- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- How does precedence work for authorize.conf?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On the deployer server we have the authorize.conf under /opt/splunk/etc/shcluster/apps/key_all_authentication/local and on the search heads we ended up having authorize.conf under etc/system/local. Apparently the one under etc/system/local takes precedence, which seems to me a bit strange as search time precedence order starts usually with the apps...
What am I missing?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, Splunk applies different precedence for the configuration files in global context vs app/user context. Below link should explain in detail. Since authorize.conf is a system configuration file and not a user/app context.
http://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Wheretofindtheconfigurationfiles
Precedence order within global context:
When the context is global (that is, where there's no app/user context), directory priority descends in this order:
- System local directory -- highest priority
- App local directories
- App default directories
- System default directory -- lowest priority
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, Splunk applies different precedence for the configuration files in global context vs app/user context. Below link should explain in detail. Since authorize.conf is a system configuration file and not a user/app context.
http://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Wheretofindtheconfigurationfiles
Precedence order within global context:
When the context is global (that is, where there's no app/user context), directory priority descends in this order:
- System local directory -- highest priority
- App local directories
- App default directories
- System default directory -- lowest priority
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect - thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Configs under system/local always gets precedence over the apps//system/local.
In regards to authorize.conf, since these are clustered search heads and you use deployer, would be better to use under apps to avoid confusion.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fair enough. Since it's search time the following, in my mind, should apply
It says
Precedence order within app or user context
When there's an app/user context, directory priority descends from user to app to system:
- User directories for current user -- highest priority
- App directories for currently running app (local, followed by default)
- App directories for all other apps (local, followed by default) -- for exported settings only
- System directories (local, followed by default) -- lowest priority
An attribute in savedsearches.conf, for example, might be set at all three levels: the user, the app, and the system. Splunk will always use the value of the user-level attribute, if any, in preference to a value for that same attribute set at the app or system level.
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
