Hi,
I am writing some scripts to manage the users on our Splunk environment. The scripts should be invoked in non-interactive mode from within another tool used for managing users in our company.
The problem is that "splunk add user" or "splunk edit user" on command line require logging in with an existing user with admin privileges. They ask about username/password.
I know I could write something in "expect" or modify the splunk passwd file all by myself with the script but that's somehow too much overhead in my opinion.
Is there a way to make it non-interactive or to save the credentials in some file or to allow "splunk..." commands without password from the command line of the same server?
Regards, Bartosz
Thanks for the tips. I played around with passing variables to Splunk CLI using the examples you had in this post and was able to change passwords w/o exposing the password on the screen or storing the password in a file.
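#!/bin/bash
# Prompt for both passwords without echoing them to the terminal
read -rsp "Enter Current Password: " currPass
echo
read -rsp "Enter New Password: " newPass
echo
# Quote the variables so passwords containing spaces or glob characters survive intact
/opt/splunk/bin/splunk edit user john -password "$newPass" -auth "john:$currPass"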
I had this problem whilst using puppet to provision my servers. I found that Example42's puppet module for Splunk solved it for me.
Has anyone any idea what I am missing? What does the "splunk" command do that my scripts don't? Or should I slowly start looking at the API? 😉
Thanks in advance for any clues.
Bartosz
Hi again,
I've got another problem now. My script is getting the password as an MD5 hash on input. As far as I understand the "splunk add user -password" expects cleartext password. So I am creating the user with any password first and then I am editing the /opt/splunk/etc/passwd with a PERL script to put the MD5 hash in. But I have discovered that as soon as you edit the "passwd" file by other means than the splunk command you cannot log in (via "splunk login" or via web interface). It just says incorrect username. As if the "splunk" command did some hidden stuff which my PERL does not.
I would recommend using a scripted input and the Splunk REST API. Scripted inputs, configured via inputs.conf, can be passed a valid authentication token via STDIN if the passAuth= option is included. This auth token can be used to authenticate to the REST API and perform tasks such as adding or editing users.
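The scripted-input approach described in the answer above, as an added example that is not part of the original thread and not Splunk's own code. It assumes an inputs.conf stanza with passAuth set for a hypothetical script, splunkd listening on the default management port 8089 on the same host, and a session key arriving as one line on stdin; the user name, password and role are constructed sample values.

```python
#!/usr/bin/env python3
"""Scripted input: create a Splunk user over REST with the passAuth session key."""
import ssl
import sys
import urllib.parse
import urllib.request

# Assumption: splunkd management port on the local host (default 8089).
MGMT_URL = "https://127.0.0.1:8089"


def read_session_key(stream):
    """Return the session key splunkd writes to stdin when passAuth is set."""
    line = stream.readline().strip()
    # Assumption: tolerate an optional URL-encoded "sessionKey=" prefix form.
    if line.startswith("sessionKey="):
        line = urllib.parse.unquote(line[len("sessionKey="):])
    if not line:
        raise ValueError("no session key on stdin; is passAuth set in inputs.conf?")
    return line


def build_add_user_request(session_key, name, password, roles, base_url=MGMT_URL):
    """Build (but do not send) POST /services/authentication/users."""
    fields = [("name", name), ("password", password)]
    fields += [("roles", role) for role in roles]  # one form field per role
    body = urllib.parse.urlencode(fields).encode("utf-8")
    req = urllib.request.Request(
        base_url + "/services/authentication/users", data=body, method="POST")
    # The key travels in a header, not in argv, so it stays out of `ps` output.
    req.add_header("Authorization", "Splunk " + session_key)
    return req


def add_user(session_key, name, password, roles, cafile=None):
    """Send the request; cafile is the CA that signed splunkd's certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = build_add_user_request(session_key, name, password, roles)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status  # HTTP status of splunkd's reply


if __name__ == "__main__":
    # Constructed sample values; a real caller would take these from its own input.
    key = read_session_key(sys.stdin)
    print(add_user(key, "test", "bar", ["user"]))
```

No admin password is stored on disk with this approach; the session key exists only for the lifetime of the script run.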
Sounds like magic to me at the moment. 😄 I would probably have to spend a week to learn the API first and stuff about some auth tokens to do a trivial task. The "cat file" solution is fine for me ATM. Thanks anyway. Will probably have to struggle with API anyway later...
I would have preferred not to use the alias approach, since I'd have to monkey with root bashrc stuff on a box that I don't directly have Linux ownership of. But I could not get embedding 'cli:$(cat /root/.splunk-cli-credentials)' in the cron.monthly script to work. Some special alias magic that my bash skills are not up to figuring out.
I used shopt -s expand_aliases in the script and it's working now.
This is how I managed to get a non-interactive way to work with splunk with the root user:
I've added a new user to Splunk called cli with a long random password.
Then I created a file /root/.splunk-cli-credentials with the password as content
echo "mySecretPassword" > /root/.splunk-cli-credentials
chmod 600 /root/.splunk-cli-credentials
and added the following entry to my /root/.bashrc:
alias xsplunk="splunk login -auth 'cli:$(cat /root/.splunk-cli-credentials)' && splunk"
This lets me use the xsplunk command without logging in each time:
xsplunk add user test -password bar -role user
xsplunk search "sourcetype=foo"
Yes, but only for the root user.
The "cat file" works perfect for me. Just what I needed. However, the password is still stored somewhere and accessible one way or another.
Thanks!!