Splunk Dev

Python SDK: How to create a user that can only write to specific indexes?

asherman
Path Finder

Hi,

I am working with code that sends data to Splunk indexes via the Python SDK (splunklib.client). I want to create a custom user for the purpose of this code. That is, a user whose privileges are strictly those of writing data into a small number of indexes and who is otherwise restricted from writing elsewhere.

I currently have a user with just the capability 'edit_tcp' and the 4 indexes I want specified for search capability, but this does not seem to restrict the write capability when using the .send() python function.

Any help would be appreciated, thanks.

lguinn2
Legend

When you created your user, what role did you give it? Did this role Inherit from another role? If yes, then the user will be able to write into any indexes that were allowed for all the "parent" roles in the inheritance tree.


donaldson8
New Member

We have a similar use case, and are running into the same problem, on 6.4.0. I have a user with a role that grants the below capabilities, but has no allowed indexes for search (only for testing, in real life, it would be able to search a subset of the available indexes):

change_own_password
edit_tcp
output_file
schedule_rtsearch
search

This role inherits from no other roles, and the user has no other roles.

When authenticated as this user, I get no search results, and cannot use the collect command to write into any index, as is expected (or, when I have indexes allowed for the associated role, I can only use collect to write into the indexes that I am permitted to search).

However, using the Splunk Python SDK (via clientInstance.index[<index_name>].submit()) or the REST API (via /services/receivers/{simple,streaming}), while authenticated as this user, I am able to write into any index, regardless of which indexes I am permitted to search.

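The two points raised above (lguinn2's note that allowed indexes are inherited through the role tree, and donaldson8's observation that index-level write via the SDK or receivers endpoints is not gated by srchIndexesAllowed) can be checked with a small audit script. The following is an added example, not code from any poster in this thread or from the Splunk SDK: it computes the effective search-allowed set of a role by following imported_roles, optionally probes which indexes a given session can actually submit events to, and reports the indexes that are writable without being searchable. The role dictionary, index names and role names below are constructed sample data; the live adapter assumes splunklib is installed and a connected splunklib.client.Service.

```python
"""Audit: effective search-allowed indexes of a Splunk role versus the indexes
a session can write to.  Added example; SAMPLE_ROLES is constructed data."""
from __future__ import annotations

import fnmatch
from typing import Callable, Iterable

# Constructed sample in the shape of the authorization/roles REST resource:
# each role has imported_roles and srchIndexesAllowed (glob patterns).
SAMPLE_ROLES: dict[str, dict] = {
    "user": {"imported_roles": [], "srchIndexesAllowed": ["*"]},
    "ingest_only": {"imported_roles": [], "srchIndexesAllowed": ["app_a", "app_b"],
                    "capabilities": ["edit_tcp"]},
    # Inherits from "user", so it silently gains "*" (lguinn2's point).
    "ingest_via_user": {"imported_roles": ["user"], "srchIndexesAllowed": ["app_a"]},
}


def effective_allowed_indexes(roles: dict[str, dict], role: str,
                              _seen: set[str] | None = None) -> set[str]:
    """Union of srchIndexesAllowed for `role` and every role it imports,
    transitively.  Cycles and unknown roles are tolerated."""
    seen = _seen if _seen is not None else set()
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    rec = roles[role]
    allowed = set(rec.get("srchIndexesAllowed", []))
    for parent in rec.get("imported_roles", []):
        allowed |= effective_allowed_indexes(roles, parent, seen)
    return allowed


def write_without_search_access(roles: dict[str, dict], role: str,
                                writable: Iterable[str]) -> set[str]:
    """Indexes the session could write to although `role` may not search them.
    Patterns in srchIndexesAllowed are matched glob-style, as Splunk does."""
    allowed = effective_allowed_indexes(roles, role)
    return {ix for ix in writable
            if not any(fnmatch.fnmatchcase(ix, pat) for pat in allowed)}


def probe_writable(indexes: Iterable[str],
                   submit: Callable[[str, str], bool]) -> set[str]:
    """Submit one tagged test event to each index and return those where the
    submit succeeded.  `submit(index, event)` returns True on success and
    raises (e.g. an HTTP 403 from the SDK) or returns False when refused."""
    ok: set[str] = set()
    for ix in indexes:
        try:
            if submit(ix, f"index_write_audit index={ix}"):
                ok.add(ix)
        except Exception:  # authorization failures are the expected negative
            pass
    return ok


def splunk_submit_factory(service) -> Callable[[str, str], bool]:
    """Adapter for a connected splunklib.client.Service (assumption: the caller
    authenticated as the user under test).  Index.submit is the SDK call the
    thread discusses; sourcetype tags the audit events for later clean-up."""
    def submit(index: str, event: str) -> bool:
        service.indexes[index].submit(event, sourcetype="index_write_audit")
        return True
    return submit


def roles_from_service(service) -> dict[str, dict]:
    """Fetch roles from service.roles into the SAMPLE_ROLES shape.  The SDK
    returns single values as str and multiple as list, so normalise both."""
    def as_list(value):
        if value is None:
            return []
        return [value] if isinstance(value, str) else list(value)
    return {r.name: {"imported_roles": as_list(r.content.get("imported_roles")),
                     "srchIndexesAllowed": as_list(r.content.get("srchIndexesAllowed"))}
            for r in service.roles}


if __name__ == "__main__":
    # Offline demo with a fake submit that refuses only "main".
    def fake_submit(index: str, event: str) -> bool:
        if index == "main":
            raise PermissionError("403 Forbidden")
        return True

    candidates = ["app_a", "app_b", "main", "_internal"]
    for role in ("ingest_only", "ingest_via_user"):
        gap = write_without_search_access(SAMPLE_ROLES, role,
                                          probe_writable(candidates, fake_submit))
        print(f"{role}: writable but not searchable -> {sorted(gap)}")
```

Run against a real instance by replacing fake_submit with splunk_submit_factory(service) and SAMPLE_ROLES with roles_from_service(service_as_admin); a non-empty result for the restricted role reproduces the behaviour donaldson8 describes, and a role whose effective set is "*" explains the case lguinn2 raises.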

0verhaul
Engager

Hi,

I have a similar concern. I am building a Splunk app to capture user input and then POST it to an index. Users have the edit_tcp capability and they can post data to any index, irrespective of whether they have read access to it or not.
