Can I restrict users to use only one index from my indexer server?

Motivator

Hi,

I was doing the Splunk configuration for security appliances. Now, in my scenario, I have a Search Head (SH) and an Indexer (IN). This Indexer has multiple indexes in it, say "A", "B", "C" and "D", and the Search Head is purely under the control of some external team. Now I don't want these external team guys to have access to all indexes in my indexer server, but rather only to the "A" index.

I know I can create a role and restrict the users to that role, but in this case, since the SH is not in my control, I cannot know the tentative list of users that could access it via the SH.

So I had thought of this plan. At my indexer (IN) level, I have created a role with access to the index "A", say "Role A", and created a user "securityUser" with this role. At the SH level I have added my indexer server as a search peer with this username "securityUser" and password, and this is the one-time configuration I am allowed to do at the SH. From here on, control of the SH would be with the other team.

Now, since I am restricting the search peer access based on a user with restricted role access, will this work? Is the approach correct? Please help.


Splunk Employee

The permissions are enforced by the SH, based on the roles set up on the SH, not on the permissions set up on the indexers.

However, in the process, the SH creates a bundle with the configuration (including authorize.conf) that is deployed to the indexers before each search. So a workaround may be to exclude those authorize.conf files from the bundle in distsearch.conf and set up a $SPLUNK_HOME/etc/system/local/authorize.conf on the indexers that will be applied instead.

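
The workaround described in the reply above, as an added example that is not from the original thread: keep authorize.conf out of the knowledge bundle on the search head and carry the index restriction in the indexer's own system/local/authorize.conf. It assumes the search-head users arrive with the built-in `user` role (the role name to override) and that replicationBlacklist entries use Splunk's `...` wildcard over paths relative to $SPLUNK_HOME/etc.

```ini
# Added example (not from the thread). Two files on two hosts.

# 1) On the search head: $SPLUNK_HOME/etc/system/local/distsearch.conf
#    Stop authorize.conf from travelling in the knowledge bundle, so the
#    indexer's own copy is what gets applied at search time.
#    Assumption: "..." is the recursive wildcard over paths under etc/;
#    verify against distsearch.conf.spec for your version.
[replicationBlacklist]
excludeAuthorize = ...authorize.conf

# 2) On each indexer: $SPLUNK_HOME/etc/system/local/authorize.conf
#    Pin the role the search-head users arrive with to index "A" only.
#    Assumption: they carry the built-in "user" role; repeat the stanza
#    for any other role name the search head is known to use.
[role_user]
srchIndexesAllowed = A
srchIndexesDefault = A
```

Confirm on the indexer with `splunk btool authorize list role_user --debug` that the system/local stanza is the one that wins. The distsearch.conf half lives on the search head the other team administers, so it only holds as long as that one-time configuration is left alone.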

Champion

Rakesh, you can just create a group to add through LDAP. The search head will be administered by some admin after you; end users will not have access to everything, if I am not wrong. Role-wise/app-wise index creation will help in restricting the users and managing roles. You can't control it from the indexer level without the search head. And the administrator will always be able to access all the indexes if no separate role is created.


Motivator

Hmm, but the problem here is that the SH should be configured by me once, and from then on it's not in my control, so I cannot know how many users would be added there to search on the indexer's indexes. 😞


Splunk Employee

I mean, you should enforce access with roles at search-head level.

If you cannot, then you have to dig into the rabbit hole.


Motivator

Hi Yannk, thanks for the reply. So you mean role-based restriction at the indexers is not possible; instead we need to do the bundle configuration authorize.conf at the indexers?


Motivator

Even if they have admin access, I am creating a role at the indexer level with a user associated with it, and I am using this role to connect to my indexer via the Search Head (through search peers). Will this not work? Or is it not feasible?


Champion

If the other team has admin access with all capabilities assigned, nothing will work. If they are not admins, one role with an SSO group should solve the problem.
