How to modify lookup ACL via custom REST in Python...

GindiKhangura · ‎05-14-2021

(Although this example will use Splunk's Lookup Editor app, it applies to custom REST commands in general.)

I am using the Lookup Editor provided by Splunk from SplunkBase (authored by @LukeMurphey) and am saving the lookups with the user in context, which saves it as a private user-scoped artifact.

I would like to make it globally shared while retaining the lookup's ownership information, so I attempt the following after the rest call that saves the lookup:

# Set ACL to make lookup globally shared
url = '/servicesNS/%s/%s/data/lookup-table-files/%s/acl' % (owner, namespace, lookup_file)
postargs = {
    'owner': owner, 
    'sharing': 'global'
}

rest.simpleRequest(url, postargs=postargs, sessionKey=key, raiseAllErrors=True)

When using the lookup editor as an admin, it will work fine as the admin has the capabilities to make such modifications; however, users are not able to do so and the call fails.

How can I programmatically make this REST call as an admin? I am hoping that as the script is on the server-side, I won't have to authenticate as an admin as I imagine that would require having to store credentials, which would be tricky as we have several clusters.

I have also tried making the REST call using the Splunk binary as mentioned in this Answer, but it had no effect.

How to modify lookup ACL via custom REST in Python?

python

rest API

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...