Can someone direct me to a good resource that explains how role-based access control functions for clustered or distributed deployments and what the best practices are? All the documentation seems to assume a single instance server.
I'm curious as to the technical details, such as how the search head determines access to indices on peer indexers. We had deployed apps on our search heads omitting indexes.conf since it's sort of irrelevant on these systems. Also, without a centralized access control strategy, do I have to deploy the same configurations on each of my Splunk components, or is it typically performed on the search heads and perhaps only the indexers for administrative management?
Lots of questions, and having difficulty uncovering the answers since the clustering documentation seems to omit this topic.
In a distributed environment you just need to control the search head capabilities provided to the users.
If you go to the Manager->Access Control page you can play around a bit and get to know how you can create users/roles.
You may also take a look at authorize.conf.
Awesome, thanks for your help. After toying around a bit, I found that despite some indexes being undefined on the search heads, I can still specify them in authorize.conf and searches will behave as expected.
Indexes will reside on the indexer if they are not a standalone indexer/search head on the same machine. Generally the search peers, i.e. the indexers, will have the indices, whose access you actually control from the search head. If you add it later, your authorize.conf comes into the picture. Try keeping it in the local directory.
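To make the two replies above concrete (authorize.conf on the search head governs index access, and the index need not be defined locally in indexes.conf), here is an added example that is not from the thread or from Splunk. It parses a constructed authorize.conf, follows importRoles inheritance and evaluates the semicolon-separated srchIndexesAllowed wildcard patterns to decide whether a role may search a given index. The role and index names are placeholders; the script never consults indexes.conf, which mirrors the observation that the search head only needs the names, not local index definitions.

```python
"""Resolve which indexes a Splunk role may search, from authorize.conf.

Added example, not code from Splunk or from this thread. It reads
role_<name> stanzas, follows importRoles, and matches index names
against srchIndexesAllowed patterns (semicolon-separated globs).
"""
import configparser
from fnmatch import fnmatchcase

# Constructed authorize.conf, as it might sit in
# $SPLUNK_HOME/etc/apps/<app>/local/authorize.conf on a search head.
# Role and index names are placeholders, not from the thread.
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main
srchIndexesDefault = main

[role_analyst]
importRoles = user
srchIndexesAllowed = web;firewall_*
srchIndexesDefault = web

[role_soc_lead]
importRoles = analyst
srchIndexesAllowed = _internal
"""


def load_roles(text):
    """Return {role_name: {key: value}} for every role_<name> stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's camelCase keys intact
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            roles[section[len("role_"):]] = dict(cp[section])
    return roles


def _split(value):
    """Split a semicolon-separated Splunk list, dropping blanks."""
    return [v.strip() for v in value.split(";") if v.strip()]


def effective_allowed(roles, role, _seen=None):
    """Union of srchIndexesAllowed patterns for a role and all roles it imports.

    _seen guards against import cycles in a misconfigured file.
    """
    if _seen is None:
        _seen = set()
    if role in _seen or role not in roles:
        return set()
    _seen.add(role)
    stanza = roles[role]
    allowed = set(_split(stanza.get("srchIndexesAllowed", "")))
    for parent in _split(stanza.get("importRoles", "")):
        allowed |= effective_allowed(roles, parent, _seen)
    return allowed


def can_search(roles, role, index):
    """True if any effective pattern for the role matches the index name."""
    return any(fnmatchcase(index, pat) for pat in effective_allowed(roles, role))


ROLES = load_roles(AUTHORIZE_CONF)

if __name__ == "__main__":
    # Quick access matrix, useful when reviewing a search head's authorize.conf.
    for role in ROLES:
        for index in ("main", "web", "firewall_dmz", "_internal", "hr"):
            print(f"{role:10} {index:13} {'allow' if can_search(ROLES, role, index) else 'deny'}")
```

Because access is decided by name matching, a role granted `firewall_*` on the search head can search a `firewall_dmz` index that exists only on the peers; conversely, a typo in the pattern silently denies access rather than erroring, so reviewing the effective set per role (as the script prints) is a cheap check before deploying the bundle.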
My understanding is that aside from name alone, search heads and peers are both able to index and search content. I have not found any way to further restrict them to only the actions relevant to their roles, at least not without a lot of heavy lifting. Correct me if I'm wrong. Hence I create separate bundles for our Splunk apps; for example, a bundle that is deployed to search head(s) does not contain indexes.conf files (to prevent the event where an unknowing admin starts directing data to the wrong Splunk server).
The apps will give you the ready-made dashboards, searches and alerts. But if your search head also contains the indexes, that is fine. If you go to the distributed search option you can see the search peers. Each app also need not have an indexes.conf file to define its index; it may have been defined somewhere else that is used for the entire cluster.