default_namespace in an LDAP, multi-tenant, SHC

twinspop
Influencer

We have different groups in our company. Each group gets an app, say acme_search. There are roles associated with the app, for example acme_user. This role is then mapped to an LDAP group. One of the template files included with the base app install is acme_search/default/user-prefs.conf which contains:

[role_acme_user]
default_namespace = acme_search

I've noticed just recently that all users are being sent to the search app by default. I swear this used to work as expected. This really sucks because newbs start creating artifacts, reports, alerts, dashboards, etc. in search instead of their "Acme" app. And untangling that mess is not trivial. Not to mention the confusion it sows in the user base.

It appears that the (relatively new?) default app user-prefs is overriding my per app config file. In a standalone SH env, if I put that stanza into user-prefs/local/user-prefs.conf it works. Doing that in an SHC env is tricky/hacky/gross. I presume it would work in system/local as well, while also presenting SHC problems. More to the point, I need it to be bundled with the app. Trying to manage a common user-prefs.conf file for 400+ different roles is not something I want to tackle.

FWIW, btool shows good, but this setting has no impact on actual use.

> splunk btool user-prefs list role_acme
[role_acme_user]
default_namespace = acme_search

Am I missing something? Any workarounds?

Linux
Splunk 6.5.1 (tested on 6.5.2 as well)
SHC and indexer cluster

Thanks,
jon

0 Karma

twinspop
Influencer

Until there's a better option I've scripted out a little job to concatenate the various default/user-prefs.conf from my template-based apps into one file for the user-prefs app. Not pretty but it works.

#!/bin/bash

# where are our apps?
SPLUNKAPPS=/app/splunk/etc/apps

# if in SHC env, use this instead
#SPLUNKAPPS=/app/splunk/etc/shcluster/apps

# the file we want to write to
FILE="$SPLUNKAPPS/user-prefs/local/user-prefs.conf"

# back it up (skipped on the first run, when the file does not exist yet)
[ -f "$FILE" ] && cp "$FILE" "$FILE.$(date +"%Y%m%d%H%M%S")"

# start with a clean slate
echo '[general_default]
default_earliest_time = -60m@m
default_latest_time = now

' > "$FILE"

# collect up the default/user-prefs, which should only include the bit we want
# (match the default/ directory exactly and skip the user-prefs app itself)
find "$SPLUNKAPPS" -path '*/default/user-prefs.conf' ! -path '*/user-prefs/*' |
while IFS= read -r n
do
    echo "### $n" >> "$FILE"
    cat "$n" >> "$FILE"
    echo "###" >> "$FILE"
done

0 Karma
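
A pre-merge check for the concatenation job above, as an added example that is not part of the original post: because every app's file ends up in one shared user-prefs.conf, it verifies that each file holds only its own role stanzas and that no role is claimed by two apps. The policy, the function names and the sample tree (acme_search, beta_search, other_app) are assumptions made for illustration.

```shell
# Added example (not from the thread). Assumed policy: an app's
# default/user-prefs.conf may only hold [role_*] stanzas whose single key,
# default_namespace, names the app that ships the file.

# check_app_prefs FILE: print violations; return 1 if any were found
check_app_prefs() {
    local file app
    file=$1
    app=$(basename "$(dirname "$(dirname "$file")")")  # <app>/default/user-prefs.conf
    awk -v app="$app" -v f="$file" '
        /^[ \t]*(#|$)/ { next }                         # skip comments and blank lines
        /^\[/ { stanza = $0
                if (stanza !~ /^\[role_.+\]$/) { print f ": stanza " stanza " not allowed"; bad = 1 }
                next }
        { split($0, kv, /[ \t]*=[ \t]*/)
          if (kv[1] != "default_namespace") { print f ": key " kv[1] " not allowed"; bad = 1 }
          else if (kv[2] != app) { print f ": " stanza " points at " kv[2] ", not " app; bad = 1 } }
        END { exit bad + 0 }' "$file"
}

# duplicate_roles APPS_DIR: print role stanzas defined by more than one app
duplicate_roles() {
    find "$1" -path '*/default/user-prefs.conf' ! -path '*/user-prefs/*' \
        -exec grep -h '^\[role_' {} + | sort | uniq -d
}

# Constructed sample tree: two well-formed apps, plus one that overrides
# [general_default] and re-declares another tenant's role.
make_sample_tree() {
    local d a
    d=$(mktemp -d)
    for a in acme_search beta_search other_app; do mkdir -p "$d/$a/default"; done
    printf '[role_acme_user]\ndefault_namespace = acme_search\n' \
        > "$d/acme_search/default/user-prefs.conf"
    printf '[role_beta_user]\ndefault_namespace = beta_search\n' \
        > "$d/beta_search/default/user-prefs.conf"
    printf '[general_default]\ndefault_earliest_time = 0\n[role_acme_user]\ndefault_namespace = other_app\n' \
        > "$d/other_app/default/user-prefs.conf"
    echo "$d"
}
```

Running check_app_prefs on each file inside the collection loop, and duplicate_roles once before it, lets the job refuse a merge instead of letting one app's file change another group's landing app.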


DATEVeG
Path Finder

Any news here?
Is there still no better solution?

SHC seems not so easy to manage ...

0 Karma

harsmarvania57
Ultra Champion

Does the acme_user role have access to the acme_search app?

Thanks,
Harshil

0 Karma

twinspop
Influencer

Yes. They can manually switch to the app, and save artifacts there. But I want them to START in the app by default. Not Launcher.

0 Karma

harsmarvania57
Ultra Champion

OK, we are also running SHC, but we are pushing user-prefs/local/user-prefs.conf from the Deployer to all SHs for all the apps to manage it centrally.

0 Karma

twinspop
Influencer

Trying to avoid that. (Also, the Deployer only pushes default. Anything in local on the Deployer is reconciled with default and pushed to the SHC as default. FYI.)

0 Karma

harsmarvania57
Ultra Champion

Yes, I know that is the default behaviour when you deploy an app from the deployer.

0 Karma