Splunk® Enterprise

Search Manual



This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Service accounts and federated search security

Before you define a remote Splunk platform deployment as a federated provider, create a service account on that remote deployment. The service account enables secure communication between the federated search head on your local Splunk platform deployment and the federated provider.

This topic also explains that federated search communicates over HTTPS with TLS 1.2 encryption.

Federated search security models

A service account enables different security models depending on whether you define it on the remote search head of a standard mode federated provider or of a transparent mode federated provider.

Security model by federated provider mode:

Standard mode: The role-based access control permissions for the service account user on the federated provider determine what your local users can search on the federated provider. In addition, access to federated indexes is role-based, which allows you to restrict your local users' ability to search remote datasets on the federated provider.

Transparent mode: The role-based access control permissions for your local users determine what your users can search on the federated provider. In addition, to activate transparent mode federated search capabilities for the federated provider, the service account must have the fsh_manage capability.

For more information about the standard and transparent federated provider modes, see About federated search.

Step one: Create a service account role on the remote deployment

To set up a federated provider service account on a remote deployment, you must first create an appropriate service account role on that deployment. This task differs depending on whether the federated provider you are setting up the service account for will use standard mode or transparent mode.

It is not necessary for service account roles to inherit capabilities from, or be otherwise equivalent to, the admin, sc_admin, or power roles. They need only the capabilities necessary to run searches, which the user role already provides.

If the federated provider will use standard mode

If you plan to define the remote deployment as a standard mode federated provider, create a new service account role on the remote deployment. This is the role you'll give to the service account user for the federated provider in the following task. This role sets the data access privileges and restrictions for all federated searches run over this federated provider.

See Create and manage roles with Splunk Web, in the Securing the Splunk Platform manual.

  1. On the remote deployment, in Splunk Web, navigate to Settings > Roles.
  2. Select New Role.
  3. Give the role a unique Name.

    Role names must use lowercase characters only. They cannot contain spaces, colons, or forward slashes. You cannot edit the names of existing roles.

  4. Select the role name to continue role setup.
  5. On the Inheritance tab of Edit Roles, ensure that the service account role has the essential capabilities for running searches by selecting the User role.

    Do not have the service account role inherit from the admin, sc_admin, or power roles. Do not give the service account role capabilities that are equivalent to those roles.
  6. Use the other Edit Roles tabs to ensure that the role has appropriate access to data on the remote deployment for the federated searches your users will be running. Specify role capabilities, searchable indexes, search restrictions, and search-related limits.
  7. Select Save.

Service account roles for standard mode federated providers must also have read permissions for any remote datasets that you expect your federated search users to access through federated indexes. For example, if you are going to set up a federated index that maps to a data model on a federated provider, make sure that the service account role for that federated provider has read permissions for that data model.

For more information about setting permissions for knowledge objects like saved searches and data models, see Manage knowledge object permissions.

If the federated provider will use transparent mode

If you plan to define the remote deployment as a transparent mode federated provider, create a new service account role on the remote deployment and give the role the fsh_manage and search capabilities. This is the role you'll give to the service account user for the federated provider.

When you give the federated provider service account a role with the fsh_manage capability, you grant the admin of the federated search head on the local deployment the privilege to authorize access to indexes and data on the federated provider. The search capability ensures that searches can run over the transparent mode provider.

If the service account user for a transparent mode federated provider does not have a role with the fsh_manage and search capabilities, that federated provider rejects all federated search requests that reach it.

See Create and manage roles with Splunk Web, in the Securing the Splunk Platform manual.

  1. On the remote deployment, in Splunk Web, navigate to Settings > Roles.
  2. Select New Role.
  3. Give the role a unique Name.

    Role names must use lowercase characters only. They cannot contain spaces, colons, or forward slashes. You cannot edit the names of existing roles.

  4. Select the role name to continue role setup.
  5. Open the Capabilities tab and select the fsh_manage and search capabilities.
    No other role settings are required. When you run a federated search over this provider, the remote search head applies the role of the user running the search. This service account role facilitates access to the federated provider, nothing more.
  6. Select Save.

Step two: Create a new service account user on the remote deployment and assign the role to it

The next step in creating a federated provider service account is creating a service account user on the remote deployment. This user is the service account for the federated provider. Assign the role you identified or created in the first step to this service account user.

This step is the same whether your federated provider will use standard mode or transparent mode.

See Create and manage users with Splunk Web, in the Securing the Splunk Platform manual.

  1. On the remote deployment, in Splunk Web, navigate to Settings > Users.
  2. Select New user.

    The service account user must be native to the remote Splunk deployment. Federated search does not support setup of service account users that are provisioned through identity providers like Active Directory and authentication schemes like Lightweight Directory Access Protocol (LDAP) or Security Assertion Markup Language (SAML).

  3. Give the service account user a name, password, and time zone.
  4. Give this user the remote deployment role you defined or identified in the previous task.
  5. Deselect the Require password change on first login option.
  6. Select Save.
  7. Save a record of the username and password for the service account.
    You need these credentials for the Service Account Username and Service Account Password fields when you create the federated provider definition for the remote deployment.

See Define a federated provider.

Additional security for standard mode federated providers: Federated indexes

When you define a remote deployment as a standard mode federated provider, you also create federated indexes on the federated search head of your local deployment. See Create a federated index.

On your local deployment, you must define additional role-based access control rules that identify the federated indexes to which your users have access. Each federated index on your local deployment maps to a single dataset on a standard mode federated provider, so this practice ensures that specific roles have access only to specific remote datasets.

After you create federated indexes, follow these steps.

  1. On the local deployment, in Splunk Web, navigate to Settings > Roles.
  2. Select the name of a role that you have associated to users who run federated searches.
  3. Select 3. Indexes to display the contents of the Indexes tab.
  4. Locate the federated indexes you have defined. All federated index names in the Indexes list begin with federated:.
  5. Select Included for a federated index to enable users with this role to see search results from that index.

    If you do not select Included for any federated indexes, users with this role cannot run federated searches over standard mode federated providers.

    Do not add any federated indexes to the Default index column for a role. Users who run standard mode federated searches must always reference federated indexes by name in those searches.

  6. To save all of the changes you have made and close the dialog box, select Save.
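The role rules above (steps one and two for the service account role, and the federated index rules for local roles) can be checked against a deployment's authorize.conf. The following is an added example audit script, not Splunk code; it reads constructed sample stanzas and uses the authorize.conf settings importRoles, srchIndexesAllowed, srchIndexesDefault and enabled capabilities, and the role names fsh_standard_svc, fsh_transparent_svc, bad_svc and local_analysts are invented for the sample.

```python
import configparser
# Constructed sample authorize.conf stanzas (not taken from a real deployment).
SAMPLE_AUTHORIZE_CONF = """[role_fsh_standard_svc]
importRoles = user
srchIndexesAllowed = web;firewall
[role_fsh_transparent_svc]
fsh_manage = enabled
search = enabled
[role_bad_svc]
importRoles = admin;user
fsh_manage = enabled
[role_local_analysts]
importRoles = user
srchIndexesAllowed = main;federated:remote_web
srchIndexesDefault = main;federated:remote_web
"""
PRIVILEGED = {"admin", "sc_admin", "power"}  # the page says never to inherit from these

def parse_roles(text):  # returns {role_name: {setting: value}} for every [role_*] stanza
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # authorize.conf keys are case-sensitive
    cp.read_string(text)
    return {s[5:]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def split_list(value):
    return [v for v in value.split(";") if v]  # Splunk uses ';'-separated lists

def audit_service_role(roles, name, mode):
    """Findings for a remote service account role; mode is 'standard' or 'transparent'."""
    role, findings = roles[name], []
    parents = set(split_list(role.get("importRoles", "")))
    if parents & PRIVILEGED:
        findings.append("inherits privileged role(s): " + ", ".join(sorted(parents & PRIVILEGED)))
    if "user" not in parents and role.get("search") != "enabled":
        findings.append("cannot run searches: grant the search capability or inherit user")
    if mode == "transparent" and role.get("fsh_manage") != "enabled":
        findings.append("transparent mode requires the fsh_manage capability")
    return findings

def audit_local_role(roles, name):
    """Findings for a local role whose users run standard mode federated searches."""
    role, findings = roles[name], []
    allowed = split_list(role.get("srchIndexesAllowed", ""))
    fed_default = [i for i in split_list(role.get("srchIndexesDefault", "")) if i.startswith("federated:")]
    if not any(i.startswith("federated:") for i in allowed):
        findings.append("no federated: index included; this role cannot run standard mode federated searches")
    if fed_default:
        findings.append("federated index in Default column: " + ", ".join(fed_default))
    return findings
```

Run the two audit functions over parse_roles() output from the remote deployment's authorize.conf for the service account role, and from the local deployment's authorize.conf for the roles assigned to federated search users.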

About HTTPS with TLS 1.2 encryption for federated search

For the purposes of federated search, an internal REST API endpoint on port 8089 facilitates communication between local and remote Splunk platform search heads using HTTPS with Transport Layer Security (TLS) 1.2 encryption. You can set up HTTPS proxy data transmission for federated search. Federated search does not support HTTP proxy data transmission.

For more information about configuring an HTTPS proxy server for a Splunk Enterprise deployment, see Configure splunkd to use your HTTP Proxy Server in the Splunk Enterprise Admin Manual.

For more information about configuring TLS encryption for a Splunk Enterprise deployment, see the following links in Securing Splunk Enterprise.

To set up an HTTPS proxy server and TLS encryption for a Splunk Cloud Platform deployment, contact your Support representative.

Last modified on 16 June, 2023

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9

