Hey All,
I am working on setting up RBAC roles that restrict access to specific indexes.
In the GUI of my deployment manager I am not seeing all of the indexes. Should I add an indexes.conf to the local on that box?
Or should I just add the index names to the authorize.conf?
Also if I add them into authorize.conf will they show in the GUI?
Thanks!
Andrew
Hello there,
I'll show what I usually do in order to meet regulations for segregation of data. For this to work, you'll most likely need some sort of index naming concept. Otherwise you might end up asking yourself "what's that index or role for again?".
[role_i-INDEX_NAME]. So an i- prefix (or you could use a c- for capability roles). For every index role, define only one index for both srchIndexesAllowed and srchIndexesDefault. If you define more, it will be a mess later on to manage.
importRoles. Be sure to check your settings by running a REST search like | rest /services/authorization/roles and check whether srchIndexesAllowed and srchIndexesDefault got properly inherited. These roles finally get assigned to users or LDAP groups.
Does that answer your question?
Skalli
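An offline lint for the convention described in the post above, as an added example that is not part of the original post or of Splunk: it parses authorize.conf text, checks that each i- role names exactly one index in both settings, and follows importRoles to list the indexes a role ends up with. The sample configuration and every role and index name in it are constructed, and flagging imports of undefined roles is an assumption of this check.

```python
import configparser

# Constructed sample authorize.conf; all role and index names are made up.
SAMPLE = """\
[role_i-web]
srchIndexesAllowed = web
srchIndexesDefault = web
[role_i-firewall]
srchIndexesAllowed = firewall
srchIndexesDefault = firewall
[role_i-messy]
srchIndexesAllowed = web;firewall;os
srchIndexesDefault = web
[role_team_netops]
importRoles = i-web;i-firewall
[role_team_typo]
importRoles = i-web;i-firewal
"""

def load_roles(text):
    """Map role name (without 'role_') to {setting: [semicolon-split values]}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            roles[section[5:]] = {k: [x.strip() for x in v.split(";") if x.strip()]
                                  for k, v in cp[section].items()}
    return roles

def lint(roles, prefix="i-"):
    """Flag index roles that break the one-index rule and imports of unknown roles."""
    findings = []
    for name, cfg in sorted(roles.items()):
        allowed = cfg.get("srchIndexesAllowed", [])
        if name.startswith(prefix) and (len(allowed) != 1 or allowed != cfg.get("srchIndexesDefault", [])):
            findings.append(f"{name}: index role must name one index in both settings")
        findings += [f"{name}: imports undefined role {r}"
                     for r in cfg.get("importRoles", []) if r not in roles]
    return findings

def effective_indexes(roles, name, seen=None):
    """Indexes a role can search once importRoles inheritance is followed."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    found = set(roles[name].get("srchIndexesAllowed", []))
    for parent in roles[name].get("importRoles", []):
        found |= effective_indexes(roles, parent, seen)
    return found
```

This only reads configuration text; the | rest /services/authorization/roles search mentioned in the post remains the check against a running instance.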
No, that doesn't, thanks for the info anyway.
In my deployment manager under the role settings you are able to setup access to indexes via the GUI.
All of my indices are not showing up under the GUI.
I am asking do I need to deploy my indexes.conf to this server for them to show up? Or should I just assign access to indices via the authorize.conf in my ldap app that is deployed environment wide?
Yes, the indexes.conf needs to be on the SH as well for indexes to show up in the GUI.
That is what I needed.
Thank you, I just put a copy of the indexes.conf into system/local on my deployment manager to achieve this.
Thank you for your feedback.
Just a little bonus addition: You might want to create an app instead under $SPLUNK_HOME/etc/apps and put that indexes.conf there under local. System/local isn't really considered a best practice (due to several reasons like clusters, deployment servers, system/local always having the highest config file precedence). 🙂
Skalli
Thanks for the info. We have an app that we deploy with these settings, but the deployment manager doesn't list itself in the list of servers to deploy to. Hence why I deployed to system/local.