Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Capabilities needed to Add Search Head to Cluster

amat
Explorer
‎08-03-2021 01:26 PM

I am trying to create a new process to have a service (non-admin) account adding new Search Heads into a cluster. Specifically, need enough capabilities to to have the service account initialize and add a search head to a cluster. I want to avoid giving "admin-all-objects" as its too much privilege and want to adhere to least-priv policy.

 

I created a new local account and added it to the deployer, SH cluster, and the new SH. I then added capabilities related to SH clustering so that i can have this service account initialize and add SH to a cluster. However, i am getting errors related to permissions.

Capabilities added:

edit_restmap
edit_search_head_clustering
edit_search_server
edit_server
list_search_head_clustering
rest_apps_management
rest_apps_view
rest_properties_get
rest_properties_set
restart_splunkd

 

 

Error when trying to initialize SH: 

 

/opt/splunk/bin/splunk init shcluster-config  <CLUSTER INFO>> 

User 'shcluster_config' with roles { shcluster_config, user-shcluster_config } cannot write: /nobody/system/server { read : [ * ], write : [ admin ] }, removable: no

 

 

 

Anybody know what capability i need to give this service account enough access to add new SHs to a cluster?

 

Thank you

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-03-2021 05:23 PM

The answer is in the error message.

 

write : [ admin ]

 

means only an admin can write to that service.  In this case, admin is least-priv.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

amat
Explorer
‎08-05-2021 07:20 AM

Is there anyway we can add another role to have write to that service?

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-05-2021 08:52 AM

I'm pretty sure admin means admin.  You can try setting individual capabilities in a custom role until you hit upon the right combination if you want, though.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

amat
Explorer
‎08-05-2021 08:54 AM

yes that makes sense. But do you know if its possible if we can change the write permission so it can include another role ?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-05-2021 09:46 AM

That I don't know.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...