Security

splunk add user non-interactive without logging in on command line

tzhmaba2
Path Finder

Hi,

I am writing some scripts to manage the users on our Splunk environment. The scripts should be invoked in non-interactive mode from within another tool used for managing users in our company.

The problem is that "splunk add user" or "splunk edit user" on command line require logging in with an existing user with admin privileges. They ask about username/password.

I know I could write something in "expect" or modify the splunk passwd file all by myself with the script but that's somehow too much overhead in my opinion.

Is there a way to make it non-interactive or to save the credentials in some file or to allow "splunk..." commands without password from the command line of the same server??

Regards, Bartosz

john_w_shields
New Member

Thanks for the tips. I played around with passing variables to Splunk CLI using the examples you had in this post and was able to change passwords w/o exposing the password on the screen or storing the password in a file.

    #!/bin/bash

    read -rsp "Enter Current Password: " currPass
    echo
    read -rsp "Enter New Password: " newPass
    echo

    # Quote the variables so passwords containing spaces or glob characters are passed intact
    /opt/splunk/bin/splunk edit user john -password "$newPass" -auth "john:$currPass"

0 Karma

devs
Engager

I had this problem whilst using puppet to provision my servers. I found that Example42's puppet module for Splunk solved it for me.

0 Karma

tzhmaba2
Path Finder

Has anyone any idea what I am missing? What does the "splunk" command do that my scripts don't? Or should I slowly start looking at the API? 😉

Thanks in advance for any clues.

Bartosz

0 Karma

tzhmaba2
Path Finder

Hi again,

I've got another problem now. My script is getting the password as an MD5 hash on input. As far as I understand the "splunk add user -password" expects cleartext password. So I am creating the user with any password first and then I am editing the /opt/splunk/etc/passwd with a PERL script to put the MD5 hash in. But I have discovered that as soon as you edit the "passwd" file by other means than the splunk command you cannot log in (via "splunk login" or via web interface). It just says incorrect username. As if the "splunk" command did some hidden stuff which my PERL does not.

0 Karma

araitz
Splunk Employee

I would recommend using a scripted input and the Splunk REST API. Scripted inputs, configured via inputs.conf, can be passed a valid authentication token via STDIN if the passAuth= option is included. This auth token can be used to authenticate to the REST API and perform tasks such as adding or editing users.

0 Karma

tzhmaba2
Path Finder

Sounds like magic to me at the moment. 😄 I would probably have to spend a week to learn the API first and stuff about some auth tokens to do a trivial task. The "cat file" solution is fine for me ATM. Thanks anyway. Will probably have to struggle with API anyway later...

0 Karma

freeti00
Explorer

I would have preferred not to use the alias approach, since I'd have to monkey with root bashrc stuff on a box that I don't directly have Linux ownership of. But I could not get embedding 'cli:$(cat /root/.splunk-cli-credentials)' in the cron.monthly script to work. Some special alias magic that my bash skills are not up to figuring out.

0 Karma

freeti00
Explorer

I used shopt -s expand_aliases in the script and it's working now.

0 Karma

ziegfried
Influencer

This is how I managed to get a non-interactive way to work with splunk with the root user:

I've added a new user to Splunk called cli with a long random password.

Then I created a file /root/.splunk-cli-credentials with the password as content

echo "mySecretPassword" > /root/.splunk-cli-credentials
chmod 600 /root/.splunk-cli-credentials

and added the following entry to my /root/.bashrc:

alias xsplunk="splunk login -auth 'cli:$(cat /root/.splunk-cli-credentials)' && splunk"

This lets me use the xsplunk command without logging in each time:

xsplunk add user test -password bar -role user
xsplunk search "sourcetype=foo"

ziegfried
Influencer

Yes, but only for the root user.

0 Karma

tzhmaba2
Path Finder

The "cat file" works perfectly for me. Just what I needed. However, the password is still stored somewhere and accessible one way or another.

Thanks!!

0 Karma
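
The credential-file approach from this thread combined with the REST API suggestion, as an added example that is not any poster's code: it refuses a credential file with loose ownership or permissions and hands the `cli` password to curl over stdin instead of the command line. The management URL, the use of `/services/authentication/users`, GNU `stat` and the second password file are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumptions: GNU stat, curl, and
# Splunk's management port at https://localhost:8089 with a certificate curl
# trusts (for example via CURL_CA_BUNDLE).
CRED_FILE="${CRED_FILE:-/root/.splunk-cli-credentials}"   # path from the thread
SPLUNK_MGMT="${SPLUNK_MGMT:-https://localhost:8089}"      # assumed default

# Succeed only for a regular, non-symlink file owned by the calling user
# and readable by nobody else (mode 600 or 400).
cred_file_ok() {
    local f="$1"
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    [ "$(stat -c %u -- "$f")" = "$(id -u)" ] || return 1
    case "$(stat -c %a -- "$f")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print a curl config line holding user:password. Feeding it to "curl -K -"
# passes the secret over stdin, so it never shows up in argv or ps output.
curl_auth_config() {
    local user="$1" f="$2" pass
    cred_file_ok "$f" || { echo "refusing $f: wrong owner or mode" >&2; return 1; }
    # Escape backslashes and double quotes for curl's quoted config syntax;
    # command substitution drops the trailing newline left by echo.
    pass=$(sed 's/\\/\\\\/g; s/"/\\"/g' "$f") || return 1
    printf 'user = "%s:%s"\n' "$user" "$pass"
}

# Create a user through the REST API as the thread's "cli" account. The new
# user's password comes from a second owner-only file, written without a
# trailing newline (printf '%s'), because curl sends the file content verbatim.
splunk_add_user() {
    local name="$1" role="$2" newpass_file="$3"
    cred_file_ok "$newpass_file" || return 1
    curl_auth_config cli "$CRED_FILE" |
        curl --silent --show-error --fail -K - \
             --data-urlencode "name=$name" \
             --data-urlencode "roles=$role" \
             --data-urlencode "password@$newpass_file" \
             "$SPLUNK_MGMT/services/authentication/users"
}
```

Call it as `splunk_add_user test user /root/.new-user-password`; the account name and role match the `xsplunk add user` line above, and the password file path is a placeholder.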