topic Re: set maintenance mode for indexer cluster with hashed password in Security

How to set maintenance mode for indexer cluster with hashed password?

leonaheidern2 — Fri, 27 May 2022 15:13:16 GMT

Hi all

I am having issues trying to script enabling and disabling maintenance mode with a hashed password.

The command is /opt/splunk/bin/splunk enable maintenance -mode - auth admin: somepassword

Is there a way I can hash the password. I have tried the hash-passwd and user-seed.conf but it does not seem to hash my clear text password upon restarting splunk

Re: set maintenance mode for indexer cluster with hashed password

PickleRick — Fri, 27 May 2022 09:54:35 GMT

Even if you could, that wouldn't increase your script security. As long as you're storing authentication data which can be provided in the clear to authenticate your user, it's prone to leakage and abuse. Storing it as "hashed" value if you can authenticate yourself with this hashed value effectively makes it cleartext.

Anyway, you can use REST to put cluster in maintenance mode. https://docs.splunk.com/Documentation/Splunk/8.2.6/RESTREF/RESTcluster#cluster.2Fmanager.2Fcontrol.2Fdefault.2Fmaintenance

Re: set maintenance mode for indexer cluster with hashed password

leonaheidern2 — Fri, 27 May 2022 10:27:22 GMT

I am actually trying to do this as a shell script for yum update.

Probably schedule maintenance mode on the master node first then set hourly intervals per indexer to offline and yum update and reboot

I have enable boot start for the Splunk so technically the splunk service starts up automatically on reboot

Re: set maintenance mode for indexer cluster with hashed password

PickleRick — Fri, 27 May 2022 11:02:33 GMT

Typically yum update should not require stopping splunkd as such. There is almost no real important dependencies that could interfere with splunk as the packages are updated. Of course if you need to reboot to upgrade kernel or systemd (why would you want to reboot otherwise?) you want to use maintenance mode.

Re: set maintenance mode for indexer cluster with hashed password

leonaheidern2 — Fri, 27 May 2022 11:13:09 GMT

I actually do. It's usually because of kernel patches that's why I have to reboot. Hence was thinking of an automated way to deal with the indexer cluster and master node. Currently I am doing this manually monthly.

Re: set maintenance mode for indexer cluster with hashed password

PickleRick — Fri, 27 May 2022 11:46:44 GMT

So any way of authentication that can be used in such batch operation has to rely on stored authentication data. Whether it's a plaintext password, password hash, ssh key, x509 certificate, you still have to "show" something to the entity you want to authenticate yourself to. That's a common problem with all "static" authentication mechanisms. You'd have to have some completely different authentication schema to avoid the possible impersonation problem.