Security

How to disable REST API access for a user

Murali2888
Communicator

I want to disable REST API access for a user. In other words, he/she should be able to log in to Splunk Web and run searches, whereas they should not have provision to run searches via API calls.

I tried disabling the below capabilities for the user in authorize.conf, but it does not block the user from accessing the REST API:

rest_properties_get
rest_properties_set

Is there any way we can configure these capabilities for the user?

DalJeanis
SplunkTrust

If the underlying issue is a user running hundreds of automated searches via API, then you might want to consider reassigning them to a new role that has a very low max concurrent search setting, until they demonstrate good citizenship.

Also, if they are obviously wasting resources, then check the searches that they ARE running, to make sure they aren't doing something silly like running a realtime search "for all time" and wondering why it never finishes, so they submit it again.

0 Karma
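
An authorize.conf sketch of the throttled role suggested in the reply above, added here as an illustration and not taken from the thread or from Splunk's shipped configuration. The role name `role_ui_throttled` and all numeric values are assumptions to adjust for your environment.

```ini
# authorize.conf on the search head (added example; role name and values are assumed)
[role_ui_throttled]
# Keep interactive searching available to members of this role.
search = enabled

# Maximum number of concurrent historical searches per user in this role.
# A low value means a script that submits hundreds of searches gets queued
# instead of running them all at once.
srchJobsQuota = 2

# Maximum number of concurrent real-time searches per user in this role.
rtSrchJobsQuota = 1

# Maximum time span a single search may cover, in seconds (86400 = 24 hours).
srchTimeWin = 86400

# Assumption: this is the user's only role, so no other assigned role
# supplies a higher quota or a wider time window.
```

These quotas cap how many searches run at once and how much time they cover; they do not distinguish searches started in Splunk Web from searches submitted through API calls.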

serpin
Explorer

Hi DalJeanis. I also need to disable the REST API for some roles, leaving it open to some others.

My goal is to limit the first group to a specific set of dashboards (I've removed permission to the search dashboard) and prevent them from using the REST API to do ad-hoc searches. At the same time there are some other roles that should maintain the REST access.

Do you have some advice?

0 Karma

s2_splunk
Splunk Employee

I don't think this is possible because the splunkweb UI uses the REST API itself. You could disable access to port 8089 on your search head for any host other than localhost (i.e. the search head itself), but that's an all-or-nothing approach.
From a security perspective, if a user has permission to search via the UI, he/she has permission to search from wherever.
If you want to elaborate on your use case, maybe there is another way to achieve what you need.

Murali2888
Communicator

Hi ssievert,

We have two sets of user profiles as per our client's standard. One profile is for users to access the UI and run searches, create reports and dashboards, etc. The other profile is for application user accounts to access the Splunk REST API from a specific application to search for data.

However, we have a few UI users accessing the REST API programmatically and running hundreds of searches, which we want to restrict. Also, we want to allow only the application user accounts to access the REST API.

Hope I have provided enough details on what we are trying to do.

0 Karma

khyoung7410
Communicator

Hi,
I want to disable the REST API.
How to?

0 Karma

pradeepkumarg
Influencer

Any latest suggestions/workarounds to achieve this? We have a similar use case where we don't want all the users connecting via REST.

0 Karma

sk314
Builder

Have you checked which roles are being applied to the user? If any one of the roles has those capabilities, they would automatically be inherited.

0 Karma

Murali2888
Communicator

Yes. I have checked the capabilities. Disabling the search capability restricts the user from accessing the REST API, but that also blocks the UI search capability.

I am interested in blocking the REST API access alone.

0 Karma