Why is the clustering security key optional?

Ricapar
Communicator

When configuring a cluster, you're given a textbox to provide an optional security key.

The fact that this is an optional field is somewhat worrying. Given a scenario where one isn't provided, this essentially allows anyone to set up a new Search Head from another server, their desktop, etc., and, just by knowing the URL of the Cluster Master, bypass any and all account and index security settings set up elsewhere.

Of course, no tool is foolproof, and someone clueless enough will always manage to create giant issues and security holes, but software should at least try to cover the obvious.

Back in the Splunk 4.x days, when setting up a Search Head to search multiple indexers, you would be required to provide an account that existed on the indexers for the SH to authenticate with. Going to an optional security key for a cluster of indexers seems like a step backwards.

Also, nowhere in the clustering documentation do I see an emphasis placed on the importance of having a good cluster security key. The most I could find was this, on the "Enable the cluster master node" doc page, where it even seems to indicate that leaving it empty is okay:

Security Key. This is the key that authenticates communication between the master and the peers and search heads. The key must be the same across all cluster instances. If you leave the field empty here, leave it empty on the peers and search heads as well.

yannK
Splunk Employee

The clustering uses the pass4SymmKey to authenticate.
This is different from the admin user auth that was used in distributed search.

The problem is that putting a default value is like putting a blank value.
The value is requested in the UI when you set up the cluster master, but you can leave it blank.

I agree with you, and recommend setting a value to prevent unexpected persons from joining your cluster (with a search head or a new cluster slave).
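
The setting under discussion lives in server.conf, in the [clustering] stanza as pass4SymmKey (Splunk rewrites the value in encrypted form, prefixed $7$ or $1$ on older releases, on the next restart). The script below is an added example, not code from the original thread or from Splunk: it reads a server.conf, reports whether the clustering key is blank, and shows a weak stanza beside a corrected one. The sample files are constructed inline, and the fallback from [clustering] to [general] reflects my reading of server.conf.spec and is an assumption to verify against your Splunk version.

```shell
#!/bin/sh
# Added example: audit a Splunk server.conf for a blank clustering key.

# Print the value of KEY in [STANZA] of FILE; prints nothing if absent or blank.
ini_get() {
  file=$1; stanza=$2; key=$3
  awk -v s="$stanza" -v k="$key" '
    /^[[:space:]]*\[/ {                       # stanza header: are we entering [s]?
      line = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)
      in_s = (line == "[" s "]"); next
    }
    in_s && $0 ~ "^[[:space:]]*" k "[[:space:]]*=" {
      sub(/^[^=]*=[[:space:]]*/, "")          # strip "key =" and leading blanks
      sub(/[[:space:]]+$/, "")                # strip trailing blanks
      print; exit
    }' "$file"
}

# Returns 0 (and prints a status) if a non-empty key is configured, 1 if blank.
# Assumption: a key under [clustering] wins; otherwise [general] is consulted.
cluster_key_status() {
  file=$1
  v=$(ini_get "$file" clustering pass4SymmKey)
  [ -z "$v" ] && v=$(ini_get "$file" general pass4SymmKey)
  if [ -z "$v" ]; then
    echo "BLANK: any host that knows the master URI can join as a peer or search head"
    return 1
  fi
  case $v in
    \$7\$*|\$1\$*) echo "SET (encrypted at rest)" ;;
    *)             echo "SET (cleartext; encrypted by splunkd on next restart)" ;;
  esac
  return 0
}

# --- constructed sample configs (not real cluster members) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Weak: the UI was left empty, so the key is blank.
cat > "$tmp/weak.conf" <<'EOF'
[general]
serverName = cm01

[clustering]
mode = master
replication_factor = 3
search_factor = 2
pass4SymmKey =
EOF

# Corrected: a long random shared secret, identical on master, peers and search heads.
cat > "$tmp/fixed.conf" <<'EOF'
[general]
serverName = cm01

[clustering]
mode = master
replication_factor = 3
search_factor = 2
pass4SymmKey = a7Qz9Lm2Vp4Rk8Tn1Xw6Yc3Hd5Jf0Bg  # placeholder; generate your own
EOF

# Key set only in [general]; picked up via the assumed fallback.
cat > "$tmp/general-only.conf" <<'EOF'
[general]
serverName = cm02
pass4SymmKey = $7$c2ltdWxhdGVkLWVuY3J5cHRlZC12YWx1ZQ==

[clustering]
mode = slave
master_uri = https://cm01.example.internal:8089
EOF

for f in "$tmp/weak.conf" "$tmp/fixed.conf" "$tmp/general-only.conf"; do
  if status=$(cluster_key_status "$f"); then
    echo "OK    $(basename "$f"): $status"
  else
    echo "FAIL  $(basename "$f"): $status"
  fi
done
```

On a live node, run this against $SPLUNK_HOME/etc/system/local/server.conf and any app-level server.conf that a deployment app may have laid down, or compare with the merged view from splunk btool server list clustering; a blank result on any member of the cluster is the hole described in the question.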

Ricapar
Communicator

I agree with you on the default value part - a default is no better than a blank.

I just feel the importance of this is severely understated in the documentation. Actually, the whole clustering/search head setup in general. A rogue/misconfigured search head will undermine your entire security setup.

yannK
Splunk Employee

I agree, and reported it to the documentation writers to raise the attention in the docs on this setting.
