We have one stand-alone search head and then also a search head cluster.
On the stand-alone we just implemented SAML/SSO and one of the annoying pieces is that all saved objects (searches, macros, lookups, etc.) are "owned" by the SAML ID # of the user who created them. Annoying that I have to then translate it to the user name but I can live with that.
More of a hassle is when our administrators want to publish something as being owned by the "admin" account. Since we can no longer sign on as that account to publish content, we have to go in and manually adjust the metadata files to change ownership. Again, hassle but at least it works.
What I haven't yet figured out is how this will translate once we get SAML implemented in our search head cluster. I understand that when the cluster deployer pushes new configurations, the deployer /local directories get bundled into the /default directories on the search nodes. But I haven't found anything in the documentation to explain if default.meta and local.meta do the same thing since they're in their own /metadata directory.
Also... if the default.meta and local.meta DO successfully change the ownership of the objects, since this is a change at the deployer rather than on the nodes, does that mean we're going to lose the ability to delete these objects within the web interface on the nodes? I'm suspecting so, since they'd persist in the metadata on the deployer and would get re-created every time we do a new push. I'm also suspecting that they'd cause multiple errors since the metadata would exist but they would be missing whatever content was stored on the nodes (i.e., the search name would persist but the search properties would get removed).
Can anyone point me to more in-depth documentation on how metadata and search head clustering interact?
Or, does anyone have better ideas on how to adjust object ownership other than manually editing metadata files?
Thank you!
> On the stand-alone we just implemented SAML/SSO and one of the annoying pieces is that all saved objects (searches, macros, lookups, etc.) are "owned" by the SAML ID # of the user who created them. Annoying that I have to then translate it to the user name but I can live with that.

Can you elaborate more on this problem? I'm not sure why you're doing manual translations. Why not have your IdP pass Splunk the username as the name identifier, instead of "SAML ID #"?
> More of a hassle is when our administrators want to publish something as being owned by the "admin" account. Since we can no longer sign on as that account to publish content, we have to go in and manually adjust the metadata files to change ownership. Again, hassle but at least it works.

You can still log in with local Splunk accounts with this URL:
https://yoursplunk.yourdomain.com:8000/en-US/account/login?loginType=splunk
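
The manual ownership edit described in the question (changing who owns an object in an app's metadata files), as an added example that is not part of the original thread and is not Splunk tooling. It assumes the usual .meta layout of [type/name] stanzas with an "owner = ..." line; the sample file, stanza names and numeric owner IDs are constructed.

```python
import re

# Constructed sample of an app's metadata/local.meta; the numeric owners stand in
# for the "SAML ID #" values described in the question (assumed format).
SAMPLE_META = """\
[savedsearches/Failed%20Logins]
owner = 1000234
access = read : [ * ], write : [ admin ]
export = system

[macros/auth_index]
owner = 1000777
export = none

[lookups/assets.csv]
owner = admin
export = system
"""

STANZA = re.compile(r"^\[(?P<name>[^\]]*)\]\s*$")
OWNER = re.compile(r"^(?P<key>\s*owner\s*=\s*)(?P<value>.*?)\s*$")


def reassign_owners(meta_text, owner_map, only_stanzas=None):
    """Return (new_text, changes); changes lists (stanza, old_owner, new_owner).

    owner_map maps an existing owner value to its replacement. only_stanzas, if
    given, restricts the rewrite to those stanza names; every other line is
    copied through unchanged so ACLs and export settings are untouched.
    """
    out, changes, stanza = [], [], None
    for line in meta_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        header = STANZA.match(body)
        if header:
            stanza = header.group("name")
        owner = OWNER.match(body)
        in_scope = only_stanzas is None or stanza in only_stanzas
        if owner and stanza is not None and in_scope and owner.group("value") in owner_map:
            new_owner = owner_map[owner.group("value")]
            line = owner.group("key") + new_owner + line[len(body):]  # keep the line ending
            changes.append((stanza, owner.group("value"), new_owner))
        out.append(line)
    return "".join(out), changes


if __name__ == "__main__":
    text, changed = reassign_owners(SAMPLE_META, {"1000234": "admin"})
    for name, old, new in changed:
        print(f"{name}: {old} -> {new}")
```

The returned change list doubles as an audit record of which objects had their owner rewritten and from which ID.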