Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

in_splunk: splunk token validation must be case-insensitive #9518

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

in_splunk: splunk token validation must be case-insensitive #9518

wants to merge 1 commit into from

Conversation

lecaros
Copy link
Contributor

@lecaros lecaros commented Oct 23, 2024
edited
Loading

Changes validation of received Splunk token to be case-insensitive, as the Splunk HEC does.

fixes #9517

Backporting

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

@lecaros
in_splunk: splunk token validation must be case-insensitive, since th…
85beb0f 
…at's the behavior from Splunk HEC

Signed-off-by: lecaros <[email protected]>
@lecaros lecaros mentioned this pull request Oct 23, 2024
Open
@edsiper
Copy link
Member

edsiper commented Oct 23, 2024

@lecaros where we can confirm in Splunk docs that indeed auth token are not case sensitive ? (it does not sound normal since it's a security mechanism)

@lecaros
Copy link
Contributor Author

lecaros commented Oct 23, 2024

@edsiper I agree on that, it's way easier to break it if it's case-insensitive.
I was looking into the docs, but couldn't find anything explicitly saying that.
https://docs.splunk.com/Documentation/Splunk/9.3.1/Data/UsetheHTTPEventCollector
https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/CreateAuthTokens

However, I confirmed the behavior using latest image of Splunk, as explained in the repro.
If we don't want to do that, then we just need to update the docs instead of mirroring what Splunk is doing.

@cosmo0920
Copy link
Contributor

Or, should we provide case-sensitive or case-insensitive option on in_splunk? This could preserve backward compatibility.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edsiper edsiper Awaiting requested review from edsiper edsiper is a code owner

@leonardo-albertovich leonardo-albertovich Awaiting requested review from leonardo-albertovich leonardo-albertovich is a code owner

@fujimotos fujimotos Awaiting requested review from fujimotos fujimotos is a code owner

@koleini koleini Awaiting requested review from koleini koleini is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
docs-required
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Splunk input plugin token validation is case-sensitive, the Splunk HEC is not. It should be consistent
3 participants
@lecaros @edsiper @cosmo0920