Why are Search Filters not being applied in scripted authentication?

lyndac
Contributor

Using Splunk Enterprise 6.4.1. I am attempting to use scripted authentication to apply search filters to my users. I can see that the script is being initiated and I can see calls being made to the getUsers and getUserInfo functions, however, I never see a call to the getSearchFilter function. When I do the search, I can tell that no filters are being applied. I just can't figure out why.

I created the authentication script. The getSearchFilter method of said script returns results like:

    --status=success --search_filter=foo=1234 --search_filter=foo=3432 --search_filter=foo=8742

With the above searchFilter, I expect to only see results where foo=1234 OR foo=3432 OR foo=8742. But I am seeing many more values than that. I set my authentication.conf up like this:

    [authentication]
    authType = Scripted
    authSettings = script

    [script]
    scriptPath = "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/share/splunk/authScriptSamples/abactest.py"
    scriptSearchFilters = 1

    [cacheTiming]
    userLoginTTL    = 10s
    getUserInfoTTL  = 1min
    getUsersTTL     = 2mins

I turned on debug for the AuthenticationManagerScripted, and see the following in the log file so I know the script is being run:

    Initializing scripted auth with script path '"/opt/splunk/bin/python" "/opt/splunk/share/splunk/authScriptSamples/abactest.py"'
    Scripted search filters: turned on
    Calling script '"/opt/splunk/bin/python" "/opt/splunk/share/splunk/authScriptSamples/abactest.py"' getUsers' with arguments''
    ...
    Found return key 'userInfo' with value 'lcarey;lcarey;l carey;admin:user'

What am I missing?


lyndac
Contributor

I figured out why the search filters are not being applied. It was because the user had a role of 'admin' and the 'admin' role overrides searchFilters applied to the user.

Other things I found while working on this:

  • If you have a local Splunk user with the same name as a scripted auth user, the local user takes precedence. So, in my case, I removed the admin role from the user and still wasn't seeing the search filter being applied. Turns out that I had a local Splunk user with the same name that did NOT have search filters specified, and that user has precedence.
  • User search filters are NOT applied to tstats searches!

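The two conditions described in the accepted answer can be checked before relying on per-user filters. The following Python check is an added example, not part of the original post and not Splunk's code: `audit_user`, `LOCAL_USERS` and the sample values are hypothetical, and the four-field `userInfo` layout is inferred from the log line quoted in the question.

```python
import shlex

def parse_script_output(line):
    """Split scripted-auth output ('--key=value ...') into {key: [values]}."""
    out = {}
    for token in shlex.split(line):
        if token.startswith("--") and "=" in token:
            # Split on the first '=' only: filter values contain '=' themselves.
            key, value = token[2:].split("=", 1)
            out.setdefault(key, []).append(value)
    return out

def parse_user_info(value):
    """'userId;username;realname;role1:role2' -> (username, [roles])."""
    _user_id, username, _realname, roles = value.split(";", 3)
    return username, [r for r in roles.split(":") if r]

def audit_user(user_info, filter_output, local_users):
    """Return reasons the scripted search filters would not restrict this user."""
    username, roles = parse_user_info(user_info)
    parsed = parse_script_output(filter_output)
    filters = parsed.get("search_filter", [])
    findings = []
    if parsed.get("status") != ["success"]:
        findings.append("getSearchFilter did not return --status=success")
    if not filters:
        findings.append("no --search_filter values returned")
    if "admin" in roles:
        findings.append("'admin' role overrides user search filters")
    if username in local_users:
        findings.append("local Splunk user with the same name takes precedence")
    return username, filters, findings

# Constructed sample input, modelled on the values quoted in the thread.
FILTER_OUTPUT = ("--status=success --search_filter=foo=1234 "
                 "--search_filter=foo=3432 --search_filter=foo=8742")
LOCAL_USERS = {"lcarey"}  # hypothetical set of local account names

if __name__ == "__main__":
    for info in ("lcarey;lcarey;l carey;admin:user", "jdoe;jdoe;j doe;user"):
        print(audit_user(info, FILTER_OUTPUT, LOCAL_USERS))
```

An empty findings list only means neither condition from the answer applies; it does not cover the tstats behaviour discussed in the replies.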

aaraneta_splunk
Splunk Employee

Hi @lyndac - Did your answer above provide a solution to your question? If yes, don't forget to click "Accept" to close out your question. Thank you.


mattness
Splunk Employee

You're partially correct about role-based search filters not being applied to tstats searches. By default they are applied to tstats searches of ordinary indexed data. But they are not applied to tstats searches of accelerated data models and accelerated data model objects. There is a tstats setting that you can use in limits.conf to change this default.

This is discussed in the documentation of the tstats command:

http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Tstats#Selecting_data


lyndac
Contributor

Actually, user-based search filters are what I was talking about. The role-based ones work as advertised.

I am trying to use scripted authentication to apply a search filter per USER. In that instance, the search filter is NOT applied to a tstats search even on ordinary indexed data.


mattness
Splunk Employee

Ok. The same restriction applies to user-based search filters, unfortunately. The plain truth is that no search filters whatsoever can be applied to accelerated data models or their objects. I'll update the documentation to reflect this.

The fact that the filter isn't working for ordinary indexed data is puzzling, however, and I don't have any immediate suggestions to resolve it. If I do, I'll respond here.
