I am writing some scripts to manage the users on our Splunk environment. The scripts should be invoked in non-interactive mode from within another tool used for managing users in our company.
The problem is that "splunk add user" or "splunk edit user" on command line require logging in with an existing user with admin privileges. They ask about username/password.
I know I could write something in "expect" or modify the splunk passwd file all by myself with the script but that's somehow too much overhead in my opinion.
Is there a way to make it non-interactive or to save the credentials in some file or to allow "splunk..." commands without password from the command line of the same server?
This is how I managed to get a non-interactive way to work with splunk with the root user:
I've added a new user to Splunk called cli with a long random password.
Then I created a file /root/.splunk-cli-credentials with the password as content:
echo "mySecretPassword" > /root/.splunk-cli-credentials
chmod 600 /root/.splunk-cli-credentials
and added the following entry to my /root/.bashrc:
alias xsplunk="splunk login -auth 'cli:$(cat /root/.splunk-cli-credentials)' && splunk"
This lets me use the xsplunk command without logging in each time:
xsplunk add user test -password bar -role user
xsplunk search "sourcetype=foo"
The "cat file" works perfectly for me. Just what I needed. However the password is still stored somewhere and accessible one way or another.
I would have preferred not to use the alias approach, since I'd have to monkey with root bashrc stuff on a box that I don't directly have Linux ownership of. But I could not get embedding 'cli:$(cat /root/.splunk-cli-credentials)' in the cron.monthly script to work. Some special alias magic that my bash skills are not up to figuring out.
I would recommend using a scripted input and the Splunk REST API. Scripted inputs, configured via inputs.conf, can be passed a valid authentication token via STDIN if the passAuth= option is included. This auth token can be used to authenticate to the REST API and perform tasks such as adding or editing users.
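The scripted-input approach recommended in the answer above, as an added example that is not part of the original thread and is not Splunk's own code. It assumes the passAuth token arrives as a single line on stdin, that splunkd's management port is the default 8089, and that the passAuth user may create users; the app path, file name and function names are hypothetical.

```python
#!/usr/bin/env python3
# Assumed inputs.conf stanza (app name and script path are hypothetical):
#   [script://$SPLUNK_HOME/etc/apps/user_mgmt/bin/add_user.py]
#   passAuth = admin
#   interval = -1        # run once when splunkd starts
import secrets
import ssl
import sys
import urllib.parse
import urllib.request

BASE_URL = "https://localhost:8089"  # assumption: default management port


def read_session_key(stream):
    """Read the token splunkd writes to stdin when passAuth is set."""
    key = stream.readline().strip()
    if not key:
        raise ValueError("no session key on stdin; is passAuth set?")
    return key


def build_add_user_request(session_key, name, password, roles, base_url=BASE_URL):
    """Build (but do not send) the POST to /services/authentication/users."""
    fields = [("name", name), ("password", password)]
    fields += [("roles", role) for role in roles]  # one 'roles' field per role
    return urllib.request.Request(
        base_url + "/services/authentication/users",
        data=urllib.parse.urlencode(fields).encode(),
        headers={"Authorization": "Splunk " + session_key},
        method="POST",
    )


def add_user(request, ca_file=None):
    """Send the request with TLS verification on; ca_file is splunkd's CA."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=ctx, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    key = read_session_key(sys.stdin)
    # Constructed sample values: user "test" with role "user", as in the thread.
    req = build_add_user_request(key, "test", secrets.token_urlsafe(24), ["user"])
    print("HTTP", add_user(req))
```

No admin password is stored on disk or placed on a command line here: the session key exists only for the lifetime of the script's stdin.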
Sounds like magic to me at the moment. 😄 I would probably have to spend a week to learn the API first and stuff about some auth tokens to do a trivial task. The "cat file" solution is fine for me ATM. Thanks anyway. Will probably have to struggle with API anyway later...
I've got another problem now. My script is getting the password as an MD5 hash on input. As far as I understand the "splunk add user -password" expects cleartext password. So I am creating the user with any password first and then I am editing the /opt/splunk/etc/passwd with a PERL script to put the MD5 hash in. But I have discovered that as soon as you edit the "passwd" file by other means than the splunk command you cannot log in (via "splunk login" or via web interface). It just says incorrect username. As if the "splunk" command did some hidden stuff which my PERL does not.
Does anyone have any idea what I am missing? What does the "splunk" command do that my scripts don't? Or should I slowly start looking at the API? 😉
Thanks in advance for any clues.