I'm building a cluster which will be authenticated against AD via LDAP. We will also be permitting a 3rd party to query the indexers from their own search head. How would user authentication work in this model? On the indexers we restrict certain roles to certain indexes, but I'm unclear what level of authentication will be inspected for the queries from the remote SH, which will manage its own users independently. How would an admin user be identified by the indexes compared to a normal user? Will we have to duplicate their users into our AD for account lookups and presume they are legitimately pre-authenticated? Does the search call also send the roles that user has from their Search Head?
All Splunk user authentication is handled on the search heads. If you grant a third party controlled search head access to your indexers, they will have full and complete access to your data, and it will be totally up to them to control access to indexes.
There are two ways you might approach this problem. The first is if it's a friendly third party, you could provide them your set of roles, and then ask that they do their authentication in alignment with that. In some situations, I've heard of the central org taking ownership of the remote search head, and just managing it.
The second way is that you could segment your indexers into two groups -- one that has sensitive data and one that doesn't. This adds more complexity to the environment because you have to route either hosts to different sets of indexers (e.g., web servers to one, internal servers to another) or route based on different data sources (e.g., PCI data to a couple of dedicated indexers, all other data to the normal sets). More complexity, but by controlling where the data is sent you get to control what indexers the third party search head is allowed to hit, and thus what data they can see.
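As an added illustration of both approaches (this is example configuration written for this thread, not the answer author's own files), the stanzas below show (a) a role definition you could hand to the third party so their search head enforces the same index restrictions you use, and (b) forwarder-side routing that keeps sensitive data on a dedicated indexer group the third-party search head is never pointed at. Hostnames, index names, role names and the log path are placeholders. The `_TCP_ROUTING` setting in `inputs.conf` works on a universal forwarder because it selects an output group per input stanza; routing on event content with `props.conf`/`transforms.conf` would instead require a heavy forwarder.

```ini
# ---------------------------------------------------------------
# (a) authorize.conf on the in-house search head
#     This is the role you would give to the third party as the
#     reference they should mirror on their own search head.
#     Remember: indexers do not enforce this; the search head does.
# ---------------------------------------------------------------
[role_partner_analyst]
# Only these indexes are searchable; "*" is deliberately absent
srchIndexesAllowed = web;proxy
srchIndexesDefault = web
# No admin-type capabilities inherited
importRoles =

# ---------------------------------------------------------------
# (b) outputs.conf on every forwarder (placeholder hostnames)
#     Two output groups: general indexers and PCI-only indexers.
# ---------------------------------------------------------------
[tcpout]
defaultGroup = general_indexers

[tcpout:general_indexers]
server = idx-general-1.example.internal:9997, idx-general-2.example.internal:9997

[tcpout:pci_indexers]
server = idx-pci-1.example.internal:9997, idx-pci-2.example.internal:9997

# ---------------------------------------------------------------
# inputs.conf on the forwarders that collect sensitive sources.
#     Anything not tagged here falls through to defaultGroup.
# ---------------------------------------------------------------
[monitor:///var/log/payments/*.log]
index = pci
sourcetype = payments
# Send this input only to the dedicated PCI indexer group
_TCP_ROUTING = pci_indexers

[monitor:///var/log/httpd/access_log]
index = web
sourcetype = access_combined
# No _TCP_ROUTING: goes to general_indexers via defaultGroup
```

Two checks worth doing once this is in place: confirm with `splunk btool outputs list --debug` (and the same for `inputs`) on a forwarder that the PCI stanza actually resolves to `pci_indexers`, and on the PCI indexers make sure the third-party search head's public key has not been installed under `$SPLUNK_HOME/etc/auth/distServerKeys/`, since that trust file is what lets a remote search head run distributed searches against an indexer regardless of what `distsearch.conf` on the search head lists.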