Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

ess_admin role issues

astatrial
Contributor
‎04-17-2019 06:26 AM

Hello,
I have a splunk cloud managed deployment which has ES installed on it.

First thing is that my user has only ess_admin role without any other Splunk platform admin role, which according to Splunk docs is necessary for ess_admin role.
(https://docs.splunk.com/Documentation/ES/5.2.2/Install/ConfigureUsersRoles).
Is it really a demand for this role ? I have all the needed ES permissions working just fine at the moment.

Second is that i ran the command | rest /services/authorization/roles and i can see that ess_admin role has access to _internal and _* in the "srchIndexDefault", but for some weird reason i don't really have permissions for those kind of indexes and i can't figure out why.

Thanks for any help!!

0 Karma
Reply

teunlaan
Contributor
‎04-18-2019 04:27 AM

We are running ES with the ess_admin user only, And it works!.

BUT you need to be sure there are no references to admin in de default.meta.

Some config is "owned by admin" and it will fail is tou don't remove is.
We run this to be sure admin is removed:

find . -type f -name default.meta -exec sed -i 's/owner = admin/#owner = admin/g' {} +

and

find . -name *.meta -type f -print | xargs sed -i '/^access/c\access = read : [ * ], write : [ ess_admin ]'
0 Karma
Reply

astatrial
Contributor
‎04-17-2019 07:56 AM

I think i figured out why it acts like this.

In the srchIndexesAllowed there is nothing, so although that in the srchIndexesDefault there are all the indexes, it doesn't use them.

On the other hand in the srchIndexesAllowed of the user role, there is * which represent according to authorize.conf all the non-internal indexes. So when there is * in ess_admin role Imported_srchIndexesAllowed, it refers to all the non internal indexes.

Still i don't understand if Splunk platform admin role is necessary for ess_admin role...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...