roles and then I have to go to those other roles anyway and fill in all the stuff that wasn't part of the import with the same exact values.

0 Karma
Highlighted

Re: importRoles doesn't inherit srchDiskQuota and srchJobsQuota.

Path Finder

Crazy. I'd like to highlight another spot in official documentation confirming that roles' settings are imported:

(v 7.1.2)
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf

srchTimeWin =
* Maximum time span of a search, in seconds.
* This time window limit is applied backwards from the latest time
specified in a search.
* By default, searches are not limited to any specific time window.
* To override any search time windows from imported roles, set this to '0'
(infinite), as the 'admin' role does.
* -1 is a special value that implies no search window has been set for
this role
* This is equivalent to not setting srchTimeWin at all, which means it
can be easily overridden by an imported role

Also, in my Splunk, "User-level concurrent search jobs limit" is successfully inherited from parent role, tested.

Highlighted

Re: importRoles doesn't inherit srchDiskQuota and srchJobsQuota.

Champion

Interesting. I wonder if this is then a bug in a previous version that they didn't want to acknowledge as a bug but secretly fixed. It has happened.

0 Karma