curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

post(splunk-app-acl): non-removable lookup

This commit is contained in:
Ming Di Leom 2024-03-10 08:52:52 +00:00
parent 5ea22c0f6d
commit 0a7f4979fc
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
source/_posts/splunk-app-acl.md
View File

@ -82,3 +82,18 @@ access = read : [ roleA, roleB ], write : [ ]
```
In this approach, every new objects created in appA will not be accessible to roleB because it does not have app access.
## Non-removable lookup file
I noticed lookup files that have object-level ACL, e.g.
```conf
[lookups/lookupC.csv]
access = read : [ roleA ], write : [ ]
```
makes it non-removable, even with admin/sc-admin role.
My theory is that the object is non-removable to prevent the ACL from being orphaned. But this theory does not hold, at least for a lookup file that is shipped with an app; deleting a lookup file merely resets its content back to the app's version. Deleting a lookup file is necessary during an app update that also have updated content of a bundled lookup file. Even when a lookup was never modified, Splunk will keep the content during an app update. Updating an app does not automatically update the bundled lookup, the lookup will only be updated after a delete operation.
Similar limitation (i.e. app update does not update the app's object) also applies to dashboards. However, there is no way to delete a dashboard xml in Splunk Cloud, so updating a dashboard through app update always require app uninstallation beforehand.