
After adding a user to only one search head in a search head cluster, why is the user unable to see all saved search results?

ishaanshekhar
Communicator

I have a search head cluster and have created a custom role (authorize.conf), which has been deployed to each SH through a custom app.

I added a user "xyz" to only one SH so that the user only uses a particular SH. Everything seems fine except that the user is not able to see all the saved search results.

Error message when I use the loadjob command:

Error in 'SearchOperator:loadjob': error accessing https://127.0.0.1:8089/services/search/jobs/scheduler__admin__search__RMD5fc0cc9974bfd0925_at_145320..., statusCode=403, description=Forbidden

However, when I added the user to all the SHs, there were no errors.

My question is, did the issue happen because of not adding the user to all SHs, or because of a capability issue in authorize.conf?

Thanks
Ishaan


renjith_nair
Legend

In a search head cluster, if you are using local Splunk authentication, then the users should be created separately on each member. The user on a search head is local to that node, and it's the same with the objects created by the user unless the user has admin privileges.
It's always advisable to configure a central user base/authentication system like LDAP in a search head cluster.

http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/AdduserstotheSHC

---
What goes around comes around. If it helps, hit it with Karma 🙂
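The per-member nature of local users described in the answer can be audited by comparing each member's user list. The following is an added example, not part of the original thread or Splunk's own code. It assumes each member's list was fetched from the REST endpoint `/services/authentication/users` with `output_mode=json`; the host names, the user "analyst" and the role names are constructed sample data.

```python
import json

def _resp(users):
    """Build a constructed response in the shape of the users endpoint."""
    return json.dumps({"entry": [{"name": n, "content": {"roles": r}}
                                 for n, r in users.items()]})

# Constructed sample: "xyz" exists on one member only, as in the question,
# and "analyst" has a different role on one member.
SAMPLE_RESPONSES = {
    "sh1.example.com": _resp({"admin": ["admin"], "xyz": ["custom_role"],
                              "analyst": ["user"]}),
    "sh2.example.com": _resp({"admin": ["admin"], "analyst": ["power"]}),
    "sh3.example.com": _resp({"admin": ["admin"], "analyst": ["user"]}),
}

def parse_users(raw_json):
    """Return {username: frozenset(roles)} from one member's JSON response."""
    doc = json.loads(raw_json)
    return {e["name"]: frozenset(e.get("content", {}).get("roles", []))
            for e in doc.get("entry", [])}

def find_drift(responses):
    """Compare local users across search head cluster members.

    Returns (missing, role_mismatch):
      missing       {username: [members that lack the user]}
      role_mismatch {username: {member: [roles]}} where roles differ
    """
    per_member = {m: parse_users(r) for m, r in responses.items()}
    all_users = set().union(*per_member.values())
    missing, role_mismatch = {}, {}
    for user in sorted(all_users):
        absent = sorted(m for m, u in per_member.items() if user not in u)
        if absent:
            missing[user] = absent
        roles = {m: u[user] for m, u in per_member.items() if user in u}
        if len(set(roles.values())) > 1:
            role_mismatch[user] = {m: sorted(r) for m, r in roles.items()}
    return missing, role_mismatch

if __name__ == "__main__":
    missing, mismatch = find_drift(SAMPLE_RESPONSES)
    for user, members in missing.items():
        print(f"user {user!r} is missing on: {', '.join(members)}")
    for user, by_member in mismatch.items():
        print(f"user {user!r} has differing roles: {by_member}")
```
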
