[RFC] Dynamically Configurable Tenancy Feature #5853
Comments
Why should we make these features Dynamic? As mentioned earlier, right now we can enable/disable multi-tenancy and private-tenant by changing the YAML file and restarting the Dashboards environment of each data node. But this has some drawbacks like:
With our new approach, we will change tenancy properties using the Patch SecurityConfig API, e.g.:
We will further read this value from the authinfo API in the backend and use it in the Dashboards plugin. These API changes will be dynamic and will only require a Dashboards page refresh instead of a node restart.
Scope of the Project:
Earlier we were planning to change the dynamic section of SecurityConfig and use these values to implement our changes dynamically.
Tagging teams/people who have put some thought into multitenancy, to make sure they lay eyes on this RFC: @opensearch-project/security @jimishsh @shanilpa @kgcreative @cliu123 @zengyan-amazon @seraphjiang
Hi @abhivka7, I really like the direction you are going with this. I wanted to leave a few comments for consideration as you design and implement things:
Great work!
Thanks @scrawfor99
Default tenant is a configuration setting only for the initial login or if the user starts a new browser session. Once the user logs in and selects a different tenant, that tenant will be remembered for subsequent user logins.
Since this feature has launched, can we close this RFC?
Is your feature request related to a problem? Please describe.
Feature request: opensearch-project/security-dashboards-plugin#1302
The Dashboards security plugin offers customers the feature to have multiple tenants for each user. This feature is called multi-tenancy. Under this feature, users can have a global tenant, a private tenant and custom tenants. But having so many tenant options can cause confusion among users if they don't want to use the multi-tenancy feature. Therefore, there should be an option to enable/disable multi-tenancy and private-tenant to avoid confusion and save space on unwanted indexes.
Right now we have the option to change these options in opensearch_dashboards.yml, but that requires a restart of the Dashboards env. We want to make these changes dynamic from the Dashboards page.
Also, whenever a user logs in, the Dashboards security plugin uses the last used tenant from the previous session to log in. But there is no way to choose a default tenant when a user logs in for the first time. There should be an option to set a Default-Tenant out of all available tenants for a better user experience.
How does Multi-Tenancy work?
Dashboards stores each visualisation setting as a document. Now for each domain, there will be a common Global tenant, and each Dashboards user will have their own private tenant. Besides that, users can also create custom tenants. Each of these tenants will have a Dashboards index of its own, which is uniquely named.
Each private tenant can only be accessed by the corresponding user, whereas sharing of global and custom tenants is role-based, controlled by the Admin.
When using Dashboards, users can switch between tenants, and based on the selected tenant, the visualisation is loaded from the corresponding index.
Describe the solution you'd like
The Security Config of the Security plugin already has the property: config.dynamic.kibana.multitenancy_enabled.
We will introduce 2 new properties:
We will also make changes in the authInfo API to have three new properties:
We can set these new properties using the authInfo API and these will be used to enable/disable multi_tenancy and private_tenancy and set default_tenant. If multi_tenancy is disabled, we can remove the option to switch tenants from the Dashboards page and set the default tenant to the Global tenant. If only private_tenant is disabled, we can grey out the private_tenant option in the tenant switch panel. We are also working on what the UI should look like to choose default_tenant.
cc: @varun-lodaya @prabhat-chaturvedi @devardee
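The tenant-selection rules described in this RFC and in the default-tenant comment in this thread, sketched as an added example (not code from the plugin or from the RFC author). The function name, field names and tenant labels are hypothetical, and skipping a remembered tenant that is no longer allowed is an assumption about how a dynamic change should be enforced.

```javascript
// Added illustration; every name here is hypothetical, not the plugin's API.
const GLOBAL = 'global';    // constructed label for the Global tenant
const PRIVATE = 'private';  // constructed label for the user's private tenant

// settings: tenancy flags as they might arrive from the backend after a page refresh.
// customTenants: custom tenants the user's roles grant access to.
// remembered: tenant stored from the previous session, or null on first login.
function resolveTenant(settings, customTenants, remembered) {
  const { multitenancyEnabled, privateTenantEnabled, defaultTenant } = settings;

  // Multi-tenancy off: no switching, everyone lands in the Global tenant.
  if (!multitenancyEnabled) {
    return { tenant: GLOBAL, canSwitch: false, privateSelectable: false };
  }

  // Rebuild the allowed set on every load so a dynamic change takes effect
  // even when the remembered value predates it.
  const allowed = new Set([GLOBAL, ...customTenants]);
  if (privateTenantEnabled) allowed.add(PRIVATE);

  // Remembered tenant wins over the default; the default covers first login.
  // Assumption: a value that is no longer allowed is skipped, not trusted.
  const candidates = [remembered, defaultTenant, GLOBAL];
  const tenant = candidates.find((t) => typeof t === 'string' && allowed.has(t));

  return { tenant, canSwitch: true, privateSelectable: privateTenantEnabled };
}

// Constructed sample: the private tenant was disabled after the user last used it.
const sample = resolveTenant(
  { multitenancyEnabled: true, privateTenantEnabled: false, defaultTenant: 'finance' },
  ['finance', 'ops'],
  PRIVATE
);
console.log(sample);
```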