
Splunk ODBC & Tableau Desktop: Why logging in with a "user" role to connect to REST API produces error "Invalid Username or Password"?

benwu63
Explorer

I am using the latest Splunk ODBC driver (downloaded from https://apps.splunk.com/app/1606/) and the Tableau Desktop versions are 8.2.2 & 8.3. If I logged in as an admin user account (who has "user" & "power" roles), I could successfully connect to the Splunk instance and list all the "Saved Searches" available. If I logged in as a normal user account (who has only the "user" role), an error with "Invalid Username or Password" was produced. This normal user account has access to all non-internal Splunk indexes.

Below are the capabilities of these 2 accounts:

Admin account capabilities:

accelerate_datamodel
admin_all_objects
change_authentication
edit_deployment_client
edit_deployment_server
edit_dist_peer
edit_forwarders
edit_httpauths
edit_input_defaults
edit_monitor
edit_roles
edit_scripted
edit_search_server
edit_server
edit_splunktcp
edit_splunktcp_ssl
edit_tcp
edit_udp
edit_user
edit_view_html
edit_web_settings
get_diag
indexes_edit
license_edit
license_tab
list_deployment_client
list_deployment_server
list_forwarders
list_httpauths
rest_apps_management
restart_splunkd
run_debug_commands
schedule_rtsearch
accelerate_search
change_own_password
dbx_capable
embed_report
get_metadata
get_typeahead
input_file
list_inputs
output_file
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
rtsearch
schedule_search
search

Normal user account capabilities:

accelerate_search
change_own_password
dbx_capable
get_metadata
get_typeahead
input_file
list_inputs
output_file
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
search

The ONLY difference related to the REST API between the above 2 lists is "rest_apps_management", but I don't see why missing this capability would prevent the normal user account from successfully connecting to the REST API interface and listing all Saved Searches via the Splunk Connector.

Does anyone have any insights about this? Thanks a lot!

0 Karma

tmillay
Engager

I ran into this same problem with one of my infosec users wanting access to the RestAPI. I created a new role "restapi" and added his account. The only capability I added to the new role was rest_apps_management and this allowed him to log in to the API successfully.

0 Karma
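The dedicated-role approach from the reply above, as an added example that is not part of the original thread: a script that parses `authorize.conf`-style stanzas, resolves `importRoles` inheritance, and reports exactly which capabilities an account gains when a role is added. The sample stanzas are constructed for illustration (they are not Splunk's shipped defaults), and the function names `load_roles`, `effective` and `delta` are hypothetical.

```python
import configparser

# Constructed sample in authorize.conf syntax; capability assignments are
# illustrative only, not Splunk's shipped role definitions.
SAMPLE = """
[role_user]
search = enabled
rest_apps_view = enabled

[role_restapi]
rest_apps_management = enabled

[role_power]
importRoles = user
rtsearch = enabled
schedule_search = enabled
"""

def load_roles(text):
    """Return {role: (imported_roles, own_capabilities)} from authorize.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. importRoles
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        body = cp[section]
        # importRoles is a semicolon-separated list of parent roles
        imports = [r.strip() for r in body.get("importRoles", "").split(";") if r.strip()]
        # a capability is any key whose value is "enabled"
        caps = {k for k, v in body.items() if v.strip().lower() == "enabled"}
        roles[section[len("role_"):]] = (imports, caps)
    return roles

def effective(roles, names, seen=None):
    """Union of capabilities for the given roles, following importRoles."""
    seen = set() if seen is None else seen
    caps = set()
    for name in names:
        if name in seen or name not in roles:
            continue  # skip unknown roles and guard against import cycles
        seen.add(name)
        imports, own = roles[name]
        caps |= own | effective(roles, imports, seen)
    return caps

def delta(roles, before, after):
    """Capabilities granted by moving an account from `before` to `after` roles."""
    return sorted(effective(roles, after) - effective(roles, before))

if __name__ == "__main__":
    print(delta(load_roles(SAMPLE), ["user"], ["user", "restapi"]))
```

Running the same comparison against a real `authorize.conf` shows whether a service-account role adds only the one capability intended or pulls in more through inheritance.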

dcroteau
Splunk Employee

Same issue here. It all works if I am signed in as Splunk Admin, but I don't want to give Tableau the keys to the kingdom and all the capabilities associated with connecting to Splunk as "Admin". What are the least capabilities I need to associate with a role to make this work?

0 Karma

benwu63
Explorer

The normal user account tried to log in via browser on the following saved search endpoint and could successfully list all saved searches available on the search head:

https://splunk_search_head_url:8089/services/saved/searches

0 Karma