Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add documentation for dynamic configuration of tenancy in Dashboards #3694

Merged
merged 18 commits into from
Apr 21, 2023

Conversation

cwillum
Copy link
Contributor

@cwillum cwillum commented Apr 6, 2023

Description

This adds documentation for dynamic configuration of certain tenancy features including enabling or disabling tenancy, disabling or enabling private tenants, and setting the default tenant for all users. The documentation also includes new APIs that provide another option for configuring the same dynamic settings.

Issues Resolved

Fixes #2562

Checklist

  • By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and subject to the Developers Certificate of Origin.
    For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@cwillum cwillum added dashboards API 2 - In progress Issue/PR: The issue or PR is in progress. security release-notes PR: Include this PR in the automated release notes v2.7.0 labels Apr 6, 2023
@cwillum cwillum requested a review from a team as a code owner April 6, 2023 00:23
@cwillum cwillum self-assigned this Apr 6, 2023
* Finally, once the feature has been enabled and used in a test cluster, the feature cannot be disabled for the cluster. Disabling the feature once it has been used to work with tenants and saved objects can result in the loss of saved objects and have an impact on tenant-to-tenant functionality.
* Finally, once the feature has been enabled and used in a test cluster, the feature cannot be disabled for the cluster. Disabling the feature once it has been used to work with tenants and saved objects can result in the loss of saved objects and can have an impact on tenant-to-tenant functionality.

While aggregate view is enabled, a loss of saved objects and impact to tenant-to-tenant functionality can also occur when the larger multi-tenancy feature is disabled. This includes disabling multi-tenancy in the security `config.yml` file settings or by using dynamic configuration. Keep this in mind before enabling aggregate view for your test cluster.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@RyanL1997 I don't think there will be a loss of saved objects with respect to Aggregation view feature when multi-tenancy is disabled. Can you confirm?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@abhivka7 @RyanL1997 I understood that some changes needed to be made so that aggregate view was compatible with dynamic configuration. The result of those changes was that disabling multi-tenancy would also disable the aggregate view feature. And once both were disabled, it made the last bullet above a concern:
"Finally, once the feature has been enabled and used in a test cluster, the feature cannot be disabled for the cluster. ..."
Let's clarify this so I can make changes to the warning note if necessary. Thanks.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cwillum Basically aggregation view is only shown when multitenancy is enabled. If we disable multitenancy then there is no point in showing aggregation view. So aggregation view as a feature in itself can not be disabled once it has been enabled. But it still needs multitenancy to be enabled as a pre-requisite.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @abhivka7 and @cwillum . I will just move some of our conversation over here for references:

  1. This potential risk / known limitation existed since the launch of the aggregation view feature, referencing to the previous documentation here (https://opensearch.org/docs/latest/security/multi-tenancy/mt-agg-view/#known-limitations):

Finally, once the feature has been enabled and used in a test cluster, the feature cannot be disabled for the cluster. Disabling the feature once it has been used to work with tenants and saved objects can result in the loss of saved objects and have an impact on tenant-to-tenant functionality.

  1. According to the new feature of Dynamically Configurable Multi-tenancy, it didn't change any previous technical design of both aggregation view feature and tenancy feature. However, it does change some accessibility of multi-tenancy configuration. That's reason of @cwillum is helping us to summarizing and emphasizing some specific details of these potential user behaviors, so that we can warn user about the above risks even with a non-production environment

All in all, big thanks to both of you for the follow-ups. I think we have sorted everything clear.

Copy link

@RyanL1997 RyanL1997 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @cwillum, thanks for putting this together! Your summary of these potential behaviors is clear and accurate.

@@ -36,7 +36,7 @@ In this first experimental phase of development, there are some limitations that

* The feature can only be used in a new cluster. At this time, the feature is not suported by clusters already in use.
* Also, the feature should be used only in a test environment, not in production.
* Finally, once the feature has been enabled and used in a test cluster, the feature cannot be disabled for the cluster. Disabling the feature once it has been used to work with tenants and saved objects can result in the loss of saved objects and have an impact on tenant-to-tenant functionality.
* Finally, once the feature has been enabled and used in a test cluster, the feature cannot be disabled for the cluster. Disabling the feature once it has been used to work with tenants and saved objects can result in the loss of saved objects and can have an impact on tenant-to-tenant functionality. This can occur when disabling the feature in any one of three ways: disabling the aggregate view feature with the [feature flag]({{site.url}}{{site.baseurl}}/security/multi-tenancy/mt-agg-view/#enabling-aggregate-view-for-saved-objects/); disabling multi-tenancy with the traditional [multi-tenancy configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/multi-tenancy-config/) setting; or disabling multi-tenancy with [dynamic configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/dynamic-config/) settings.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is correct! Thanks for summarizing this up! @cwillum

Copy link
Contributor

@hdhalter hdhalter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, Chris, with a couple of suggestions. Thanks!


