Solved: How to migrate users to a search head cluster?

patng_nw · ‎01-12-2019

I followed the instructions on https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Migratefromstandalonesearchheads and thought that I could actually migrate users (not just their settings) from a standalone Splunk instance to a new Search Head Cluster. However, I now realize that only the users' settings were migrated, but not the actual users themselves. Is there a way to migrate users? I don't want to re-create every single on the new cluster which is extremely tedious.

Thanks.
- Patrick

patng_nw · ‎01-29-2019

As an experiment, I did the following:
- On each search head, I made a backup of etc/passwd (which contains only the admin user)
- I then copied the etc/passwd file from my stand-alone Splunk to each search head
- On the copied passwd file, I replaced the admin entry with the one from my backup passwd
- I restarted all my search heads

Result:
- I can successfully login to my search head using the users (with their passwords) contained in the copied passwd.
- I can also login to my search head using the admin and its pwd which I specified when I setup the new search header cluster

Honestly I don't know why it works (since I know Splunk will encrypt the password and possibly using different key), but it works for me.

View solution in original post

patng_nw · ‎01-29-2019

As an experiment, I did the following:
- On each search head, I made a backup of etc/passwd (which contains only the admin user)
- I then copied the etc/passwd file from my stand-alone Splunk to each search head
- On the copied passwd file, I replaced the admin entry with the one from my backup passwd
- I restarted all my search heads

Result:
- I can successfully login to my search head using the users (with their passwords) contained in the copied passwd.
- I can also login to my search head using the admin and its pwd which I specified when I setup the new search header cluster

Honestly I don't know why it works (since I know Splunk will encrypt the password and possibly using different key), but it works for me.

mayurr98 · ‎01-14-2019

Do you mean user roles?

These are stored under authorize.conf file

so try copying /etc/users , /etc/system/local/authorize.conf , /etc/passwd

let me know if this helps!

patng_nw · ‎01-14-2019

See my new comment on my own post. I did the copy (plus some merging), and somehow it works, although I don't fully understand how the encryption part worked out.

nickhills · ‎01-14-2019

I am not sure this is possible.
Assuming you are referring to 'Splunk Local' users (as opposed to LDAP/SAML users)

The issue is that Splunk uses its own encryption seed to secure passwords and other secrets. This seed is generated when Splunk first starts, and it can not (to my knowledge) be exported or copied.

This means that any configuration files which contain encrypted data will not be readable on your new system.
Whilst you could copy the ect/passwd files, I think you would be left needing to reset every users password, and since i doubt this approach would be supported anyway, may well be more hassle than its worth.

Your alternative approaches are to script the creation of new users via the rest API, or to consider using an external authentication system like LDAP/SAML - The latter would be my suggestion if available to you.

If my comment helps, please give it a thumbs up!

bangalorep · ‎01-14-2019

Have you tried coping the /etc/users folder?

patng_nw · ‎01-14-2019

Yes, but that only copy the user configurations. The actual user accounts themselves won't be migrated.

How to migrate users to a search head cluster?

Index This | How many sides does a circle have?

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?