Re: Authorized.conf in indexer or Search head

nadid · ‎11-14-2016

Hi all,

I'm planning a distributed installation of splunk with the search head and the indexers in different servers.

To my understanding the authorized.conf goes into the search head and defines to which indexes a group of users has access. I was wondering how to ensure that somebody else does not create his own search head and puts in his authorized.conf access to all the indexes in his own search head, avoiding the rules that you created in the general search head.

Is there a way to ensure that somebody does not add a search head and has access to all my indexes? how is this ensured?

Thank you,
Joan

somesoni2 · ‎11-14-2016

In Distributed Search environment, the authorization.conf is setup on Search Head only. The search peer/indexers uses the authorize.conf from the knowledge bundle it gets from Search Head and authenticates search requests. See this link for more information:-

http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/Howauthorizationworksindistributedsearc...

Regarding someone adding it's own search head, they would need the authentication credentials for the search peers to be able to add them as search peer, so if you've that one secured (not using any generic credentials which anyone can guess), then you should be good.

Authorized.conf in indexer or Search head

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!