Security

multi-tenant set up with two Johns

Path Finder

Setup

  1. index defined (client1indexmobileevent, client2indexmobileevent)
  2. roles defined (client1role, client2role)
  3. users defined (bob, john, peter)
  4. role to index mapping (client1role -- > client1indexmobileevent, client2role -- > client2indexmobileevent)
  5. role to user mapping (client1role -- > bob, john ; client2role -- > peter)

What it achieves

• When bob or john login, they see the data from client1indexmobileevent
• When peter logs in, he sees data from client2
indexmobileevent

For the same query of search index=*indexmobileevent | head 10

Need-1

How to configure a scenario where client1 has user called John and client2 also has user called John, so that

• John from client1 has access to data from client1indexmobileevent
• John from client2 has access to data from client2
indexmobileevent

Need-2

I’ve an external system that maintains the data in client: username : password format e.g. for the above mentioned scenario of john, it will have information like

Client1: john:
Client2: john:

If I want to use that system for login (to provide a seamless experience to end user and off-load password management to that system) , WHAT ARE my steps to achieve this so that John from client1 still sees only clien1 data and John2 from client2 sees only for client2 index data

Any pointers would be highly appreciated.

0 Karma

Communicator

you might consider using an email address instead of the first name for the users.

0 Karma

Path Finder

That's a good suggestion Monzy ...any input on my previous comment/question about not having userID in splunk, but only the role?

0 Karma

SplunkTrust
SplunkTrust

Two users in one system can't have the same name.
I see two solutions: Change your user names to client_user to mitigate conflicts, or set up two search heads and connect one to client1's ldap and the other to client2's ldap to avoid conflicts entirely.

SplunkTrust
SplunkTrust

I'm pretty sure Splunk will require a user context. There's preferences to store, private knowledge objects, user-created dashboards, auditing of user activity, and so on.

0 Karma

SplunkTrust
SplunkTrust

If both Johns log in to the same system using the login name "john" then there's no way for the system to distinguish the two.
I don't see how custom scripted external authentication could solve this because the key problem remains the same - both type the same user name into the same box.

You'll need either different names or different systems.

0 Karma

Path Finder

In splunk setup, when I use external system for authentication - is defining a username within Splunk a must ? What I mean is -

  • my username - pwd - role combination resides in external database
  • In Splunk, I define role (e.g. cleint1role, client2role etc..) and associate appropriate indexes to it
  • now user logs into external system which based on context will get the role
  • the external system will make a call to Splunk passing the role information (client1role or client2role) and open a dashboard
  • the user who logged in to external system, can now browse thru the dashboard with relevant data

In this, I don't define John in Splunk at all...

Is that feasible option ?

0 Karma

Path Finder

Martin -

You are correct that , client_user is an option; but it is not a good user experience as I'll have to ask clients to suffix client_ to every use

I've search head clustering to have scalability of the setup.

Any pointers/steps for external system integration? The external system (NOT AD or LADAP, but a custom database) will maintain table with four columns - clientname, username, role, password .. how can splunk use that system to authenticate user and have right role associated with the log in?

Any pointers..?

0 Karma