Deployment Architecture

Splunk Access Roles definition in Indexer Cluster / Search Head environment

Contributor

Hi there,

I have a question regarding the configuration of access roles.
My setup is as follows:
2 x Indexer in a singel side cluster
1 x Search Head / Deployment Server / Cluster Master

I created several indexes on the Cluster Master app and deploy this to the cluster members. From the Search Head I can search with the admin user accross all the defined indexes. Now I like to add some users who should only have access to special indexes.
In my old setup I could simply create some roles in the access controls menu. If I try this on the Search Head cluster, I do not see any of my created indexes!

Do I have to create a dedicated App and create there a authorize.conf and authentication.conf and deploy this to my cluster? Or do I have to create all the indexes in the Search Head to (local configration not cluster app)?

I'm a littel bit confused how to proceed.

0 Karma

Contributor

Does anybody else know how this work? Indexes are defined with the cluster, but the search head will not know about the indexes and therefore I'm not able to define some custom roles for these indexes.
There must be a solution for that, but so far I do not find the answers in the documentation.

Any help would be really nice and welcome.

Thanks.

0 Karma

Path Finder

I also have this issue.
The search peers (indexers) were added to the Search Head Cluster. They are all listed but the only indexes that are available are the default indexes that were available.

0 Karma

Builder

Hi,

Your indexers are in a cluster, not your SH - so you should be able to do it all from the UI just the same. However it may be best to create a separate authorise app if you plan to expand for later. Check this link out, at the bottom there is an example if you need it - https://docs.splunk.com/Documentation/Splunk/7.0.2/Security/Addandeditroleswithauthorizeconf. If your admin user can see the indexes you created just fine then it means that its probably an issue with the way you set up the roles. It could be that something is just incorrectly defined in your conf file.

0 Karma

Contributor

Hi,
thanks for the link and your answer. I read the part of the documentation this morning and decided to create a dedicated app for the authorization.
Unfortunately I do not have as much knowledge about the indexer cluster and a dedicated SH. Therefore I have to ask again.
You wrote I should be able to manage the roles by the Web interface. But if I login to the SH with the admin account, I cannot see any custom indexes. I only see the defaults.
Just for your information. All the custom indexes are created with an indexes.conf file on the SH which is also the Cluster Master in the directory /opt/splunk/etc/master-apps/_cluster/local.
I pushed this information to the indexers by checking and pushing it with the web interface from the SH / CM.

My new authorization app is located on /opt/splunk/etc/shcluster/apps. Because I checked the configuration in the webgui and both indexers are defined as search peers. How can I deploy this app now to the search peers?

Is it correct that with this configuration, I'm not able anymore to use the webgui for the management of the roles?

Many thanks.

0 Karma

Builder

Hi,

Is the indexes.conf file present on the 2 indexers in the slave-apps directory ?.. Apps on the CM should be stored in etc/master-apps.. i havent seen them stored _cluster/local. They are then pushed to the slave-apps directory on its peers.

If even admin cannot see the indexes it may be that they dont exist on your indexers(EG - the conf file hasnt arrived).

0 Karma

Contributor

As i said, the indexes.conf file is located on the indexers in /opt/splunk/etc/slave-apps/_cluster/local.

The incomming events are correct indexed and are searchable over the indexers as well as on the SH.

So this configuration seems to be okay. It is only for the role setup. There I'm not able to select the different indexes for the roles.

0 Karma