Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

ess_admin role issues

astatrial
Contributor
‎04-17-2019 06:26 AM

Hello,
I have a splunk cloud managed deployment which has ES installed on it.

First thing is that my user has only ess_admin role without any other Splunk platform admin role, which according to Splunk docs is necessary for ess_admin role.
(https://docs.splunk.com/Documentation/ES/5.2.2/Install/ConfigureUsersRoles).
Is it really a demand for this role ? I have all the needed ES permissions working just fine at the moment.

Second is that i ran the command | rest /services/authorization/roles and i can see that ess_admin role has access to _internal and _* in the "srchIndexDefault", but for some weird reason i don't really have permissions for those kind of indexes and i can't figure out why.

Thanks for any help!!

0 Karma
Reply

teunlaan
Contributor
‎04-18-2019 04:27 AM

We are running ES with the ess_admin user only, And it works!.

BUT you need to be sure there are no references to admin in de default.meta.

Some config is "owned by admin" and it will fail is tou don't remove is.
We run this to be sure admin is removed:

find . -type f -name default.meta -exec sed -i 's/owner = admin/#owner = admin/g' {} +

and

find . -name *.meta -type f -print | xargs sed -i '/^access/c\access = read : [ * ], write : [ ess_admin ]'
0 Karma
Reply

astatrial
Contributor
‎04-17-2019 07:56 AM

I think i figured out why it acts like this.

In the srchIndexesAllowed there is nothing, so although that in the srchIndexesDefault there are all the indexes, it doesn't use them.

On the other hand in the srchIndexesAllowed of the user role, there is * which represent according to authorize.conf all the non-internal indexes. So when there is * in ess_admin role Imported_srchIndexesAllowed, it refers to all the non internal indexes.

Still i don't understand if Splunk platform admin role is necessary for ess_admin role...

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...