I was doing the Splunk configuration for security appliances. Now my scenario: I have a user SearchHead (SH) and an Indexer (IN). This indexer has multiple indexes in it, say "A", "B", "C" and "D", and the SearchHead is purely under the control of some external team. Now I don't want these external team guys to have access to all indexes on my indexer server, but rather to have access only to the "A" index.
I know I can create a role and restrict the users to that role, but in this case, since the SH is not in my control, I cannot know the tentative list of users that could get access via the SH.
So I had thought of this plan. At my indexer (IN) level, I have created a role with access to the index "A", say "Role A", and created a user "securityUser" with this role. At the SH level I have added my indexer server as a search peer with this username "securityUser" and password. This is the one-time configuration I am allowed to do at the SH. From here on, control of the SH would be with the other team.
Now, since I am restricting the search peer access based on the user with restricted role access, will this work? Is the approach correct? Please help.
The permissions are enforced by the SH, based on the roles set up on the SH, not on the permissions set up on the indexers.
However, in the process, the SH creates a bundle with the configuration (including the authorize.conf) that is deployed to the indexers before each search.
So a workaround may be to exclude those authorize.conf files from the bundle in distsearch.conf and set up a $SPLUNK_HOME/etc/system/local/authorize.conf on the indexers that will be applied instead.
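A sketch of the workaround described in the answer above, added here as an example; it is not part of the original reply and is not taken from Splunk's own documentation. The entry name `no_authorize`, the exclusion pattern, the role stanza name `role_role_a` and the index name `A` are assumptions built from the question. The stanza is `[replicationBlacklist]` in older releases and `[replicationDenylist]` in newer ones, so check `distsearch.conf.spec` for your version.

```ini
# On the search head: $SPLUNK_HOME/etc/system/local/distsearch.conf
# Keep every authorize.conf out of the knowledge bundle that the search
# head pushes to its search peers before each search.
# Assumption: patterns are relative to $SPLUNK_HOME/etc and "..." matches
# across directory separators; confirm against distsearch.conf.spec.
[replicationBlacklist]
no_authorize = .../authorize.conf

# On the indexer: $SPLUNK_HOME/etc/system/local/authorize.conf
# With no authorize.conf arriving in the bundle, this local file is the
# one the indexer applies. "Role A" from the question, limited to index A.
# Assumption: the stanza name must match the role name exactly.
[role_role_a]
srchIndexesAllowed = A
srchIndexesDefault = A
```

Because the exclusion lives on the search head, whoever administers the search head later can remove it; after handover, confirm on the indexer that the bundles it receives still carry no authorize.conf.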
Rakesh, you can just create a group to add through LDAP. The search head will be administered by some admin after you; end users will not have access to everything, if I am not wrong. Role-wise/app-wise index creation will help in restricting the users and managing roles. You can't control it from the indexer level without the search head. And an administrator will always be able to access all the indexes if no separate role is created.
Hmm, but the problem here is that the SH should be configured by me once and then from then on it's not in my control, so I cannot know how many users would be added there to search on the indexer's index. 😞
Even if they have admin access, I am creating a role at the indexer level with a user associated with it, and this role I am using to connect to my indexer via the SearchHead (through search peers). Will this not work? Or is it not feasible?