Security

multi-tenant set up with two Johns

ronak
Path Finder

Setup

  1. index defined (client1_index_mobile_event, client2_index_mobile_event)
  2. roles defined (client1_role, client2_role)
  3. users defined (bob, john, peter)
  4. role to index mapping (client1_role -- > client1_index_mobile_event, client2_role -- > client2_index_mobile_event)
  5. role to user mapping (client1_role -- > bob, john ; client2_role -- > peter)

What it achieves

• When bob or john login, they see the data from client1_index_mobile_event
• When peter logs in, he sees data from client2_index_mobile_event

For the same query of search index=*index_mobile_event | head 10

Need-1

How to configure a scenario where client1 has user called John and client2 also has user called John, so that

• John from client1 has access to data from client1_index_mobile_event
• John from client2 has access to data from client2_index_mobile_event

Need-2

I’ve an external system that maintains the data in client: username : password format e.g. for the above mentioned scenario of john, it will have information like

Client1: john:
Client2: john:

If I want to use that system for login (to provide a seamless experience to end user and off-load password management to that system) , WHAT ARE my steps to achieve this so that John from client1 still sees only clien1 data and John2 from client2 sees only for client2 index data

Any pointers would be highly appreciated.

0 Karma

monzy
Communicator

you might consider using an email address instead of the first name for the users.

0 Karma

ronak
Path Finder

That's a good suggestion Monzy ...any input on my previous comment/question about not having userID in splunk, but only the role?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Two users in one system can't have the same name.
I see two solutions: Change your user names to client_user to mitigate conflicts, or set up two search heads and connect one to client1's ldap and the other to client2's ldap to avoid conflicts entirely.

martin_mueller
SplunkTrust
SplunkTrust

I'm pretty sure Splunk will require a user context. There's preferences to store, private knowledge objects, user-created dashboards, auditing of user activity, and so on.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

If both Johns log in to the same system using the login name "john" then there's no way for the system to distinguish the two.
I don't see how custom scripted external authentication could solve this because the key problem remains the same - both type the same user name into the same box.

You'll need either different names or different systems.

0 Karma

ronak
Path Finder

In splunk setup, when I use external system for authentication - is defining a username within Splunk a must ? What I mean is -

  • my username - pwd - role combination resides in external database
  • In Splunk, I define role (e.g. cleint1_role, client2_role etc..) and associate appropriate indexes to it
  • now user logs into external system which based on context will get the role
  • the external system will make a call to Splunk passing the role information (client1_role or client2_role) and open a dashboard
  • the user who logged in to external system, can now browse thru the dashboard with relevant data

In this, I don't define John in Splunk at all...

Is that feasible option ?

0 Karma

ronak
Path Finder

Martin -

You are correct that , client_user is an option; but it is not a good user experience as I'll have to ask clients to suffix client_ to every use

I've search head clustering to have scalability of the setup.

Any pointers/steps for external system integration? The external system (NOT AD or LADAP, but a custom database) will maintain table with four columns - client_name, user_name, role, password .. how can splunk use that system to authenticate user and have right role associated with the log in?

Any pointers..?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...