Security

Pooling and authentication.conf

sanderso67
New Member

In my system I am attempting to do authenticaion via the roleMap in the authentication.conf file in the pooling space. To make this work I have 2 instances of the authentication.conf file, one in the pooling space containing all the data BUT the encrypted password, and one in etc/system/local which ONLY contains is the encrypted password.

When I start the server, it picks up all the values as I expect and runs as anticipated. BUT... when I look at the etc/system/local file immediately after the restart, it has been populated with roleMap data. Because of that, on subsequent restarts, the search head no longer picks up the pooled version of the roleMap, but the local one with the unwanted role stanza. I need to keep the etc/system/local file from being written to so that it only contains the password.

I would also note that using the gui for role modification in this configuration also creates a etc/system/local entry, but that is not what is happening in this case.

Any idea what is updating this file and how to keep it from doing that? I have tried to make the file read-only (chmod 400) but it gets modified anyway and the permissions reset to read-write (600).

Thanks for any suggestions -

0 Karma

vsingla1
Communicator

Hi sanderso67,
I am also trying to achieve the same thing.
The encrypted information in system/local and rolemap info in shared authentication.conf, but after the restart the local authentication.conf gets edited. Did you achieve a solution for your problem?
Do you mind sharing it here?

0 Karma

rmorlen
Splunk Employee
Splunk Employee

We do the same thing. Encrypted password in the ../splunk/etc/system/local/authentication.conf and the rest of the information in an app that is used by all the searchheads in the pooled are /sharednfs/splunk/etc/apps/searcheadapp. This has worked fine for us in version 4.2.x and 4.3.2. Once we do this we can no longer use the gui to update the information because everything is controlled by the app.

0 Karma

lmyrefelt
Builder

You could use something like a "staging server" / admin-server ? A splunk instanse where you define common / shared knowledge settings, like authentication, authorize.conf etc etc that you later on, distributes to the search-heads / indexers via a custom app.

0 Karma

Damien_Dallimor
Ultra Champion

In search head pooling, only etc/apps and etc/users on your shared storage are shared by the search heads on the pool.

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configuresearchheadpooling

Search heads still use their own local etc/system directorys.

0 Karma

sanderso67
New Member

Agreed. That is why the RoleMap information needs to be in the shared directory only. On startup, the system reads and combines the config files on both the local and shared directories, and the local copy RoleMap stanza trumps the shared one. The shared one is the one that is maintained so I need to keep the local one from getting a RoleMap value and the system on startup is determined to copy values locally. My question is how to avoid that.

Thanks -

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...