Deployment Architecture

what changes are there to scripted auth from 3.4.x to 4.1?

zscgeek
Path Finder

Are there are any critical changes to be aware of when migrating a complex distributed scripted auth setup on 3.4.x to 4.1?

For example:

  • Do we still need the auth script on both the search heads and search/indexer boxes?
  • If so does the user and password get sent from the search head to all the nodes?
  • Any changes to auth caching from 3.X?
Tags (2)
1 Solution

gkanapathy
Splunk Employee
Splunk Employee

Authentication changed between 3.4 and 4.0, and even more between 4.0 and 4.1:

  • No you don't need it on both, just on the search head.
  • Passwords are not sent.
  • I'm not sure what you specifically mean by "auth caching". If you mean the need to "reload auth" of a user when groups memberships have changed in the external source, then this has changed for LDAP and is now reloaded for each user when they log in. However, I do not know if it has changed for scripted authentication, but I suspect not.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

Authentication changed between 3.4 and 4.0, and even more between 4.0 and 4.1:

  • No you don't need it on both, just on the search head.
  • Passwords are not sent.
  • I'm not sure what you specifically mean by "auth caching". If you mean the need to "reload auth" of a user when groups memberships have changed in the external source, then this has changed for LDAP and is now reloaded for each user when they log in. However, I do not know if it has changed for scripted authentication, but I suspect not.

jrodman
Splunk Employee
Splunk Employee

Auth cacheing meant that we cached the answer to the question "is this a valid user" or "is this user an admin" and suchlike for x seconds, so that we didn't run the script hundreds of times a second, or whatever silliness.

0 Karma

zscgeek
Path Finder

So the first thing I see so far is that search filters seem to have changed. Sadly on 4.1 so far setting scriptSearchFilters=1 in my auth config does not seem to fix it...

0 Karma
Get Updates on the Splunk Community!

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...