guilhemmarchand / TA-jira-service-desk-simple-addon

Atlassian JIRA add-on for Splunk alert actions

Addon writing output CSV into Windows\TEMP folder #106

Closed pavankumarh3 closed 3 years ago

pavankumarh3 commented 3 years ago

Hi Guilhem, we are trying to use your Splunk addon in our company and after full deployment and configuration, it's generating tickets in Jira but the attachments are not going into the Jira ticket. Below is the error log, which indicates that the addon is trying to write the results file into the WINDOWS\TEMP folder and access is getting denied. We have tried this with both the user and admin roles. Please let us know if you have seen this error and if it's configurable. Any input will be highly appreciated.

2021-08-25 08:27:19,939 ERROR pid=7820 tid=MainThread file=cim_actions.py:message:280 | sendmodaction - signature="JIRA Service Desk ticket attachment file upload has failed!:[Errno 13] Permission denied: 'C:\Windows\TEMP\splunk_alert_results_2021-08-25-082719_3z_k1e8f.csv'" action_name="jira_service_desk" search_name="ske-test" sid="schedulerskesysearch__RMD52a8a75a560f32dff_at_1629894420_1106" rid="0" app="search" user="skesy" action_mode="saved" action_status="failure"

2021-08-25 08:27:18,816 INFO pid=7820 tid=MainThread file=cim_actions.py:message:280 | sendmodaction - signature="JIRA Service Desk ticket successfully created. https://jiraims.rm.com/rest/api/latest/issue, content={"id":"1724037","key":"JIR-167","self":"https://jiraims.rm.com/rest/api/latest/issue/1724037"}" action_name="jira_service_desk" search_name="ske-test" sid="schedulerskesysearch__RMD52a8a75a560f32dff_at_1629894420_1106" rid="0" app="search" user="skesy" action_mode="saved" action_status="success"

guilhemmarchand commented 3 years ago

Hi @pavankumarh3

I haven't personally tried this in a Windows-based deployment. The TA uses a standard Python module to deal with the temporary files, as per the code:

def attach_csv(helper, jira_url, jira_created_key, jira_attachment_token, jira_headers_attachment, ssl_certificate_validation, proxy_dict, *args, **kwargs):

    import gzip
    import tempfile
    import requests

    # Temporary CSV named after the alert timestamp; it is deleted automatically when closed
    timestr = get_timestr()
    results_csv = tempfile.NamedTemporaryFile(mode='w+t', prefix="splunk_alert_results_" + str(timestr) + "_", suffix='.csv')
    # Attachments endpoint of the issue that was just created
    jira_url = jira_url + "/" + jira_created_key + "/attachments"

    # Decompress the gzipped Splunk results into the temporary CSV
    input_file = gzip.open(jira_attachment_token, 'rt')
    all_data = input_file.read()
    results_csv.writelines(str(all_data))
    results_csv.seek(0)

    try:

        # Reopen the temporary file by name (results_csv is still open) and upload it
        files = {'file': open(results_csv.name, 'rb')}
        response = requests.post(jira_url, files=files, headers=jira_headers_attachment,
                                verify=ssl_certificate_validation, proxies=proxy_dict)
        helper.log_debug("response status_code:={}".format(response.status_code))

        if response.status_code not in (200, 201, 204):
            helper.log_error(
                'JIRA Service Desk ticket attachment file upload has failed!. url={}, '
                'jira_attachment_token={}, HTTP Error={}, '
                'content={}'.format(jira_url, jira_attachment_token, response.status_code,
                                    response.text))
        else:
            helper.log_info('JIRA Service Desk ticket attachment file uploaded successfully. {},'
                        ' content={}'.format(jira_url, response.text))

    # The excerpt ended before this handler; reconstructed from the error signature in the log above
    except Exception as e:
        helper.log_error('JIRA Service Desk ticket attachment file upload has failed!:{}'.format(str(e)))

From the logs it seems that either this directory is not reachable, or the Windows user running the Splunk service is not able to write to this location:

C:\Windows\TEMP\splunk_alert_results_2021-08-25-082719_3z_k1e8f.csv

So, it is important that you make the distinction between the Splunk user context (what user you tried with in Splunk), and the OS level user name space.

Here, your problem is that from the OS perspective, the kind of permissions Splunk has relies on your configuration of the Splunk service. If you run Splunk with a limited account, you need to allow the permissions to the standard TEMP directory from the Python point of view.

Can you have a look at this please?

fanou51500 commented 3 years ago

Hi Guilhem, I face a similar issue.

guilhemmarchand commented 3 years ago

@fanou51500 Windows too right?

fanou51500 commented 3 years ago

@guilhemmarchand Yes, Splunk runs on Windows. I set Everyone full access to the Windows temp folder but it didn't fix the issue. In order to fix the issue, I changed this line in the attach_csv function:

    results_csv = tempfile.NamedTemporaryFile(mode='w+t', prefix="splunk_alert_results_" + str(timestr) + "_", suffix='.csv')

to:

    results_csv = tempfile.NamedTemporaryFile(mode='w+t', prefix="splunk_alert_results_" + str(timestr) + "_", suffix='.csv', delete=False)

It seems that the NamedTemporaryFile function behaves differently on Unix and Windows systems.

guilhemmarchand commented 3 years ago

Thanks @fanou51500 ! That is very useful, I came to the same understanding with some Google searches so it's amazing you can confirm ;-)

I will check that it does not impact anything on Linux, and will incorporate this fix anytime soon.

pavankumarh3 commented 3 years ago

@guilhemmarchand @fanou51500 Good to know we have a workaround. Could you please point me to the location of this Python file in the addon? I will test the same.

guilhemmarchand commented 3 years ago

@pavankumarh3

This is the file:

TA-jira-service-desk-simple-addon/bin/ta_service_desk_simple_addon/modalert_jira_service_desk_helper.py

You want the change in the relevant functions handling attachments.

pavankumarh3 commented 3 years ago

@guilhemmarchand Thank you very much. After modifying the Python script as detailed above, the attachment was successfully delivered.

guilhemmarchand commented 3 years ago

Awesome - I will publish a new release in the upcoming days

guilhemmarchand commented 3 years ago

@pavankumarh3 @fanou51500

This Windows-specific issue is now addressed in version 2.0.2, please upgrade when convenient. Using the delete=False option, while avoiding the failure, is not ideal as it leaves all the temporary files in place, not very convenient you will admit. In the release, the TA handles the temporary directory to be in the app name space; in addition, a function gets called to keep control of the temporary files and purge previous file iterations. Linux as a more serious server OS is not affected by this and remains clean immediately after closing the temp file.
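
The handling described in the last comment (results staged in a dedicated directory, the file closed before it is reopened, removed after use, and older leftovers purged), as an added example that is not the TA's own code. The function names, `tmp_dir` and the `upload` callback are hypothetical.

```python
import gzip
import os
import tempfile
import time

PREFIX = "splunk_alert_results_"


def stage_results_csv(gz_path, tmp_dir, timestr):
    """Decompress the gzipped results into a closed temp CSV and return its path."""
    os.makedirs(tmp_dir, exist_ok=True)
    # mkstemp never auto-deletes and, on POSIX, creates the file owner-only (0600).
    fd, csv_path = tempfile.mkstemp(prefix=PREFIX + timestr + "_",
                                    suffix=".csv", dir=tmp_dir)
    with os.fdopen(fd, "w", newline="") as out, \
            gzip.open(gz_path, "rt", newline="") as src:
        out.write(src.read())
    # The write handle is closed here, so opening the file again by name
    # works on Windows as well as on Linux.
    return csv_path


def with_staged_csv(gz_path, tmp_dir, timestr, upload):
    """Stage the CSV, pass an open binary handle to upload(), always clean up."""
    csv_path = stage_results_csv(gz_path, tmp_dir, timestr)
    try:
        with open(csv_path, "rb") as fh:
            return upload(fh)
    finally:
        # Alert results may hold sensitive data: remove them even if upload fails.
        os.remove(csv_path)


def purge_old_results(tmp_dir, max_age_seconds, now=None):
    """Delete leftover result CSVs (e.g. from a crashed run) older than the limit."""
    now = time.time() if now is None else now
    removed = []
    for name in os.listdir(tmp_dir):
        if not (name.startswith(PREFIX) and name.endswith(".csv")):
            continue  # never touch files this code did not create
        path = os.path.join(tmp_dir, name)
        if now - os.path.getmtime(path) > max_age_seconds:
            os.remove(path)
            removed.append(name)
    return sorted(removed)
```

In an alert action, `upload` would wrap the `requests.post(..., files={'file': fh}, ...)` call from the excerpt earlier in the thread, and `tmp_dir` would point inside the app's own directory rather than the system-wide TEMP folder.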