Splunk Dev

I've created a custom Splunk App that has passwords.conf file for external API credentials. How can I get a non-admin user to pull the credentials out of passwords.conf?

kywinter
Engager

I am building a custom Splunk application. The app leverages custom python scripts to query an external API and present data in a dashboard directly in the Splunk UI. Using the setup.xml, I am able to successfully store the external API credentials in a passwords.conf file.

When I invoke the scripts and API calls with the admin user, everything works perfectly without any issues. However, when I try to do the same with a non-admin user, I get the following error:

Error: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/my-app/admin/passwords

How can I successfully pull out the credentials from passwords.conf with a user that isn't an admin?

My getCredentials() method is as follows:

import splunk.entity as entity

myapp = 'my-app'  # app namespace (assumed from the error URL above)

def getCredentials(sessionKey, targetUsername, logger):
    try:
        # list all credentials stored for this app
        entities = entity.getEntities(['admin', 'passwords'], namespace=myapp, owner='nobody', sessionKey=sessionKey)
    except Exception as e:
        logger.error("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e)))
        raise Exception("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e)))
    # collect the credentials that match the requested username
    credentials = []
    for i, c in entities.items():
        if c['username'] == targetUsername:
            credentials.append((c['username'], c['clear_password']))
    # fail loudly when nothing matched (this check was unreachable after the return)
    if not credentials:
        logger.error("No credentials have been found")
        raise Exception("No credentials have been found")
    return credentials

My passwords.conf file looks like this (encrypted password string obfuscated):

[credential::api_user:]
password = $1234abcd=

starcher
Influencer

Anyone who needs to hit the endpoint for stored creds needs to have the role capability 'list_storage_passwords' in v6.5+. Prior to 6.5 it has to be 'admin_all_objects'.

gjanders
SplunkTrust

Interesting, however would not list_storage_passwords allow the REST API to be used to obtain the clear text password if the user had the knowledge and the ability (rest_properties_get) to use the REST API?

Wouldn't this then potentially allow the user to see the real password (assuming they had access to port 8089, had the required authorize.conf setting and found the passwords endpoint)...

gavsdavs_GR
Path Finder

Gareth, how do you reverse engineer the password from the crypt? Do you not also need the splunk.secret (and that means Splunk host access)?

0 Karma

gjanders
SplunkTrust

Try https://mysplunkserver:8089/servicesNS/nobody/storage/passwords in a browser, as per Storing Encrypted Credentials or Splunk Alert Scripts

Where using a default app such as search, you may see the passwords from every other application; if you have many, you may need to append ?count=-1 to the URL.

0 Karma