Splunk Enterprise

How to manage authorize.conf and authentication.conf in a SHC?

Jamie
Explorer

Hello.

I am running 8.2.2 on Linux.  I have a SHC with three members.

I have three indexes.  I would like to restrict the searchable index for each role and I would like to understand the best way to distribute that change.

I used the web GUI to create the roles, which the cluster replicated.  However, the GUI does not permit non-internal indexes to be deselected.  Therefore, I have edited authorize.conf on each member.  I am using srchIndexesDisallowed.  An account with role_user_a should only be able to search index_a.   The configuration below works, but how should I manage changes like this given the GUI limitation -- should I continue to edit the file directly (along with authentication.conf) going forward (and not use the GUI)?

$ splunk btool --debug authorize list role_user_a
/opt/splunk/etc/system/local/authorize.conf [role_user_a]
/opt/splunk/etc/system/local/authorize.conf cumulativeRTSrchJobsQuota = 0
/opt/splunk/etc/system/local/authorize.conf cumulativeSrchJobsQuota = 0
/opt/splunk/etc/system/local/authorize.conf importRoles = user
/opt/splunk/etc/system/default/authorize.conf rtSrchJobsQuota = 6
/opt/splunk/etc/system/default/authorize.conf run_collect = enabled
/opt/splunk/etc/system/default/authorize.conf run_mcollect = enabled
/opt/splunk/etc/system/default/authorize.conf schedule_rtsearch = enabled
/opt/splunk/etc/system/default/authorize.conf srchDiskQuota = 100
/opt/splunk/etc/system/default/authorize.conf srchFilterSelecting = true
/opt/splunk/etc/system/local/authorize.conf srchIndexesAllowed = index_a
/opt/splunk/etc/system/local/authorize.conf srchIndexesDefault = index_a
/opt/splunk/etc/system/local/authorize.conf srchIndexesDisallowed = index_b;index_c
/opt/splunk/etc/system/default/authorize.conf srchJobsQuota = 3

Thanks for your help.


richgalloway
SplunkTrust

Move the settings from etc/system/local/ to an app then deploy the app from the SHC deployer.

---
If this reply helps you, an upvote would be appreciated.


Jamie
Explorer

@richgalloway,

Thanks for the quick response.  I had considered that, but given that both files are included in the SHC replication I thought that might lead to problems.  Do you manage the files that way and does that mean further GUI edits of both files need to be avoided, do you know?  Thanks again.

 


richgalloway
SplunkTrust

The fact that the GUI doesn't let you do all you need to do should be enough to steer you toward another method.  IMO, clusters should be managed as clusters, with the deployer as the Source of Truth for what the configuration should be.  Configuration changes should be made at the deployer and then deployed to SHC members.

---
If this reply helps you, an upvote would be appreciated.
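
The deployer approach recommended in this thread, sketched as an added example (not code posted by anyone in the thread). The app name org_all_authz and both function names are hypothetical; the stanza values are the ones btool attributed to system/local in the question. The second function exists because etc/system/local outranks any app, so a stanza left behind on a member would mask the deployed copy.

```bash
#!/usr/bin/env bash
# Added example: stage role restrictions as an app on the SHC deployer.
set -eu

APP_NAME="org_all_authz"   # hypothetical app name

# Write the role stanza to <shcluster_apps_dir>/<app>/local/authorize.conf
# and print the path of the file that was written.
stage_role_app() {
  local apps_dir="$1"
  local app_dir="$apps_dir/$APP_NAME"
  mkdir -p "$app_dir/local"
  cat > "$app_dir/local/authorize.conf" <<'EOF'
[role_user_a]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = user
srchIndexesAllowed = index_a
srchIndexesDefault = index_a
srchIndexesDisallowed = index_b;index_c
EOF
  printf '%s\n' "$app_dir/local/authorize.conf"
}

# Return 0 if the given authorize.conf still defines [role].
# Run it against etc/system/local/authorize.conf on each member: a hit
# means the hand-edited stanza is still there and will override the app.
has_stale_override() {
  local conf="$1"
  local role="$2"
  [ -f "$conf" ] && grep -qxF "[$role]" "$conf"
}

# On the deployer:
#   stage_role_app "$SPLUNK_HOME/etc/shcluster/apps"
#   splunk apply shcluster-bundle -target https://<member>:8089 -auth <user>:<password>
# On each member, after removing the hand-edited stanza:
#   has_stale_override "$SPLUNK_HOME/etc/system/local/authorize.conf" role_user_a
#   splunk btool --debug authorize list role_user_a
```

After the push, the btool paths for the srchIndexes* settings should point at the app rather than at etc/system/local.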