Configure Splunk DB Connect security and access controls
The role-based user access controls in Splunk Enterprise enable you to set up access permissions for identity and connection objects, as well as capabilities for inputs, outputs, and lookups in Splunk DB Connect. You can grant a user global access to all DB Connect features and available database connections, or limit a user's access to only specific database connections or capabilities.
Before using DB Connect, the logged-in user must have the ability to write to the $SPLUNK_HOME/var directory (%SPLUNK_HOME%\var on Windows hosts) and to $SPLUNK_HOME/etc/apps/splunk_app_db_connect (%SPLUNK_HOME%\etc\apps\splunk_app_db_connect on Windows hosts) and its sub-directories. For more information, see Use access control to secure Splunk data.
Roles
When thinking about permissions in DB Connect, familiarize yourself with the Splunk Enterprise role-based user access system. You can create Splunk Enterprise users with passwords and assign them to roles. Roles determine the access and permissions of any user you assign to that role, including whether a user can access DB Connect. Roles determine users' capabilities for many Splunk Enterprise tasks, including DB Connect tasks.
When you install DB Connect, it adds two new roles to Splunk Enterprise: db_connect_admin and db_connect_user. In addition, Splunk Enterprise gives DB Connect capabilities to its admin role.
- The db_connect_user role has 13 capabilities and inherits from the user role. Its capabilities involve reading DB Connect objects.
- The db_connect_admin role has 35 capabilities and inherits from the db_connect_user role. Its capabilities involve reading and writing DB Connect objects, plus actions involving the task server.
- The existing Splunk Enterprise admin role automatically gets all DB Connect-specific capabilities when you install DB Connect.
To set or view the capabilities of a specific role from within Splunk Enterprise, go to Settings > Access controls > Roles. From here you can also create new roles with specific capabilities.
Permissions
You set permissions when you define the DB Connect identities and connections. An identity object contains encrypted database credentials. A connection object contains the necessary information for connecting to a remote database.
Use the Permissions table on the New Identity and New Connection setup pages to enter the Splunk Enterprise roles that have access to the identity or connection.
- Read access to an object means that Splunk Enterprise roles can use the object.
- Write access to an object means that Splunk Enterprise roles can use and modify the object.
By default, the Splunk Enterprise "admin" and "db_connect_admin" roles have read-write access to objects such as identities or connections, and the "db_connect_user" role has read access. All other roles have no access.
The permissions you set when you create a new identity or a new connection apply to Splunk Enterprise roles and are not related to database permissions. Because identities store encrypted database credentials, the level of database access that an identity has is directly related to the user account that you store in the identity. When you use an identity to connect to your database, Splunk limits your access to that database to the database access level of the user you have stored in that identity.
For example, if you added the credentials of user1 to identity1, and user1 only has access to table abc on the database and not to table xyz, a connection that uses identity1 only has access to table abc, and not xyz, on the database. That means that any database input, output, or lookup using that connection also has access to only table abc on that database.
Therefore, you must consider which database credentials to store within a DB Connect identity. You might want to create DB Connect-specific users on the database who have access to only the database tables you want to access with Splunk Enterprise, and then assign those users to your identities.
Capabilities
Every role in Splunk Enterprise has capabilities. In DB Connect, permissions define access for identities and connections, but capabilities define access for DB Connect-specific modular inputs, which include inputs, outputs, and lookups.
By defining the capabilities a role has, you define what that role can do with the inputs, outputs, and lookups you have created. For instance, the db_connect_user role can use inputs, outputs, and lookups, but the db_connect_admin role includes the additional capabilities that enable it to edit inputs and outputs, specifically:
- edit_modinput_dbx_db_input
- edit_modinput_dbx_db_output
When creating a new role that will have edit access to Inputs and Outputs, note that it should contain the edit_modinput_dbx_db_input and edit_modinput_dbx_db_output capabilities respectively.
Read-only connections
Splunk DB Connect supports the readonly JDBC attribute, which can restrict connections to read-only mode. This setting alone does not guarantee that users connecting through DB Connect cannot write to the database.
When you create a new connection, select the readonly check box to restrict users to SELECT statements against the database. The readonly check box cannot always guarantee read-only access; the database driver is what ultimately allows or prevents changes.
If you use the read-only option, ensure that, on the database itself, you limit the user to read-only access. To determine whether your database supports read-only access, see Supported databases or check your database vendor's documentation.
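The advice above, in both the Permissions and Read-only connections sections, is to enforce least privilege on the database side rather than relying on the readonly check box. The following is an added example of what that looks like for a dedicated DB Connect account; it is not part of the Splunk documentation. PostgreSQL syntax is assumed, and the role name dbx_reader, the schema public, and the tables abc and xyz are placeholders chosen to match the abc/xyz example earlier on this page.

```sql
-- Added example (not from the Splunk documentation): a least-privilege database
-- account to store in a DB Connect identity. PostgreSQL syntax is assumed;
-- dbx_reader, public, abc and xyz are placeholder names.

-- 1. A dedicated login role used only by DB Connect. Keep the password in the
--    DB Connect identity (stored encrypted), not in scripts or inputs.conf.
CREATE ROLE dbx_reader LOGIN PASSWORD 'replace-with-a-strong-password';

-- 2. Start from nothing: drop the default privileges the role would otherwise
--    receive on the public schema, then grant only what is needed.
REVOKE ALL ON SCHEMA public FROM dbx_reader;
GRANT USAGE ON SCHEMA public TO dbx_reader;

-- 3. Read access to the one table DB Connect inputs/lookups should see.
--    Table xyz receives no grant, so any input, output or lookup that uses a
--    connection built on this identity cannot touch it, whatever the readonly
--    check box says.
GRANT SELECT ON TABLE abc TO dbx_reader;

-- 4. Make sessions read-only by default as defence in depth. This is a
--    session setting, not a hard boundary (a session can switch it off with
--    SET transaction_read_only = off), so the absence of INSERT/UPDATE/DELETE
--    grants in step 3 is the control that actually prevents writes.
ALTER ROLE dbx_reader SET default_transaction_read_only = on;

-- 5. Verify: the only row returned should be abc / SELECT.
SELECT grantee, table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'dbx_reader';
```

Run the verification query after every change to the account and whenever you add a new table to a DB Connect input; if a write privilege or an unexpected table appears in the result, the identity grants more than the documentation's "only the database tables you want to access" guidance intends.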
This documentation applies to the following versions of Splunk® DB Connect: 3.18.0