I am using Splunk with SSO (Shibboleth) for authentication. Unfortunately, I still need to create a Splunk user for every user coming in through SSO.
How can I bulk import users into Splunk, preferably from the command line?
There is a file named $SPLUNK_HOME/etc/passwd. I have added users to this file, but they don't appear in the web interface under http://splunk.example.org/en-US/manager/launcher/authentication/users . In addition, Splunk removes users from this file periodically.
There is also the command $SPLUNK_HOME/bin/splunk import userdata -dir /tmp/export.dat, but there is almost no documentation about this feature, and I cannot find anything which describes the format of export.dat. It looks as if this feature is really intended to export userdata from Splunk and import it to another Splunk instance, which is not what I am trying to do.
Well, in the end I just ended up doing a loop like:
    for USER in $USERLIST
    do
        "$SPLUNK_HOME/bin/splunk" add user "${USER}@example.org" -password jibberish
    done
Not quite a bulk import, but it gets the job done.
Hi,
We have a scenario like one deployment server and two search heads. Can we bulk load the users from deployment servers for the searchheads?
Have you tried adding users using a script with the CLI (import userdata)?
Oh look, yes you did. Not sure how I missed that, sorry!
Yes I have, which is why I mentioned import userdata in my question.
It is the authz that requires the user to be available in Splunk. You can work around it by either
creating an LDAP strategy pointing to your Shibboleth identity store, if it is LDAP,
or
duplicating the Shibboleth user identities in Splunk with proper role mapping.
I use a script like this to create local Splunk users:

    #!/bin/sh
    # Add, delete or test-authenticate the users listed one per line in $FILE.
    FILE=$HOME/scripts/uids.txt
    ACTION=$1

    user_add() {
        line1=$1
        curl -k -u admin:changeme -X POST -d "name=$line1&password=$line1&roles=admin" https://localhost:8089/services/authentication/users
        #curl -k -u admin:changeme -X POST -d "name=$line1&password=$line1&roles=splunk_role_edit_tcp" https://localhost:8089/services/authentication/users
        echo "Creating User $line1"
        return 0
    }

    user_del() {
        line1=$1
        curl -k -u admin:changeme -X DELETE "https://localhost:8089/services/authentication/users/$line1"
        echo "Deleting User $line1"
        return 0
    }

    user_auth() {
        line1=$1
        curl -k -X POST -d "username=$line1&password=$line1" https://localhost:8089/services/auth/login
        echo "Authenticating User $line1"
        return 0
    }

    # Any action other than "add" or "del" runs the full add/auth/del cycle.
    while read -r line
    do
        if [ "$ACTION" = "add" ]
        then
            user_add "$line"
        elif [ "$ACTION" = "del" ]
        then
            user_del "$line"
        else
            user_add "$line"
            user_auth "$line"
            user_del "$line"
        fi
    done < "$FILE"
My uids.txt is something like this (I use the same uid/pwd, but you get the point):
Lewis_User0
Cesar_User1
Mark_User2
James_User3
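
An added example, not part of any post in this thread: a bulk-create script against the same REST endpoint that gives each SSO shadow account its own random password and a non-admin role, verifies the server certificate, and keeps credentials off the command line. The variable names, the CA bundle path and the curl config file are assumptions made here, and it assumes the local password is never used because login happens through SSO.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed names: SPLUNK_URL, SPLUNK_ROLE,
# SPLUNK_CACERT, CURL_AUTH_FILE and DRY_RUN are placeholders chosen here.
SPLUNK_URL=${SPLUNK_URL:-https://localhost:8089}
SPLUNK_ROLE=${SPLUNK_ROLE:-user}          # least-privilege role, not admin
SPLUNK_CACERT=${SPLUNK_CACERT:-/path/to/ca.pem}
CURL_AUTH_FILE=${CURL_AUTH_FILE:-$HOME/.splunk-curl.conf}  # contains: user = "admin:<password>"
DRY_RUN=${DRY_RUN:-1}                     # 1 = print only, 0 = call the REST API

# Allow only letters, digits and . _ @ - so a name cannot smuggle extra
# form fields or path segments into the request.
valid_user() {
    case $1 in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# 128 bits from the kernel CSPRNG as 32 hex characters, fresh for every user.
random_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

create_user() {
    user=$1
    valid_user "$user" || { echo "skip: invalid username: $user" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        echo "would create $user with role $SPLUNK_ROLE"
        return 0
    fi
    # Admin credentials come from the -K config file and the new password from
    # stdin, so neither shows up in the process list or shell history.
    random_password | curl --silent --show-error --fail \
        --cacert "$SPLUNK_CACERT" -K "$CURL_AUTH_FILE" \
        --data-urlencode "name=$user" \
        --data-urlencode "password@-" \
        --data-urlencode "roles=$SPLUNK_ROLE" \
        "$SPLUNK_URL/services/authentication/users" >/dev/null
}

# Read one username per line from file $1 and report how many were created.
bulk_create() {
    created=0 skipped=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        if create_user "$line"; then created=$((created + 1))
        else skipped=$((skipped + 1)); fi
    done < "$1"
    echo "created=$created skipped=$skipped"
}
```

Run `bulk_create uids.txt` with the default `DRY_RUN=1` first to see which names would be created or skipped, then set `DRY_RUN=0` to send the requests.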