Service accounts and security for Federated Search for Splunk

Before you define a remote Splunk platform deployment as a federated provider, create a service account on that remote deployment. The service account facilitates secure communication between the federated search head on your local Splunk platform deployment and the federated provider.

This topic also describes how federated search secures the connection between the federated search head and the federated provider with HTTPS and TLS 1.2 encryption.

If you need to secure communication between federated search heads and remote search heads using mTLS, see Configure mutually authenticated transport layer security (mTLS) on the Splunk platform.

Security models for Federated Search for Splunk

A service account activates different security models depending on whether your federated provider uses standard or transparent mode.

Federated provider mode and security model

Standard mode
The role-based access control (RBAC) permissions for the service account user on the federated provider determine what your local users can search on the federated provider.
In addition, access to federated indexes is based on the roles of your local users, which allows you to restrict your local users' ability to search remote datasets on the federated provider. See Give your users role-based access control of federated indexes.

Transparent mode
The RBAC permissions for your local users help determine what those users can search on the federated provider. However, local RBAC permissions alone do not grant access to remote indexes on the remote search head.

For a transparent mode federated search to access a remote index, permissions must be configured in the following places:

  • On the local federated search head, the role assigned to the local user who runs the search must include permission to search the index.
  • On the remote search head, the role assigned to the federated provider service account must include permission to search the corresponding remote index.
  • On the remote search head, the role assigned to the federated provider service account must also have the fsh_manage capability. This capability turns on transparent mode federated search for the federated provider.
For example, if a local user runs a transparent mode federated search against index=web_access, the user’s role on the local federated search head must allow searches of index=web_access. On the remote search head, the federated provider service account’s role must have the fsh_manage capability and allow searches of index=web_access. These permission and capability checks validate that both the local and remote search heads allow the local user to access the remote data through transparent mode federated search.

For more information about the standard and transparent federated provider modes, see About Federated Search for Splunk.

Remote index access requirements for transparent mode federated search

For transparent federated searches, access to remote indexes is controlled by role-based access control (RBAC) through both the user’s role on the federated search head and the remote federated provider service account.

To determine whether a user has permission to access a remote index, Splunk checks access in two places:

  • On the remote search head, the federated provider service account must exist and must have access to the remote index.
  • On the local federated search head, the user’s role must allow access to the same index name. In Splunk Web, this means that the Included setting on the Indexes tab for the user’s role must include the name of the remote index that the transparent search targets.

If the remote index name is not included in the user’s role on the federated search head, a user with a low-privilege role can’t access that remote index through transparent mode federated search. This commonly happens when the index exists on the remote search head but no index with the same name exists on the federated search head. In that case the index doesn’t appear in the list of indexes on the role’s Indexes tab on the local federated search head, so an administrator can’t select it in Splunk Web to add it to the Included setting for the user’s role.

Users with the admin role are not restricted in the same way, because the admin role’s searchable indexes are defined by a wildcard that matches every index name rather than by an explicit list of existing indexes. As a result, an admin user can run a transparent mode federated search against a remote index even if an index with the same name does not exist locally on the federated search head.

For low-privilege users, if the remote index does not exist locally on the federated search head, an administrator can create a local placeholder index on the federated search head with the same name as the index on the remote search head. The placeholder index does not need to contain data. Its purpose is to make the index name available on the federated search head so that the administrator can add it to the Included setting for the role in Splunk Web. After the index name is included in the user’s role on the local federated search head, and the federated provider service account has access to the index on the remote search head, the low-privilege user can run transparent mode federated searches against that remote index.

For example, suppose the finance index exists on the remote search head, but a finance index doesn’t exist on the local federated search head. If you want a low-privilege user to run transparent mode federated searches such as index=finance, create an empty placeholder index named finance on the federated search head. Then update the user’s role on the federated search head so that finance appears in the Included setting on the Indexes tab for that role. Also make sure that the federated provider service account on the remote search head has access to the finance index. After both conditions are met, the user can search the remote finance index through transparent mode federated search.

Note:

Creating a placeholder index is only a workaround for configuring index access through Splunk Web. If the user’s role already allows access to the remote index name by another method, such as a matching wildcard pattern in the srchIndexesAllowed setting of the role's stanza in authorize.conf, or a role update made through the Splunk platform REST API, you do not need to create a placeholder index on the federated search head.
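The following Python model walks through the two-place check described above for the finance example. It is an added illustration, not Splunk's own code. It assumes authorize.conf-style srchIndexesAllowed values (a semicolon-delimited list of index names in which * is a wildcard, for example finance;web_*), and it assumes that a bare * does not match internal indexes whose names begin with an underscore, which is why the admin role is written as *;_*. The role names, index names and capability sets in the scenario are constructed for the example.

```python
"""Two-place index check for transparent mode federated search.

Added illustration only; this is not Splunk's own code. It models the
rules described in this topic using authorize.conf-style
srchIndexesAllowed values ("finance;web_*"). The handling of a leading
underscore (a bare '*' never matches _internal, so admin uses "*;_*")
is an assumption of this model.
"""
from fnmatch import fnmatchcase


def parse_allowed(srch_indexes_allowed: str) -> list[str]:
    """Split a srchIndexesAllowed value into its individual patterns."""
    return [p.strip() for p in srch_indexes_allowed.split(";") if p.strip()]


def pattern_matches(pattern: str, index: str) -> bool:
    """Case-sensitive wildcard match of one pattern against one index name."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False  # assumption: '*' alone does not reach internal indexes
    return fnmatchcase(index, pattern)


def role_allows_index(srch_indexes_allowed: str, index: str) -> bool:
    """True when any pattern in the role's allowed list matches the index."""
    return any(pattern_matches(p, index) for p in parse_allowed(srch_indexes_allowed))


def transparent_search_permitted(
    local_role_allowed: str,
    remote_sa_allowed: str,
    remote_sa_capabilities: set[str],
    index: str,
) -> tuple[bool, str]:
    """Evaluate the checks in the order this topic describes.

    1. The service account role on the remote search head needs both
       fsh_manage and search, otherwise the provider rejects the request.
    2. The service account role must be allowed to search the remote index.
    3. The local user's role must allow the same index name. This is where a
       low-privilege user fails when the index exists only on the remote
       search head and was never added to the role (by placeholder index
       or by a matching srchIndexesAllowed pattern).
    """
    missing = {"fsh_manage", "search"} - remote_sa_capabilities
    if missing:
        return False, f"provider rejects request: service account role lacks {sorted(missing)}"
    if not role_allows_index(remote_sa_allowed, index):
        return False, f"service account role on the remote search head cannot search {index}"
    if not role_allows_index(local_role_allowed, index):
        return False, f"local role does not include {index}; add it or a matching pattern"
    return True, "permitted"


if __name__ == "__main__":
    # Constructed scenario matching the finance example in this topic.
    sa_caps = {"fsh_manage", "search"}
    sa_allowed = "finance;web_access"  # Included indexes on the remote role
    cases = {
        "low-priv user, finance not in local role": "web_access",
        "low-priv user after placeholder or pattern": "web_access;fin*",
        "admin role": "*;_*",
    }
    for label, local_allowed in cases.items():
        ok, why = transparent_search_permitted(local_allowed, sa_allowed, sa_caps, "finance")
        print(f"{label:45} -> {ok} ({why})")
```

The order of the checks matters for troubleshooting: a missing fsh_manage or search capability on the service account role is reported before any index check, which matches the behaviour of a transparent mode provider rejecting every request that reaches it.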

Step one: Create a service account role on the remote deployment

To set up a federated provider service account on a remote deployment, you must first create an appropriate service account role on that deployment. This task differs depending on whether the federated provider you are setting up the service account for will use standard mode or transparent mode.

If the federated provider will use standard mode

If you plan to define your remote deployment as a standard mode federated provider, create a new service account role on the remote deployment. This is the role you'll give to the service account user for the federated provider in the following task. This role sets the data access privileges and restrictions for all federated searches run over this federated provider.

See Create and manage roles with Splunk Web, in the Securing the Splunk Platform manual.

  1. On the remote deployment, in Splunk Web, select Settings, then Roles.
  2. Select New Role.
  3. Give the role a unique Name.
    Note: Role names must use only lowercase characters. They cannot contain spaces, colons, or forward slashes. You cannot edit the names of existing roles.
  4. On the Inheritance tab, ensure that the service account role has the essential capabilities for running searches by selecting the User role.
    Do not have the service account role inherit from the admin, sc_admin or power roles. Do not give the service account role capabilities that are equivalent to those roles. The service account role needs only to have the ability to run searches.
  5. Use the other New Role tabs to ensure that the role has appropriate access to data on the remote deployment for the federated searches your users will be running. Specify role capabilities, searchable indexes, search restrictions, and search-related limits.
  6. Select Save.
Note: Service account roles for standard mode federated providers must also have read permissions for any remote datasets that you expect your federated search users to access through federated indexes. For example, if you plan to set up a federated index that maps to a data model on a federated provider, make sure that the service account role for that federated provider has read permissions for that data model.

For more information about setting permissions for knowledge objects like saved searches and data models, see Manage knowledge object permissions in the Knowledge Manager Manual.

If the federated provider will use transparent mode

If you plan to define your remote deployment as a transparent mode federated provider, create a new service account role on the remote deployment. You must give the role the fsh_manage and search capabilities, and you must identify Included indexes for the service account role. This is the role you give to the service account user for the federated provider.

Note: Do not have the service account role inherit from the admin, sc_admin or power roles. Do not give the service account role capabilities that are equivalent to those roles.

See Create and manage roles with Splunk Web, in Securing the Splunk Platform.

  1. On the remote deployment, in Splunk Web, select Settings, then Roles.
  2. Select New Role.
  3. Give the role a unique Name.
    Note: Role names must use only lowercase characters. They cannot contain spaces, colons, or forward slashes. You cannot edit the names of existing roles.
  4. Open the Capabilities tab and select the fsh_manage and search capabilities.
    When you give the federated provider service account a role with the fsh_manage capability, you turn on transparent mode federated search for that federated provider. The search capability ensures that searches can run over the transparent mode provider.
    If the service account user for a transparent mode federated provider does not have a role with both the fsh_manage and search capabilities, that federated provider rejects all federated search requests that reach it.
  5. Open the Indexes tab, and select Included for the remote indexes on this federated provider that users on your local Splunk deployment can search with transparent mode federated searches.
    To successfully run a transparent mode federated search, both the role of the user running the search on the local Splunk deployment and the service account role on the remote Splunk deployment must have role-based access to the same index names. Index names are lowercase, so this example uses online_sales. If you have the User role, and you want to run a federated search over an index named online_sales on a transparent mode federated provider, the following things must be true:
    • Your User role must have role-based access to the index name online_sales on your local Splunk platform deployment.
    • The service account role must have role-based access to the index named online_sales on the federated provider.
    If the service account role and your users' roles do not both provide role-based access to the same index names on the transparent mode federated provider, your users cannot run federated searches over that provider.
  6. (Optional) In the Indexes tab, select Default indexes for the service account role. Default indexes return results for transparent mode federated searches that do not identify an index.
    Note: If you do not select a Default index, your users must identify an Included index in their federated searches to get search results from the transparent mode federated provider.
  7. Select Save.

Step two: Create a new service account user on the remote deployment and assign the role to it

The next step in creating a federated provider service account is creating a service account user on the remote deployment. This user is the service account for the federated provider. Assign the role you identified or created in the first step to this service account user.

Note: This step is the same whether your federated provider will use standard mode or transparent mode.

See Create and manage users with Splunk Web, in the Securing the Splunk Platform manual.

  1. On the remote deployment, in Splunk Web, select Settings, then Users.
  2. Select New user.
    Note: The service account user must be native to the remote Splunk deployment. Federated search does not support setup of service account users that are provisioned through identity providers like Active Directory and authentication schemes like Lightweight Directory Access Protocol (LDAP) or Security Assertion Markup Language (SAML).
  3. Give the service account user a name, password, and time zone.
  4. Give this user the remote deployment role you defined or identified in the previous task.
  5. Deselect the Require password change on first login option.
  6. Select Save.
  7. Save a record of the username and password for the service account.
    You need these credentials for the Service Account Username and Service Account Password fields when you create the federated provider definition for the remote deployment.

See Define a Splunk platform federated provider.
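The two tasks above, creating the service account role (standard or transparent mode) and the native service account user, can be scripted against the Splunk REST API instead of Splunk Web. The following Python script is an added example, not Splunk's own tooling. It posts to the authorization/roles and authentication/users endpoints with the field names that correspond to the Splunk Web settings in the steps above (imported_roles for Inheritance, capabilities, srchIndexesAllowed for Included, srchIndexesDefault for Default, force-change-pass for the first-login password change) and enforces the constraints the steps state: lowercase role names without spaces, colons or slashes, no inheritance from admin, sc_admin or power, and fsh_manage plus search for transparent mode. The base URL, admin credentials, CA file, role name, indexes and service account name are placeholders you supply.

```python
"""Provision a federated provider service account role and user over the
Splunk REST API on the remote deployment.

Added example, not Splunk's own tooling. The endpoint paths and field
names are those of the authorization/roles and authentication/users
endpoints; all names, URLs and credentials below are placeholders.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

PRIVILEGED_ROLES = {"admin", "sc_admin", "power"}


def validate_role_name(name: str) -> str:
    """Role names must be lowercase and contain no spaces, colons or slashes."""
    if not name or name != name.lower() or any(c in name for c in " :/"):
        raise ValueError(f"invalid role name {name!r}")
    return name


def build_role_fields(name, mode, allowed_indexes, default_indexes=(), imported_roles=None):
    """Form fields for POST /services/authorization/roles.

    standard:    inherit from the user role, then restrict searchable indexes.
    transparent: grant fsh_manage and search explicitly and set the Included
                 (srchIndexesAllowed) and Default (srchIndexesDefault) indexes.
    Repeated keys are emitted as repeated form fields, as the endpoint expects.
    """
    validate_role_name(name)
    if mode == "standard":
        imported = ("user",) if imported_roles is None else tuple(imported_roles)
    elif mode == "transparent":
        imported = () if imported_roles is None else tuple(imported_roles)
    else:
        raise ValueError("mode must be 'standard' or 'transparent'")
    if PRIVILEGED_ROLES & set(imported):
        raise ValueError("service account role must not inherit from admin, sc_admin or power")
    fields = [("name", name)] + [("imported_roles", r) for r in imported]
    if mode == "transparent":
        fields += [("capabilities", "fsh_manage"), ("capabilities", "search")]
    if allowed_indexes:
        fields.append(("srchIndexesAllowed", ";".join(allowed_indexes)))
    if default_indexes:
        fields.append(("srchIndexesDefault", ";".join(default_indexes)))
    return fields


def build_user_fields(username, password, role, tz="UTC"):
    """Form fields for POST /services/authentication/users: a native Splunk
    user holding the service account role, with no forced password change."""
    return [("name", username), ("password", password), ("roles", role),
            ("tz", tz), ("force-change-pass", "false")]


def splunk_post(base_url, admin_user, admin_password, path, fields, cafile=None):
    """POST form fields to the management port with basic auth over TLS.
    Pass the deployment's CA bundle as cafile rather than disabling verification."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}{path}?output_mode=json",
        data=urllib.parse.urlencode(fields).encode(),
        method="POST",
    )
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def provision_service_account(base_url, admin_user, admin_password, role_name, mode,
                              allowed_indexes, sa_user, sa_password, cafile=None):
    """Step one and step two in order: the role must exist before the user."""
    role = splunk_post(base_url, admin_user, admin_password, "/services/authorization/roles",
                       build_role_fields(role_name, mode, allowed_indexes), cafile)
    user = splunk_post(base_url, admin_user, admin_password, "/services/authentication/users",
                       build_user_fields(sa_user, sa_password, role_name), cafile)
    return role, user


if __name__ == "__main__":
    import os
    # Dry run: print the encoded role fields. Set SPLUNK_URL, SPLUNK_ADMIN,
    # SPLUNK_ADMIN_PW and SA_PW to provision against a real remote deployment.
    fields = build_role_fields("fsh_sa_transparent", "transparent",
                               ["finance", "web_access"], default_indexes=["web_access"])
    print(urllib.parse.urlencode(fields))
    if os.environ.get("SPLUNK_URL"):
        print(provision_service_account(
            os.environ["SPLUNK_URL"], os.environ["SPLUNK_ADMIN"], os.environ["SPLUNK_ADMIN_PW"],
            "fsh_sa_transparent", "transparent", ["finance", "web_access"],
            "fsh_service_account", os.environ["SA_PW"], cafile=os.environ.get("SPLUNK_CA")))
```

Run it against the remote deployment's management port (typically https://host:8089) with an administrator account; the service account password it sets is the value you record for the Service Account Password field when you define the federated provider. The script deliberately has no option to skip certificate verification; supply the deployment's CA bundle instead.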

About HTTPS with TLS 1.2 encryption for federated search