Getting Data In

Can I force a powershell input to execute the .ps1 script as an administrator?

lycollicott
Motivator

Our Splunk service runs as a Microsoft Managed Service Account (MSA) and that MSA is an admin account and we have a Powershell input that just calculates & indexes the size of some splunkdb folders. When new subfolders are created they do not have inherited permissions from the parent (a MASSIVE annoyance that I still have an open question on) and the Powershell input is unable to read those new subfolders resulting in incorrect size calculations.

Is there a way to force the ps1 script to run "as administrator"?

(This seems silly, because the MSA is an admin account, but so is my own personal account and it cannot read those new subfolders. Windows. grrr)

PS - I could do a script input that is a wrapper around the ps1 which does a runas, but is that really the best way?

0 Karma
1 Solution

esix_splunk
Splunk Employee

I've run into this in the past. The best solution is outside of Splunk. Depending on the frequency of file system changes, schedule a PowerShell script that runs as an admin user, and use cacls.exe to set the permissions.

As a more direct answer, Splunk doesn't have a method to runas/privilege-elevate processes. That's why the above is the easiest solution.

jkat54
SplunkTrust

The runas is one way. Another is psexec from MS pstools. With psexec you could execute commands as the local system account which should have full access.

I've also had success using a batch file and the 'at' command to schedule other executables in the near future... it looks something like this:

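REM Schedule a Splunk restart 2 minutes in the future.
REM Assumes "time /t" prints a 12-hour time such as 09:05 AM.
set xSPLUNKEXE="%SPLUNK_HOME%\bin\splunk.exe"
set xSWITCH="restart"
REM Quoted assignments keep the trailing space before each & out of the values
for /f "tokens=1,2,3 delims=: " %%A IN ('Time /T') do set "h=%%A" & set "m=%%B" & set "t=%%C"
REM Prefixing 1 and subtracting 100 stops minutes 08 and 09 from being parsed as invalid octal
set /a m=1%m%-100+2
REM Not handled: at minutes 58 and 59 the sum passes 59 and the time is invalid
if %m% LSS 10 set m=0%m%
set h=%h: =%
set a=%h%:%m%%t%
at %a% %xSPLUNKEXE% %xSWITCH%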

lycollicott
Motivator

Do you know how or why Splunk creates these new subfolders with permissions that are not inherited from the parent folder? (I blame Windows, but the WinAdmins blame Splunk - LOL)

0 Karma

jkat54
SplunkTrust

In Windows there is a check box that says "Include inheritable permissions from this object's parent".

https://technet.microsoft.com/en-us/library/cc726071(v=ws.11).aspx

There are three recommended ways to make changes to inherited permissions:
Make the changes to the parent object where the permissions are explicitly defined, and then the child object will inherit these permissions. For more information, see Set, View, Change, or Remove Permissions on an Object.

0 Karma

lycollicott
Motivator

Yes, we have done that. Inheritance is on and permissions are set from the topmost level on "this folder, subfolders and files".

If I go into a bucket and manually create a subfolder, it inherits correctly. However, when Splunk creates a new bucket with a rawdata subfolder, both the bucket and rawdata have perms for only the MSA and local administrators group which are set to "this folder only". When you go into Advanced Security Settings it gives you the option to disable inheritance, but also indicates that nothing was inherited. (Windows.)

Now, what bothers me is that the MSA creates the folders, has permissions and owns them, BUT the MSA also runs the powershell input which is not reading the folders unless I change them to "this folder, subfolders and files".

This is causing me to slip slowly into madness at a rapid rate.

0 Karma

jkat54
SplunkTrust

gah gah gah... I'd throw you a rope but I gave up on NTFS permissions a long time ago.

There's just too many checkboxes and context menus.

Check this out though... maybe splunk "moves" the folder as part of the process:

https://support.microsoft.com/en-us/kb/320246

Also there's some advanced options discussed on this thread:

https://social.technet.microsoft.com/Forums/sharepoint/en-US/76e50b7d-40b2-4198-a2e2-23cf26f08761/pe...

"In 'Advanced Security' - if you double click one of the permissions that is not propagating down, you get the 'Permission Entry' properties form.

At the bottom of the form, there's a tick box labelled "Apply these permissions to objects and/or containers within this container only"

If this box is ticked, it stops the permission propagating more than one layer down the tree. This overrides the 'Apply To This folder, subfolders..' setting.

As a result, on sub-folders, the 'Apply To' box sets itself to 'This folder' and greys itself out, and the permission in question doesn't inherit any further."

0 Karma
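
The symptom discussed in this thread (bucket and rawdata folders whose entries are "this folder only", with nothing inherited) can be audited and repaired from PowerShell. This is an added example, not code from any poster or from Splunk: the function names and the path are hypothetical, it uses Get-Acl/Set-Acl rather than the permission tool suggested earlier in the thread, and it assumes an elevated session running as an account that owns the folders.

```powershell
# Added example. Function names are hypothetical; the path in the usage comment is a placeholder.
function Get-InheritanceGap {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue -ErrorVariable denied |
        ForEach-Object {
            $dir = $_.FullName
            try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop }
            catch { Write-Warning "Cannot read ACL: $dir"; return }

            $inherited = @($acl.Access | Where-Object { $_.IsInherited })
            # Explicit ACEs that stop here: "This folder only" (InheritanceFlags None) or the
            # "within this container only" checkbox (PropagationFlags NoPropagateInherit).
            $stopHere = @($acl.Access | Where-Object {
                -not $_.IsInherited -and (($_.InheritanceFlags -eq 'None') -or
                    ($_.PropagationFlags -band [Security.AccessControl.PropagationFlags]::NoPropagateInherit))
            })
            if ($acl.AreAccessRulesProtected -or $inherited.Count -eq 0 -or $stopHere.Count -gt 0) {
                [pscustomobject]@{
                    Path               = $dir
                    Owner              = $acl.Owner
                    InheritanceBlocked = $acl.AreAccessRulesProtected
                    InheritedAces      = $inherited.Count
                    ThisFolderOnly     = ($stopHere.IdentityReference.Value | Sort-Object -Unique) -join '; '
                }
            }
        }
    # Folders the calling account could not enumerate at all (the symptom in the question).
    foreach ($e in $denied) { Write-Warning "Cannot enumerate: $($e.TargetObject)" }
}

function Enable-Inheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Path)
    process {
        if ($PSCmdlet.ShouldProcess($Path, 'Re-enable ACL inheritance')) {
            $acl = Get-Acl -LiteralPath $Path
            # Unprotect the DACL so the parent's inheritable ACEs apply again;
            # the folder's explicit ACEs are left untouched.
            $acl.SetAccessRuleProtection($false, $false)
            Set-Acl -LiteralPath $Path -AclObject $acl
        }
    }
}

# Audit first, then preview the repair without changing anything:
# Get-InheritanceGap -Root 'D:\placeholder\splunkdb' | Enable-Inheritance -WhatIf
```

Scheduled under an admin account as suggested in the accepted answer, the audit output also gives a record of which folders were created without inherited entries and who owns them.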

esix_splunk
Splunk Employee

Hmm so there may be something set in the GPO or MSA policy about the way file / permission inheritance works... It's not Splunk doing this. We don't muck around with the filesystem or change permissions. We let the OS do that...

0 Karma

lycollicott
Motivator

I have told the WinAdmins that sort of thing on more than one occasion ....they reject all logic. LOL

0 Karma