I am migrating from a stand-alone Splunk machine to a search head cluster + indexer cluster architecture. I read many articles but still couldn't figure out the proper way to migrate the roles (authorize.conf) to my new Search Head Cluster.
Questions:
$SPLUNK_HOME/etc/shcluster/system/local
on my deployer machine? The official doc (https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Migratefromstandalonesearchheads) only mentions the apps/
and users/
subfolder under etc/shcluster
, so I got a feeling that only these two subfolders will get pushed when I apply the config bundle.Thanks.
- Patrick
1.) It depends. - You can certainly use a deployer to push the athorize.conf file to your index peers, however you need to be mindful of the fact that if you choose to make changes to roles via the UI, these will not get copied back to the deployer.
This is not an issue as long as you realize that you may need to check in more than one place for these configuration changes in the future, and you frequently 'merge' your local setting (from SHC members) with the master copy on the deployer. This is one of the management overheads SHC brings.
You are of course able to make all your user and role changes on the SHC members, but the drawback of that approach is if ever your SHC disastrously falls over, you may have to start from scratch and add each role again manually.
Personally, I push roles from the deployer, and manage them all from there. I get sad if people make changes to roles on the UI without letting me know!