Splunk Enterprise

Changing permission of a private knowledge object makes all access inaccessible

burwell
SplunkTrust
SplunkTrust

Scenario on a SHC, Splunk 8.2.2.1

  • user1 and user2 are 2 users in role user
  • user1 who is in role user owns a private extraction (and saved searches). she is leaving the company and wants user2 to now own the knowledge object
  • admin does a reassign knowledge objects of all knowledge objects from user1 -> user2 (and yes they probably got the warning that this might make knowledge objects inaccessible)
  • now no one including admin can access this knowledge object from the UI or curl .. /services/configs/conf-props/extractnamehere/acl
  • Fortunately: the props.conf file in /opt/splunk/etc/users/user1/search/local/props.conf is still there

    Is there any other way the admin could gain access to this knowledge object other than grabbing the configs off the file system of the Splunk head?
Labels (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust
You should see those via Settings -> All configurations. If I recall right this is the only place in GUI (or at least which I have found) where the one can see users' private KOs.
r. Ismo
0 Karma

SinghK
Builder

Did you check if the object is showing under orphaned objects?

0 Karma

burwell
SplunkTrust
SplunkTrust

The object doesn't show under "All configurations"

0 Karma

SinghK
Builder

you can try what Ismo  said about creating the same user(exact user id that existed) locally on splunk. I have done that before same issue as you described and then it let le me reassign object to other user.

0 Karma

burwell
SplunkTrust
SplunkTrust

Hi. Thanks for the responses.

So as an experiment with my two users.. I never removed the first user. I login locally and that user does not see their knowledge object (extract) BUT it is there on the local disk. So the meta data is gone I guess.

We had this happen on a SHC so I repo'd on a standalone head. I can totally reproduce this.

 

0 Karma

isoutamo
SplunkTrust
SplunkTrust
Can you try to create temporarily user1 as local on this SHC and see if those KOs are then available and can be copied/assigned again to user2?
0 Karma
Get Updates on the Splunk Community!

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...

New Splunk APM Enhancements Help Troubleshoot Your MySQL and NoSQL Databases Faster

Splunk Observability has two new enhancements to make it quicker and easier to troubleshoot slow or frequently ...