Security

Admin Down! Restarting Splunk does not reload Authorize.conf after edit

jdbtee
Path Finder

Hi,

I seem to have foobar'd my Admin account, resulting in the majority of the admin privileges not working through the UI:

AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/admin/launcher/data/modular-inputs?count=-1

I have edited the \local\authorize to match that of the \default config and restarted Splunk via CLI, but this has not restored my previous admin privileges.

C:\Program Files\Splunk\etc\system\local\authorize.conf as follows to reset:

(a cut and copy from \default\authorize.conf)

[role_admin]
accelerate_datamodel = enabled
admin_all_objects = enabled
change_authentication = enabled
edit_deployment_client = enabled
list_deployment_client = enabled
edit_deployment_server = enabled
list_deployment_server = enabled
edit_dist_peer = enabled
edit_forwarders = enabled
edit_httpauths = enabled
edit_input_defaults = enabled
edit_monitor = enabled
edit_roles = enabled
edit_scripted = enabled
edit_search_server = enabled
edit_server = enabled
edit_splunktcp = enabled
edit_splunktcp_ssl = enabled
edit_tcp = enabled
edit_udp = enabled
edit_user = enabled
edit_view_html = enabled
edit_web_settings = enabled
get_diag = enabled
indexes_edit = enabled
license_edit = enabled
license_tab = enabled
list_forwarders = enabled
list_httpauths = enabled
rest_apps_management = enabled
restart_splunkd = enabled
run_debug_commands = enabled


# This enables the windows specific capabilities for admin
edit_win_eventlogs = enabled
edit_win_wmiconf = enabled
edit_win_regmon = enabled
edit_win_admon = enabled
edit_win_perfmon = enabled
list_win_localavailablelogs = enabled
list_pdfserver = enabled
write_pdfserver = enabled

importRoles = power;user
srchIndexesAllowed = *;_*
srchIndexesDefault = main;os
srchFilter = *
srchTimeWin = 0
srchDiskQuota = 10000
srchJobsQuota = 50
rtSrchJobsQuota = 100
cumulativeSrchJobsQuota = 200
cumulativeRTSrchJobsQuota = 400
0 Karma

jdbtee
Path Finder

I deleted the /local/authorize.conf (after making a copy) and replaced the /default/authorize.conf with a fresh version. Seems I may have saved the wrong one, or the local was for some reason corrupt.

Restart and relax...

jdbtee
Path Finder

It seems if you edit the 'user' role, then inheritance also affects the 'admin' role.

I removed all the permissions from the user role, which then locked my admin role.

0 Karma
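The inheritance effect described in the last post, as an added example (not code from the thread or from Splunk): a simplified Python model of how a `local` layer overrides `default` per key and how `importRoles` feeds capabilities into `admin`. The sample stanzas are constructed, and counting a capability as granted only when its merged value is `enabled` is an assumption of this model.

```python
# Constructed sample of a default layer (not a full Splunk default file).
DEFAULT_CONF = """\
[role_user]
search = enabled
list_inputs = enabled
[role_power]
importRoles = user
schedule_search = enabled
[role_admin]
importRoles = power;user
edit_roles = enabled
"""
# Constructed local layer: capabilities stripped from the 'user' role.
LOCAL_CONF = "[role_user]\nsearch = disabled\nlist_inputs = disabled\n"

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; '#' lines are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and not line.startswith("#") and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def merge_layers(default, local):
    """A key set in local replaces the same key in the default stanza."""
    merged = {name: dict(keys) for name, keys in default.items()}
    for name, keys in local.items():
        merged.setdefault(name, {}).update(keys)
    return merged

def effective_capabilities(conf, role, seen=None):
    """Own 'enabled' capabilities plus those inherited through importRoles."""
    seen = set() if seen is None else seen
    if role in seen:  # already resolved, or an import cycle
        return set()
    seen.add(role)
    stanza = conf.get("role_" + role, {})
    caps = {k for k, v in stanza.items() if v.lower() == "enabled"}
    for parent in filter(None, stanza.get("importRoles", "").split(";")):
        caps |= effective_capabilities(conf, parent.strip(), seen)
    return caps

def lost_capabilities(default_text, local_text, role):
    """Capabilities the role has with default alone but loses once local applies."""
    default = parse_conf(default_text)
    merged = merge_layers(default, parse_conf(local_text))
    return sorted(effective_capabilities(default, role) - effective_capabilities(merged, role))
```

Calling `lost_capabilities(DEFAULT_CONF, LOCAL_CONF, "admin")` lists what `admin` silently loses when only the `user` stanza is edited.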