Search Head Cluster: How to manage new roles between Search Head Cluster Members?

sat94541
Communicator

How do we add users or groups to roles in a Splunk search head cluster or create new roles?

1 Solution

rbal_splunk
Splunk Employee

Roles are managed by authorization.conf.
authorization.conf is not replicated automatically between Search Head Cluster Members. So the new roles will need to be deployed from the deployer.

rbal_splunk
Splunk Employee

As recommended in the Splunk Documentation http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/AdduserstotheSHC, to add users to the search head cluster, use either LDAP or Splunk Enterprise built-in authentication.
If you use LDAP, the recommendation is to use a separate test instance, ensure that authentication functions properly, and going forward use this instance to test and deploy the role-related configuration.
Here I have used the deployer to do my LDAP-related testing and also to deploy changes to the Search Head Cluster Members.

Before you follow the steps below, you need to ensure that the local authentication.conf on each SH contains the LDAP strategy definition and is able to bind to LDAP. Because the password is hashed, we can't update this file from the deployer, but once we set it up the first time, you don't need to modify it anymore.

The following steps can be used to deploy new "roles", "role and index mapping" and "Splunk Role = LDAP Group mapping".

Step 1: On the search head deployer (SHCdeployer03), log in to the GUI, create the new role and assign it to the LDAP group.

Step 2: On the search head deployer (SHCdeployer03), move the authorize.conf and authentication.conf files from /opt/splunk/etc/system/local to /opt/splunk/etc/shcluster/apps/key_all_authentication/local

Step 3: On the search head deployer (SHCdeployer03):

cd /opt/splunk/etc/shcluster/apps/key_all_authentication/local

Then open authentication.conf in vi and remove the following line:

bindDNpassword = <hashed password>

Make sure you only remove the bindDNpassword line from this file and nothing else.

Step 4: On the search head deployer (SHCdeployer03), run the following command:

splunk apply shcluster-bundle -target <captain URI>

Step 5: On any search head member, run the following command to check the status of the search head cluster members:

splunk show shcluster-status

Step 6: Log in to any search head to check the new role.

rbal_splunk
Splunk Employee

Documentation bug "SPL-100129: How are roles managed in Search head Cluster?" has been filed to include this in the documentation.

aalanisr26
Path Finder

This is a tricky one. authorize.conf is where the roles are defined, so what we do is create an application called
auth_dev

and include in its default folder two files:
authorize.conf
authentication.conf

In authorize.conf we define the role:

# default/authorize.conf in the auth_dev app
[role_somethingnew]
srchIndexesAllowed = mynewindex
srchIndexesDefault = mynewindex
srchMaxTime = 0

In authentication.conf we define the mapping for the LDAP group (Splunk role name on the left, LDAP group on the right):

# default/authentication.conf in the auth_dev app
[roleMap_MYCOMPANY-LDAP-DEV]
somethingnew = SOME_AD_GROUP

Then we push this app from the deployer.

The thing you need to consider is that the local authentication.conf on each SH should contain the LDAP strategy definition, and because the password is hashed we can't update this file from the deployer, but once we set it up the first time, we don't need to modify it anymore.

So in etc/system/local/authentication.conf on all your search heads you will have something like:

# etc/system/local/authentication.conf on each search head (not pushed from the deployer)
[authentication]
authSettings = MYCOMPANY-LDAP-DEV
authType = LDAP

[MYCOMPANY-LDAP-DEV]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = cn=somuser,ou=people,dc=mycompanydomain,dc=com
bindDNpassword = ****$1$H#shedPasword=****
charset = utf8
groupBaseDN = ou=groups,dc=mycompanydomain,dc=com
groupBaseFilter = (cn=SOME_AD*)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap.mycompany.com
nestedGroups = 1
network_timeout = 20
port = 636
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = ou=people,dc=mycompany,dc=com
userNameAttribute = cn
emailAttribute = mail

The bindDN password will be different on each SH.
Next time you need to add another role, just modify the auth_dev app and that is it.
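Both procedures above (rbal_splunk's steps and aalanisr26's auth_dev app) come down to the same staging job: put the role and LDAP group mapping into an app under the deployer's shcluster directory, and make sure the bindDNpassword line never goes into the bundle, because the hashed value is per member and the deployer should not be distributing a bind credential anyway. The following POSIX shell script is an added example, not code from either post. It stages the two files, strips bindDNpassword, refuses to proceed if a password line survived, and wraps the bundle push. The app name key_all_authentication follows rbal_splunk's path; SPLUNK_HOME, the captain URI and the file contents in demo() are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original posts). Stages role + LDAP group
# mapping config as a deployer app without shipping the bind password.
set -u

# Copy SRC to DST, dropping only bindDNpassword lines. Everything else,
# including the strategy stanza and roleMap stanza, is kept verbatim.
strip_bind_password() {
    sed '/^[[:space:]]*bindDNpassword[[:space:]]*=/d' "$1" > "$2"
}

# Return 0 if FILE still carries a bindDNpassword setting.
has_bind_password() {
    grep -q '^[[:space:]]*bindDNpassword[[:space:]]*=' "$1"
}

# stage_auth_app SPLUNK_HOME APP_NAME SRC_DIR
# Copies SRC_DIR/authorize.conf as-is and SRC_DIR/authentication.conf
# minus the bind password into SPLUNK_HOME/etc/shcluster/apps/APP_NAME/local,
# then re-checks the staged copy before printing the staged directory.
stage_auth_app() {
    splunk_home=$1
    app=$2
    src=$3
    dst="$splunk_home/etc/shcluster/apps/$app/local"
    mkdir -p "$dst"
    cp "$src/authorize.conf" "$dst/authorize.conf"
    strip_bind_password "$src/authentication.conf" "$dst/authentication.conf"
    if has_bind_password "$dst/authentication.conf"; then
        echo "refusing to stage: bind password still present in $dst/authentication.conf" >&2
        return 1
    fi
    printf '%s\n' "$dst"
}

# push_bundle SPLUNK_HOME CAPTAIN_URI [USER:PASSWORD]
# Wraps the command from the post; -auth is only added when credentials
# are supplied. Not invoked by demo(), since it needs a live cluster.
push_bundle() {
    if [ "$#" -ge 3 ]; then
        "$1/bin/splunk" apply shcluster-bundle -target "$2" -auth "$3"
    else
        "$1/bin/splunk" apply shcluster-bundle -target "$2"
    fi
}

# Demo on constructed files in a temp directory (no real Splunk install).
# The stanzas mirror the shapes shown in the posts; values are placeholders.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src"
    cat > "$work/src/authorize.conf" <<'EOF'
[role_somethingnew]
srchIndexesAllowed = mynewindex
srchIndexesDefault = mynewindex
EOF
    cat > "$work/src/authentication.conf" <<'EOF'
[authentication]
authSettings = MYCOMPANY-LDAP-DEV
authType = LDAP

[MYCOMPANY-LDAP-DEV]
bindDN = cn=someuser,ou=people,dc=mycompany,dc=com
bindDNpassword = $1$placeholderhash
host = ldap.mycompany.com

[roleMap_MYCOMPANY-LDAP-DEV]
somethingnew = SOME_AD_GROUP
EOF
    stage_auth_app "$work/splunk" key_all_authentication "$work/src"
}

STAGED=$(demo)
echo "staged app at: $STAGED"
```

Run it as-is to see the staged directory; on a real deployer, point stage_auth_app at $SPLUNK_HOME and the directory holding the two files, inspect the staged authentication.conf, then call push_bundle. The refusal check in stage_auth_app is the step that matters: if it trips, the strategy stanza is still carrying the per-member password and the bundle must not be applied.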

yannK
Splunk Employee

This is true for 6.0, 6.1, 6.2 and 6.3 but may be synced in future versions; check the release notes.