Do role-specific non-capability traits such as disk quota get inherited with imported roles? (also: how to view per-user quota?)

rtclark
Explorer

In authorize.conf, if I have a role B that imports role A, if role A has a defined disk quota, does role B also get that quota, or do I need to define the srchDiskQuota parameter explicitly for role B as well? In other words, does an import only include capabilities, where "capabilities" is defined as the settings that match "something = enabled", or are all traits/settings inherited?

For example, I want to set the default for all users at my company to have 10 concurrent searches and 500MB of disk space for stored search results, as well as be able to schedule searches, so I define this base group:

[role_My_Company_User]
schedule_search = enabled
srchJobsQuota = 10
srchDiskQuota = 500
importRoles = User

Then, I have groups based on department, matching our LDAP structure:

[role_DepartmentOne]
importRoles = My_Company_User;User

[role_DepartmentTwo]
importRoles = My_Company_User;User

So if user alice is in DepartmentOne, bob is in DepartmentTwo, and jsmith is in neither and is just a plain user who falls into the vanilla My_Company_User role... Is jsmith the only one with the higher privileges and quotas? Or do alice and bob also inherit those settings?

I'm guessing that these things are -not- inherited based on a user running into a quota issue today after I thought I'd fixed it.

Related docs:

http://www.splunk.com/base/Documentation/latest/Admin/Addusersandassignroles

http://www.splunk.com/base/Documentation/latest/Admin/Authorizeconf

The only things moderately related seem to be these bullets from the latter doc:

"Roles inherit all capabilities from imported roles, and inherited capabilities cannot be disabled"

"Importing other roles also imports the other aspects of that role, such as allowed indexes to search."

But that's a bit vague... Shouldn't srchDiskQuota be an "other aspect"? In my case it doesn't seem to have been imported.

Follow-up question, that would be nice for users and for troubleshooting this -- is there a way to view per-user or your own disk quotas through the UI before you exceed them?

1 Solution

rtclark
Explorer

I think this issue has been sorted out. The short answer is that yes, quotas are inherited, so a quota set for a role should apply to a role that inherits the first role. Officially, Splunk support states: "Role combining is always done in a 'most permissive' fashion. So if the user has multiple roles, we take the maximum of the quota across those roles."

In my examples above, "roleB" would inherit the disk quota assigned to "roleA" if roleB imports roleA, and users in DepartmentOne and DepartmentTwo would inherit the quotas assigned to the My_Company_User role.

The answer to the second part of the question is that no, there is no way to view one's own quotas or the per-user quotas through the UI, nor any good way to check this in 4.1. A new feature in 4.2 is supposedly the ability to check roles via REST endpoints, but I haven't had time to confirm this.

Lastly, for the curious, the issue that actually triggered the quotas not working properly in my environment was one of case sensitivity in declaring role names. In Splunk 3.4, role names were by default in camel case, and we propagated this to the authorize.conf in our 4.1 environment. But, in either 4.0 or 4.1, a new restriction was placed on role names, and they must now be only in lower case.

From: http://www.splunk.com/base/Documentation/latest/admin/Addusersandassignroles :

Note: Role names must use lowercase characters. For example: "admin", not "Admin". User names, however, are entirely case-insensitive: "Jacque", "jacque", "JacQue" are all the same to Splunk.

At some point, an edit of the role via the UI was made, and the UI split the role when writing to authorize.conf -- we wound up with one version of the role that had the camel-cased role name and the correct configs, and another that had an all lower case role name, and incomplete configs. The import statement preferred the lower case role over the camel case stanza, and the quotas were therefore not imported properly.

0 Karma
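
As an added example (not code from the original post or from Splunk), this Python sketch lints a constructed authorize.conf for the split-stanza condition described in the answer above and resolves a quota as the maximum over a role and its imports. Matching imports by exact name and treating an unset quota as 0 are simplifying assumptions of the example, and the sample stanzas are constructed.

```python
import re

# Constructed sample: a camel-case stanza with the real settings plus a lowercase twin.
SAMPLE_CONF = """\
[role_My_Company_User]
srchJobsQuota = 10
srchDiskQuota = 500
importRoles = user
[role_my_company_user]
importRoles = user
[role_user]
srchDiskQuota = 100
[role_departmentone]
importRoles = my_company_user;user
"""

def parse_roles(text):
    """Return [(role_name, settings)], keeping case-variant stanzas separate."""
    stanzas, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[role_(.+)\]", line)
        if m:
            current = {}
            stanzas.append((m.group(1), current))
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def lint_role_names(stanzas):
    """Return (non-lowercase role names, those that also have a lowercase twin)."""
    names = {name for name, _ in stanzas}
    not_lower = sorted(n for n in names if n != n.lower())
    collisions = sorted(n for n in not_lower if n.lower() in names)
    return not_lower, collisions

def effective_quota(stanzas, role, key, seen=None):
    """Max of `key` over `role` and its imports; 0 means no value was found (assumption)."""
    seen = set() if seen is None else seen
    if role in seen:  # guard against import cycles
        return 0
    seen.add(role)
    settings = next((s for n, s in stanzas if n == role), {})
    best = int(settings.get(key, 0))
    for imported in filter(None, settings.get("importRoles", "").split(";")):
        best = max(best, effective_quota(stanzas, imported.strip(), key, seen))
    return best
```

On the sample, the department role resolves to the lowercase stanza and picks up only the base role's 100 MB, while the 500 MB quota stays stranded in the camel-case stanza.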
