How do we add users or groups to roles in a Splunk search head cluster or create new roles?
Roles are managed by authorization.conf.
authorization.conf is not replicated automatically between Search Head Cluster Members, so the new roles will need to be deployed from the deployer.
As recommended in Splunk Documentation http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/AdduserstotheSHC, to add users to the search head cluster, use either LDAP or Splunk Enterprise built-in authentication.
If you use LDAP, the recommendation is to use a separate test instance, ensure that authentication functions properly, and going forward use this instance to test and deploy the role-related configuration.
Here I have used the deployer to do my LDAP-related testing and also use it to deploy changes to the Search Head Cluster Members.
Before you follow the steps below, you need to ensure that the local authentication.conf on each SH contains the LDAP strategy definition and is able to bind to LDAP. Because the password is hashed we can't update this file from the deployer, but once we set it up the first time, you don't need to modify it anymore.
The following steps can be used to deploy new "roles", "role and index mapping" and "Splunk Role=LDAP Group mapping".
Step 1: On search head deployer (SHCdeployer03) login to GUI and create new role and assign it to the LDAP group.
Step 2: On search head deployer (SHCdeployer03), move the authorize.conf and authentication.conf files from /opt/splunk/etc/system/local to /opt/splunk/etc/shcluster/apps/key_all_authentication/local.
Step 3: On search head deployer (SHCdeployer03), cd /opt/splunk/etc/shcluster/apps/key_all_authentication/local
and vi the authentication.conf file and remove the following line:
bindDNpassword =
Make sure you only remove the bindDNpassword line from this file and nothing else.
Step 4: On search head deployer (SHCdeployer03), run the following command:
splunk apply shcluster-bundle -target Captain URI
Step 5: On any search head member, run the following command to check the status of the search head members:
splunk show shcluster-status
Step 6: Log in to any search head to check the new role.
Documentation bug "SPL-100129: How are roles managed in Search Head Cluster?" has been added to include this in the documentation.
This is a tricky one: authorize.conf is where the roles are defined, so what we do is create an application called
auth_dev
and include two files in its default folder:
authorize.conf
authentication.conf
In authorize.conf we define the role:
[role_somethingnew]
srchIndexesAllowed = mynewindex
srchIndexesDefault = mynewindex
srchMaxTime = 0
In authentication.conf we define the mapping for the LDAP group:
[roleMap_MYCOMPANY-LDAP-DEV]
somethingnew = SOME_AD_GROUP
Then we push this app from the deployer.
The thing you need to consider is that the local authentication.conf on each SH should contain the LDAP strategy definition, and because the password is hashed we can't update this file from the deployer, but once we set it up the first time, we don't need to modify it anymore.
So in etc/system/local/authentication.conf on all your search heads you will have something like:
[authentication]
authSettings = MYCOMPANY-LDAP-DEV
authType = LDAP
[MYCOMPANY-LDAP-DEV]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = cn=somuser,ou=people,dc=mycompanydomain,dc=com
bindDNpassword = ****$1$H#shedPasword=****
charset = utf8
groupBaseDN = ou=groups,dc=mycompanydomain,dc=com
groupBaseFilter = (cn=SOME_AD*)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap.mycompany.com
nestedGroups = 1
network_timeout = 20
port = 636
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = ou=people,dc=mycompany,dc=com
userNameAttribute = cn
emailAttribute = mail
The bindDN password will be different on each SH.
Next time you need to add another role, just modify the auth_dev app and that is it.
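As an added example (not code from either answer above), a small pre-flight check for the bundle that both answers describe: before running `splunk apply shcluster-bundle`, it confirms that the app's authentication.conf no longer carries a bindDNpassword line (the step the first answer says must be done by hand) and that every LDAP group in a roleMap stanza points at a role that authorize.conf actually defines. The stanzas below are constructed from the ones quoted in the thread; the check_bundle function and the extra "auditor" mapping are assumptions, not anything the project ships.

```python
import configparser
from typing import List

def load_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text: INI-like, keys case-sensitive (bindDNpassword)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_bundle(authentication_text: str, authorize_text: str) -> List[str]:
    """Return a list of problems; an empty list means the bundle is safe to push."""
    problems = []
    auth = load_conf(authentication_text)
    authz = load_conf(authorize_text)
    # 1. bindDNpassword must stay out of the pushed file: the hashed value is
    #    per-instance and the bundle would overwrite each member's working one.
    for section in auth.sections():
        if auth.has_option(section, "bindDNpassword"):
            problems.append(f"[{section}] still contains bindDNpassword")
    # 2. Every role named in a roleMap_* stanza must exist as [role_<name>]
    #    in authorize.conf, or the LDAP group maps to nothing.
    defined = {s[len("role_"):] for s in authz.sections() if s.startswith("role_")}
    for section in auth.sections():
        if section.startswith("roleMap_"):
            for role, group in auth.items(section):
                if role not in defined:
                    problems.append(f"[{section}] maps {group} to undefined role {role}")
    return problems

# Constructed sample stanzas modelled on the thread: the password line was not
# removed, and a second group is mapped to a role authorize.conf never defines.
SAMPLE_AUTHENTICATION = """
[MYCOMPANY-LDAP-DEV]
host = ldap.mycompany.com
bindDN = cn=somuser,ou=people,dc=mycompanydomain,dc=com
bindDNpassword = $1$constructed-placeholder-hash

[roleMap_MYCOMPANY-LDAP-DEV]
somethingnew = SOME_AD_GROUP
auditor = SOME_OTHER_AD_GROUP
"""
SAMPLE_AUTHORIZE = """
[role_somethingnew]
srchIndexesAllowed = mynewindex
srchIndexesDefault = mynewindex
srchMaxTime = 0
"""
```

Read the two files from the app's local (or default) folder on the deployer and pass their contents to check_bundle; only push the bundle when it returns an empty list.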
Roles are managed by authorization.conf.
authorization.conf is not replicated automatically between Search Head Cluster Members, so the new roles will need to be deployed from the deployer.
This is true for 6.0, 6.1, 6.2 and 6.3, but it may be synced in future versions; check the release notes.