Security

Permissions in cluster

seilemor
Engager

Hi,

I'm migrating from my old standalone Splunk system to a Splunk cluster with the following systems:
- 1 Searchhead
- 1 Masternode
- 3 Peernodes

In my old system I have multiple roles with different access permissions based on indices. In the role configuration I can simply activate permission on an index or not.

In the new cluster the indices will be configured on the master node within "../etc/master-apps/*".

Here are my questions:
- Is there anywhere in Splunk a graphical interface to manage the indices which will be replicated? Under Settings -> Indices I can only see the local indices but not the replicated ones.
- The permissions for the cluster will be configured at the searchhead, correct? If I must now configure a new role which has, for example, only permissions to the index "cluster_index_1", I cannot simply activate the index in the role configuration because my system does not see all the available indices. Is it necessary to create at the searchhead all the indices which are available in the cluster so that I can choose them in the role configuration?

For me the configuration of a Splunk cluster is currently not a straightforward thing. There are different locations where I must configure something.

Thanks and best regards
seilemor


harsmarvania57
SplunkTrust

Hi @seilemor,

1.) You mentioned that you are not able to see replicated indices under Settings -> Indices. Can you please define "replicated indices", and on which Splunk server are you checking this?
2.) Yes, you can just assign an index to an existing role or create a new role on the search head with the required indexes. But as you mentioned that you are not able to see all indexes while configuring the role, can you please let us know how your search head is connected to the indexers? You need to configure the search head so that it points to the cluster master and searches data from the indexer cluster. Please refer to http://docs.splunk.com/Documentation/Splunk/6.4.1/Indexer/Configuresearchheadwithserverconf

EDIT: 1.) I have provided the wrong link to integrate a standalone search head with an indexer cluster.
2.) Provided the correct URL to configure a search head with an indexer cluster.

seilemor
Engager

Hi and thanks for the quick answer.

By a replicated index I mean those indices which will be mirrored on my peer nodes. I can see these indices within "Settings -> Distributed Environment -> Indexer Clustering -> Indexes". I search for the indices on the master node.

Searching data from the searchhead is possible. The only question is how I can restrict some roles and users to specific indices which are replicated from my master node to my peer nodes. I think that this is only possible if I also create the indices on my searchhead (only so that they are available and can be chosen in the role configuration, for example with a size of 1MB, because I only use them to control the permissions).

harsmarvania57
SplunkTrust

1.) The indexes which are shown on the Cluster Master under Settings -> Distributed Environment -> Indexer Clustering -> Indexes are the indexes available on the indexers. If you go to Settings -> Indexes on the Cluster Master, you will be able to see only the local indexes which are available on the Cluster Master.

2.) Why are you applying role configuration from the Cluster Master to the indexers? Role configuration is only required on the search head. When the search head tries to search any data from the indexers, it will pass the knowledge bundle, which contains the role configuration and many other settings, so you do not need to push role configuration from the Cluster Master to the indexers.

seilemor
Engager

I don't want to apply role configuration from the cluster master to my indexers.

The requirement:
I want to have a Role A and a Role B. Role A has permissions to the Index 123 and Role B should have permission for the Index ABC. Neither role should have permission to the other index.

Current configuration:
On my master node I have configured within $SPLUNKHOME/etc/master-apps/_cluster/local/indexes.conf the necessary Index 123 and Index ABC. Both configurations have the setting repFactor = auto so that these index configurations will be replicated to the peer nodes. On my peer nodes I can see the configuration regarding the indices within Settings -> Indexes.

To finalize my configuration I must now configure the roles at my searchhead regarding the described requirements.
Role A = Index 123
Role B = Index ABC

The problem:
Within my role configuration on my searchhead I don't see the available indices. That means that I cannot choose within the role configuration for which index the role should be permitted.

Question:
How can I handle this problem?

harsmarvania57
SplunkTrust

You need to configure the search head so that it points to the cluster master and searches data from the indexer cluster. Please refer to http://docs.splunk.com/Documentation/Splunk/6.4.1/Indexer/Configuresearchheadwithserverconf

seilemor
Engager

Searching the data is not the problem. From the searchhead I can search all the data which are available on the peer nodes.

The problem is the permission of the users. I want that the user can only search within some dedicated indices. The user should not have the ability to search through all data which are available on the peer nodes.

harsmarvania57
SplunkTrust

OK, so can you please let me know: when you try to configure the role on the search head, are you able to see any indexes which are present on the indexers? If not, then can you please try to create a blank Index 123 on the search head and then try again to configure the role.

EDIT: If you are running Splunk 7 then you are hitting a bug; ref link https://answers.splunk.com/answers/583581/indexes-are-not-available-to-select-from-available-1.html

seilemor
Engager

That's it. Thanks. I have the same issue as described in the linked question. I've also tested what happens if I manually create the index as you described. This works for me. In my first question of this thread I only wanted to know if this is normal or if I have an issue in my configuration. Now I know that it is a bug.

harsmarvania57
SplunkTrust

Thanks, I have converted my comment to answer, if you are satisfied with the answer then please accept as answer and upvote.
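
The role separation asked for in this thread (Role A limited to Index 123, Role B to Index ABC) ends up as `srchIndexesAllowed` settings in `authorize.conf` on the search head. As an added example that is not part of the original thread, the Python check below resolves each role's effective index patterns, including those inherited through `importRoles`, and reports any role that can reach an index it should not. The role names, index names and sample configuration are constructed for illustration.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample of a search head's authorize.conf (role and index names are assumptions).
SAMPLE_AUTHORIZE_CONF = """
[role_a]
srchIndexesAllowed = index_123

[role_b]
importRoles = user
srchIndexesAllowed = index_abc

[role_user]
srchIndexesAllowed = *
"""

def load_roles(conf_text):
    """Parse [role_*] stanzas into {role: {"allowed": [...], "imports": [...]}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    def items(section, key):  # both settings are semicolon-separated lists
        return [v.strip() for v in cp.get(section, key, fallback="").split(";") if v.strip()]
    return {s[len("role_"):]: {"allowed": items(s, "srchIndexesAllowed"),
                               "imports": items(s, "importRoles")}
            for s in cp.sections() if s.startswith("role_")}

def effective_patterns(roles, name, seen=None):
    """Own index patterns plus those inherited from every imported role."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    patterns = set(roles[name]["allowed"])
    for parent in roles[name]["imports"]:
        patterns |= effective_patterns(roles, parent, seen)
    return patterns

def can_search(patterns, index):
    """Wildcards reach internal indexes (leading "_") only if the pattern starts with "_"."""
    return any(fnmatchcase(index, p) and (p.startswith("_") or not index.startswith("_"))
               for p in patterns)

def violations(conf_text, policy):
    """policy: role -> set of indexes it may search. Returns sorted (role, index) breaches."""
    roles = load_roles(conf_text)
    every_index = set().union(*policy.values())
    return sorted((role, idx) for role, permitted in policy.items()
                  for idx in every_index - permitted
                  if can_search(effective_patterns(roles, role), idx))

if __name__ == "__main__":
    print(violations(SAMPLE_AUTHORIZE_CONF, {"a": {"index_123"}, "b": {"index_abc"}}))
```

In the constructed sample, role `b` is flagged because the wildcard it inherits from the imported role also matches `index_123`, even though its own stanza lists only `index_abc`.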
