How to migrate users to a search head cluster?

patng_nw
Communicator

I followed the instructions on https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Migratefromstandalonesearchheads and thought that I could actually migrate users (not just their settings) from a standalone Splunk instance to a new Search Head Cluster. However, I now realize that only the users' settings were migrated, but not the actual users themselves. Is there a way to migrate users? I don't want to re-create every single one on the new cluster, which is extremely tedious.

Thanks.
- Patrick

0 Karma
1 Solution

patng_nw
Communicator

As an experiment, I did the following:
- On each search head, I made a backup of etc/passwd (which contains only the admin user)
- I then copied the etc/passwd file from my stand-alone Splunk to each search head
- On the copied passwd file, I replaced the admin entry with the one from my backup passwd
- I restarted all my search heads

Result:
- I can successfully log in to my search head using the users (with their passwords) contained in the copied passwd.
- I can also log in to my search head using the admin and its pwd which I specified when I set up the new search head cluster

Honestly I don't know why it works (since I know Splunk will encrypt the password and possibly using a different key), but it works for me.

0 Karma
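
The merge steps described in the post above, as an added example that is not part of the original thread or Splunk's own tooling. It assumes each passwd entry is a colon-delimited line of the form `:<username>:<hash>:...`; the function names and sample entries are constructed for illustration.

```python
import os

def _username(line):
    # Assumed layout: ":<username>:<password hash>:..." (leading empty field).
    fields = line.split(":")
    return fields[1] if line.startswith(":") else fields[0]

def merge_passwd(standalone_text, cluster_text, keep=("admin",)):
    """Return merged passwd text: every standalone user, except that users
    named in `keep` take their entry from the cluster member's own file."""
    kept = {}
    for line in cluster_text.splitlines():
        if line.strip() and _username(line) in keep:
            kept[_username(line)] = line
    missing = set(keep) - set(kept)
    if missing:
        raise ValueError(f"cluster passwd lacks entries for: {sorted(missing)}")
    merged, seen = [], set()
    for line in standalone_text.splitlines():
        if not line.strip():
            continue
        user = _username(line)
        if user in seen:
            raise ValueError(f"duplicate user in standalone passwd: {user}")
        seen.add(user)
        merged.append(kept.pop(user, line))  # cluster entry wins for kept users
    merged.extend(kept.values())  # kept users absent from the standalone file
    return "\n".join(merged) + "\n"

def write_private(path, text):
    # New files are created with mode 0600; the file holds password hashes.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)

# Constructed sample entries (hash values are placeholders, not real hashes).
STANDALONE = (
    ":admin:$6$OLDADMINHASH::Administrator:admin:changeme@example.com:::\n"
    ":alice:$6$ALICEHASH::Alice:user:alice@example.com:::\n"
    ":bob:$6$BOBHASH::Bob:power:bob@example.com:::\n"
)
CLUSTER = ":admin:$6$NEWADMINHASH::Administrator:admin:changeme@example.com:::\n"

if __name__ == "__main__":
    print(merge_passwd(STANDALONE, CLUSTER).count("\n"), "entries merged")
```

Run it against copies of the files and keep the backup of each search head's original passwd, as the post does.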

mayurr98
Super Champion

Do you mean user roles?

These are stored in the authorize.conf file,

so try copying /etc/users , /etc/system/local/authorize.conf , /etc/passwd

Let me know if this helps!

0 Karma

patng_nw
Communicator

See my new comment on my own post. I did the copy (plus some merging), and somehow it works, although I don't fully understand how the encryption part worked out.

0 Karma

nickhills
Ultra Champion

I am not sure this is possible.
Assuming you are referring to 'Splunk Local' users (as opposed to LDAP/SAML users)

The issue is that Splunk uses its own encryption seed to secure passwords and other secrets. This seed is generated when Splunk first starts, and it cannot (to my knowledge) be exported or copied.

This means that any configuration files which contain encrypted data will not be readable on your new system.
Whilst you could copy the etc/passwd files, I think you would be left needing to reset every user's password, and since I doubt this approach would be supported anyway, may well be more hassle than it's worth.

Your alternative approaches are to script the creation of new users via the REST API, or to consider using an external authentication system like LDAP/SAML - The latter would be my suggestion if available to you.

If my comment helps, please give it a thumbs up!
0 Karma

bangalorep
Communicator

Have you tried copying the /etc/users folder?

0 Karma

patng_nw
Communicator

Yes, but that only copies the user configurations. The actual user accounts themselves won't be migrated.

0 Karma