Service accounts and security for Federated Search for Splunk
Before you define a remote Splunk platform deployment as a federated provider, create a service account on that remote deployment. The service account facilitates secure communication between the federated search head on your local Splunk platform deployment and the federated provider.
This topic also discusses the fact that federated search supports HTTPS with TLS 1.2 encryption.
Security models for Federated Search for Splunk
A service account activates different security models depending on whether your federated provider uses standard or transparent mode.
Federated provider mode | Security model |
---|---|
Standard mode | The role-based access control permissions for the service account user on the federated provider determine what your local users can search on the federated provider. In addition, access to federated indexes is based on the roles of your local users, which allows you to restrict your local users' ability to search remote datasets on the federated provider. See Give your users role-based access control of federated indexes. |
Transparent mode | The role-based access control permissions for your local users determine what your users can search on the federated provider, with the exception of remote indexes, the access to which is governed by the remote federated provider service account. In addition, to activate transparent mode federated search capabilities for the federated provider, the service account must have the fsh_manage capability. |
For more information about the standard and transparent federated provider modes, see About Federated Search for Splunk.
Step one: Create a service account role on the remote deployment
To set up a federated provider service account on a remote deployment, you must first create an appropriate service account role on that deployment. This task differs depending on whether the federated provider you are setting up the service account for will use standard mode or transparent mode.
If the federated provider will use standard mode
If you plan to define your remote deployment as a standard mode federated provider, create a new service account role on the remote deployment. This is the role you'll give to the service account user for the federated provider in the following task. This role sets the data access privileges and restrictions for all federated searches run over this federated provider.
See Create and manage roles with Splunk Web, in the Securing the Splunk Platform manual.
- On the remote deployment, in Splunk Web, select Settings, then Roles.
- Select New Role.
- Give the role a unique Name.
Role names must use only lowercase characters. They cannot contain spaces, colons, or forward slashes. You cannot edit the names of existing roles.
- On the Inheritance tab, ensure that the service account role has the essential capabilities for running searches by selecting the User role.
Do not have the service account role inherit from the admin, sc_admin or power roles. Do not give the service account role capabilities that are equivalent to those roles. The service account role needs only to have the ability to run searches. - Use the other New Role tabs to ensure that the role has appropriate access to data on the remote deployment for the federated searches your users will be running. Specify role capabilities, searchable indexes, search restrictions, and search-related limits.
- Select Save.
Service account roles for standard mode federated providers must also have read permissions for any remote datasets that you expect your federated search users to access through federated indexes. For example, if you plan to set up a federated index that maps to a data model on a federated provider, make sure that the service account role for that federated provider has read permissions for that data model.
For more information about setting permissions for knowledge objects like saved searches and data models, see Manage knowledge object permissions in the Knowledge Manager Manual.
If the federated provider will use transparent mode
If you plan to define your remote deployment as a transparent mode federated provider, create a new service account role on the remote deployment. You must give the role the fsh_manage and search capabilities, and you must identify Included indexes for the service account role. This is the role you give to the service account user for the federated provider.
Do not have the service account role inherit from the admin, sc_admin or power roles. Do not give the service account role capabilities that are equivalent to those roles.
See Create and manage roles with Splunk Web, in Securing the Splunk Platform.
- On the remote deployment, in Splunk Web, select Settings, then Roles.
- Select New Role.
- Give the role a unique Name.
Role names must use only lowercase characters. They cannot contain spaces, colons, or forward slashes. You cannot edit the names of existing roles.
- Open the Capabilities tab and select the fsh_manage and search capabilities.
When you give the federated provider service account a role with the fsh_manage capability, you turn on transparent mode federated search for federated provider. The search capability ensures that searches can run over the transparent mode provider.
If the service account user for a transparent mode federated provider does not have a role with the fsh_manage and search capabilities, that federated provider rejects all federated search requests that reach it. - Open the Indexes tab, and select Included for the remote indexes on this federated provider that users on your local Splunk deployment can search with transparent mode federated searches.
To successfully run a transparent mode federated search, both the role of the user running the search on the local Splunk deployment and the service account role on the remote Splunk deployment must have role-based access to the same list of index names. For example, if you have the User role, and you want to run a federated search over an index named OnlineSales on a transparent mode federated provider, the following things must be true:- Your User role must have role-based access to an index on your local Splunk platform deployment named OnlineSales.
- The service account role must have role-based access to an index on the federated provider named OnlineSales.
- (Optional) In the Indexes tab, select Default indexes for the service account role. Default indexes return results for transparent mode federated searches that do not identify an index.
If you do not select a Default index, your users must identify an Included index in their federated searches to get search results from the transparent mode federated provider.
- Select Save.
Step two: Create a new service account user on the remote deployment and assign the role to it
The next step in creating a federated provider service account is creating a service account user on the remote deployment. This user is the service account for the federated provider. Assign the role you identified or created in the first step to this service account user.
This step is the same whether your federated provider will use standard mode or transparent mode.
See Create and manage users with Splunk Web, in the Securing the Splunk Platform manual.
- On the remote deployment, in Splunk Web, select Settings, then Users.
- Select New user.
The service account user must be native to the remote Splunk deployment. Federated search does not support setup of service account users that are provisioned through identity providers like Active Directory and authentication schemes like Lightweight Directory Access Protocol (LDAP) or Security Assertion Markup Language (SAML).
- Give the service account user a name, password, and time zone.
- Give this user the remote deployment role you defined or identified in the previous task.
- Deselect the Require password change on first login option.
- Select Save.
- Save a record of the username and password for the service account.
You need these credentials for the Service Account Username and Service Account Password fields when you create the federated provider definition for the remote deployment.
See Define a Splunk platform federated provider.
About HTTPS with TLS 1.2 encryption for federated search
For the purposes of federated search, an internal REST API endpoint on port 8089 facilitates communication between local and remote Splunk platform search heads using HTTPS with Transport Layer Security (TLS) 1.2 encryption. You can set up HTTPS proxy data transmission for federated search. Federated search does not support HTTP proxy data transmission.
For more information about configuring an HTTPS proxy server for a Splunk Enterprise deployment, see Configure splunkd to use your HTTP Proxy Server in the Splunk Enterprise Admin Manual.
For more information about configuring TLS encryption for a Splunk Enterprise deployment, see the following links in in Securing Splunk Enterprise.
- About TLS encryption and cipher suites
- Introduction to securing the Splunk platform with TLS
- Configure TLS certificates for inter-Splunk communication for details on activating mutually-authenticated TLS, or mTLS.
To set up an HTTPS proxy server and TLS encryption for a Splunk Cloud Platform deployment, contact your Support representative.
Migrate from hybrid search to Federated Search for Splunk | Set the app context for standard mode federated providers |
This documentation applies to the following versions of Splunk® Enterprise: 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1
Feedback submitted, thanks!