topic How does precedence work for authorize.conf? in Security

How does precedence work for authorize.conf?

ddrillic — Wed, 02 Aug 2017 14:54:22 GMT

On the deployer server we have the authorize.conf under /opt/splunk/etc/shcluster/apps/key_all_authentication/local and on the search heads we ended up having authorize.conf under etc/system/local. Apparently the one under etc/system/local takes precedence, which seems to me a bit strange as search time precedence order starts usually with the apps...

What am I missing?

Re: How does precedence work for authorize.conf?

bheemireddi — Wed, 02 Aug 2017 17:24:16 GMT

Configs under system/local always gets precedence over the apps//system/local.
In regards to authorize.conf, since these are clustered search heads and you use deployer, would be better to use under apps to avoid confusion.

Re: How does precedence work for authorize.conf?

ddrillic — Wed, 02 Aug 2017 19:08:57 GMT

Fair enough. Since it's search time the following, in my mind, should apply

Configuration file precedence

It says

Precedence order within app or user context

When there's an app/user context, directory priority descends from user to app to system:

User directories for current user -- highest priority
App directories for currently running app (local, followed by default)
App directories for all other apps (local, followed by default) -- for exported settings only
System directories (local, followed by default) -- lowest priority

An attribute in savedsearches.conf, for example, might be set at all three levels: the user, the app, and the system. Splunk will always use the value of the user-level attribute, if any, in preference to a value for that same attribute set at the app or system level.

Re: How does precedence work for authorize.conf?

bheemireddi — Wed, 02 Aug 2017 20:08:22 GMT

Yes, Splunk applies different precedence for the configuration files in global context vs app/user context. Below link should explain in detail. Since authorize.conf is a system configuration file and not a user/app context.

http://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Wheretofindtheconfigurationfiles

Precedence order within global context:
When the context is global (that is, where there's no app/user context), directory priority descends in this order:

System local directory -- highest priority
App local directories
App default directories
System default directory -- lowest priority

Re: How does precedence work for authorize.conf?

ddrillic — Thu, 03 Aug 2017 00:27:17 GMT

Perfect - thank you.