"Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible. Learn more"
The above is the warning message I am getting after I updated the Splunk ES to 4.7.2. Could someone advice what needs to be done here.
hello maraman even I have the same problem, the solution provided seems very appropriate. The trouble is I could see the roles admin, ess_analyst tagged to most of the users. what are the things that still need to checked and how, please let me know.
Thanks maraman, i have did that but still i am getting these message "Splunk Enterprise Security: "Search peer has the following message: Review roles for unnecessary read or write access to authorize.conf and remove access if possible."
could please suggest me any other way to do this..
I had the same problem and from what I understand the explanation is as follow :
- ES used to have to change right to authorize.conf but the way it was done was not ideal.
- ES 4.7 migrate the old configuration to a new config which remove the original need.
- the migration script has no way to know that the changes to authorize.conf where done by ES -> don't touch them as they could be legitimate otherwise.
- ES permission checks detect the too open permission and warm about
So the current solution would be to manually go on each app in metadata/local.meta , look for authorize.conf stanza and remove non admin right on it as appropriate to your env.
Hope that helps.
The Splunk has introduced number of new roles with latest ES (4.7 and above ) version. The warning is thrown to make user aware of these changes so that he/she can reconfigure access control if required.
You can refer http://docs.splunk.com/Documentation/ES/4.7.0/Install/ConfigureUsersRoles for more information.