Security

Access Control for Clustered Deployments

dlofstrom
Path Finder

Can someone direct me to a good resource that explains how role-based access control functions for clustered or distributed deployments and what the best practices are? All the documentation seems to assume a single instance server.

I'm curious as to the technical details, such as how the search head determines access to indices on peer indexers. We had deployed apps on our search heads omitting indexes.conf since it's sort of irrelevant on these systems. Also, without a centralized access control strategy, do I have to deploy the same configurations on each of my Splunk components, or is it typically performed on the search heads and perhaps only the indexers for administrative management?

Lots of questions, and having difficulty uncovering the answers since the clustering documentation seems to omit this topic.

0 Karma
1 Solution

linu1988
Champion

Hello,
In a distributed environment you just need to control the search head capabilities provided to the users.

  • If you have indexers, then it's best practice to make them alike and load balanced.
  • Create roles specific to your users' requirements. Allow the roles access to the apps and indexes they can search.
  • Only on the search head do you configure the access control, as the Splunk Web interactive UI is the only thing visible to the end user. So it depends on the admin which capabilities/objects are being provided to the users.

If you go to the Manager->Access Control page you can play around a bit and get to know how you can create users/roles.

You may also take a look at authorize.conf.
http://docs.splunk.com/Documentation/Splunk/4.3.5/Deploy/Howauthorizationworksindistributedsearches


0 Karma

linu1988
Champion

The apps will give you the ready-made dashboards, searches and alerts. But if your search head also contains the indexes, that is fine. If you go to the distributed search option you can see the search peers. Each app also need not have an indexes.conf file to define its index; it may have been defined at some other place which will be used for the entire cluster.

0 Karma

dlofstrom
Path Finder

My understanding is that aside from the name alone, search heads and peers are both able to index and search content. I have not found any way to further restrict them to only the actions relevant to their roles, at least not without a lot of heavy lifting. Correct me if I'm wrong. Hence I create separate bundles for our Splunk apps; for example, a bundle that is deployed to search head(s) does not contain indexes.conf files (to prevent the event where an unknowing admin starts directing data to the wrong Splunk server).

0 Karma

linu1988
Champion

The index will reside on the indexer if they are not a standalone indexer/search head on the same machine. Generally the search peers, i.e. the indexers, will have the indices, whose access you actually control from the search head. If you add it later, your authorize.conf comes into the picture. Try keeping it in the local directory.

0 Karma

dlofstrom
Path Finder

Awesome, thanks for your help. After toying around a bit, I found that despite some indexes being undefined on the search heads, I can still specify them in authorize.conf and searches will behave as expected.

0 Karma
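As an added example (not from this thread and not Splunk's own tooling), the script below reads the role stanzas of an authorize.conf as it would be deployed to a search head, resolves `importRoles` inheritance, and flags roles that end up with wildcard index access. The sample authorize.conf and role names are constructed; the keys `srchIndexesAllowed`, `srchIndexesDefault` and `importRoles` are the standard ones, and treating `*` as "all non-internal indexes" follows the authorize.conf spec.

```python
"""Resolve which indexes each Splunk role may search, from authorize.conf.

Added example, not part of the thread. Assumes the stock authorize.conf
keys (semicolon-separated lists) and models importRoles as the union of
the imported roles' allowed indexes. Sample config is constructed.
"""
import configparser
from fnmatch import fnmatch

# Constructed authorize.conf fragment as deployed on a search head.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_security_analyst]
importRoles = user
srchIndexesAllowed = security;firewall

[role_helpdesk]
srchIndexesAllowed = helpdesk
srchIndexesDefault = helpdesk
"""


def parse_roles(text):
    """Return {role_name: {"allowed": [...], "imports": [...]}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        allowed = cp.get(section, "srchIndexesAllowed", fallback="")
        imports = cp.get(section, "importRoles", fallback="")
        roles[section[len("role_"):]] = {
            "allowed": [i for i in allowed.split(";") if i],
            "imports": [r for r in imports.split(";") if r],
        }
    return roles


def effective_indexes(roles, name, seen=None):
    """Own allowed indexes plus everything inherited via importRoles."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    result = set(roles[name]["allowed"])
    for parent in roles[name]["imports"]:
        result |= effective_indexes(roles, parent, seen)
    return result


def can_search(roles, role, index):
    """'*' covers non-internal indexes only; internal ones need '_*'."""
    for pat in effective_indexes(roles, role):
        if pat == "*" and index.startswith("_"):
            continue
        if fnmatch(index, pat):
            return True
    return False


def overly_broad_roles(roles):
    """Roles that directly or by inheritance can search every index."""
    return sorted(r for r in roles if "*" in effective_indexes(roles, r))
```

Running `overly_broad_roles(parse_roles(SAMPLE_AUTHORIZE_CONF))` shows that `security_analyst` inherits the `*` grant from `user`, which is the kind of inheritance that is easy to miss when roles are only reviewed one stanza at a time.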