Python SDK - getting username and password (without hard coding)

BernardEAI
Communicator

Hi

I'm trying to get the username and password of the user calling a python script from the search bar in the Splunk UI. I need this to log into smtp to send an email (smtp.login(username, password)).

I need to make use of SCPv2, so the

 results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults() 

route is not an option. I can get the authenticated session connection via the self object (self.service). I thought I should be able to get the username and password using "storage_passwords", however when I use that and output the username and password to the logger, I see the following:

Username:Windows_Usage``splunk_cred_sep``2 Password:``splunk_cred_sep``S``splunk_cred_sep``P``splunk_cred_sep``L``splunk_cred_sep``U``splunk_cred_sep``N``splunk_cred_sep``K``splunk_cred_sep``

It looks like the username and password are encrypted in some way? If I try to use those credentials, I get a "[HTTP 401] Client is not authenticated" error. Looking at the capabilities of the user, I see that "list_storage_passwords" is included.

Any ideas on how I can get the username and password? If I hardcode the username and password everything works, but I do not like to have passwords in script files.

0 Karma

BernardEAI
Communicator

@Patrick_Peeters  I have determined that those passwords are encrypted, and for some reason they are not decrypted correctly.

I have now added my own username and password to a passwords.conf file in my app/local folder. I can now see that username and password if I run:

storage_passwords = self.service.storage_passwords
for credential in storage_passwords:
    # clear_password holds the decrypted secret for this entry
    usercreds = {'username': credential.content.get('username'), 'password': credential.content.get('clear_password')}

Initially the passwords I added were not encrypted, which is not very secure. I managed to generate an encrypted password by using an API call:

curl -k -u admin:<admin_password> https://<splunk_host>:8089/servicesNS/nobody/<app_name>/storage/passwords -d name=<username> -d password=<password>


BernardEAI
Communicator

Hi @Patrick_Peeters 

Thanks for the feedback. Correct, I used something very close to your code:

storage_passwords = self.service.storage_passwords
for storage_password in storage_passwords:
    if storage_password.username == username and storage_password.realm == 'your_app':
        clear_pw = storage_password.content.clear_password

Incidentally, how do you get the session key? I do not need the key since the search command already gives me an authenticated session connection via the self object. However I can't seem to get the value of sessionKey from the self object. If I could get the session key there would be another route to get the password.

0 Karma

Patrick_Peeters
Splunk Employee

I got it by importing the Script class and using the following line:

from splunklib.modularinput import Script, Scheme, Argument, Event
session_key = self._input_definition.metadata["session_key"]
0 Karma

Patrick_Peeters
Splunk Employee

I assume you tried something like this to get the output?

import splunklib.client as client

args = {'token': 'your_session_key'}
service = client.connect(**args)

for storage_password in service.storage_passwords:
    if storage_password.username == username and storage_password.realm == 'your_app':
        clear_pw = storage_password.content.clear_password

 That works in my case. I've seen something like your output when analysing passwords/secrets that I used when coding using the Splunk Add-on Builder but it's been a long time so not sure if it's related.

0 Karma
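
Added example, not part of any post in this thread: one reading of the logged output in the question is that the entry belongs to a secret stored in numbered chunks (name, separator, index) and closed by an entry whose value is the marker string that was logged. That layout is an assumption drawn from the output and from the Add-on Builder remark above. `reassemble_secret` and `SAMPLE` are hypothetical names, and the tuples stand in for the `realm`, `username` and `content.clear_password` values read from `self.service.storage_passwords`.

```python
import re

# Separator and end marker exactly as they appear in the logged output in the
# question. Treating them as a chunking scheme is an assumption of this example.
SEP = "``splunk_cred_sep``"
END_MARK = SEP + SEP.join("SPLUNK") + SEP


def reassemble_secret(entries, name, realm=None):
    """Rebuild one secret from storage/passwords entries.

    entries: iterable of (realm, username, clear_password) tuples, e.g. built
    from self.service.storage_passwords using storage_password.realm,
    storage_password.username and storage_password.content.clear_password.
    """
    chunk_name = re.compile(re.escape(name + SEP) + r"(\d+)\Z")
    chunks = {}
    for entry_realm, username, clear_password in entries:
        if realm is not None and entry_realm != realm:
            continue
        if username == name:
            return clear_password  # stored as a single, unchunked entry
        match = chunk_name.match(username)
        if match:
            chunks[int(match.group(1))] = clear_password
    if not chunks:
        raise KeyError("no credential named %r" % name)
    parts = []
    for index in range(1, max(chunks) + 1):
        if index not in chunks:
            raise ValueError("chunk %d is missing" % index)
        if chunks[index] == END_MARK:
            return "".join(parts)
        parts.append(chunks[index])
    raise ValueError("end marker not found; secret is incomplete")


# Constructed sample data (not real credentials): one chunked secret, out of order.
SAMPLE = [
    ("", "Windows_Usage" + SEP + "2", END_MARK),
    ("", "Windows_Usage" + SEP + "1", "example-smtp-password"),
    ("other_app", "svc_mail", "another-example"),
]

if __name__ == "__main__":
    secret = reassemble_secret(SAMPLE, "Windows_Usage")
    # Report only the length; the clear-text value should never reach a log.
    print("recovered secret of length", len(secret))
```
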