Roles are managed by authorization.conf.
authorization.conf is not replicated automatically between Search Head Cluster Member. So the new roles will need to be deployed from deployer.
this is true for 6.0 6.1 6.2 6.3 but may be sync in future versions, check the release notes.
This is a tricky one, the authorize.conf is where the roles are defined, so what we do is create an application called
and we include in the default folder two files:
in authorize.conf we define the role:
[role_somethingnew] srchIndexesAllowed = mynewindex srchIndexesDefault = mynewindex srchMaxTime = 0
in authentication.conf we define the map for ldap group:
[roleMap_MYCOMPANY-LDAP-DEV] somethingnew = SOME_AD_GROUP
Then we push this app from the deployer.
The thing you need to consider is local authentication.conf on each SH should contain the LDAP strategy definition, and because the password is hashed we cant update this file form the deployer, but once we set it up the first time, we dont need to modify it anymore:
so in your etc/system/local/authentication.conf for all your search heads you will have something like:
[authentication] authSettings = MYCOMPANY-LDAP-DEV authType = LDAP [MYCOMPANY-LDAP-DEV] SSLEnabled = 1 anonymous_referrals = 1 bindDN = cn=somuser,ou=people,dc=mycompanydomain,dc=com bindDNpassword = ****$1$H#shedPasword=**** charset = utf8 groupBaseDN = ou=groups,dc=mycompanydomain,dc=com groupBaseFilter = (cn=SOME_AD*) groupMappingAttribute = dn groupMemberAttribute = member groupNameAttribute = cn host = ldap.mycompany.com nestedGroups = 1 network_timeout = 20 port = 636 realNameAttribute = displayname sizelimit = 1000 timelimit = 15 userBaseDN = ou=people,dc=mycompany,dc=com userNameAttribute = cn emailAttribute = mail
bindDN password will be different on each SH.
next time you need to add another role just modify the auth_dev app and that is it
As recommended in Splunk Documentation http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/AdduserstotheSHC, to add users to the search head cluster, use either LDAP or Splunk Enterprise built-in authentication.
If you use LDAP, recommendation will be to use Separate test instance, ensure that the authentication functions properly and going forwarder user this instance to test and deploy the Role related configuration.
Here I have used deployer to test my LDAP related testing and also use it to deploy changes to Search Head cluster Member.
Before you follow the below steps, you need to ensure that local authentication.conf on each SH should contain the LDAP strategy definition and are able to bind to LDAP, and because the password is hashed we can’t update this file form the deployer, but once we set it up the first time, you don't need to modify it anymore.
Following steps can be utilized to deploy new "roles", "role and index mapping" and "Splunk Role=LDAP Group mapping”.
Step 1: On search head deployer (SHCdeployer03) login to GUI and create new role and assign it to the LDAP group.
Step 2: On search head deployer (SHCdeployer03), move the authorize.conf and authentication.conf file from /opt/splunk/etc/system/local to /opt/splunk/etc/shcluster/apps/keyallauthentication/local
Step 3: On search head deployer (SHCdeployer03) cd /opt/splunk/etc/shcluster/apps/keyallauthentication/local
And vi authentication.conf file and remove the following line
Make sure you only remove bindDNpassword line from this file and nothing else.
Step 4: On search head deployer (SHCdeployer03), run the following command:
splunk apply shcluster-bundle -target Captain URI
Step 5: On any search head member run the following command to check the status of the search member.
splunk show shcluster-status
Steps 6: Login to Any search Head to check the New role.
Documentation Bug "SPL-100129:How are roles manged in Search head Cluster?" has been added to include this in documentation.