Deployment Architecture

How does metadata in a SAML world translate to a search head cluster?

kearaspoor
SplunkTrust

We have one stand-alone search head and then also a search head cluster.

On the stand-alone we just implemented SAML/SSO and one of the annoying pieces is that all saved objects (searches, macros, lookups, etc) are "owned" by the SAML ID # of the user who created them. Annoying that I have to then translate it to the user name but I can live with that.

More of a hassle is when our administrators want to publish something as being owned by the "admin" account. Since we can no longer sign on as that account to publish content, we have to go in and manually adjust the metadata files to change ownership. Again, hassle but at least it works.

What I haven't yet figured out is how this will translate once we get SAML implemented in our search head cluster. I understand that when the cluster deployer pushes new configurations, the deployer /local directories get bundled into the /default directories on the search nodes. But I haven't found anything in the documentation to explain if default.meta and local.meta do the same thing since they're in their own /metadata directory.

Also... if the default.meta and local.meta DO successfully change the ownership of the objects, since this is a change at the deployer rather than on the nodes, does that mean we're going to lose the ability to delete these objects within the web interface on the nodes? I'm suspecting so, since they'd persist in the metadata on the deployer and would get re-created every time we do a new push. I'm also suspecting that they'd cause multiple errors since the metadata would exist but they would be missing whatever content was stored on the nodes. (i.e., the search name would persist but the search properties would get removed)

Can anyone point me to more in-depth documentation on how metadata and search head clustering interact?
Or, does anyone have better ideas on how to adjust object ownership other than manually editing metadata files?

Thank you!

0 Karma
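
The manual ownership edit described in the question above, as an added example that is not part of the original thread or Splunk's own tooling: it rewrites `owner` values in the text of a `local.meta` file according to a mapping and reports which stanzas changed. It assumes the usual `[type/name]` stanza and `owner = value` layout; the sample file contents, the numeric SAML IDs and the function name `reassign_owners` are constructed for illustration.

```python
import re

# Constructed sample of a metadata/local.meta file; the numeric owners
# stand in for SAML name identifiers and are not real values.
SAMPLE_LOCAL_META = """\
[savedsearches/Failed%20Logins]
owner = 100234
version = 8.2.0
export = system

[macros/auth_index]
access = read : [ * ], write : [ admin ]
owner = 100234

[lookups/assets.csv]
owner = 100877
"""

STANZA_RE = re.compile(r"^\[(?P<name>.*)\]\s*$")
OWNER_RE = re.compile(r"^(?P<key>\s*owner\s*=\s*)(?P<value>.*?)\s*$")


def reassign_owners(meta_text, owner_map):
    """Rewrite 'owner' values listed in owner_map; leave all other lines untouched.

    Returns (new_text, changes), where changes lists (stanza, old, new).
    """
    out, changes, stanza = [], [], None
    for line in meta_text.splitlines():
        header = STANZA_RE.match(line)
        owner = OWNER_RE.match(line)
        if header:
            stanza = header.group("name")
        elif owner and stanza is not None and owner.group("value") in owner_map:
            old = owner.group("value")
            new = owner_map[old]
            changes.append((stanza, old, new))
            line = owner.group("key") + new
        out.append(line)
    return "\n".join(out) + "\n", changes


if __name__ == "__main__":
    # Hypothetical mapping: publish everything created by SAML ID 100234 as "admin".
    text, changes = reassign_owners(SAMPLE_LOCAL_META, {"100234": "admin"})
    for stanza, old, new in changes:
        print(f"{stanza}: {old} -> {new}")
```

Run it against a copy of the file and diff the result before replacing the original.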

suarezry
Builder
> On the stand-alone we just implemented SAML/SSO and one of the annoying pieces is that all saved objects (searches, macros, lookups, etc) are "owned" by the SAML ID # of the user who created them. Annoying that I have to then translate it to the user name but I can live with that.

Can you elaborate more on this problem? I'm not sure why you're doing manual translations. Why not have your IdP pass Splunk the username as the name identifier, instead of "SAML ID #"?

> More of a hassle is when our administrators want to publish something as being owned by the "admin" account. Since we can no longer sign on as that account to publish content, we have to go in and manually adjust the metadata files to change ownership. Again, hassle but at least it works.

You can still log in with local Splunk accounts with this URL:
https://yoursplunk.yourdomain.com:8000/en-US/account/login?loginType=splunk

0 Karma