TIPS & TRICKS

Read-only database connections

Version 1.1.1 of the Splunk DB Connect Add-on is now available on our community site, and there’s a great new option for managing your users’ database access. Let’s walk through how to grant selected users permissions to query only certain databases and have the option to restrict connections to read-only mode.

First, we’ll set up a test platform using Oracle’s MySQL.

* Install a MySQL database and a full JRE. Note that you don’t need to get JDBC drivers for MySQL, though you might have to download separate drivers for some database platforms. You might also want MySQL Workbench if you’re not comfortable with the command line.

* Upload the World sample database into your database.

* Create a MySQL user named alice:

CREATE USER alice@'localhost' IDENTIFIED BY 'some_pass';

* Grant all privileges on World to alice

GRANT ALL PRIVILEGES ON World TO 'alice'@'localhost' WITH GRANT OPTION;

Now we’re ready to go to Splunk.

* Install a test instance of Splunk if you haven’t already, and add the DB Connect Add-on to it. Click Setup to provide the full path to your JRE.

* In DB Connect, click Database Connections and add a new database connection called “rwmysql”. Use the MySQL alice account. That’s all we need to do to enable Splunk admins to use the database, but now we want to setup role-based access.

* Now add a second database connection called “romysql”. Use the same MySQL alice account, and make sure you check the “Read Only” box at the bottom of the form.

* Now create a Splunk role called “readonlydbrole” and inherit the User role to it. This will be the role used by users that are not allowed to write to the database.

* Also create a Splunk role called “readwritedbrole” and inherit the User role to it. That way you can allow some users to write to the database without giving them excessive Splunk permissions.

* Now go to the Splunk Manager, Apps, DB Connect, Permissions and grant read rights to these two new roles so that they can use the app.

* You’ll also need to manage Apps, DB Connect, View Objects and grant read rights to the dbinfo and dbquery views and commands, and database connections (rwmysql and romysql). Write rights are not necessary, but without read rights the roles will not be able to use DB Connect or its commands.

* Now we just need some users for our roles: create Splunk user bob and add to “readonlydbrole” role, and create Splunk user charlie and add to “readwritedbrole” role.

Testing time! Log into Splunk as bob or charlie and browse the world database through the DB Connect app or the Search app.

| dbquery "romysql" "SELECT * FROM City" limit=1000

Only charlie can execute SQL update commands though:

UPDATE City SET Name="People's Republic of Berkeley" where Name="Berkeley";

When bob tries this command, he is given an error message from the JDBC driver.

command="dbquery", A database error occurred: Can not issue data manipulation statements with executeQuery().

There is still a way for bob to potentially update the database through the dbquery command though. While he cannot browse the list of databases, if he somehow gets the name of the writable database connection he can use it successfully from the Search app:

| dbquery “rwmysql” “UPDATE City SET Name=\"Berkeley\" where Name=\"People\'s Republic of Berkeley\";

To close this loophole, we will now create another MySQL user, dory.

CREATE USER dory@'localhost' IDENTIFIED BY 'some_pass';

* grant read-only privileges on World to dory

GRANT SELECT, SHOW VIEW ON World TO 'dory'@'localhost';

* In DB Connect, edit the database connection “romysql” and change the credentials to the dory account instead of the alice account.

To recap, we now have three levels of access control:

  • Database users have granular permissions to access databases.
  • DB Connect connections have “Read Only” mode control.
  • Splunk roles have permissions to see specific connections within DB Connect.

Happy Splunking!

----------------------------------------------------
Thanks!
Jack Coates

Splunk
Posted by

Splunk

Join the Discussion