Is it possible to have a cluster (1 master, 2 indexers, 1 search head, 1 deployer) and have an external search head connect to the indexer cluster and perform searches on them?
And is it possible to limit that search head to only perform searches on specific information, like a specific index?
External in the meaning "not part of the same deployment". It's configured seprately and not by me. It will be provided with correct information about my deployment that a search head needs, but wondering if it will be able to perform searches on the indexers that I've deployed.
It is possible to have another search head or search head cluster accessing an indexer cluster.
A search head is not able to filter out some results or block some indexes based on the search head. The indexers know which search heads are allowed to send searches, they accept any search from any attached search head. The whole authorization is performed on the search heads, so on a second search head you should possibly use the same identity provider (LDAP, SAML or whatever), otherwise you have to be very careful about your users, groups and roles.
Yes, the the authorization is done on the search head, so if there are nor roles which allow access to indexes, no search will be performed against this indexes. But you have to make certain this roles are maintained properly. In case someone is able to become admin on this search head, this person might change the roles, and in this case this person might then access anything on your indexer cluster.
This makes it not feasible to give for example developers a search head with admin privilege, which is connected to the indexer cluster.
In this case, you have to be aware of the fact that you have to trust the authority of the external search head to properly handle the role management. By allowing it to access the indexer cluster, you give it access to all date on the indexer cluster.