When configuring a cluster, you're given a textbox to provide an optional security key.
The fact that this is an optional field is somewhat worrying. Given a scenario where one isn't provided, this essentially allows anyone to set up a new Search Head from another server, their desktop, etc., and just by knowing the URL of the Cluster Master, bypass any and all account and index security settings set up elsewhere.
Of course, no tool is foolproof, and someone clueless enough will always manage to create giant issues and security holes, but software should at least try to cover the obvious.
Back in the Splunk 4.x days, when setting up a Search Head to search multiple indexers, you would be required to provide an account that existed on the indexers for the SH to authenticate with. Going to an optional security key for a cluster of indexers seems like a step backwards.
Also, nowhere in the clustering documentation do I see an emphasis placed on the importance of having a good cluster security key. The most I could find was this, on the "Enable the cluster master node" doc page, where it even seems to indicate that leaving it empty is okay.
Security Key. This is the key that authenticates communication between the master and the peers and search heads. The key must be the same across all cluster instances. If you leave the field empty here, leave it empty on the peers and search heads as well.
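As an added example (not part of the original post and not Splunk's own tooling), here is a small audit script that reads a node's server.conf and flags the situation the post describes: a [clustering] stanza whose pass4SymmKey is missing, empty, or still the shipped default. The two configuration samples are constructed for illustration; the hardened one uses an obvious placeholder rather than a real key. The fallback from [clustering] to [general], the "changeme" default, and the treatment of "$1$"/"$7$" values as already-encrypted-on-disk are assumptions about Splunk's behaviour, not facts stated on this page.

```python
import configparser

# Constructed sample: a cluster master whose security key was left empty,
# which is the configuration the post warns about.
WEAK_CONF = """
[clustering]
mode = master
pass4SymmKey =
replication_factor = 3
search_factor = 2
"""

# Constructed sample: same node with a key set. The value is a placeholder,
# not a real secret.
HARDENED_CONF = """
[clustering]
mode = master
pass4SymmKey = REPLACE-WITH-A-LONG-RANDOM-SHARED-KEY
replication_factor = 3
search_factor = 2
"""

# Assumption: this is the default pass4SymmKey Splunk ships in [general].
KNOWN_DEFAULT_KEY = "changeme"
# Assumption: values with these prefixes have already been encrypted on disk
# by Splunk, so their strength cannot be judged from the file alone.
ENCRYPTED_PREFIXES = ("$1$", "$7$")
MIN_KEY_LENGTH = 12  # local policy threshold, chosen for this example


def _load(conf_text: str) -> configparser.ConfigParser:
    # Splunk .conf files are INI-like; keys are case-sensitive, and no
    # %-interpolation should be applied to values.
    parser = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    parser.optionxform = str
    parser.read_string(conf_text)
    return parser


def audit_cluster_key(conf_text: str) -> list[str]:
    """Return a list of findings about the cluster security key; empty means OK."""
    parser = _load(conf_text)
    if not parser.has_section("clustering"):
        return ["no [clustering] stanza: node is not configured for clustering"]

    key = (parser["clustering"].get("pass4SymmKey") or "").strip()
    source = "[clustering]"
    if not key and parser.has_section("general"):
        # Assumption: an unset [clustering] key falls back to [general].
        key = (parser["general"].get("pass4SymmKey") or "").strip()
        source = "[general]"

    findings: list[str] = []
    if not key:
        findings.append(
            "pass4SymmKey is missing or empty: any host that knows the master "
            "URL can join the cluster or search it without a shared secret"
        )
    elif key.startswith(ENCRYPTED_PREFIXES):
        # Already encrypted on disk; nothing more to check from the file.
        pass
    elif key == KNOWN_DEFAULT_KEY:
        findings.append(f"pass4SymmKey in {source} is the shipped default '{KNOWN_DEFAULT_KEY}'")
    elif len(key) < MIN_KEY_LENGTH:
        findings.append(f"pass4SymmKey in {source} is shorter than {MIN_KEY_LENGTH} characters")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_cluster_key(text)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

Run it against the real file (`$SPLUNK_HOME/etc/system/local/server.conf`, or wherever the clustering stanza lives in your deployment) on the master, every peer, and every search head; the post's point is that the key has to be set, and set identically, on all of them, so an empty result on one node is not enough.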