Security

User authentication with remote search heads

acidkewpie
Path Finder

Hi,

I'm building a cluster which will be authenticated against AD via LDAP. We will also be permitting a 3rd party to query the indexers from their own search head. How would user authentication work in this model? On the indexers we restrict certain roles to certain indexes, but I'm unclear what level of authentication will be inspected for the queries from the remote SH, which will manage its own users independently. How would an admin user be identified by the indexes compared to a normal user? Will we have to duplicate their users into our AD for account lookups and presume they are legitimately pre-authenticated? Does the search call also send the roles that user has from their Search Head?

0 Karma

David
Splunk Employee

All Splunk user authentication is handled on the search heads. If you grant a third party controlled search head access to your indexers, they will have full and complete access to your data, and it will be totally up to them to control access to indexes.

There are two ways that you might approach this problem. The first is, if it's a friendly third party, you could provide them with your set of roles and then ask that they do their authentication in alignment with that. In some situations I've heard of the central org taking ownership of the remote search head and just managing it.

The second way is that you could segment your indexers into two groups -- one that has sensitive data and one that doesn't. This adds more complexity to the environment because you have to route either hosts to different sets of indexers (e.g., web servers to one, internal servers to another) or route based on different data sources (e.g., PCI data to a couple of dedicated indexers, all other data to the normal sets). More complexity, but by controlling where the data is sent you get to control what indexers the third party search head is allowed to hit, and thus what data they can see.
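The two approaches above, written out as Splunk .conf fragments. This is an added example and not part of the original answer or of any Splunk documentation; the hostnames, ports, monitor paths, index names and the role name `partner_analyst` are assumptions for illustration. The first fragment covers approach 1 (a shared role definition whose index restrictions are enforced on the search head that runs the search, not on the indexers); the rest cover approach 2 (two tcpout groups on the forwarders, per-input routing of sensitive sources, and a search-peer list on the partner search head that simply omits the sensitive indexers).

```ini
# --- Approach 1: agree on a role set with the partner ---
# authorize.conf on the partner's search head (and on yours, so the
# definitions match). srchIndexesAllowed is evaluated by the search head
# that runs the search; the indexers trust that search head.
[role_partner_analyst]
importRoles = user
srchIndexesAllowed = web;proxy
srchIndexesDefault = web
# "pci" and "hr" are deliberately absent: a search from this role never
# requests those indexes, but nothing on the indexers enforces that.

# --- Approach 2: segment indexers and route data by source ---
# outputs.conf on every forwarder: one tcpout group per indexer set.
[tcpout]
defaultGroup = general_indexers

[tcpout:general_indexers]
server = idx-gen1.example.com:9997, idx-gen2.example.com:9997

[tcpout:sensitive_indexers]
server = idx-pci1.example.com:9997, idx-pci2.example.com:9997

# inputs.conf on the forwarders that collect sensitive sources (assumed
# paths). _TCP_ROUTING overrides defaultGroup for that input only.
[monitor:///var/log/payments/]
sourcetype = pci:payments
index = pci
_TCP_ROUTING = sensitive_indexers

[monitor:///var/log/nginx/access.log]
sourcetype = nginx:access
index = web
# no _TCP_ROUTING here: this input falls through to general_indexers

# distsearch.conf on the partner's search head: only the general indexers
# are search peers, so the sensitive set is unreachable from that head
# regardless of which roles or users it defines.
[distributedSearch]
servers = https://idx-gen1.example.com:8089, https://idx-gen2.example.com:8089
```

Two caveats a practitioner would check. First, with approach 1 nothing technical stops the partner from editing `srchIndexesAllowed` on their own search head; the control is contractual, which is why the answer mentions taking ownership of the remote search head. Second, if the indexers are an indexer cluster, a search head that is pointed at the cluster manager searches every peer in that cluster, so "two groups" in approach 2 means two separate clusters (or standalone peers), not two subsets of one cluster.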
