I have Splunk 8.0.5:
I am logged into the UI of the search head and have the admin role but I cannot do any of the following:
So on the cluster master we are not using LDAP for auth but just Splunk accounts, and the account I have has the power role. I still cannot see the licensing dashboards.
What level of role/capability do I need (as a minimum) to see this info dashboard, or is there a read-only type role I could create or use to delegate this capability?
Hi @shocko, the power user role has a lot of privileges. My suggestion is to create a custom user role with only the _internal index enabled and assign it to the group of users you need to. Or you can just add the _internal index to the default user role, but then all users will be granted the ability to search the _internal index. Be careful if you decide to use this option, since we avoid granting access to the _internal index to regular users.
To customise your role, please check this document: https://docs.splunk.com/Documentation/Splunk/8.1.0/Security/Rolesandcapabilities
Hi @shocko,
It is not required to set up LDAP in your cluster environment; you can continue using the current authentication method.
Answering your questions:
For both cases, I would recommend keeping those capabilities assigned to the admin user, because the admin users should have the required knowledge to handle the configuration/administration tasks.
If you really want to take the risk and have both capabilities assigned to your role, I recommend creating a new role in a sandbox/dev environment with those capabilities enabled and assigning this role to your user only, for you to run your tests. If it works as expected, replicate it to the production environment.
For further information about the roles and capabilities assigned by default to each user, check the link below:
https://docs.splunk.com/Documentation/Splunk/8.1.0/Security/Rolesandcapabilities
I hope my answer can help you. If so, please accept this answer.
Thanks @ivanreis for taking time to reply. I do agree that it's important to keep the cluster admin role assigned to true admins, but that said, a common request from teams is to allow them to see how much license their apps are consuming, as this is dynamic based on event logging etc.
Hi @shocko,
Now it is clearer what you want to achieve. My suggestion is:
- Create a new power user role and add the _internal index to be searchable on this role. The Splunk _internal index provides license information.
- Create a dashboard to get the license data from _internal, or check this app to see if it fits your needs: https://splunkbase.splunk.com/app/3178/
I hope this helps you solve your need.
Thanks for the reply @ivanreis. Power user seems to have more privileges than needed, though. Is there no read role for this?
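An added example, not part of the original thread and not configuration shipped by Splunk: an `authorize.conf` stanza for the custom role suggested in the replies, narrowed to license usage events only. The role name `license_viewer`, the quota values and the `srchFilter` restriction are assumptions, and it assumes the license master's `_internal` events are searchable from this search head.

```ini
# authorize.conf on the search head (local/ directory of an app or of system).
# Added example; "license_viewer" is a hypothetical role name.

# Option the thread warns about: widening the default "user" role.
# Every regular user could then read all internal logs, so leave it commented out.
# [role_user]
# srchIndexesAllowed = *;_internal

# Narrow, read-only role for teams that only need license consumption figures.
[role_license_viewer]
# No importRoles line: nothing is inherited from user, power or admin.

# Only capability granted: run searches. No edit_* or admin capabilities.
search = enabled

# The only index this role may search, and the one searched by default.
srchIndexesAllowed = _internal
srchIndexesDefault = _internal

# Assumption: restrict results to license usage events so the rest of
# _internal (splunkd.log, audit-related internals, etc.) stays hidden.
srchFilter = source=*license_usage.log*

# Constructed quota values: keep this role's search footprint small.
srchJobsQuota = 2
srchDiskQuota = 50

# A dashboard panel for this role could use a search such as:
#   index=_internal source=*license_usage.log* type=Usage
#   | stats sum(b) AS bytes BY idx
# (type=Usage events carry the ingested byte count in "b" and the index in "idx").
```

Assign the role on its own: a user who also holds a broader role keeps that role's index access and capabilities as well.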