I am trying to create a new process to have a service (non-admin) account adding new Search Heads into a cluster. Specifically, need enough capabilities to to have the service account initialize and add a search head to a cluster. I want to avoid giving "admin-all-objects" as its too much privilege and want to adhere to least-priv policy.
I created a new local account and added it to the deployer, SH cluster, and the new SH. I then added capabilities related to SH clustering so that i can have this service account initialize and add SH to a cluster. However, i am getting errors related to permissions.
Capabilities added:
edit_restmap |
edit_search_head_clustering |
edit_search_server |
edit_server |
list_search_head_clustering |
rest_apps_management |
rest_apps_view |
rest_properties_get |
rest_properties_set |
restart_splunkd |
Error when trying to initialize SH:
/opt/splunk/bin/splunk init shcluster-config <CLUSTER INFO>>
User 'shcluster_config' with roles { shcluster_config, user-shcluster_config } cannot write: /nobody/system/server { read : [ * ], write : [ admin ] }, removable: no
Anybody know what capability i need to give this service account enough access to add new SHs to a cluster?
Thank you
The answer is in the error message.
write : [ admin ]
means only an admin can write to that service. In this case, admin is least-priv.
I'm pretty sure admin means admin. You can try setting individual capabilities in a custom role until you hit upon the right combination if you want, though.
yes that makes sense. But do you know if its possible if we can change the write permission so it can include another role ?
That I don't know.