Capabilities needed to Add Search Head to Cluster

amat
Explorer

I am trying to create a new process to have a service (non-admin) account add new Search Heads to a cluster. Specifically, I need enough capabilities to have the service account initialize and add a search head to a cluster. I want to avoid giving "admin-all-objects" as it's too much privilege and I want to adhere to a least-priv policy.

I created a new local account and added it to the deployer, SH cluster, and the new SH. I then added capabilities related to SH clustering so that I can have this service account initialize and add an SH to a cluster. However, I am getting errors related to permissions.

Capabilities added:

edit_restmap
edit_search_head_clustering
edit_search_server
edit_server
list_search_head_clustering
rest_apps_management
rest_apps_view
rest_properties_get
rest_properties_set
restart_splunkd

Error when trying to initialize SH:

/opt/splunk/bin/splunk init shcluster-config  <CLUSTER INFO>> 

User 'shcluster_config' with roles { shcluster_config, user-shcluster_config } cannot write: /nobody/system/server { read : [ * ], write : [ admin ] }, removable: no

Anybody know what capability I need to give this service account enough access to add new SHs to a cluster?

Thank you

richgalloway
SplunkTrust

The answer is in the error message.

write : [ admin ]

means only an admin can write to that service.  In this case, admin is least-priv.

---
If this reply helps you, Karma would be appreciated.
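
Added example (not part of the original thread and not Splunk's own code): a small Python parser for the denial message quoted in the question, which reports the roles the object's ACL accepts for the requested action next to the roles the account holds. The regular expression is inferred from that single message, and the function names are hypothetical.

```python
import re

# Shape of the denial quoted in the question (pattern inferred from that one message).
DENIAL_RE = re.compile(
    r"User '(?P<user>[^']+)' with roles \{(?P<roles>[^}]*)\} "
    r"cannot (?P<action>read|write): (?P<object>\S+) "
    r"\{(?P<acl>.*)\}, removable: (?P<removable>\w+)"
)
ACL_ENTRY_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")


def _split(csv):
    """Split a comma-separated role list, dropping padding and empty items."""
    return [item.strip() for item in csv.split(",") if item.strip()]


def parse_denial(message):
    """Return the fields of a denial message, or None if it does not match."""
    m = DENIAL_RE.search(message)
    if m is None:
        return None
    acl = {perm: _split(roles) for perm, roles in ACL_ENTRY_RE.findall(m.group("acl"))}
    return {
        "user": m.group("user"),
        "roles": _split(m.group("roles")),
        "action": m.group("action"),
        "object": m.group("object"),
        "acl": acl,
    }


def explain(message):
    """Say which ACL entry blocked the request and which roles it accepts."""
    d = parse_denial(message)
    if d is None:
        return "not an ACL denial message"
    allowed = d["acl"].get(d["action"], [])
    # "*" in an ACL list matches every role.
    if "*" in allowed or set(allowed) & set(d["roles"]):
        return "roles satisfy the %s ACL; the denial has another cause" % d["action"]
    return "%s on %s requires one of %s; user %s holds %s" % (
        d["action"], d["object"], allowed, d["user"], d["roles"])


# The message from the question, copied verbatim.
SAMPLE = ("User 'shcluster_config' with roles { shcluster_config, user-shcluster_config } "
          "cannot write: /nobody/system/server { read : [ * ], write : [ admin ] }, removable: no")

if __name__ == "__main__":
    print(explain(SAMPLE))
```
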

amat
Explorer

Is there any way we can add another role to have write to that service?

richgalloway
SplunkTrust

I'm pretty sure admin means admin.  You can try setting individual capabilities in a custom role until you hit upon the right combination if you want, though.


amat
Explorer

Yes, that makes sense. But do you know if it's possible if we can change the write permission so it can include another role?

richgalloway
SplunkTrust

That I don't know.
