- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- Re: How to achieve full tenant isolation?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to achieve full tenant isolation?
I would like to achieve full tenant isolation in Splunk. What is possible already is to split the indexed data and restrict access of a tenant to his index. However, I struggle to restrict access to reports, dashboards and other user created content (I think, those are called knowledge objects) to the given tenant.
For example:
Say, a user creates a dashboard. Then he can choose to share it within the entire app or to keep it private. If he shares it within the app, then all tenants' users will see the dashboard, even though it will show no data since the index is not accessible by other tenants.
I know that there is a possibility to have every tenant use its own app. Then, what is shared within the app is only accessible by the users of this app. But then, it would be necessary to create several instances of an app; say, if all tenants are to use the search app, there will be search_tenant1, search_tenant2, etc. Whenever a new tenant is added, it would be necessary to make another copy of the app folder and modify its configuration.
This sounds a bit cumbersome, I wonder if there is an easier way to achieve full tenant isolation?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@lukaslentner - What you are trying to achieve is not directly in line with how Splunk Cloud is designed. It would be a good idea to have a talk with both your regular Splunk sales representative and the OEM sales people, because there are different kinds of licensing depending on your relationship to your tenant organizations, and I'm not clear enough on the detail of the licenses, nor of your business model, to give you good advice.
I can tell you that it's hard enough to get the roles right when they are all internal to a single organization, and there is an inherent issue with the way that trust works in splunk. If a search head can get to an indexer, the search head can ask that indexer anything it wants. That means that a determined adversary (or curious participant) can probably get around any minor security you might try to put in place. Any data passed via the URL, for example, can be modified by the user.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@DalJeanis Thanks for your reply! To be honest, I am just starting to make myself familiar with the way how Splunk works and it might well be that I underestimate the challenges that are awaiting us. So far I mostly rely on the information researched by an intern before diving deeper into this topic, since the project which Splunk would be used for is not top priority so far.
Let me try to clarify what we try to achieve and which ideas we had so far:
We would like to offer data visualizations to several client companies (tenants) running one instance of Splunk Cloud (managed service) such that each tenant has only access to his own index and knowledge objects. Basically, each tenant should not be aware of the existence of other tenants in the Splunk service.
So far we had the idea of using a proxy server which handles authentication and maps users from our internal user database to users within Splunk - this way none of the users would have access to the actual Splunk credentials and could only access the Splunk UI through the proxy. On the long run we might try to also give some limited access to the REST API again rooting all requests through a proxy.
This of course can only work if the Splunk authorization tools only allow a user to access the index which is specified in the role definition of the role which is assigned to him and has no possibility to access any other indices whatsoever. Is this assumption wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You pretty much have the technical answer there. If you remove all access to the default "search" app, and set each tenant up with their own default app, then the cross-visibility problem is avoided. Also, you hopefully are already assigning roles that are specific to each tenant,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see, so this is the only way... However, while I could make it work in a local Splunk Enterprise trial install, it looks like I would have no access to the app folders in a Splunk Cloud service, so it would be necessary to contact the support each time a new tenant is added. Is there no better way to make things work?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
