splunk / splunk-sdk-python

Splunk Software Development Kit for Python
http://dev.splunk.com
Apache License 2.0

All Set-Cookie responses incorrectly assumed to be auth cookies #438

Closed bendikro closed 2 years ago

bendikro commented 2 years ago

In short: splunklib expects any Set-Cookie to be an auth cookie from Splunk. This is a problem when authenticating with a bearer token.

When hosting Splunk behind a load balancer like F5, which sets its own Set-Cookie in the response for connection persistence (stickiness), the Set-Cookie in the response from F5 will be included in the request headers instead of the Splunk bearer token due to the logic in splunklib/binding.py#L520.

When authenticating with user/pass, this makes sense, since the Splunk API responds with a Set-Cookie for the session token (splunkd_8089). With a bearer token, Splunk does not respond with a session token; however, the _auth_headers function seems to expect any Set-Cookie to be a session token.

The result is that, with bearer token authentication, requests to the Splunk API after the initial request will fail with "Request failed: Session is not logged in".

To Reproduce

1) Host Splunk behind F5 with stickiness enabled (or any middleware that adds a Set-Cookie to the HTTP response)
2) Create a splunklib.client.Service with bearer token authentication
3) Perform a call that requires authentication and see that it fails

import splunklib.client

# Bearer token authentication; the host value is elided in the original report
client = splunklib.client.Service(host='..', splunkToken='XXXX')
client.info()

Expected behavior

Authentication should work.

Workaround

By passing the Splunk token header manually, splunklib will include both the stickiness cookie as well as the Splunk token in the requests.

import splunklib.client

# Pass the Authorization header explicitly so it is sent alongside the stickiness cookie
client = splunklib.client.Service(host='..', splunkToken='XXXX', headers=[('Authorization', 'Splunk {}'.format('<token>'))])
client.info()

akaila-splunk commented 2 years ago

Thanks for reporting this issue with the detailed information, we'll investigate it and try to provide a fix.

ashah-splunk commented 2 years ago

Hi @bendikro, we have added the fix and it will be available in the next release. Reference

bendikro commented 2 years ago

Thanks, that solves the authentication problem. However, the fix does not take the Set-Cookie from the middleware into consideration. Any non-auth-cookies in self.http._cookies are no longer included in the requests unless there is an auth cookie as well.
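
The header selection discussed in this thread, as an added example that is not part of the thread or the SDK's code: it contrasts the reported behaviour (any stored cookie replaces the token) with a check that echoes every cookie but only omits the token when a session cookie is present. The function names, the `splunkd_` prefix test and the sample cookie values are assumptions made for illustration; the `Authorization: Splunk <token>` format follows the workaround in the first post.

```python
from http.cookies import SimpleCookie

# Assumption: Splunk session cookies are named like "splunkd_8089" (from the issue text).
AUTH_COOKIE_PREFIX = "splunkd_"

# Constructed sample Set-Cookie values: a load-balancer stickiness cookie and a session cookie.
LB_SET_COOKIE = "BIGipServerpool_splunk=1677787402.36895.0000; path=/; Httponly; Secure"
SESSION_SET_COOKIE = "splunkd_8089=constructed-session-value; Path=/; HttpOnly"

def parse_set_cookie(header_values):
    """Collect cookie name -> value from a list of Set-Cookie header values."""
    jar = {}
    for raw in header_values:
        parsed = SimpleCookie()
        parsed.load(raw)
        for name, morsel in parsed.items():
            jar[name] = morsel.value
    return jar

def cookie_header(jar):
    """Serialise the jar into a single Cookie request header value."""
    return "; ".join(f"{name}={value}" for name, value in jar.items())

def auth_headers_any_cookie(jar, token):
    """Reported behaviour: any stored cookie is treated as the credential."""
    if jar:
        return [("Cookie", cookie_header(jar))]
    return [("Authorization", f"Splunk {token}")]

def auth_headers_checked(jar, token):
    """Echo every cookie, but drop the token only when a session cookie is present."""
    headers = []
    if jar:
        headers.append(("Cookie", cookie_header(jar)))
    has_session = any(name.startswith(AUTH_COOKIE_PREFIX) for name in jar)
    if token and not has_session:
        headers.append(("Authorization", f"Splunk {token}"))
    return headers

if __name__ == "__main__":
    jar = parse_set_cookie([LB_SET_COOKIE])
    print(auth_headers_any_cookie(jar, "XXXX"))  # stickiness cookie only, token missing
    print(auth_headers_checked(jar, "XXXX"))     # stickiness cookie and token
```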

ashah-splunk commented 2 years ago

@bendikro we would request you to use the latest Python SDK and let us know if it resolves the issue.

bendikro commented 2 years ago

> @bendikro we would request you to use the latest Python SDK and let us know if it resolves the issue.

Hi

Version 1.7.0 gives TypeError due to this change: https://github.com/splunk/splunk-sdk-python/pull/463/files#diff-701b42a0245cf832be44eb595d99bef52b3afca77ae631caa24643ed1ea6c4f3R547

Btw, why would you be calling __len__ directly on https://github.com/splunk/splunk-sdk-python/pull/463/files#diff-701b42a0245cf832be44eb595d99bef52b3afca77ae631caa24643ed1ea6c4f3R546 ? if self.get_cookies(): should be sufficient?

ashah-splunk commented 2 years ago

Hi @bendikro, we have fixed the TypeError and it will be available in the next release. Reference

ashah-splunk commented 2 years ago

@bendikro we would request you to use the latest Python SDK release. We have fixed the code for TypeError and also considered your suggestion in the fix. Please let us know if it resolves your issue. Thanks!

bendikro commented 2 years ago

> @bendikro we would request you to use the latest Python SDK release. We have fixed the code for TypeError and also considered your suggestion in the fix. Please let us know if it resolves your issue. Thanks!

Seems to be working now with version 1.7.1. Thanks!