Deployment Architecture

Where do I change the capabilities for a role in a search head cluster?

Champion

Hi,

In a search head cluster, if I need to change the capabilities in a role, where should I do it?

0 Karma

Ultra Champion
0 Karma

Ultra Champion

Also, I think on 6.4 the role and user definitions became replicable. In prior releases changes to those items may not have replicated to other search head cluster members. Also, I thought I remember something about that config needing to live in system/local while in a SHC. If things look like they aren't working, try making the change in the UI and seeing where splunk throws that config? Spitballing here.

0 Karma

SplunkTrust
SplunkTrust

Depends upon how you're configuring your authorization.conf. If you're deploying it through Deployer server (SHC deployer), then you would need to update the role definition/authorize.conf there. If you're managing the authorize.conf directly on the SH, then either, update the role definition from Splunk Web UI from any one Search Head (it will get replicated to others), OR update the authorize.conf file on ALL search heads (updating file system directly doesn't trigger replication).

0 Karma

Champion

I have an authorize.conf pushed by the deployer, but it doesn't have anything listing capabilities.

0 Karma

SplunkTrust
SplunkTrust

That means, right now you're using the default capability list for your roles (Or in other words, using the default roles) as defined in your Search Head at $Splunk_Home/etc/system/default/authorize.conf. So, to override/update this, just add something like this in your authorize.conf available on Deployer.

[role_roleNameYouWantToUpdate]
capabilityName = enabled

See the authorize.conf specification here https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/authorizeconf#.5Brole_.3CroleName.3E.5D

0 Karma