# Dynamic configuration in OpenSearch Dashboards

Dynamic configuration of multi-tenancy in OpenSearch Dashboards provides options to make common settings for tenancy without having to make changes to the configuration YAML files on each node and then restart the cluster. You can take advantage of this functionality by using the Dashboards interface or the REST API. The following list includes description of the options currently covered by dynamic configuration:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we avoid making this into a feature by calling out the functionality? For example, "You can dynamically configure your multi-tenancy settings in OpenSearch Dashboards without making changes to the configuration YAML files on each note and then restarting the cluster."

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see your point. But I don't want to lead out a new section with "You can...". How about ...
"Multi-tenancy includes dynamic configuration options in OpenSearch Dashboards so you can make common settings for tenancy without having to make changes to the configuration YAML files on each node and then restart the cluster."
I've revised the sentence like so.

_security/multi-tenancy/dynamic-config.md Outdated Show resolved Hide resolved
Copy link
Collaborator

@natebower natebower left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cwillum Please see my comments and changes and let me know if you have any questions. Thanks!

_security/multi-tenancy/dynamic-config.md Outdated Show resolved Hide resolved
_security/multi-tenancy/dynamic-config.md Outdated Show resolved Hide resolved
_security/multi-tenancy/dynamic-config.md Outdated Show resolved Hide resolved
_security/multi-tenancy/dynamic-config.md Outdated Show resolved Hide resolved
_security/multi-tenancy/dynamic-config.md Outdated Show resolved Hide resolved
_security/multi-tenancy/tenant-index.md Outdated Show resolved Hide resolved
_security/multi-tenancy/tenant-index.md Outdated Show resolved Hide resolved
_security/multi-tenancy/tenant-index.md Outdated Show resolved Hide resolved
_security/multi-tenancy/multi-tenancy-config.md Outdated Show resolved Hide resolved
_security/multi-tenancy/multi-tenancy-config.md Outdated Show resolved Hide resolved
Copy link
Contributor Author

@cwillum cwillum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the quick review.

_security/multi-tenancy/dynamic-config.md Outdated Show resolved Hide resolved
_security/multi-tenancy/dynamic-config.md Outdated Show resolved Hide resolved
_security/multi-tenancy/dynamic-config.md Show resolved Hide resolved
_security/multi-tenancy/dynamic-config.md Outdated Show resolved Hide resolved
_security/multi-tenancy/dynamic-config.md Outdated Show resolved Hide resolved
_security/multi-tenancy/dynamic-config.md Outdated Show resolved Hide resolved
_security/multi-tenancy/tenant-index.md Outdated Show resolved Hide resolved
@cwillum cwillum removed the 2 - In progress Issue/PR: The issue or PR is in progress. label Apr 21, 2023
@cwillum cwillum merged commit e3c6bbd into main Apr 21, 2023
vagimeli pushed a commit that referenced this pull request Apr 25, 2023
…3694)

* fix#2562 start for dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 start for dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

---------

Signed-off-by: cwillum <[email protected]>
vagimeli added a commit that referenced this pull request Apr 25, 2023
vagimeli pushed a commit that referenced this pull request May 4, 2023
…3694)

* fix#2562 start for dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 start for dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

---------

Signed-off-by: cwillum <[email protected]>
vagimeli added a commit that referenced this pull request May 4, 2023
harshavamsi pushed a commit to harshavamsi/documentation-website that referenced this pull request Oct 31, 2023
…pensearch-project#3694)

* fix#2562 start for dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 start for dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

* fix#2562 dynamic config

Signed-off-by: cwillum <[email protected]>

---------

Signed-off-by: cwillum <[email protected]>
@hdhalter hdhalter deleted the fix#2562-dynamic-config-tenants branch March 28, 2024 21:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
API dashboards release-notes PR: Include this PR in the automated release notes security v2.7.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[DOC] Document new multi-tenancy UI for management and configuration
6 participants