Splunk Cloud Platform

Search Manual


Service accounts and federated search security

Before you define a remote Splunk platform deployment as a federated provider, create a service account on that remote deployment. The service account enables secure communication between the federated search head on your local Splunk platform deployment and the federated provider.

For the purposes of federated search, an internal REST API endpoint on port 8089 facilitates communication between local and remote Splunk platform search heads using HTTPS with TLS 1.2 encryption. You can set up HTTPS proxy data transmission for federated search. Federated search does not support HTTP proxy data transmission.

Federated search security models

A service account enables one of two security models, depending on whether Local Knowledge Objects is enabled or disabled for the federated provider.

Local Knowledge Objects setting: Disabled
Applies to: Standard mode federated providers, by default.
Security model: Data access privileges and restrictions derive from the service account role.
Description: Users running federated searches on the local deployment delegate their data access privileges and restrictions to the role held by the service account user.
    This service account role is defined on the remote Splunk platform deployment.
    The access privileges and restrictions for the service account role apply to all federated searches that you run over the federated provider.

Local Knowledge Objects setting: Enabled
Applies to:
  • Standard mode federated providers, when you enable Local Knowledge Objects.
  • Transparent mode federated providers, always.
Security model: Data access privileges and restrictions derive from the role of the user running the federated search on the local Splunk platform deployment.
Description: Users running federated searches on the local deployment have their own role's data access privileges and restrictions applied to the federated search.
    This application of user role-based access controls takes place only when the service account role on the remote Splunk platform deployment has the fsh_manage capability.

For more information about the standard and transparent federated provider modes, see About federated search.

For more information about the Local Knowledge Objects setting, see Determine which knowledge objects are applied to federated searches.

Step one: Create a role on the remote Splunk deployment

To set up a federated provider service account on a remote Splunk deployment, you must first create an appropriate service account role on that deployment. This task differs depending on whether the federated provider for which you are setting up the service account will have Local Knowledge Objects enabled or disabled.

If the federated provider will have Local Knowledge Objects disabled

Local Knowledge Objects is disabled by default for standard mode federated providers.

If the remote Splunk platform deployment you are defining as a standard mode federated provider will have Local Knowledge Objects disabled, create a new service account role on the remote deployment. This is the role you will give to the service account user for the federated provider. This role provides the access controls for all federated searches run over this federated provider.

See Create and manage roles with Splunk Web, in the Securing the Splunk Platform manual.

  1. On the remote deployment, in Splunk Web, navigate to Settings > Roles.
  2. Click New Role.
  3. Give the role a unique Name.

    Role names must use lowercase characters only. They cannot contain spaces, colons, or forward slashes. You cannot edit the names of existing roles.

  4. Ensure that the role has appropriate access to data on the remote Splunk platform deployment for the federated searches your users will be running. Specify role inheritance, capabilities, searchable indexes, search restrictions, and search-related limits.
    To ensure that the service account role has the essential capabilities for running searches, make sure the role inherits its baseline capabilities from the User role.
  5. Click Save.

If the federated provider will have Local Knowledge Objects enabled

You can optionally enable Local Knowledge Objects for standard mode federated providers. Local Knowledge Objects is always enabled for transparent mode federated providers.

If the remote Splunk platform deployment you are defining as a federated provider will have Local Knowledge Objects enabled, create a new service account role on the remote deployment and give the role the fsh_manage capability. This is the role you will give to the service account user for the federated provider.

When you give the federated provider service account a role with the fsh_manage capability, you effectively grant the admin of the federated search head on the local Splunk deployment the privilege to authorize access to indexes on the remote deployment.

If you have Local Knowledge Objects enabled for a federated provider and that federated provider's service account does not have a role with the fsh_manage capability, that federated provider rejects all federated search requests that reach it.

See Create and manage roles with Splunk Web, in the Securing the Splunk Platform manual.

  1. On the remote deployment, in Splunk Web, navigate to Settings > Roles.
  2. Click New Role.
  3. Give the role a unique Name.

    Role names must use lowercase characters only. They cannot contain spaces, colons, or forward slashes. You cannot edit the names of existing roles.

  4. Click 2. Capabilities to display the contents of the Capabilities tab.
  5. Select the fsh_manage capability.
    No other role settings are required. When you run a federated search over this provider, the remote search head applies the role of the user running the search. This service account role facilitates access to the federated provider, nothing more.
  6. Click Save.

Step two: Create a new service account user on the remote Splunk deployment and assign the role to it

The next step in creating a federated provider service account is creating a service account user on the remote deployment. This user is the service account for the federated provider. Assign the remote deployment role you identified or created in the first step to this service account user.

This step is the same whether or not you will have Local Knowledge Objects enabled for your federated provider.

See Create and manage users with Splunk Web, in the Securing the Splunk Platform manual.

  1. On the remote deployment, in Splunk Web, navigate to Settings > Users.
  2. Click New user.

    The service account user must be native to the remote Splunk deployment. Federated search does not support setup of service account users that are provisioned through identity providers like Active Directory and authentication schemes like Lightweight Directory Access Protocol (LDAP) or Security Assertion Markup Language (SAML).

  3. Give the service account user a name, password, and time zone. The name and password will be referenced when you create your federated provider definition.
  4. Give this user the remote deployment role you defined or identified in the previous task.
  5. Deselect the Require password change on first login option.
  6. Click Save.
  7. Save a record of the user name and password for the service account.
    You need these credentials for the Service Account Username and Service Account Password fields when you create the federated provider definition for the remote Splunk platform deployment.

See Define a federated provider.

Additional security for standard mode federated providers: Federated indexes

When you define a remote Splunk platform deployment as a standard mode federated provider, you also create federated indexes on the federated search head of your local deployment. See Create a federated index.

On your local deployment, you must define additional role-based access control rules that identify the federated indexes to which your users have access. Each federated index on your local deployment maps to a single dataset on a standard mode federated provider, so this practice ensures that specific roles have access only to specific remote datasets.

After you create federated indexes, follow these steps.

  1. On the local deployment, in Splunk Web, navigate to Settings > Roles.
  2. Select the name of a role that is associated with users who run federated searches.
  3. Click 3. Indexes to display the contents of the Indexes tab.
  4. Locate the federated indexes you have defined. All federated index names in the Indexes list begin with federated:.
  5. Select Included for a federated index to enable users with this role to see search results from that index.

    If you do not select Included for any federated indexes, users with this role cannot run federated searches over standard mode federated providers.

    Do not add any federated indexes to the Default index column for a role. Users who run standard mode federated searches must always reference federated indexes by name in those searches.

  6. To save all of the changes you have made and close the dialog box, click Save.

See Create and manage roles with Splunk Web, in the Securing the Splunk Platform manual.
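The following Python is an added audit example, not Splunk's own tooling. It reads authorize.conf role stanzas and checks the two settings the procedures above configure: on the remote deployment, that a service account role holding fsh_manage carries nothing beyond that capability (the Local Knowledge Objects enabled case in step one), and on the local deployment, that federated indexes are Included for user roles but never listed as Default indexes. The stanza and key names (role_<name>, fsh_manage, srchIndexesAllowed, srchIndexesDefault) are the authorize.conf spellings of the Splunk Web settings; the sample stanzas and role names are constructed.

```python
from configparser import ConfigParser

# Constructed sample for the REMOTE deployment (the federated provider): service account roles.
REMOTE_AUTHORIZE_CONF = """[role_fsh_service]
fsh_manage = enabled
[role_fsh_service_oversized]
fsh_manage = enabled
srchIndexesAllowed = *
"""
# Constructed sample for the LOCAL deployment (the federated search head): user roles.
LOCAL_AUTHORIZE_CONF = """[role_sales_analyst]
srchIndexesAllowed = main;federated:sales_remote
srchIndexesDefault = main
[role_ops_analyst]
srchIndexesAllowed = main;federated:ops_remote
srchIndexesDefault = main;federated:ops_remote
[role_helpdesk]
srchIndexesAllowed = main
"""
FEDERATED_PREFIX = "federated:"  # every federated index name begins with this

def load_roles(conf_text):
    """Return {role_name: {key: value}} for every [role_<name>] stanza in authorize.conf text."""
    parser = ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    parser.optionxform = str  # keep key case, e.g. srchIndexesAllowed
    parser.read_string(conf_text)
    return {s[len("role_"):]: dict(parser[s]) for s in parser.sections() if s.startswith("role_")}

def indexes(settings, key):
    # Index lists in authorize.conf are semicolon separated
    return [i.strip() for i in settings.get(key, "").split(";") if i.strip()]

def audit_service_account_roles(roles):
    """Remote side: a role with fsh_manage should carry nothing beyond that capability."""
    findings = []
    for name, settings in roles.items():
        if settings.get("fsh_manage", "").lower() == "enabled":
            extras = sorted(k for k in settings if k != "fsh_manage")
            if extras:
                findings.append(f"{name}: fsh_manage role also sets {extras}")
    return findings

def audit_federated_index_roles(roles):
    """Local side: federated indexes go in srchIndexesAllowed (Included), never srchIndexesDefault."""
    findings = []
    for name, settings in roles.items():
        if any(i.startswith(FEDERATED_PREFIX) for i in indexes(settings, "srchIndexesDefault")):
            findings.append(f"{name}: federated index listed as a default index")
        if not any(i.startswith(FEDERATED_PREFIX) for i in indexes(settings, "srchIndexesAllowed")):
            findings.append(f"{name}: no federated index included, cannot run standard mode federated searches")
    return findings
```

Run each audit against the authorize.conf of the deployment it applies to; the remote and local checks are deliberately separate because the two deployments hold different roles.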

Last modified on 16 June, 2023

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202

