Access Control for Splunk DB Connect

dabbank
Path Finder

Do I get it right that after the successful setup of the Splunk DB Connect every Splunk user can access the configured databases?
This is not acceptable for almost every environment. I wonder how to implement access control at least per external database on a role basis. It would be nice if Splunk would implement this feature. You should be able to choose the roles which are allowed to use an external database, don't you think?

dabbank
Path Finder

If a user should be able to configure database connections himself, he needs the admin_all_objects capability in his role 😞

0 Karma

dabbank
Path Finder

The settings in apps/search/metadata/local.meta are respected halfway. You can add an access line within the stanza for an external database connection:

[database/MyDB]
access = read : [ admin, db_admin ]

At least Splunk respects the read permissions while you edit the settings. E.g. if a user has no read access, he does not see the configured connection underneath External Databases.
A lack of read permissions does not stop the user from using the external database within dbquery, though.

0 Karma

dabbank
Path Finder

I played with the app and found some interesting results:

The permissions defined in etc/apps/dbx/metadata/default.meta overrule the settings in etc/apps/dbx/metadata/local.meta. Therefore you cannot use the WebGUI to adjust the access rights. E.g. only the role admin can use the dbquery command by default.
I changed all role settings within the default file to "*" and now it works as expected.

0 Karma
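
An added example, not part of the original thread or of Splunk's code: a small Python audit that parses a metadata file in the format quoted in the posts above and reports `database/` stanzas whose read list is missing, contains `*`, or names roles outside an approved set. The sample contents, the stanza names other than `[database/MyDB]`, and the approved-role set are constructed for illustration; it checks only what the file declares, not what `dbquery` enforces.

```python
import re

# Constructed sample in the style of the stanza quoted in the thread;
# [database/HR], [database/Sales] and their roles are hypothetical.
SAMPLE_META = """\
[database/MyDB]
access = read : [ admin, db_admin ]

[database/HR]
access = read : [ * ], write : [ admin ]

[database/Sales]
access = read : [ admin, user ]
"""

STANZA = re.compile(r"^\[(.*)\]\s*$")
GRANT = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")

def parse_meta(text):
    """Return {stanza: {"read": set(roles), "write": set(roles)}}."""
    acl, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        key, _, value = line.partition("=")
        if m:
            current = m.group(1)
            acl.setdefault(current, {})
        elif current is not None and key.strip() == "access":
            for perm, roles in GRANT.findall(value):
                acl[current][perm] = {r.strip() for r in roles.split(",") if r.strip()}
    return acl

def overly_broad(acl, allowed_roles, prefix="database/"):
    """Stanzas under `prefix` whose read list is missing, '*', or has unapproved roles."""
    findings = {}
    for stanza, perms in acl.items():
        if not stanza.startswith(prefix):
            continue
        readers = perms.get("read")
        if readers is None:
            findings[stanza] = "no explicit read list"
        elif "*" in readers:
            findings[stanza] = "readable by every role"
        elif readers - allowed_roles:
            findings[stanza] = "unapproved roles: " + ", ".join(sorted(readers - allowed_roles))
    return findings
```

Running `overly_broad(parse_meta(text), {"admin", "db_admin"})` over the contents of a metadata file gives a quick list of connections to review after a change such as setting every role list to `*`.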

jpass
Contributor

Can't you just set the permissions for the DB Connect application itself to only allow certain roles to access it? That's what I do and only the admin role can access the Splunk DB Connect interface, views, commands.

I haven't set up lookups yet but I have set up multiple monitoring inputs that push data to different indexes. Indexes have their own permissions settings.

These seem like obvious settings so I'm concerned that I'm missing something on my end and users can access the databases. Can you tell me specifically how all users access the configured db?

Thanks, J

0 Karma

Dan
Splunk Employee

This is high on the docket but I can't provide a timeframe yet.

0 Karma

batcave
Explorer

Any updates on this, Dan?

0 Karma

Dan
Splunk Employee

We will look into this and consider per-database entitlements a feature for an upcoming release. Thanks for raising the issue.

Drainy
Champion

That's the generic Splunk copyright, have a scroll to the bottom of the page. I believe that's probably the year it came into existence.

0 Karma

dabbank
Path Finder

All files of the app state
Copyright (C) 2005-2012 Splunk Inc. All Rights Reserved.

0 Karma

Ayn
Legend

Uh, the DB connect is not from 2005, it was just released.

0 Karma

dabbank
Path Finder

Not only do we run numerous databases, but I also want to implement separate entries using different users for the same database. Hereby I could use the database restrictions to adjust the capabilities for my Splunk users. I consider a separate instance for every access profile not even as a workaround -- who knows about side effects and the waste of resources caused by this approach.
The DB Connect application is from 2005 and does not support proper rights management. Do we really talk about an enterprise solution?

0 Karma

Drainy
Champion

How many databases do you access? Another solution could be to have multiple versions of the db connect app installed but renamed for their different purposes. Of course this is a bit of a hack, plus it would break any automatic updates.

0 Karma

dabbank
Path Finder

To limit the access for the whole application to certain roles is of course no solution. The entitlement for a specific database is user dependent. I cannot name a role with access to all databases. Application-wide permissions render the DB Connect useless.
I would like to grant the users e.g. R/O access to "their" databases so they can use "dbquery" and "lookup" within searches.
