Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

ess_admin role issues

astatrial
Contributor
‎04-17-2019 06:26 AM

Hello,
I have a splunk cloud managed deployment which has ES installed on it.

First thing is that my user has only ess_admin role without any other Splunk platform admin role, which according to Splunk docs is necessary for ess_admin role.
(https://docs.splunk.com/Documentation/ES/5.2.2/Install/ConfigureUsersRoles).
Is it really a demand for this role ? I have all the needed ES permissions working just fine at the moment.

Second is that i ran the command | rest /services/authorization/roles and i can see that ess_admin role has access to _internal and _* in the "srchIndexDefault", but for some weird reason i don't really have permissions for those kind of indexes and i can't figure out why.

Thanks for any help!!

0 Karma
Reply

teunlaan
Contributor
‎04-18-2019 04:27 AM

We are running ES with the ess_admin user only, And it works!.

BUT you need to be sure there are no references to admin in de default.meta.

Some config is "owned by admin" and it will fail is tou don't remove is.
We run this to be sure admin is removed:

find . -type f -name default.meta -exec sed -i 's/owner = admin/#owner = admin/g' {} +

and

find . -name *.meta -type f -print | xargs sed -i '/^access/c\access = read : [ * ], write : [ ess_admin ]'
0 Karma
Reply

astatrial
Contributor
‎04-17-2019 07:56 AM

I think i figured out why it acts like this.

In the srchIndexesAllowed there is nothing, so although that in the srchIndexesDefault there are all the indexes, it doesn't use them.

On the other hand in the srchIndexesAllowed of the user role, there is * which represent according to authorize.conf all the non-internal indexes. So when there is * in ess_admin role Imported_srchIndexesAllowed, it refers to all the non internal indexes.

Still i don't understand if Splunk platform admin role is necessary for ess_admin role...

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...