splunk / splunk-app-examples

App examples for Splunk Enterprise
Apache License 2.0

bearerToken vs. splunkToken #33

Open UnitedMarsupials opened 1 year ago

UnitedMarsupials commented 1 year ago

The resolution of splunk/splunk-sdk-python#388 advises using the verb bearerToken to use the token-based authentication instead of the username/password credentials.

Both the python/README.md and the python/.env show the same verb -- although the line is commented out in both examples. Unfortunately, trying to use it results in an error:

Traceback (most recent call last):
  File "submit.py", line 82, in <module>
    main(sys.argv[1:])
  File "submit.py", line 43, in main
    opts = parse(argv, RULES, ".env", usage=usage)
  File "/home/xx/splunk-app-examples/python/utils.py", line 226, in parse
    parser_.loadenv(config)
  File "/home/xx/splunk-app-examples/python/utils.py", line 172, in loadenv
    self.loadif(filepath)
  File "/home/xx/splunk-app-examples/python/utils.py", line 166, in loadif
    self.load(filepath)
  File "/home/xx/splunk-app-examples/python/utils.py", line 159, in load
    raise NameError("No such option --" + key)
NameError: No such option --bearerToken

Closer examination of python/utils.py reveals that the expected verb is splunkToken! At this time, the documented spelling should probably be added as an alias -- if possible -- to avoid breaking things for people already using the incorrect verb...
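The alias suggested above, sketched as an added example (not code from this thread or from the project's utils.py): a hypothetical `load_env` that maps `bearerToken` to `splunkToken`, keeps the NameError from the traceback for unknown keys, and never echoes option values in its errors. The `KNOWN` option set and the sample input are assumptions.

```python
# Added example: hypothetical alias-aware .env loader, not the project's utils.py.
# Option names come from the thread; the full option set is an assumption.
KNOWN = {"host", "port", "username", "password", "token", "splunkToken"}
ALIASES = {"bearerToken": "splunkToken"}  # documented spelling -> spelling the parser expects


def load_env(text, known=KNOWN, aliases=ALIASES):
    """Parse key=value lines, resolving aliases to their canonical option name."""
    opts, seen_as = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out option
        key, sep, value = line.partition("=")  # split on the first '=' only
        key, value = key.strip(), value.strip()
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value")
        canonical = aliases.get(key, key)
        if canonical not in known:
            # Same message as the traceback in the issue; the value is never echoed.
            raise NameError("No such option --" + key)
        if canonical in opts and opts[canonical] != value:
            # Alias and canonical key disagree: refuse rather than silently pick a credential.
            raise ValueError(
                f"line {lineno}: --{key} conflicts with earlier --{seen_as[canonical]}")
        opts[canonical] = value
        seen_as[canonical] = key
    return opts


# Constructed sample input; the token is a placeholder, not a real credential.
SAMPLE = """\
# username=admin
host=localhost
port=8089
bearerToken=EXAMPLE-TOKEN-PLACEHOLDER
"""

if __name__ == "__main__":
    print(load_env(SAMPLE))
```
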

akaila-splunk commented 1 year ago

@UnitedMarsupials, sorry for the delay in response. To connect with Splunk using the .env file, you can use the splunkToken key for a bearer token and the token key for a session key. In a future release we'll update the sample .env files to avoid any confusion. Please let us know if you still face any issue after updating the key name to splunkToken.

UnitedMarsupials commented 1 year ago

@akaila-splunk, putting splunkToken into .env does not work. The way to use the Splunk token currently is by using the token verb on the left side, and the string consisting of the word "Splunk" followed by a space, and then -- the hexadecimal token itself:

host=splunk-hec
port=8088
token=Splunk xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx

Unfortunately, even after successful authentication, things don't really work -- because the client tries to get details about the index (even if it does not need any such details), which a Splunk-token is not authorized to do. #34 discusses this problem in detail...