How to migrate users to a search head cluster?

Path Finder

I followed the instructions on https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Migratefromstandalonesearchheads and thought that I could actually migrate users (not just their settings) from a standalone Splunk instance to a new Search Head Cluster. However, I now realize that only the users' settings were migrated, but not the actual users themselves. Is there a way to migrate users? I don't want to re-create every single one on the new cluster, which is extremely tedious.

Thanks.
- Patrick

0 Karma
1 Solution

Path Finder

As an experiment, I did the following:
- On each search head, I made a backup of etc/passwd (which contains only the admin user)
- I then copied the etc/passwd file from my stand-alone Splunk to each search head
- On the copied passwd file, I replaced the admin entry with the one from my backup passwd
- I restarted all my search heads

Result:
- I can successfully log in to my search head using the users (with their passwords) contained in the copied passwd.
- I can also log in to my search head using the admin and its pwd which I specified when I set up the new search head cluster

Honestly I don't know why it works (since I know Splunk will encrypt the password, possibly using a different key), but it works for me.

0 Karma
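
The merge described in the accepted answer, as an added example that is not part of the original post and not Splunk tooling: it takes every account from the standalone instance's passwd and keeps the cluster member's own admin entry, backing up the member's file first. The colon-separated layout with the user name in the second field, the function names and the sample entries are assumptions constructed for illustration; check them against your own etc/passwd.

```python
import os
import shutil
import tempfile

# Constructed sample data; the hash fields are placeholders, not real hashes.
STANDALONE = (
    ":admin:$6$oldsalt$AAAA::Administrator:admin:changeme@example.com:::\n"
    ":alice:$6$salt1$BBBB::Alice:user:alice@example.com:::\n"
    ":bob:$6$salt2$CCCC::Bob:power;user:bob@example.com:::\n"
)
MEMBER = ":admin:$6$newsalt$DDDD::Administrator:admin:changeme@example.com:::\n"


def parse_passwd(text):
    """Return {user name: raw line} in file order.

    Assumed layout: colon-separated fields, first field empty, user name second.
    """
    users = {}
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 3 or fields[0] or not fields[1]:
            raise ValueError(f"line {number}: unexpected entry layout")
        if fields[1] in users:
            raise ValueError(f"line {number}: duplicate user {fields[1]!r}")
        users[fields[1]] = line
    return users


def merge_passwd(standalone_text, member_text, keep=("admin",)):
    """Take every account from the standalone file, except that accounts named
    in `keep` retain the entry the cluster member already has."""
    source, member = parse_passwd(standalone_text), parse_passwd(member_text)
    merged = {n: member[n] if n in keep and n in member else line
              for n, line in source.items()}
    for name, line in member.items():
        merged.setdefault(name, line)  # member-only accounts are not dropped
    return "\n".join(merged.values()) + "\n"


def install_passwd(path, text):
    """Back up `path` as path.bak, then replace it atomically (mode 0600)."""
    shutil.copy2(path, path + ".bak")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)
```

Run it against each search head's passwd file and restart the search heads afterwards, as in the steps above.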

SplunkTrust

Do you mean user roles?

These are stored in the authorize.conf file.

So try copying /etc/users, /etc/system/local/authorize.conf, /etc/passwd.

Let me know if this helps!

0 Karma

Path Finder

See my new comment on my own post. I did the copy (plus some merging), and somehow it works, although I don't fully understand how the encryption part worked out.

0 Karma

Ultra Champion

I am not sure this is possible.
Assuming you are referring to 'Splunk Local' users (as opposed to LDAP/SAML users)

The issue is that Splunk uses its own encryption seed to secure passwords and other secrets. This seed is generated when Splunk first starts, and it cannot (to my knowledge) be exported or copied.

This means that any configuration files which contain encrypted data will not be readable on your new system.
Whilst you could copy the etc/passwd files, I think you would be left needing to reset every user's password, and since I doubt this approach would be supported anyway, it may well be more hassle than it's worth.

Your alternative approaches are to script the creation of new users via the REST API, or to consider using an external authentication system like LDAP/SAML. The latter would be my suggestion if available to you.

0 Karma

Communicator

Have you tried copying the /etc/users folder?

0 Karma

Path Finder

Yes, but that only copies the user configurations. The actual user accounts themselves won't be migrated.

0 Karma