About pass-through authentication
To search a virtual index, Hunk requests MapReduce jobs and accesses HDFS files. By default, Hunk does this as the Hunk superuser. Using pass-through authentication, however, you can control which Hunk users submit MapReduce jobs and access HDFS files. You can also specify which queue the MapReduce jobs should use.
About Hunk Superusers, Hunk users, and Hadoop users
A Hunk Superuser is one (or all) of the following:
- The user used to install the Splunk search head.
- The Kerberos keytab user for a provider.
Hadoop users are users which a Hadoop cluster lets:
- Submit MapReduce jobs.
- Access HDFS, assuming it uses the operating system users/groups for your nodes, as Hadoop generally does by default. (It may work differently if you configured your Hadoop cluster differently.)
How pass-through authentication works with your users
Pass-through authentication lets you make the Hunk Superuser a proxy for any number of configured Hunk users. This way, Hunk users can act as Hadoop users to own the associated jobs, tasks, and files in Hadoop (and you can limit access to files in HDFS.)
Hunk users can be created via Hunk's native user functionality or LDAP , for more information about setting up users, see the following topics in the Splunk Enterprise Securing Splunk manual:
Ways you can use pass-through authentication
The following use cases describes common ways you might use pass-through authentication:
- One Hunk user to one Hadoop user: For example, you might want your Hunk user to act as a Hadoop user associated with a specific queue or data set. In this case you simply map your Hunk user to a specific user in Hadoop. For example, the Hunk user name is "msantos", but on the Hadoop cluster, the name is "mattsantos" and queue is "Products."
- Many Hunk user to one Hadoop Users: You might want multiple Hunk users to act as a Hadoop user. For example, all of the below Hunk users could run as the "Executive" user on Hadoop, and are assigned the queue "Products:"
- Hunk user(s) to same Hadoop user with different queues: You can also run Hunk users as the same Hadoop user, but assign them different queues. For example, the Hunk users in the last example run as the "Executive" user on Hadoop, and are assigned the queue "Products". But are respectively assigned to the following queues:
- jbartlett runs as user "Executive" and is assigned the queue "prod-admin."
- lmcgarry runs as user "Executive" and is assigned the queue "prod-staff."
- jlyman runs as user "Executive" and is assigned the queue "prod-staff."
Configure Hunk to use a streaming resource library
Configure pass-through authentication in the Hunk user interface
This documentation applies to the following versions of Hunk®(Legacy): 6.1, 6.1.1, 6.1.2, 6.1.3, 6.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11