Security

How to restrict access to specific rows?

joerglang
Engager

I have an index with kubernetes logs.
Each log line has a field called namespace with following values

  • prod
  • dev
  • qa
  • test

I want to limit some users, that the can not access lines with value "prod" but each other lines.
How can we do that?

thanks
Jörg

Labels (1)

TonyLeeVT
Builder

Hi Joerglang, Not sure if you saw this presentation, but this is what they are doing here in this .conf 2017 talk:  https://conf.splunk.com/files/2017/slides/splunking-with-multiple-personalities-extending-role-based...

It would be nice to see row-level security natively built in though.

0 Karma

Lucas_K
Motivator

Best practice. Separate you logs into different indexes. Apply normal restrictions at the indexing tier via srchIndexesAllowed in authorize.conf - https://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf

I'd suggest not using search filters for a non-metadata based field as they can be bypassed.

0 Karma

joerglang
Engager

Thanks for your feedback.

The problem is, that it is one single log, which has the content with , let me call it, different contextes.

what we are looking for is something like "row level security".

There is s feature for the "splunk connctors for kubernetes" to route logs namespace specific but there is a "topic" on naming convention.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...