Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security: "Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible."

10306629
New Member
‎10-16-2017 10:17 AM

"Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible. Learn more"

The above is the warning message I am getting after I updated the Splunk ES to 4.7.2. Could someone advice what needs to be done here.

0 Karma
Reply

vicky05ssr04
Engager
‎11-27-2017 12:03 PM

hello maraman even I have the same problem, the solution provided seems very appropriate. The trouble is I could see the roles admin, ess_analyst tagged to most of the users. what are the things that still need to checked and how, please let me know.

0 Karma
Reply

10306629
New Member
‎11-27-2017 11:18 AM

Thanks maraman, i have did that but still i am getting these message "Splunk Enterprise Security: "Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible."
could please suggest me any other way to do this..

0 Karma
Reply

maraman_splunk
Splunk Employee
Splunk Employee
‎10-17-2017 01:33 PM

Hi,

I had the same problem and from what I understand the explanation is as follow :
- ES used to have to change right to authorize.conf but the way it was done was not ideal.
- ES 4.7 migrate the old configuration to a new config which remove the original need.
- the migration script has no way to know that the changes to authorize.conf where done by ES -> don't touch them as they could be legitimate otherwise.
- ES permission checks detect the too open permission and warm about

So the current solution would be to manually go on each app in metadata/local.meta , look for authorize.conf stanza and remove non admin right on it as appropriate to your env.

Hope that helps.

0 Karma
Reply

hardikJsheth
Motivator
‎10-16-2017 10:27 PM

The Splunk has introduced number of new roles with latest ES (4.7 and above ) version. The warning is thrown to make user aware of these changes so that he/she can reconfigure access control if required.

You can refer http://docs.splunk.com/Documentation/ES/4.7.0/Install/ConfigureUsersRoles for more information.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...