Splunk Search

change how outputlookup assigns permissions and ownership to new files

splunkettes
Path Finder

Years back the outputlookup command would create a CSV lookup file in the user's app folder, making it private and owned by the user who ran the command. Now the lookup gets created with "No owner" and inherits the permissions of the app.

Allowing users to run the outputlookup command this way can lead to a massive number of public lookup files without owners. Additionally, anyone with write permissions to the app can then overwrite another user's lookup file.

What conf settings can be modified so that the outputlookup command is set to create the lookup file as a privately owned object (the owner being the user who ran the command)?

0 Karma

anilchaithu
Builder

@splunkettes 

You need to create an owner for this app in either default.meta or local.meta.

It is best practice to make the user who owns this app the owner, so the lookups created using the outputlookup command will be saved against the owner.

You can give read & write permissions to the roles that require corresponding access.

0 Karma

splunkettes
Path Finder

Thank you for your reply. I changed the app owner and now when a user runs the outputlookup command the lookup is assigned to the owner I specified for the app and not the user. I would like for the lookup ownership to be assigned to the user who created the lookup file via the outputlookup command.

For instance, in the search & reporting app, when a user creates a new report, that report is saved by default as private to the user. I would like the same thing to happen in the search & reporting app, when a user creates a lookup file via the outputlookup command.

0 Karma

anilchaithu
Builder

@splunkettes 

Try this:

Remove the owner and add/edit the stanza below in either default.meta OR local.meta. This can be used for all KOs OR specifically for lookups. Replace roles with the actual role of the user. If you want this for all the roles within the app, replace it with "*", which is a bad practice.

All KOs:

[]
access = read : [roles], write : [roles]

Only for lookups:

[lookups]
access = read : [roles], write : [roles]

0 Karma
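As an added example that is not part of this thread (and not Splunk's own code): a small Python audit that reads the text of an app's default.meta and local.meta, applies Splunk's local-over-default precedence stanza by stanza, resolves the object-stanza -> type-stanza -> global-stanza fallback, and then reports whether the [lookups] objects end up with an explicit owner and whether write access is open to every role ("*"). The two .meta samples are constructed for the example, and "__global__" is a placeholder name this code substitutes for the empty [] stanza, which Python's configparser cannot parse directly.

```python
"""Audit the effective access/owner settings for lookup objects in a
Splunk app's metadata (default.meta + local.meta).

Added example, not from the original thread and not Splunk's own code.
"""
import configparser
import re

# Constructed sample inputs standing in for <app>/metadata/default.meta
# and <app>/metadata/local.meta.
DEFAULT_META = """
[]
access = read : [ * ], write : [ admin ]
export = system

[lookups]
access = read : [ * ], write : [ * ]
"""

LOCAL_META = """
[lookups]
access = read : [ * ], write : [ admin, power ]
owner = admin
"""

GLOBAL = "__global__"  # placeholder name for the empty [] stanza (assumption)


def parse_meta(text):
    """Return {stanza: {key: value}} for one .meta file's text.

    The app-wide stanza is written as a literal [] in .meta files, which
    configparser rejects as an empty section name, so it is renamed to
    GLOBAL before parsing.
    """
    text = re.sub(r"^\[\][ \t]*$", f"[{GLOBAL}]", text, flags=re.MULTILINE)
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def merge_meta(default_text, local_text):
    """local.meta keys override default.meta keys within the same stanza;
    stanzas and keys present only in default.meta are inherited."""
    merged = parse_meta(default_text)
    for stanza, kv in parse_meta(local_text).items():
        merged.setdefault(stanza, {}).update(kv)
    return merged


def parse_access(value):
    """Turn 'read : [ * ], write : [ admin, power ]' into
    {'read': ['*'], 'write': ['admin', 'power']}."""
    out = {}
    for m in re.finditer(r"(read|write)\s*:\s*\[([^\]]*)\]", value):
        out[m.group(1)] = [r.strip() for r in m.group(2).split(",") if r.strip()]
    return out


def effective_stanza(merged, name):
    """Resolve a stanza through the fallback chain an object inherits from:
    [] (global) -> [lookups] (type) -> [lookups/<file>] (object)."""
    chain = [GLOBAL]
    if "/" in name:
        chain.append(name.split("/", 1)[0])
    chain.append(name)
    eff = {}
    for s in chain:
        eff.update(merged.get(s, {}))
    return eff


def audit_lookups(default_text, local_text, name="lookups"):
    """Report the settings that decide whether outputlookup-created files
    show up ownerless and who may overwrite them."""
    eff = effective_stanza(merge_meta(default_text, local_text), name)
    access = parse_access(eff.get("access", ""))
    write_roles = access.get("write", [])
    return {
        "owner": eff.get("owner"),            # None -> UI shows "No owner"
        "write_roles": write_roles,
        "world_writable": "*" in write_roles,  # any role can overwrite
        "exported_to_system": eff.get("export") == "system",
    }


if __name__ == "__main__":
    for key, val in audit_lookups(DEFAULT_META, LOCAL_META).items():
        print(f"{key}: {val}")
```

Run against a real app by reading the two files from the app's metadata directory and passing their contents in; an empty string for local.meta is valid when that file does not exist. The "world_writable" flag is the condition the reply above calls a bad practice, and "owner" being None is the "No owner" state the question describes.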

splunkettes
Path Finder

I modified the files as you suggested. Doing so changes the default permissions applied when the user runs the outputlookup command. So now if a user creates a lookup file with the command, it creates a lookup owned by nobody and only admins can modify it.

I think the lack of ownership is an issue with the command itself rather than the metadata settings, because when you go to the lookup files page and select to create a new lookup, that new file is created as a private object under the user's account. I may need to look into limiting who can run the outputlookup command so that we can reduce the number of ad hoc lookups created by nobody. We have a scripted process to reassign these lookups based on the last person who ran an outputlookup to create/update the file, but I was trying to stop the creation of lookup files without owners at its source.

If anyone knows how the outputlookup command is programmed in Splunk, I'd love to see it. It should function like the lookup-table-files.xml (Create new lookup form) in ...\Splunk\etc\apps\search\default\data\ui\manager\data_lookup_table_files.xml but it clearly doesn't. 😞

0 Karma