Splunk Enterprise

How to manage authorize.conf and authentication.conf in a SHC?

Jamie
Path Finder

Hello.

I am running 8.2.2 on Linux.  I have a SHC with three members.

I have three indexes.  I would like to restrict the searchable index for each role and I would like to understand the best way to distribute that change.

I used the web GUI to create the roles, which the cluster replicated.  However, the GUI does not permit non-internal indexes to be deselected.  Therefore, I have edited authorize.conf on each member.  I am using srchIndexesDisallowed.  An account with role_user_a should only be able to search index_a.   The configuration below works, but how should I manage changes like this given the GUI limitation -- should I continue to edit the file directly (along with authentication.conf) going forward (and not use the GUI)?

$ splunk btool --debug authorize list role_user_a
/opt/splunk/etc/system/local/authorize.conf [role_user_a]
/opt/splunk/etc/system/local/authorize.conf cumulativeRTSrchJobsQuota = 0
/opt/splunk/etc/system/local/authorize.conf cumulativeSrchJobsQuota = 0
/opt/splunk/etc/system/local/authorize.conf importRoles = user
/opt/splunk/etc/system/default/authorize.conf rtSrchJobsQuota = 6
/opt/splunk/etc/system/default/authorize.conf run_collect = enabled
/opt/splunk/etc/system/default/authorize.conf run_mcollect = enabled
/opt/splunk/etc/system/default/authorize.conf schedule_rtsearch = enabled
/opt/splunk/etc/system/default/authorize.conf srchDiskQuota = 100
/opt/splunk/etc/system/default/authorize.conf srchFilterSelecting = true
/opt/splunk/etc/system/local/authorize.conf srchIndexesAllowed = index_a
/opt/splunk/etc/system/local/authorize.conf srchIndexesDefault = index_a
/opt/splunk/etc/system/local/authorize.conf srchIndexesDisallowed = index_b;index_c
/opt/splunk/etc/system/default/authorize.conf srchJobsQuota = 3

Thanks for your help.

Labels (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Move the settings from etc/system/local/ to an app then deploy the app from the SHC deployer.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

pbrinkman
Path Finder

thanks @dural_yyz  do you have an example of the actual configuration.  Thanks what I am struggling with at the moment, knowing what the config should look like in authorise.conf

 

cheers

0 Karma

dural_yyz
Builder

I can't show how my configuration is exactly so here is a mock up of general rules.

[role_user-clone]
<omitted but all default user capabilities should be here as well>
## Validate upgrades don't change default capabilities, keep in sync post upgrade
srchIndexesAllowed = main; index-1; index-n
srchIndexesDefault = main

[role_custom]
srchIndexesAllowed = index-A; index-B
importRoles = user-clone

 

Here the custom user will inherit all rights of the user-clone for search Indexes Allow which doesn't include wild cards so is restrictive, but often environments may have index(es) which all users can view.

Post upgrades in our environment we audit all Splunk Default roles against our cloned roles for any capability changes.  We use this more to ensure restricted access to indexes than any other capability control (ex: we don't mess with capabilities for sharing or report building).

Just make sure that your custom roles do not import default roles or they will inherit default search indexes.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

my 2 cents for this.

You definitely should manage all configurations (which you can) by Deployer on SHC. Otherwise you will have huge mesh quite soon 😞

Don't mix access and capabilities on one role!!! Those should be always in separate roles. Otherwise you will get really hard times to debug why something works or not on users.

Don't do inheritance chains like 

role1 -> role2 -> role3 -> role4

It's much easies debug/know what you have when when you do only one level inheritance

role1 -> role4
role2 -> role4
role3 -> role4

 Try to create your own base roles instead of use splunk's user/power/admin where inherit to another. Then you always know what capabilities those have instead of guessing what has changes when Splunk versions has updated.

r. Ismo

isoutamo
SplunkTrust
SplunkTrust

One more. I haven't ever understand why there should be 

srchIndexesDefault

My advice is don't use it! With this your users never learn to define index=abc and then you need to debug why one can see data and other cannot! Much better to force them to use indexes on search.

Another is

srchFilter

 that will generate much more issues than solve those if you have environment with several roles etc.

dural_yyz
Builder

You already have your answer that work for you which is great.

 

In our environment we cloned the default user and removed the allowed=* from the clone.  We build all roles to inherit the cloned user account.  That way you have all the same capabilities but don't inherit the allowed=* for indexes.

 

Food for thought.

pbrinkman
Path Finder

hi @dural_yyz  many thanks for the response.

Do you have an example of what the config likes. I know what I am trying to achieve but struggling with what the actual config should look like

0 Karma

pbrinkman
Path Finder

Agree with @richgalloway  the gui doesnt allow the flexibility to manage users / roles.  Although it would be nice to see some clear documentation as to how to set this up from a deployer server correctly.  Does anyone have any configuration examples ?

0 Karma

Jamie
Path Finder

@richgalloway,

Thanks for the quick response.  I had considered that, but given that both files are included in the SHC replication I thought that might lead to problems.  Do you manage the files that way and does that mean further GUI edits of both files need to be avoided, do you know?  Thanks again.

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The fact that the GUI doesn't let you do all you need to do should be enough to steer you toward another method.  IMO, clusters should be managed as clusters, with the deployer as the Source of Truth for what the configuration should be.  Configuration changes should be made at the deployer and then deployed to SHC members.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust
SplunkTrust

Move the settings from etc/system/local/ to an app then deploy the app from the SHC deployer.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...