Splunk Search

unable to change password / edit users

jonuwz
Influencer

There seems to be a dependency on roles inheriting from 'user' and 'admin'.

Example.

I create a new role defined like this (an exact replica of 'user'):

[research]
change_own_password = enabled
get_metadata = enabled
get_typeahead = enabled
request_remote_tok = enabled
rest_apps_view = enabled
rest_properties_get = enabled
rest_properties_set = enabled
rtSrchJobsQuota = 1
search = enabled

If I create a user with only this role assigned, when he logs in, and clicks 'Manager', the page is completely blank.

Likewise, if I create a replica of the admin role (which inherits from 'power' and 'user'), all the admin tabs (like user roles, index management) are missing.

I've tested this against 4.3.2 4.3.3 and 4.3.4

Am I missing something, is this a bug, or expected behaviour?

It defeats the purpose of having capabilities like 'edit_user' and 'change_own_password'

John

Tags (1)
0 Karma
1 Solution

jonuwz
Influencer

In the end it was to do with app permissions.

If a user does not inherit read access to the 'Search' app, the management page is always blank.

Seems a bizarre scenario.

View solution in original post

jonuwz
Influencer

In the end it was to do with app permissions.

If a user does not inherit read access to the 'Search' app, the management page is always blank.

Seems a bizarre scenario.

gkanapathy
Splunk Employee
Splunk Employee

There is no UI way of doing this, as of Splunk 5.0 or lower. In fact there is a lot of Splunk functionality and configuration that can only be accessed via configuration files or REST API calls.

0 Karma

sloshburch
Splunk Employee
Splunk Employee

More info: I grew suspicious that there should be a cleaner, UI way of doing this. I am still unable to find it. Here's where I left off if anyone wants to build on my research to find the proper solution.

Search has a ui level 'manager' folder which is not found in other apps. This can be found at $SPLUNK_HOME/etc/apps/search/default/data/ui/manager.
The instructions on this page seem like the most useful but I cannot find manager nor its artificats under even the 'All configurations' page.
http://docs.splunk.com/Documentation/Splunk/5.0.1/AdvancedDev/SetPermissions

0 Karma

jonuwz
Influencer

great tip !

0 Karma

sloshburch
Splunk Employee
Splunk Employee

I think it's important to highlight that the changes must be made in the 'search' app's metadata local file. I state this because there's many similar questions out there but its not clear that splunk's manager settings are specified in the 'search' app.

For those who are crazy enough to create a new role from scratch (like me), you might want to cat default.meta >> local.meta and then do some find/replace to change the admin to your custom admin role.

Once I did that, I was all set.

melting
Splunk Employee
Splunk Employee

Yes the manager pages are included in the search app. Read access to the search app is sort of a prerequisite in most cases.

I am glad you figured it out!

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Note that in addition to the capabilities, the manager pages have access control lists, so any user/role must have both in order to be able to do something on the pages. (The ACL is not needed, e.g., if the user is making calls via the REST API or the CLI)

0 Karma

jonuwz
Influencer

I think its only the manager landing page that considers ACLs when deciding what links to display.

You can bypass the fact the 'Access controls' link is missing on the manager page by typing the url directly.

https://splunk:8000/en-GB/manager/search/authentication/users

0 Karma

yannK
Splunk Employee
Splunk Employee

yes, this is correct. The capabilities are not always enough to access some manager pages.
To solve this, make the role research inherit from the role user.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...