How to change sharing and permissions for a lookup table using the REST API?

polymorphic
Communicator

I need to change sharing and permissions for a lookup table file using the REST API.

I have been searching high and low for documentation, but I have been unable to find anything.

Does anyone have an idea how this is done?

1 Solution

polymorphic
Communicator

Got it:

curl -k -u admin:password http://localhost:8089/servicesNS/js/search/data/lookup-table-files/lookup.csv/acl -d owner=js -d sharing=app -d "perms.read=*" -d "perms.write=*"

ranjithjosephd
Explorer

That's a good catch. It helped me now to automate the 'Roles' (edit permissions) for dashboards/fields/tags, etc.
Thank you!

spause
Explorer

Hi, I'm hoping you could share this knowledge, especially as it relates to tags. We have tons of tags that need to be added and have permissions set.

0 Karma

spause
Explorer

Posting this as I cannot see the comment supposedly posted here by kartik13.

Got the answer finally.

You can update the permission of tags through REST API having a POST request at the following url and parameters:

https://localhost:8089/servicesNS/ks/search/saved/fvtags/tag_name/field%3Dvalue/acl -d owner="ks" -d sharing="app" -d perms.read="*" -d perms.write="*"
0 Karma

spause
Explorer

Unfortunately, this doesn't work for me. I do not appear to have a "fvtags" section. I have to use a "tags" url like below, but it doesn't work to look at the acl as expected in my 2nd url below.

https://serverDNSname:8089/servicesNS/<username>/<app-name>/search/tags

https://serverDNSname:8089/servicesNS/<username>/<app-name>/search/tags/host%3Dvalue/acl

Can you confirm that the separator characters between host and value are "percent 3D"?

In the first url, it appears to be two colons.

Error received:
Unknown endpoint.

0 Karma

kartik13
Communicator

host and value are basically field value pairs of your tag. So it will be in this format: field=value. In the URL it is encoded as %3D (in my case). Also, I observed one thing: when I tried to use my username it didn't work. So I added nobody as the username and altered the owner in the parameters. Try that too.

0 Karma

spause
Explorer

Found the fvtags section. This URL format works.

https://serverDNSname:8089/servicesNS/<username>/<app-name>/admin//fvtags/host%3Dvalue/acl

But I cannot modify its acl. This one below fails. I am just using a web browser to submit these btw.

https://serverDNSname:8089/servicesNS/<username>/<app-name>/admin//fvtags/host%3Dvalue/acl -d owner=username1 -d sharing=app -d perms.read=group1,group2 -d perms.write=group1,group2

In handler 'fvtags': Could not find object id=host=value -d owner=username1 -d sharing=app -d perms.read=group1,group2 -d perms.write=group1,group2

This 2nd version fails differently:

https://serverDNSname:8089/servicesNS/<username>/<app-name>/admin//fvtags/host%3Dvalue/acl -d owner="username1" -d sharing="app" -d perms.read="group1" -d perms.write="group1"

In handler 'fvtags': Invalid custom action for this internal handler (handler: fvtags, custom action: acl%20-d%20owner=%22username1%22%20-d%20sharing=%22app%22%20-d%20perms.read=%22group1%22%20-d%20perms.write=%22group1%22, eai action: list).

This third version exists, but again fails to modify.

https://serverDNSname:8089/servicesNS/<username>/<app-name>/saved/fvtags/host=value/acl

https://serverDNSname:8089/servicesNS/<username>/<app-name>/saved/fvtags/host=value/acl -d owner=username1 -d sharing=app -d perms.read=* -d perms.write=*

In handler 'fvtags': Invalid custom action for this internal handler (handler: fvtags, custom action: acl%20-d%20owner=username1%20-d%20sharing=app%20-d%20perms.read=*%20-d%20perms.write=*, eai action: edit).
0 Karma

polymorphic
Communicator

Did some testing and found this working like a charm:

curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/search/saved/fvtags/host%3Dvalue/acl -d owner="nobody" -d sharing="global" -d perms.read="user" -d perms.write="admin,power,user"
0 Karma

spause
Explorer

Unfortunately, that isn't working for me. I'm on version 6.2.7. Could that be it?

Also, I have a search cluster, could that be breaking this feature?

In handler 'fvtags': Type = tags, Context = (user: username1, app: app_name, root: /dir1/opt/splunk/etc), Acting as = username1: Replication-related issue: Cannot move asset lacking a pre-existing asset ID: /username1/app_name/tags/host=hostname
0 Karma

kartik13
Communicator

Too Awesome....

0 Karma

kartik13
Communicator

Thanks @spause

0 Karma

kartik13
Communicator

Hi, can you please explain? I did the same thing, but in response I am getting Unknown Url endpoint.

0 Karma

polymorphic
Communicator

Maybe you just need to replace ../js/.. with your own username and ../lookup.csv with your own lookup file?
Note that user "nobody" = everyone.

0 Karma

kartik13
Communicator

I tried with my own username. I am basically trying to update the permission of tags, so for this I am using this URL:
https://localhost:8089/servicesNS/admin/search/search/tags/{tag_name}/acl

0 Karma

polymorphic
Communicator

Could you please explain exactly what you are trying to achieve?

This post is originally about changing permissions on a lookup file; however, from the REST endpoint in your last post I'm guessing that you are trying to change permissions on tags?

Please be aware that you need to access the endpoint through the current owner.
As far as I understand:
If sharing is global: https://localhost:8089/servicesNS/nobody/....
If sharing is app or private: https://localhost:8089/servicesNS/*username of owner*/....

Next comes the app directory:
eg.: https://localhost:8089/servicesNS/nobody/search/....

From here it's a blur, but this link has been very helpful for me: http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTaccess

0 Karma

kartik13
Communicator

I am trying to create new tags through the REST API. I had success in creating new tags, but then I noticed that it's in my name and the permission is set to private. So I have to change the permission of the tag to public so that it can be used.
And I can find my tag using this URL:
https://localhost:8089/servicesNS/ks/search/search/tags/testTag
So, if my
username -> ks
tag_name -> testTag
I am hitting the URL with a POST request with the following data:
https://localhost:8089/servicesNS/ks/search/search/tags/testTag/acl -d sharing="app" -d perms.read="" -d perms.write=""

But it's giving me Unknown EndPoint.

0 Karma

polymorphic
Communicator

Making a GET on this endpoint:
https://localhost:8089/servicesNS/{user}/search/search/tags/{tagname}
does not return an ACL.
This makes me think that this option doesn't exist for this endpoint, which is confirmed by:
http://localhost:8000/en-US/manager/{app}/saved/ntags?ns=-&search=&app_only=1

0 Karma

kartik13
Communicator

So in that case I cannot update the permissions of the tags through REST, right?

0 Karma

polymorphic
Communicator

As far as I understand, there are no permissions you can set on "Tags » List by tag name", which are the ones your endpoint is pointing at.

0 Karma

kartik13
Communicator

Thanks a lot @polymorphic, I really appreciate your time and efforts. 🙂

Got the answer finally:
You can update the permission of tags through REST API having a POST request at the following url and parameters:
https://localhost:8089/servicesNS/ks/search/saved/fvtags/tag_name/field%3Dvalue/acl -d owner="ks" -d sharing="app" -d perms.read="" -d perms.write=""
Please check the following link
https://answers.splunk.com/answers/388854/how-can-i-change-the-permissions-of-dynamically-cr.html

0 Karma
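
The tag-permission request that worked earlier in this thread, written as a small POSIX shell script (an added example, not code posted by any participant). It percent-encodes the object name and sends the ACL fields in the POST body rather than in the URL; `SPLUNK_CA`, `SPLUNK_NETRC` and the `CURL` override are assumed names, and it verifies the server certificate and reads credentials from a netrc file instead of using `-k` and `-u user:password`.

```shell
#!/bin/sh
# Added example, not code from the thread. Host, namespace, app and role values
# mirror the posts above; SPLUNK_CA, SPLUNK_NETRC and CURL are assumed names.

# Percent-encode one URL path segment (ASCII input assumed),
# so the tag object "host=value" becomes "host%3Dvalue".
urlencode_segment() (
  LC_ALL=C
  s=$1
  out=
  while [ -n "$s" ]; do
    rest=${s#?}
    c=${s%"$rest"}   # first character of what is left
    s=$rest
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
)

# Build <base>/servicesNS/<namespace user>/<app>/<endpoint>/<object>/acl.
# Args: base namespace_user app endpoint object
splunk_acl_url() {
  printf '%s/servicesNS/%s/%s/%s/%s/acl' "$1" "$(urlencode_segment "$2")" \
    "$(urlencode_segment "$3")" "$4" "$(urlencode_segment "$5")"
}

# POST an ACL change. The fields travel in the request body; pasted after the
# URL in a browser they become part of the path, as in the errors quoted above.
# Args: url owner sharing read_roles write_roles
splunk_set_acl() {
  case $3 in
    user|app|global) ;;
    *) echo "sharing must be user, app or global" >&2; return 2 ;;
  esac
  ${CURL:-curl} --silent --show-error --fail \
    --cacert "${SPLUNK_CA:?set SPLUNK_CA to the splunkd CA bundle}" \
    --netrc-file "${SPLUNK_NETRC:-$HOME/.netrc}" \
    --data-urlencode "owner=$2" --data-urlencode "sharing=$3" \
    --data-urlencode "perms.read=$4" --data-urlencode "perms.write=$5" \
    "$1"
}

# Dry run: with CURL=echo the command line is printed instead of sent.
url=$(splunk_acl_url https://localhost:8089 admin search saved/fvtags 'host=value')
(CURL=echo; SPLUNK_CA=/path/to/ca.pem; splunk_set_acl "$url" nobody global user 'admin,power,user')
```

Unset `CURL` and point `SPLUNK_CA` at the real CA bundle to send the request.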