Splunk® Enterprise

Search Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Service accounts and federated search security

Before you define a remote Splunk platform deployment as a federated provider, create a service account on that remote deployment. The service account enables secure communication between the federated search head on your local Splunk platform deployment and the federated provider.

For the purposes of federated search, an internal REST API endpoint on port 8089 facilitates communication between local and remote Splunk platform search heads using HTTPS with TLS 1.2 encryption. You can set up HTTPS proxy data transmission for federated search. Federated search does not support HTTP proxy data transmission.

For more information about configuring a Splunk Enterprise deployment to use an HTTP proxy server, see Configure splunkd to use your HTTP Proxy Server.

Federated search security models

A service account enables different security models depending on whether you define it on the remote search head of a standard mode federated provider or transparent mode federated provider.

Federated provider mode Security model Description
Standard mode Access control is on the side of the remote deployment. Data access privileges and restrictions for the portion of a federated search running on the remote search head derive from the service account role on the standard mode federated provider. Users running federated searches on the local deployment delegate their data access privileges and restrictions to the role of this remote service account.
Transparent mode Access control is on the side of the local deployment. Data access privileges and restrictions for the portion of a federated search running on the remote search head derive from the role of the user running the search on the local deployment.

Application of local user data access privileges and restrictions to federated searches takes place only when the service account role on the transparent mode federated provider has the fsh_manage capability.

For more information about the standard and transparent federated provider modes, see About federated search.

Step one: Create a service account role on the remote deployment

To set up a federated provider service account on a remote deployment, you must first create an appropriate service account role on that deployment. This task differs depending on whether the federated provider you are setting up the service account for will use standard mode or transparent mode.

If the federated provider will use standard mode

If you plan to define the remote deployment as a standard mode federated provider, create a new service account role on the remote deployment. This is the role you'll give to the service account user for the federated provider in the following task. This role sets the data access privileges and restrictions for all federated searches run over this federated provider.

See Create and manage roles with Splunk Web, in the Securing the Splunk Platform manual.

  1. On the remote deployment, in Splunk Web, navigate to Settings > Roles.
  2. Select New Role.
  3. Give the role a unique Name.

    Role names must use lowercase characters only. They cannot contain spaces, colons, or forward slashes. You cannot edit the names of existing roles.

  4. Ensure that the role has appropriate access to data on the remote deployment for the federated searches your users will be running. Specify role inheritance, capabilities, searchable indexes, search restrictions, and search-related limits.
    To ensure that the service account role has the essential capabilities for running searches, make sure the role inherits its baseline capabilities from the User role.
  5. Select Save.

Service account roles for standard mode federated providers must also have read permissions for any remote datasets that you expect your federated search users to access through federated indexes. For example, if you are going to set up a federated index that maps to a data model on a federated provider, make sure that the service account role for that federated provider has read permissions for that data model.

For more information about setting permissions for knowledge objects like saved searches and data models, see Manage knowledge object permissions.

If the federated provider will use transparent mode

If you plan to define the remote deployment as a transparent mode federated provider, create a new service account role on the remote deployment and give the role the fsh_manage and search capabilities. This is the role you'll give to the service account user for the federated provider.

When you give the federated provider service account a role with the fsh_manage capability, you grant the admin of the federated search head on the local deployment the privilege to authorize access to indexes and data on the federated provider. The search capability ensures that searches can run over the transparent mode provider.

If the service account user for a transparent mode federated provider does not have a role with the fsh_manage and search capabilities, that federated provider rejects all federated search requests that reach it.

See Create and manage roles with Splunk Web, in the Securing the Splunk Platform manual.

  1. On the remote deployment, in Splunk Web, navigate to Settings > Roles.
  2. Select New Role.
  3. Give the role a unique Name.

    Role names must use lowercase characters only. They cannot contain spaces, colons, or forward slashes. You cannot edit the names of existing roles.

  4. Select 2. Capabilities to display the contents of the Capabilities tab.
  5. Select the fsh_manage and search capabilities.
    No other role settings are required. When you run a federated search over this provider, the remote search head applies the role of the user running the search. This service account role facilitates access to the federated provider, nothing more.
  6. Select Save.

Step two: Create a new service account user on the remote deployment and assign the role to it

The next step in creating a federated provider service account is creating a service account user on the remote deployment. This user is the service account for the federated provider. Assign the role you identified or created in the first step to this service account user.

This step is the same whether your federated provider will use standard mode or transparent mode.

See Create and manage users with Splunk Web, in the Securing the Splunk Platform manual.

  1. On the remote deployment, in Splunk Web, navigate to Settings > Users.
  2. Select New user.
  3. Give the service account user a name, password, and time zone.
  4. Give this user the remote deployment role you defined or identified in the previous task.
  5. Deselect the Require password change on first login option.
  6. Select Save.
  7. Save a record of the username and password for the service account.
    You need these credentials for the Service Account Username and Service Account Password fields when you create the federated provider definition for the remote deployment.

See Define a federated provider.

Additional security for standard mode federated providers: Federated indexes

When you define a remote deployment as a standard mode federated provider, you also create federated indexes on the federated search head of your local deployment. See Create a federated index.

On your local deployment, you must define additional role-based access control rules that identify the federated indexes to which your users have access. Each federated index on your local deployment maps to a single dataset on a standard mode federated provider, so this practice ensures that specific roles have access only to specific remote datasets.

After you create federated indexes, follow these steps.

  1. On the local deployment, in Splunk Web, navigate to Settings > Roles.
  2. Select the name of a role that you have associated to users who run federated searches.
  3. Select 3. Indexes to display the contents of the Indexes tab.
  4. Locate the federated indexes you have defined. All federated index names in the Indexes list begin with federated:.
  5. Select Included for a federated index to enable users with this role to see search results from that index.

    If Included is not selected for any federated indexes, users with this role cannot run federated searches over standard mode federated providers.

  6. To save all of the changes you have made and close the dialog box, select Save.

See Create and manage roles with Splunk Web, in the Securing the Splunk Platform manual.

Last modified on 26 September, 2022
PREVIOUS
Migrate from hybrid search to federated search
  NEXT
Set the app context for standard mode federated providers

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters