From 1473e58c29860a16b3c219141d603c08b1f927f7 Mon Sep 17 00:00:00 2001 From: cwillum Date: Wed, 5 Apr 2023 17:16:24 -0700 Subject: [PATCH 01/17] fix#2562 start for dynamic config Signed-off-by: cwillum --- _security/multi-tenancy/dynamic-config.md | 55 +++++++++++++++++++++++ _security/multi-tenancy/tenant-index.md | 5 ++- 2 files changed, 58 insertions(+), 2 deletions(-) create mode 100644 _security/multi-tenancy/dynamic-config.md diff --git a/_security/multi-tenancy/dynamic-config.md b/_security/multi-tenancy/dynamic-config.md new file mode 100644 index 0000000000..79b1097b92 --- /dev/null +++ b/_security/multi-tenancy/dynamic-config.md 
@@ -0,0 +1,55 @@ +--- +layout: default +title: Dynamic configuration in OpenSearch Dashboards +parent: OpenSearch Dashboards multi-tenancy +nav_order: 147 +--- + + +# Dynamic configuration in OpenSearch Dashboards + +Multi-tenancy is enabled by default, but you can disable it or change its settings using `config/opensearch-security/config.yml`: + +```yml +config: + dynamic: + kibana: + multitenancy_enabled: true + server_username: kibanaserver + index: '.kibana' + do_not_fail_on_forbidden: false +``` + +Setting | Description +:--- | :--- +`multitenancy_enabled` | Enable or disable multi-tenancy. Default is true. +`server_username` | Must match the name of the OpenSearch Dashboards server user from `opensearch_dashboards.yml`. Default is `kibanaserver`. +`index` | Must match the name of the OpenSearch Dashboards index from `opensearch_dashboards.yml`. Default is `.kibana`. +`do_not_fail_on_forbidden` | If true, the security plugin removes any content that a user is not allowed to see from search results. If false, the plugin returns a security exception. Default is false. + +`opensearch_dashboards.yml` has some additional settings: + +```yml +opensearch.username: kibanaserver +opensearch.password: kibanaserver +opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"] +opensearch_security.multitenancy.enabled: true +opensearch_security.multitenancy.tenants.enable_global: true +opensearch_security.multitenancy.tenants.enable_private: true +opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"] +opensearch_security.multitenancy.enable_filter: false +``` + +Setting | Description +:--- | :--- +`opensearch.requestHeadersAllowlist` | OpenSearch Dashboards requires that you add all HTTP headers to the allow list so that the headers pass to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. 
If the `securitytenant` header is not on the allow list, OpenSearch Dashboards starts with a red status. +`opensearch_security.multitenancy.enabled` | Enables or disables multi-tenancy in OpenSearch Dashboards. Default is true. +`opensearch_security.multitenancy.tenants.enable_global` | Enables or disables the global tenant. Default is true. +`opensearch_security.multitenancy.tenants.enable_private` | Enables or disables the private tenant. Default is true. +`opensearch_security.multitenancy.tenants.preferred` | Lets you change ordering in the **Tenants** tab of OpenSearch Dashboards. By default, the list starts with global and private (if enabled) and then proceeds alphabetically. You can add tenants here to move them to the top of the list. +`opensearch_security.multitenancy.enable_filter` | If you have many tenants, you can add a search bar to the top of the list. Default is false. + + +## Add tenants + +To create tenants, use OpenSearch Dashboards, the REST API, or `tenants.yml`. \ No newline at end of file diff --git a/_security/multi-tenancy/tenant-index.md b/_security/multi-tenancy/tenant-index.md index 755ca9725e..e21ac2a960 100644 --- a/_security/multi-tenancy/tenant-index.md +++ b/_security/multi-tenancy/tenant-index.md 
@@ -12,8 +12,9 @@ redirect_from: *Tenants* in OpenSearch Dashboards are spaces for saving index patterns, visualizations, dashboards, and other OpenSearch Dashboards objects. Tenants are useful for safely sharing your work with other OpenSearch Dashboards users. You can control which roles have access to a tenant and whether those roles have read or write access. By default, all OpenSearch Dashboards users have access to two independent tenants: -- **Private** - This tenant is exclusive to each user and can't be shared. You can't use it to access routes or index patterns made by the user's global tenant. -- **Global** - This tenant is shared between every OpenSearch Dashboards user. +- **Private** - This tenant is exclusive to each user and can't be shared. It does not allow you to access routes or index patterns made by the user's global tenant. +- **Global** - This tenant is shared between every OpenSearch Dashboards user. It does allow for sharing objects among users who have access to it. +- **Custom** - Custom tenants are created by administrators and assigned to specific roles. Once created, these tenants provide spaces for specific groups of users. The global tenant is not a *primary* tenant such that any action done within the global tenant is not replicated to a user's private tenant. If you make a change to your global tenant, you won't see that change reflected in your private tenant. Some example changes include, but are not limited to: From f7cdb2131101aba508995c903e2ae5c456be962c Mon Sep 17 00:00:00 2001 From: cwillum Date: Fri, 7 Apr 2023 14:05:44 -0700 Subject: [PATCH 02/17] fix#2562 start for dynamic config Signed-off-by: cwillum --- _security/multi-tenancy/dynamic-config.md | 18 +++++++++++++++++- _security/multi-tenancy/tenant-index.md | 8 ++++---- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/_security/multi-tenancy/dynamic-config.md b/_security/multi-tenancy/dynamic-config.md index 79b1097b92..5135510359 100644 
--- a/_security/multi-tenancy/dynamic-config.md +++ b/_security/multi-tenancy/dynamic-config.md @@ -8,7 +8,23 @@ nav_order: 147 # Dynamic configuration in OpenSearch Dashboards -Multi-tenancy is enabled by default, but you can disable it or change its settings using `config/opensearch-security/config.yml`: +Dynamic configuration of multi-tenancy in OpenSearch Dashboards provides options to make common settings for tenancy without having to make changes to the configuration YAML files on each node and then restart the cluster. You can take advantage of this functionality by using the Dashboards interface or the REST API. Dynamic settings include the ability to set the default tenant for all users, disable or enable private tenants, and disable or enable tenancy entirely for all users. The following table includes further description for the options covered by dynamic configuration: + +| Option | Description | +| :--- | :--- | +| Disable or enable multi-tenancy | Administrators can dynamically disable or enable multi-tenancy for all users. Disabling multi-tenancy poses no risk for loss of data. If and when an administrator chooses to re-enable tenancy, all previously saved objects are preserved and made available. | +| Disable or enable private tenant | This option allows administrators to disable private tenants. As with multi-tenancy as a whole, when private tenants are re-enabled all previously saved objects are preserved and made available. | +| Default tenant | This option allows an administrator to choose either a global, private, or custom tenant as the default when users sign on. In the case where a user doesn't have access to the default tenant (for example, if a custom tenant was specified as the default), the default transitions to the next preferred tenant or to the global tenant. | + +## Configuring multi-tenancy in OpenSearch Dashboards + + + + + +## Configuring multi-tenancy with the REST API + + ```yml config: 
diff --git a/_security/multi-tenancy/tenant-index.md b/_security/multi-tenancy/tenant-index.md index e21ac2a960..8307a27d9c 100644 --- a/_security/multi-tenancy/tenant-index.md +++ b/_security/multi-tenancy/tenant-index.md 
@@ -10,19 +10,19 @@ redirect_from: # OpenSearch Dashboards multi-tenancy -*Tenants* in OpenSearch Dashboards are spaces for saving index patterns, visualizations, dashboards, and other OpenSearch Dashboards objects. Tenants are useful for safely sharing your work with other OpenSearch Dashboards users. You can control which roles have access to a tenant and whether those roles have read or write access. By default, all OpenSearch Dashboards users have access to two independent tenants: +*Tenants* in OpenSearch Dashboards are spaces for saving index patterns, visualizations, dashboards, and other OpenSearch Dashboards objects. OpenSearch allows users to create multiple tenants for multiple uses. Tenants are useful for safely sharing your work with other OpenSearch Dashboards users. You can control which roles have access to a tenant and whether those roles have read or write access. By default, all OpenSearch Dashboards users have access to two independent tenants: private and global. Multi-tenancy also provides the option to create custom tenants. - **Private** - This tenant is exclusive to each user and can't be shared. It does not allow you to access routes or index patterns made by the user's global tenant. - **Global** - This tenant is shared between every OpenSearch Dashboards user. It does allow for sharing objects among users who have access to it. -- **Custom** - Custom tenants are created by administrators and assigned to specific roles. Once created, these tenants provide spaces for specific groups of users. +- **Custom** - Administrators can create custom tenants and assign them to specific roles. Once created, these tenants can then provide spaces for specific groups of users. -The global tenant is not a *primary* tenant such that any action done within the global tenant is not replicated to a user's private tenant. If you make a change to your global tenant, you won't see that change reflected in your private tenant. 
Some example changes include, but are not limited to: +The global tenant is not a *primary* tenant that replicates its content in a private tenant. To the contrary, if you make a change to your global tenant, you won't see that change reflected in your private tenant. Some example changes include, but are not limited to: - Change advanced settings - Create visualizations - Create index patterns -You might use the private tenant for exploratory work, create detailed visualizations with your team in an `analysts` tenant, and maintain a summary dashboard for corporate leadership in an `executive` tenant. +To provide a practical example, you might use the private tenant for exploratory work, create detailed visualizations with your team in an `analysts` tenant, and maintain a summary dashboard for corporate leadership in an `executive` tenant. If you share a visualization or dashboard with someone, you can see that the URL includes the tenant: From b4ca35306732310612b7836d7af8edec996b73b5 Mon Sep 17 00:00:00 2001 From: cwillum Date: Wed, 12 Apr 2023 17:51:11 -0700 Subject: [PATCH 03/17] fix#2562 dynamic config Signed-off-by: cwillum --- _security/multi-tenancy/dynamic-config.md | 96 +++++++++---------- .../multi-tenancy/multi-tenancy-config.md | 2 +- _security/multi-tenancy/tenant-index.md | 6 +- 3 files changed, 52 insertions(+), 52 deletions(-) diff --git a/_security/multi-tenancy/dynamic-config.md b/_security/multi-tenancy/dynamic-config.md index 5135510359..41c999b045 100644 --- a/_security/multi-tenancy/dynamic-config.md +++ b/_security/multi-tenancy/dynamic-config.md 
@@ -8,64 +8,62 @@ nav_order: 147 # Dynamic configuration in OpenSearch Dashboards -Dynamic configuration of multi-tenancy in OpenSearch Dashboards provides options to make common settings for tenancy without having to make changes to the configuration YAML files on each node and then restart the cluster. You can take advantage of this functionality by using the Dashboards interface or the REST API. Dynamic settings include the ability to set the default tenant for all users, disable or enable private tenants, and disable or enable tenancy entirely for all users. The following table includes further description for the options covered by dynamic configuration: +Dynamic configuration of multi-tenancy in OpenSearch Dashboards provides options to make common settings for tenancy without having to make changes to the configuration YAML files on each node and then restart the cluster. You can take advantage of this functionality by using the Dashboards interface or the REST API. The following list includes description of the options currently covered by dynamic configuration: -| Option | Description | -| :--- | :--- | -| Disable or enable multi-tenancy | Administrators can dynamically disable or enable multi-tenancy for all users. Disabling multi-tenancy poses no risk for loss of data. If and when an administrator chooses to re-enable tenancy, all previously saved objects are preserved and made available. | -| Disable or enable private tenant | This option allows administrators to disable private tenants. As with multi-tenancy as a whole, when private tenants are re-enabled all previously saved objects are preserved and made available. | -| Default tenant | This option allows an administrator to choose either a global, private, or custom tenant as the default when users sign on. 
In the case where a user doesn't have access to the default tenant (for example, if a custom tenant was specified as the default), the default transitions to the next preferred tenant or to the global tenant. | +- **Disable or enable multi-tenancy** - Administrators can disable and enable multi-tenancy dynamically. Disabling multi-tenancy does not pose a risk for loss of data. If and when an administrator chooses to re-enable tenancy, all previously saved objects are preserved and made available. The default is `true`. + This setting does not have an impact on the global tenant, which always remains enabled. + {: .note } +- **Disable or enable private tenant** - This option allows administrators to disable and enable private tenants. As with the enable multi-tenancy setting, when private tenants are re-enabled all previously saved objects are preserved and made available. +- **Default tenant** - This option allows an administrator to choose either a global, private, or custom tenant as the default when users sign on. In the case where a user doesn't have access to the default tenant (for example, if a custom tenant was specified as the default), the default transitions to the next preferred tenant for that user, or ultimately to the global tenant. + +Once you make changes to multi-tenancy with dynamic configuration and save, users are logged out of their sessions and must log back in. +{: .note } ## Configuring multi-tenancy in OpenSearch Dashboards +To make settings for multi-tenancy in Dashboards, Begin by selecting **Security** in the Dashboards home page menu. Then select **Tenancy** from the Security menu on the left side of the screen. The **Multi-tenancy** page is displayed. + +By default, the **Manage** tab is displayed. Select the **Configure** tab to display the dynamic settings for multi-tenancy. + +* In the **Multi-tenancy** field, select the **Enable tenancy** check box to enable multi-tenancy. Clear the check box to disable the feature. 
The default is `true`. +* In the **Tenants** field, you can enable or disable private tenants for users. By default the check box is selected and the feature is enabled. +* In the **Default tenant** field, use the dropdown menu to select a default tenant. The menu includes Global, Private, and any other custom tenants that are available to users. + + ## Configuring multi-tenancy with the REST API +GET /_plugins/_security/api/tenancy/config + +PUT /_plugins/_security/api/tenancy/config +{ + "multitenancy_enabled": true, + "private_tenant_enabled": true, + "default_tenant": "global tenant" +} + +PATCH /_plugins/_security/api/tenancy/config +{ + "private_tenant_enabled": false, +} + + +GET /_plugins/_security/authinfo + +PUT /_plugins/_security/authinfo +{ + "mulitenancy_enabled": true, + "private_tenant_enabled": true, + "default_tenant": "global tenant" +} + +PATCH /_plugins/_security/authinfo +{ + "private_tenant_enabled": false +} + -```yml -config: - dynamic: - kibana: - multitenancy_enabled: true - server_username: kibanaserver - index: '.kibana' - do_not_fail_on_forbidden: false -``` - -Setting | Description -:--- | :--- -`multitenancy_enabled` | Enable or disable multi-tenancy. Default is true. -`server_username` | Must match the name of the OpenSearch Dashboards server user from `opensearch_dashboards.yml`. Default is `kibanaserver`. -`index` | Must match the name of the OpenSearch Dashboards index from `opensearch_dashboards.yml`. Default is `.kibana`. -`do_not_fail_on_forbidden` | If true, the security plugin removes any content that a user is not allowed to see from search results. If false, the plugin returns a security exception. Default is false. 
- -`opensearch_dashboards.yml` has some additional settings: - -```yml -opensearch.username: kibanaserver -opensearch.password: kibanaserver -opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"] -opensearch_security.multitenancy.enabled: true -opensearch_security.multitenancy.tenants.enable_global: true -opensearch_security.multitenancy.tenants.enable_private: true -opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"] -opensearch_security.multitenancy.enable_filter: false -``` - -Setting | Description -:--- | :--- -`opensearch.requestHeadersAllowlist` | OpenSearch Dashboards requires that you add all HTTP headers to the allow list so that the headers pass to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. If the `securitytenant` header is not on the allow list, OpenSearch Dashboards starts with a red status. -`opensearch_security.multitenancy.enabled` | Enables or disables multi-tenancy in OpenSearch Dashboards. Default is true. -`opensearch_security.multitenancy.tenants.enable_global` | Enables or disables the global tenant. Default is true. -`opensearch_security.multitenancy.tenants.enable_private` | Enables or disables the private tenant. Default is true. -`opensearch_security.multitenancy.tenants.preferred` | Lets you change ordering in the **Tenants** tab of OpenSearch Dashboards. By default, the list starts with global and private (if enabled) and then proceeds alphabetically. You can add tenants here to move them to the top of the list. -`opensearch_security.multitenancy.enable_filter` | If you have many tenants, you can add a search bar to the top of the list. Default is false. - - -## Add tenants - -To create tenants, use OpenSearch Dashboards, the REST API, or `tenants.yml`. \ No newline at end of file 
diff --git a/_security/multi-tenancy/multi-tenancy-config.md b/_security/multi-tenancy/multi-tenancy-config.md index 02b64af387..af510e76c3 100644 --- a/_security/multi-tenancy/multi-tenancy-config.md +++ b/_security/multi-tenancy/multi-tenancy-config.md @@ -27,7 +27,7 @@ Setting | Description `index` | Must match the name of the OpenSearch Dashboards index from `opensearch_dashboards.yml`. Default is `.kibana`. `do_not_fail_on_forbidden` | If true, the security plugin removes any content that a user is not allowed to see from search results. If false, the plugin returns a security exception. Default is false. -`opensearch_dashboards.yml` has some additional settings: +The `opensearch_dashboards.yml` file includes additional settings: ```yml opensearch.username: kibanaserver diff --git a/_security/multi-tenancy/tenant-index.md b/_security/multi-tenancy/tenant-index.md index 8307a27d9c..7d4ec1620d 100644 --- a/_security/multi-tenancy/tenant-index.md +++ b/_security/multi-tenancy/tenant-index.md @@ -16,7 +16,7 @@ redirect_from: - **Global** - This tenant is shared between every OpenSearch Dashboards user. It does allow for sharing objects among users who have access to it. - **Custom** - Administrators can create custom tenants and assign them to specific roles. Once created, these tenants can then provide spaces for specific groups of users. -The global tenant is not a *primary* tenant that replicates its content in a private tenant. To the contrary, if you make a change to your global tenant, you won't see that change reflected in your private tenant. Some example changes include, but are not limited to: +The global tenant is not a *primary* tenant in the sense that it replicates its content in a private tenant. To the contrary, if you make a change to your global tenant, you won't see that change reflected in your private tenant. Some example changes include, but are not limited to: - Change advanced settings - Create visualizations 
@@ -32,5 +32,7 @@ http://:5601/app/opensearch-dashboards?security_tena ## Next steps -To get started with tenants, see [Multi-tenancy configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/multi-tenancy-config/) for information on enabling multi-tenancy, adding tenants, and assigning roles to tenants. +To get started with tenants, see [Multi-tenancy configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/multi-tenancy-config/) for information about enabling multi-tenancy, adding tenants, and assigning roles to tenants. + +To see information about making dynamic changes to the multi-tenancy configuration, see [Dynamic configuration in OpenSearch Dashboards]({{site.url}}{{site.baseurl}}/security/multi-tenancy/dynamic-config/). From c13e4a770174931521b3cb29eabe9b784d208039 Mon Sep 17 00:00:00 2001 From: cwillum Date: Thu, 13 Apr 2023 10:39:39 -0700 Subject: [PATCH 04/17] fix#2562 dynamic config Signed-off-by: cwillum --- _security/multi-tenancy/dynamic-config.md | 27 ++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/_security/multi-tenancy/dynamic-config.md b/_security/multi-tenancy/dynamic-config.md index 41c999b045..ffd91200bf 100644 --- a/_security/multi-tenancy/dynamic-config.md +++ b/_security/multi-tenancy/dynamic-config.md 
@@ -11,8 +11,10 @@ nav_order: 147 Dynamic configuration of multi-tenancy in OpenSearch Dashboards provides options to make common settings for tenancy without having to make changes to the configuration YAML files on each node and then restart the cluster. You can take advantage of this functionality by using the Dashboards interface or the REST API. The following list includes description of the options currently covered by dynamic configuration: - **Disable or enable multi-tenancy** - Administrators can disable and enable multi-tenancy dynamically. Disabling multi-tenancy does not pose a risk for loss of data. If and when an administrator chooses to re-enable tenancy, all previously saved objects are preserved and made available. The default is `true`. - This setting does not have an impact on the global tenant, which always remains enabled. - {: .note } + + This setting does not have an impact on the global tenant, which always remains enabled. + {: .note } + - **Disable or enable private tenant** - This option allows administrators to disable and enable private tenants. As with the enable multi-tenancy setting, when private tenants are re-enabled all previously saved objects are preserved and made available. - **Default tenant** - This option allows an administrator to choose either a global, private, or custom tenant as the default when users sign on. In the case where a user doesn't have access to the default tenant (for example, if a custom tenant was specified as the default), the default transitions to the next preferred tenant for that user, or ultimately to the global tenant. 
@@ -29,12 +31,31 @@ By default, the **Manage** tab is displayed. Select the **Configure** tab to dis * In the **Tenants** field, you can enable or disable private tenants for users. By default the check box is selected and the feature is enabled. * In the **Default tenant** field, use the dropdown menu to select a default tenant. The menu includes Global, Private, and any other custom tenants that are available to users. +After making selections, select **Save** in the lower right corner of the window. The changes are implemented dynamically. +## Configuring multi-tenancy with the REST API +In addition to the Dashboards interface, dynamic configurations can be made using the REST API. +```json +GET /_plugins/_security/authinfo +``` +```json +PUT /_plugins/_security/authinfo +{ + "mulitenancy_enabled": true, + "private_tenant_enabled": true, + "default_tenant": "global tenant" +} +``` -## Configuring multi-tenancy with the REST API +```json +PATCH /_plugins/_security/authinfo +{ + "private_tenant_enabled": false +} +``` GET /_plugins/_security/api/tenancy/config From 4002722a02e4a0d1ff9e76468f6099f381c8df35 Mon Sep 17 00:00:00 2001 From: cwillum Date: Tue, 18 Apr 2023 11:36:44 -0700 Subject: [PATCH 05/17] fix#2562 dynamic config Signed-off-by: cwillum --- _security/multi-tenancy/dynamic-config.md | 66 ++++++++++++------- _security/multi-tenancy/mt-agg-view.md | 5 +- .../multi-tenancy/multi-tenancy-config.md | 32 +++++---- 3 files changed, 63 insertions(+), 40 deletions(-) diff --git a/_security/multi-tenancy/dynamic-config.md b/_security/multi-tenancy/dynamic-config.md index ffd91200bf..fff3ea516d 100644 --- a/_security/multi-tenancy/dynamic-config.md +++ b/_security/multi-tenancy/dynamic-config.md 
@@ -16,7 +16,7 @@ Dynamic configuration of multi-tenancy in OpenSearch Dashboards provides options {: .note } - **Disable or enable private tenant** - This option allows administrators to disable and enable private tenants. As with the enable multi-tenancy setting, when private tenants are re-enabled all previously saved objects are preserved and made available. -- **Default tenant** - This option allows an administrator to choose either a global, private, or custom tenant as the default when users sign on. In the case where a user doesn't have access to the default tenant (for example, if a custom tenant was specified as the default), the default transitions to the next preferred tenant for that user, or ultimately to the global tenant. +- **Default tenant** - This option allows an administrator to choose either a global, private, or custom tenant as the default when users sign on. In the case where a user doesn't have access to the default tenant (for example, if a custom tenant unavailable to the user was specified as the default), the default transitions to the preferred tenant, which is specified by the `opensearch_security.multitenancy.tenants.preferred` setting in the `opensearch-dashboards.yml` file. See [Multi-tenancy configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/multi-tenancy-config/) for details about this setting. Once you make changes to multi-tenancy with dynamic configuration and save, users are logged out of their sessions and must log back in. {: .note } 
@@ -37,12 +37,18 @@ After making selections, select **Save** in the lower right corner of the window In addition to the Dashboards interface, dynamic configurations can be made using the REST API. +### Get tenancy configuration + +Retrieves settings for the dynamic configuration. + ```json -GET /_plugins/_security/authinfo +GET /_plugins/_security/api/tenancy/config ``` +{% include copy-curl.html %} + +#### Example response ```json -PUT /_plugins/_security/authinfo { "mulitenancy_enabled": true, "private_tenant_enabled": true, 
@@ -50,41 +56,51 @@ PUT /_plugins/_security/authinfo } ``` +### Update tenant configuration + +Updates settings for dynamic configuration. + ```json -PATCH /_plugins/_security/authinfo +PUT /_plugins/_security/api/tenancy/config { - "private_tenant_enabled": false + "default_tenant": "custom tenant 1", + "private_tenant_enabled": false, + "mulitenancy_enabled": true } ``` +{% include copy-curl.html %} -GET /_plugins/_security/api/tenancy/config +### Example response -PUT /_plugins/_security/api/tenancy/config +```json { - "multitenancy_enabled": true, - "private_tenant_enabled": true, - "default_tenant": "global tenant" + "mulitenancy_enabled": true, + "private_tenant_enabled": false, + "default_tenant": "custom tenant 1" } +``` -PATCH /_plugins/_security/api/tenancy/config -{ - "private_tenant_enabled": false, -} +### Dashboardsinfo API +You can also use the Dashboardsinfo API to retrieve the status of multi-tenancy settings for the user logged in to Dashboards. -GET /_plugins/_security/authinfo +```json +GET /_plugins/_security/dashboardsinfo +``` +{% include copy-curl.html %} -PUT /_plugins/_security/authinfo -{ - "mulitenancy_enabled": true, - "private_tenant_enabled": true, - "default_tenant": "global tenant" -} +### Example response -PATCH /_plugins/_security/authinfo +```json { - "private_tenant_enabled": false + "user_name" : "admin", + "not_fail_on_forbidden_enabled" : false, + "opensearch_dashboards_mt_enabled" : true, + "opensearch_dashboards_index" : ".kibana", + "opensearch_dashboards_server_user" : "kibanaserver", + "multitenancy_enabled" : true, + "private_tenant_enabled" : true, + "default_tenant" : "Private" } - - +``` diff --git a/_security/multi-tenancy/mt-agg-view.md b/_security/multi-tenancy/mt-agg-view.md index 640be105d7..34acefc045 100644 --- a/_security/multi-tenancy/mt-agg-view.md +++ b/_security/multi-tenancy/mt-agg-view.md 
@@ -36,7 +36,10 @@ In this first experimental phase of development, there are some limitations that * The feature can only be used in a new cluster. At this time, the feature is not suported by clusters already in use. * Also, the feature should be used only in a test environment, not in production. -* Finally, once the feature has been enabled and used in a test cluster, the feature cannot be disabled for the cluster. Disabling the feature once it has been used to work with tenants and saved objects can result in the loss of saved objects and have an impact on tenant-to-tenant functionality. +* Finally, once the feature has been enabled and used in a test cluster, the feature cannot be disabled for the cluster. Disabling the feature once it has been used to work with tenants and saved objects can result in the loss of saved objects and can have an impact on tenant-to-tenant functionality. + + While aggregate view is enabled, a loss of saved objects and impact to tenant-to-tenant functionality can also occur when the larger multi-tenancy feature is disabled. This includes disabling multi-tenancy in the security `config.yml` file settings or by using dynamic configuration. Keep this in mind before enabling aggregate view for your test cluster. + {: .important } These limitations will be addressed in upcoming releases. diff --git a/_security/multi-tenancy/multi-tenancy-config.md b/_security/multi-tenancy/multi-tenancy-config.md index af510e76c3..817458cd3b 100644 --- a/_security/multi-tenancy/multi-tenancy-config.md +++ b/_security/multi-tenancy/multi-tenancy-config.md 
@@ -15,17 +15,21 @@ config: dynamic: kibana: multitenancy_enabled: true + private_tenant_enabled: true + default_tenant: global tenant server_username: kibanaserver index: '.kibana' do_not_fail_on_forbidden: false ``` -Setting | Description -:--- | :--- -`multitenancy_enabled` | Enable or disable multi-tenancy. Default is true. -`server_username` | Must match the name of the OpenSearch Dashboards server user from `opensearch_dashboards.yml`. Default is `kibanaserver`. -`index` | Must match the name of the OpenSearch Dashboards index from `opensearch_dashboards.yml`. Default is `.kibana`. -`do_not_fail_on_forbidden` | If true, the security plugin removes any content that a user is not allowed to see from search results. If false, the plugin returns a security exception. Default is false. +| Setting | Description | +| :--- | :--- | +| `multitenancy_enabled` | Enable or disable multi-tenancy. Default is true. | +| `private_tenant_enabled` | Enable or disable the private tenant. Default is true. | +| `default_tenant` | Use to set the tenant that is available when users log in. | +| `server_username` | Must match the name of the OpenSearch Dashboards server user from `opensearch_dashboards.yml`. Default is `kibanaserver`. | +| `index` | Must match the name of the OpenSearch Dashboards index from `opensearch_dashboards.yml`. Default is `.kibana`. | +| `do_not_fail_on_forbidden` | If true, the security plugin removes any content that a user is not allowed to see from search results. If false, the plugin returns a security exception. Default is false. | The `opensearch_dashboards.yml` file includes additional settings: 
@@ -40,14 +44,14 @@ opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"] opensearch_security.multitenancy.enable_filter: false ``` -Setting | Description -:--- | :--- -`opensearch.requestHeadersAllowlist` | OpenSearch Dashboards requires that you add all HTTP headers to the allow list so that the headers pass to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. If the `securitytenant` header is not on the allow list, OpenSearch Dashboards starts with a red status. -`opensearch_security.multitenancy.enabled` | Enables or disables multi-tenancy in OpenSearch Dashboards. Default is true. -`opensearch_security.multitenancy.tenants.enable_global` | Enables or disables the global tenant. Default is true. -`opensearch_security.multitenancy.tenants.enable_private` | Enables or disables the private tenant. Default is true. -`opensearch_security.multitenancy.tenants.preferred` | Lets you change ordering in the **Tenants** tab of OpenSearch Dashboards. By default, the list starts with global and private (if enabled) and then proceeds alphabetically. You can add tenants here to move them to the top of the list. -`opensearch_security.multitenancy.enable_filter` | If you have many tenants, you can add a search bar to the top of the list. Default is false. +| Setting | Description | +| :--- | :--- | +| `opensearch.requestHeadersAllowlist` | OpenSearch Dashboards requires that you add all HTTP headers to the allow list so that the headers pass to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. If the `securitytenant` header is not on the allow list, OpenSearch Dashboards starts with a red status. +| `opensearch_security.multitenancy.enabled` | Enables or disables multi-tenancy in OpenSearch Dashboards. Default is true. 
| +| `opensearch_security.multitenancy.tenants.enable_global` | Enables or disables the global tenant. Default is true. | +| `opensearch_security.multitenancy.tenants.enable_private` | Enables or disables the private tenant. Default is true. | +| `opensearch_security.multitenancy.tenants.preferred` | Lets you change ordering in the **Tenants** tab of OpenSearch Dashboards. By default, the list starts with global and private (if enabled) and then proceeds alphabetically. You can add tenants here to move them to the top of the list. | +| `opensearch_security.multitenancy.enable_filter` | If you have many tenants, you can add a search bar to the top of the list. Default is false. | ## Add tenants From 5ee3cf7a25dc584f31107d83b3b8c744aee040fd Mon Sep 17 00:00:00 2001 From: cwillum Date: Tue, 18 Apr 2023 11:48:26 -0700 Subject: [PATCH 06/17] fix#2562 dynamic config Signed-off-by: cwillum --- _security/multi-tenancy/dynamic-config.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_security/multi-tenancy/dynamic-config.md b/_security/multi-tenancy/dynamic-config.md index fff3ea516d..e9619127aa 100644 --- a/_security/multi-tenancy/dynamic-config.md +++ b/_security/multi-tenancy/dynamic-config.md @@ -31,7 +31,7 @@ By default, the **Manage** tab is displayed. Select the **Configure** tab to dis * In the **Tenants** field, you can enable or disable private tenants for users. By default the check box is selected and the feature is enabled. * In the **Default tenant** field, use the dropdown menu to select a default tenant. The menu includes Global, Private, and any other custom tenants that are available to users. -After making selections, select **Save** in the lower right corner of the window. The changes are implemented dynamically. +After making selections, select **Save changes** in the lower right corner of the window. The changes are implemented dynamically. ## Configuring multi-tenancy with the REST API 
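Review bot: In the `opensearch_dashboards.yml` settings table of `multi-tenancy-config.md` (hunk `@@ -44,14 +44,14 @@` in the new file, `-40,14` in the old), the added `opensearch.requestHeadersAllowlist` row ends at "starts with a red status." with no closing `|`, while every other added row in both converted tables is closed with one. Add the trailing ` |` so the row matches the rest of the table.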
From 831a8e4d970ced1faed62c134cb5135cae9aa79f Mon Sep 17 00:00:00 2001 From: cwillum Date: Wed, 19 Apr 2023 18:58:27 -0700 Subject: [PATCH 07/17] fix#2562 dynamic config Signed-off-by: cwillum --- _security/multi-tenancy/dynamic-config.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/_security/multi-tenancy/dynamic-config.md b/_security/multi-tenancy/dynamic-config.md index e9619127aa..67a28be9f1 100644 --- a/_security/multi-tenancy/dynamic-config.md +++ b/_security/multi-tenancy/dynamic-config.md 
@@ -18,20 +18,21 @@ Dynamic configuration of multi-tenancy in OpenSearch Dashboards provides options - **Disable or enable private tenant** - This option allows administrators to disable and enable private tenants. As with the enable multi-tenancy setting, when private tenants are re-enabled all previously saved objects are preserved and made available. - **Default tenant** - This option allows an administrator to choose either a global, private, or custom tenant as the default when users sign on. In the case where a user doesn't have access to the default tenant (for example, if a custom tenant unavailable to the user was specified as the default), the default transitions to the preferred tenant, which is specified by the `opensearch_security.multitenancy.tenants.preferred` setting in the `opensearch-dashboards.yml` file. See [Multi-tenancy configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/multi-tenancy-config/) for details about this setting. -Once you make changes to multi-tenancy with dynamic configuration and save, users are logged out of their sessions and must log back in. -{: .note } +Depending on the specific changes made to multi-tenancy using dynamic configuration, some users may be logged out of their session once the changes are saved. For example, if an admin user disables multi-tenancy, users with either a private or custom tenant as their selected tenant will be logged out and will need to log back in. Similarly, if an admin user disables private tenants, users with the private tenant selected will be logged out and will need to log back in. The global tenant, however, is a special case. Since this tenant is never disabled, users with global tenant selected as their active tenant will experience no interruption to their session. Furthermore, changing the default tenant has no impact on users working with tenants. 
## Configuring multi-tenancy in OpenSearch Dashboards -To make settings for multi-tenancy in Dashboards, Begin by selecting **Security** in the Dashboards home page menu. Then select **Tenancy** from the Security menu on the left side of the screen. The **Multi-tenancy** page is displayed. +To make settings for multi-tenancy in Dashboards, follow these steps. -By default, the **Manage** tab is displayed. Select the **Configure** tab to display the dynamic settings for multi-tenancy. +1. Begin by selecting **Security** in the Dashboards home page menu. Then select **Tenancy** from the Security menu on the left side of the screen. The **Multi-tenancy** page is displayed. +1. By default, the **Manage** tab is displayed. Select the **Configure** tab to display the dynamic settings for multi-tenancy. -* In the **Multi-tenancy** field, select the **Enable tenancy** check box to enable multi-tenancy. Clear the check box to disable the feature. The default is `true`. -* In the **Tenants** field, you can enable or disable private tenants for users. By default the check box is selected and the feature is enabled. -* In the **Default tenant** field, use the dropdown menu to select a default tenant. The menu includes Global, Private, and any other custom tenants that are available to users. + * In the **Multi-tenancy** field, select the **Enable tenancy** check box to enable multi-tenancy. Clear the check box to disable the feature. The default is `true`. + * In the **Tenants** field, you can enable or disable private tenants for users. By default the check box is selected and the feature is enabled. + * In the **Default tenant** field, use the dropdown menu to select a default tenant. The menu includes Global, Private, and any other custom tenants that are available to users. -After making selections, select **Save changes** in the lower right corner of the window. The changes are implemented dynamically. 
+1, After making your preferred changes, select **Save changes** in the lower right corner of the window. A popup window appears listing the configuration items you've changed and asks you to review your changes. +1. Select the checkboxes beside the items you want to confirm and then select **Apply changes**. The changes are implemented dynamically. ## Configuring multi-tenancy with the REST API From 74685ed8bd2c74d9409448309f46942895f33a5d Mon Sep 17 00:00:00 2001 From: cwillum Date: Wed, 19 Apr 2023 19:09:20 -0700 Subject: [PATCH 08/17] fix#2562 dynamic config Signed-off-by: cwillum --- _security/multi-tenancy/dynamic-config.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/_security/multi-tenancy/dynamic-config.md b/_security/multi-tenancy/dynamic-config.md index 67a28be9f1..840d2db978 100644 --- a/_security/multi-tenancy/dynamic-config.md +++ b/_security/multi-tenancy/dynamic-config.md 
@@ -18,7 +18,9 @@ Dynamic configuration of multi-tenancy in OpenSearch Dashboards provides options - **Disable or enable private tenant** - This option allows administrators to disable and enable private tenants. As with the enable multi-tenancy setting, when private tenants are re-enabled all previously saved objects are preserved and made available. - **Default tenant** - This option allows an administrator to choose either a global, private, or custom tenant as the default when users sign on. In the case where a user doesn't have access to the default tenant (for example, if a custom tenant unavailable to the user was specified as the default), the default transitions to the preferred tenant, which is specified by the `opensearch_security.multitenancy.tenants.preferred` setting in the `opensearch-dashboards.yml` file. See [Multi-tenancy configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/multi-tenancy-config/) for details about this setting. -Depending on the specific changes made to multi-tenancy using dynamic configuration, some users may be logged out of their session once the changes are saved. For example, if an admin user disables multi-tenancy, users with either a private or custom tenant as their selected tenant will be logged out and will need to log back in. Similarly, if an admin user disables private tenants, users with the private tenant selected will be logged out and will need to log back in. The global tenant, however, is a special case. Since this tenant is never disabled, users with global tenant selected as their active tenant will experience no interruption to their session. Furthermore, changing the default tenant has no impact on users working with tenants. +Depending on the specific changes made to multi-tenancy using dynamic configuration, some users may be logged out of their Dashboards session once the changes are saved. 
For example, if an admin user disables multi-tenancy, users with either a private or custom tenant as their selected tenant will be logged out and will need to log back in. Similarly, if an admin user disables private tenants, users with the private tenant selected will be logged out and will need to log back in. + +The global tenant, however, is a special case. Since this tenant is never disabled, users with global tenant selected as their active tenant will experience no interruption to their session. Furthermore, changing the default tenant has no impact on a user's session. ## Configuring multi-tenancy in OpenSearch Dashboards 
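Review bot: The reworded logout paragraph attributes these changes to "an admin user" but does not say which role or permission is needed to change tenancy settings; because saving a change can end other users' Dashboards sessions, name the requirement or link to where it is documented. The **Default tenant** bullet kept as context in this hunk also names the file `opensearch-dashboards.yml`, whereas `multi-tenancy-config.md` in this series spells it `opensearch_dashboards.yml`; use one spelling.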
@@ -26,12 +28,10 @@ To make settings for multi-tenancy in Dashboards, follow these steps. 1. Begin by selecting **Security** in the Dashboards home page menu. Then select **Tenancy** from the Security menu on the left side of the screen. The **Multi-tenancy** page is displayed. 1. By default, the **Manage** tab is displayed. Select the **Configure** tab to display the dynamic settings for multi-tenancy. - - * In the **Multi-tenancy** field, select the **Enable tenancy** check box to enable multi-tenancy. Clear the check box to disable the feature. The default is `true`. - * In the **Tenants** field, you can enable or disable private tenants for users. By default the check box is selected and the feature is enabled. - * In the **Default tenant** field, use the dropdown menu to select a default tenant. The menu includes Global, Private, and any other custom tenants that are available to users. - -1, After making your preferred changes, select **Save changes** in the lower right corner of the window. A popup window appears listing the configuration items you've changed and asks you to review your changes. + * In the **Multi-tenancy** field, select the **Enable tenancy** check box to enable multi-tenancy. Clear the check box to disable the feature. The default is `true`. + * In the **Tenants** field, you can enable or disable private tenants for users. By default the check box is selected and the feature is enabled. + * In the **Default tenant** field, use the dropdown menu to select a default tenant. The menu includes Global, Private, and any other custom tenants that are available to users. +1. After making your preferred changes, select **Save changes** in the lower right corner of the window. A popup window appears listing the configuration items you've changed and asks you to review your changes. 1. Select the checkboxes beside the items you want to confirm and then select **Apply changes**. The changes are implemented dynamically. 
## Configuring multi-tenancy with the REST API From b0283d874141619dd97339e048d5b94984db0eea Mon Sep 17 00:00:00 2001 From: cwillum Date: Wed, 19 Apr 2023 19:11:05 -0700 Subject: [PATCH 09/17] fix#2562 dynamic config Signed-off-by: cwillum --- _security/multi-tenancy/dynamic-config.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/_security/multi-tenancy/dynamic-config.md b/_security/multi-tenancy/dynamic-config.md index 840d2db978..018c028956 100644 --- a/_security/multi-tenancy/dynamic-config.md +++ b/_security/multi-tenancy/dynamic-config.md @@ -22,6 +22,7 @@ Depending on the specific changes made to multi-tenancy using dynamic configurat The global tenant, however, is a special case. Since this tenant is never disabled, users with global tenant selected as their active tenant will experience no interruption to their session. Furthermore, changing the default tenant has no impact on a user's session. + ## Configuring multi-tenancy in OpenSearch Dashboards To make settings for multi-tenancy in Dashboards, follow these steps. @@ -34,6 +35,7 @@ To make settings for multi-tenancy in Dashboards, follow these steps. 1. After making your preferred changes, select **Save changes** in the lower right corner of the window. A popup window appears listing the configuration items you've changed and asks you to review your changes. 1. Select the checkboxes beside the items you want to confirm and then select **Apply changes**. The changes are implemented dynamically. + ## Configuring multi-tenancy with the REST API In addition to the Dashboards interface, dynamic configurations can be made using the REST API. From ba61e636d82430dee5eb3b793608c8ecd1b43cd0 Mon Sep 17 00:00:00 2001 From: cwillum Date: Thu, 20 Apr 2023 11:26:52 -0700 Subject: [PATCH 10/17] fix#2562 dynamic config Signed-off-by: cwillum --- _security/multi-tenancy/mt-agg-view.md | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/_security/multi-tenancy/mt-agg-view.md b/_security/multi-tenancy/mt-agg-view.md index 34acefc045..6a0ee71836 100644 --- a/_security/multi-tenancy/mt-agg-view.md +++ b/_security/multi-tenancy/mt-agg-view.md @@ -38,9 +38,6 @@ In this first experimental phase of development, there are some limitations that * Also, the feature should be used only in a test environment, not in production. * Finally, once the feature has been enabled and used in a test cluster, the feature cannot be disabled for the cluster. Disabling the feature once it has been used to work with tenants and saved objects can result in the loss of saved objects and can have an impact on tenant-to-tenant functionality. - While aggregate view is enabled, a loss of saved objects and impact to tenant-to-tenant functionality can also occur when the larger multi-tenancy feature is disabled. This includes disabling multi-tenancy in the security `config.yml` file settings or by using dynamic configuration. Keep this in mind before enabling aggregate view for your test cluster. - {: .important } - These limitations will be addressed in upcoming releases. ## Enabling aggregate view for saved objects From 51876875d7a81aa83714f5fa73722ba4e9bd4961 Mon Sep 17 00:00:00 2001 From: cwillum Date: Thu, 20 Apr 2023 12:27:29 -0700 Subject: [PATCH 11/17] fix#2562 dynamic config Signed-off-by: cwillum --- _security/multi-tenancy/mt-agg-view.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_security/multi-tenancy/mt-agg-view.md b/_security/multi-tenancy/mt-agg-view.md index 6a0ee71836..810bccb835 100644 --- a/_security/multi-tenancy/mt-agg-view.md +++ b/_security/multi-tenancy/mt-agg-view.md 
@@ -36,7 +36,7 @@ In this first experimental phase of development, there are some limitations that * The feature can only be used in a new cluster. At this time, the feature is not suported by clusters already in use. * Also, the feature should be used only in a test environment, not in production. -* Finally, once the feature has been enabled and used in a test cluster, the feature cannot be disabled for the cluster. Disabling the feature once it has been used to work with tenants and saved objects can result in the loss of saved objects and can have an impact on tenant-to-tenant functionality. +* Finally, once the feature has been enabled and used in a test cluster, the feature cannot be disabled for the cluster. Disabling the feature once it has been used to work with tenants and saved objects can result in the loss of saved objects and can have an impact on tenant-to-tenant functionality. This can occur when disabling the feature in any one of three ways: disabling the aggregate view feature with the [feature flag]({{site.url}}{{site.baseurl}}/security/multi-tenancy/mt-agg-view/#enabling-aggregate-view-for-saved-objects/); disabling multi-tenancy with the traditional [multi-tenancy configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/multi-tenancy-config/) setting; or disabling multi-tenancy with [dynamic configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/dynamic-config/) settings. These limitations will be addressed in upcoming releases. From b6ad513edfdc3b740ca3c9c48ebb443773e5e8bc Mon Sep 17 00:00:00 2001 From: cwillum Date: Thu, 20 Apr 2023 15:16:03 -0700 Subject: [PATCH 12/17] fix#2562 dynamic config Signed-off-by: cwillum --- _security/multi-tenancy/dynamic-config.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_security/multi-tenancy/dynamic-config.md b/_security/multi-tenancy/dynamic-config.md index 018c028956..cd1f989004 100644 --- a/_security/multi-tenancy/dynamic-config.md 
+++ b/_security/multi-tenancy/dynamic-config.md @@ -8,7 +8,7 @@ nav_order: 147 # Dynamic configuration in OpenSearch Dashboards -Dynamic configuration of multi-tenancy in OpenSearch Dashboards provides options to make common settings for tenancy without having to make changes to the configuration YAML files on each node and then restart the cluster. You can take advantage of this functionality by using the Dashboards interface or the REST API. The following list includes description of the options currently covered by dynamic configuration: +Multi-tenancy includes dynamic configuration options in OpenSearch Dashboards so you can make common settings for tenancy without having to make changes to the configuration YAML files on each node and then restart the cluster. You can take advantage of this functionality by using the Dashboards interface or the REST API. The following list includes description of the options currently covered by dynamic configuration: - **Disable or enable multi-tenancy** - Administrators can disable and enable multi-tenancy dynamically. Disabling multi-tenancy does not pose a risk for loss of data. If and when an administrator chooses to re-enable tenancy, all previously saved objects are preserved and made available. The default is `true`. @@ -25,7 +25,7 @@ The global tenant, however, is a special case. Since this tenant is never disabl ## Configuring multi-tenancy in OpenSearch Dashboards -To make settings for multi-tenancy in Dashboards, follow these steps. +To configure multi-tenancy in Dashboards, follow these steps. 1. Begin by selecting **Security** in the Dashboards home page menu. Then select **Tenancy** from the Security menu on the left side of the screen. The **Multi-tenancy** page is displayed. 1. By default, the **Manage** tab is displayed. Select the **Configure** tab to display the dynamic settings for multi-tenancy. From 045e3107dbeb323afb1f580ebc0f0d296fabc5bc Mon Sep 17 00:00:00 2001 
From: cwillum Date: Fri, 21 Apr 2023 09:06:48 -0700 Subject: [PATCH 13/17] fix#2562 dynamic config Signed-off-by: cwillum --- _security/multi-tenancy/mt-agg-view.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_security/multi-tenancy/mt-agg-view.md b/_security/multi-tenancy/mt-agg-view.md index 810bccb835..7917abfba8 100644 --- a/_security/multi-tenancy/mt-agg-view.md +++ b/_security/multi-tenancy/mt-agg-view.md 
@@ -36,7 +36,7 @@ In this first experimental phase of development, there are some limitations that * The feature can only be used in a new cluster. At this time, the feature is not suported by clusters already in use. * Also, the feature should be used only in a test environment, not in production. -* Finally, once the feature has been enabled and used in a test cluster, the feature cannot be disabled for the cluster. Disabling the feature once it has been used to work with tenants and saved objects can result in the loss of saved objects and can have an impact on tenant-to-tenant functionality. This can occur when disabling the feature in any one of three ways: disabling the aggregate view feature with the [feature flag]({{site.url}}{{site.baseurl}}/security/multi-tenancy/mt-agg-view/#enabling-aggregate-view-for-saved-objects/); disabling multi-tenancy with the traditional [multi-tenancy configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/multi-tenancy-config/) setting; or disabling multi-tenancy with [dynamic configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/dynamic-config/) settings. +* Finally, once the feature has been enabled and used in a test cluster, the feature cannot be disabled for the cluster. Disabling the feature once it has been used to work with tenants and saved objects can result in the loss of saved objects and can have an impact on tenant-to-tenant functionality. This can occur when disabling the feature in any one of three ways: disabling the aggregate view feature with the [feature flag](#enabling-aggregate-view-for-saved-objects); disabling multi-tenancy with the traditional [multi-tenancy configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/multi-tenancy-config/) setting; or disabling multi-tenancy with [dynamic configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/dynamic-config/) settings. These limitations will be addressed in upcoming releases. 
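Review bot: The last sentence of the third bullet says that disabling multi-tenancy with dynamic configuration can result in the loss of saved objects, but `dynamic-config.md` in this same series states "Disabling multi-tenancy does not pose a risk for loss of data" with no mention of aggregate view. Add the aggregate view caveat to the dynamic configuration page, or link from there back to this limitation, so the two pages agree. The bullet also says the feature "cannot be disabled" and then lists three ways of disabling it; "should not be disabled" would match what follows.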
From f9f31e105f7721772373bea5ecc09cb6c661fc17 Mon Sep 17 00:00:00 2001 From: cwillum Date: Fri, 21 Apr 2023 09:32:44 -0700 Subject: [PATCH 14/17] fix#2562 dynamic config Signed-off-by: cwillum --- _security/multi-tenancy/mt-agg-view.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_security/multi-tenancy/mt-agg-view.md b/_security/multi-tenancy/mt-agg-view.md index 7917abfba8..3206236bf3 100644 --- a/_security/multi-tenancy/mt-agg-view.md +++ b/_security/multi-tenancy/mt-agg-view.md @@ -34,7 +34,7 @@ In subsequent releases, we plan to expand the functionality of this feature to i In this first experimental phase of development, there are some limitations that should be observed before enabling the feature and using it in a test environment: -* The feature can only be used in a new cluster. At this time, the feature is not suported by clusters already in use. +* The feature can only be used in a new cluster. At this time, the feature is not supported by clusters already in use. * Also, the feature should be used only in a test environment, not in production. * Finally, once the feature has been enabled and used in a test cluster, the feature cannot be disabled for the cluster. Disabling the feature once it has been used to work with tenants and saved objects can result in the loss of saved objects and can have an impact on tenant-to-tenant functionality. This can occur when disabling the feature in any one of three ways: disabling the aggregate view feature with the [feature flag](#enabling-aggregate-view-for-saved-objects); disabling multi-tenancy with the traditional [multi-tenancy configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/multi-tenancy-config/) setting; or disabling multi-tenancy with [dynamic configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/dynamic-config/) settings. From 37b0e37f92af1e3148503145815f90b317e70dc5 Mon Sep 17 00:00:00 2001 
From: cwillum Date: Fri, 21 Apr 2023 09:47:42 -0700 Subject: [PATCH 15/17] fix#2562 dynamic config Signed-off-by: cwillum --- _security/multi-tenancy/dynamic-config.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_security/multi-tenancy/dynamic-config.md b/_security/multi-tenancy/dynamic-config.md index cd1f989004..b3f5766636 100644 --- a/_security/multi-tenancy/dynamic-config.md +++ b/_security/multi-tenancy/dynamic-config.md 
@@ -29,8 +29,8 @@ To configure multi-tenancy in Dashboards, follow these steps. 1. Begin by selecting **Security** in the Dashboards home page menu. Then select **Tenancy** from the Security menu on the left side of the screen. The **Multi-tenancy** page is displayed. 1. By default, the **Manage** tab is displayed. Select the **Configure** tab to display the dynamic settings for multi-tenancy. - * In the **Multi-tenancy** field, select the **Enable tenancy** check box to enable multi-tenancy. Clear the check box to disable the feature. The default is `true`. - * In the **Tenants** field, you can enable or disable private tenants for users. By default the check box is selected and the feature is enabled. + * In the **Multi-tenancy** field, select the **Enable tenancy** checkbox to enable multi-tenancy. Clear the checkbox to disable the feature. The default is `true`. + * In the **Tenants** field, you can enable or disable private tenants for users. By default the checkbox is selected and the feature is enabled. * In the **Default tenant** field, use the dropdown menu to select a default tenant. The menu includes Global, Private, and any other custom tenants that are available to users. 1. After making your preferred changes, select **Save changes** in the lower right corner of the window. A popup window appears listing the configuration items you've changed and asks you to review your changes. 1. Select the checkboxes beside the items you want to confirm and then select **Apply changes**. The changes are implemented dynamically. From 966668f77a2391263c45d7c6a05c242acaf91f80 Mon Sep 17 00:00:00 2001 From: cwillum Date: Fri, 21 Apr 2023 12:45:50 -0700 Subject: [PATCH 16/17] fix#2562 dynamic config Signed-off-by: cwillum --- _security/multi-tenancy/dynamic-config.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) 
diff --git a/_security/multi-tenancy/dynamic-config.md b/_security/multi-tenancy/dynamic-config.md index b3f5766636..78136afc81 100644 --- a/_security/multi-tenancy/dynamic-config.md +++ b/_security/multi-tenancy/dynamic-config.md 
@@ -8,37 +8,37 @@ nav_order: 147 # Dynamic configuration in OpenSearch Dashboards -Multi-tenancy includes dynamic configuration options in OpenSearch Dashboards so you can make common settings for tenancy without having to make changes to the configuration YAML files on each node and then restart the cluster. You can take advantage of this functionality by using the Dashboards interface or the REST API. The following list includes description of the options currently covered by dynamic configuration: +Multi-tenancy includes dynamic configuration options in OpenSearch Dashboards so you can manage common settings for tenancy without having to make changes to the configuration YAML files on each node and then restart the cluster. You can take advantage of this functionality by using the Dashboards interface or the REST API. The following list includes descriptions of the options currently covered by dynamic configuration: -- **Disable or enable multi-tenancy** - Administrators can disable and enable multi-tenancy dynamically. Disabling multi-tenancy does not pose a risk for loss of data. If and when an administrator chooses to re-enable tenancy, all previously saved objects are preserved and made available. The default is `true`. +- **Disable or enable multi-tenancy** - Administrators can disable and enable multi-tenancy dynamically. Disabling multi-tenancy does not pose a risk of data loss. If and when an administrator chooses to reenable tenancy, all previously saved objects are preserved and made available. The default is `true`. This setting does not have an impact on the global tenant, which always remains enabled. {: .note } -- **Disable or enable private tenant** - This option allows administrators to disable and enable private tenants. As with the enable multi-tenancy setting, when private tenants are re-enabled all previously saved objects are preserved and made available. 
-- **Default tenant** - This option allows an administrator to choose either a global, private, or custom tenant as the default when users sign on. In the case where a user doesn't have access to the default tenant (for example, if a custom tenant unavailable to the user was specified as the default), the default transitions to the preferred tenant, which is specified by the `opensearch_security.multitenancy.tenants.preferred` setting in the `opensearch-dashboards.yml` file. See [Multi-tenancy configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/multi-tenancy-config/) for details about this setting. +- **Disable or enable private tenant** - This option allows administrators to disable and enable private tenants. As with the enable multi-tenancy setting, when private tenants are reenabled all previously saved objects are preserved and made available. +- **Default tenant** - This option allows an administrator to choose either a global, private, or custom tenant as the default when users log in. In cases where a user doesn't have access to the default tenant (for example, if a custom tenant unavailable to the user was specified as the default), the default transitions to the preferred tenant, which is specified by the `opensearch_security.multitenancy.tenants.preferred` setting in the `opensearch-dashboards.yml` file. See [Multi-tenancy configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/multi-tenancy-config/) for more information about this setting. Depending on the specific changes made to multi-tenancy using dynamic configuration, some users may be logged out of their Dashboards session once the changes are saved. For example, if an admin user disables multi-tenancy, users with either a private or custom tenant as their selected tenant will be logged out and will need to log back in. Similarly, if an admin user disables private tenants, users with the private tenant selected will be logged out and will need to log back in. 
-The global tenant, however, is a special case. Since this tenant is never disabled, users with global tenant selected as their active tenant will experience no interruption to their session. Furthermore, changing the default tenant has no impact on a user's session. +The global tenant, however, is a special case. Because this tenant is never disabled, users with the global tenant selected as their active tenant will experience no interruption to their session. Furthermore, changing the default tenant has no impact on a user's session. ## Configuring multi-tenancy in OpenSearch Dashboards -To configure multi-tenancy in Dashboards, follow these steps. +To configure multi-tenancy in Dashboards, follow these steps: 1. Begin by selecting **Security** in the Dashboards home page menu. Then select **Tenancy** from the Security menu on the left side of the screen. The **Multi-tenancy** page is displayed. 1. By default, the **Manage** tab is displayed. Select the **Configure** tab to display the dynamic settings for multi-tenancy. - * In the **Multi-tenancy** field, select the **Enable tenancy** checkbox to enable multi-tenancy. Clear the checkbox to disable the feature. The default is `true`. - * In the **Tenants** field, you can enable or disable private tenants for users. By default the checkbox is selected and the feature is enabled. + * In the **Multi-tenancy** field, select the **Enable tenancy** check box to enable multi-tenancy. Clear the check box to disable the feature. The default is `true`. + * In the **Tenants** field, you can enable or disable private tenants for users. By default the check box is selected and the feature is enabled. * In the **Default tenant** field, use the dropdown menu to select a default tenant. The menu includes Global, Private, and any other custom tenants that are available to users. -1. After making your preferred changes, select **Save changes** in the lower right corner of the window. 
A popup window appears listing the configuration items you've changed and asks you to review your changes. -1. Select the checkboxes beside the items you want to confirm and then select **Apply changes**. The changes are implemented dynamically. +1. After making your preferred changes, select **Save changes** in the lower right corner of the window. A pop-up window appears listing the configuration items you've changed and asks you to review your changes. +1. Select the check boxes beside the items you want to confirm and then select **Apply changes**. The changes are implemented dynamically. ## Configuring multi-tenancy with the REST API -In addition to the Dashboards interface, dynamic configurations can be made using the REST API. +In addition to using the Dashboards interface, you can manage dynamic configurations using the REST API. ### Get tenancy configuration From 31224bb29b68d4d27411d90fb219ed19ac24619c Mon Sep 17 00:00:00 2001 From: cwillum Date: Fri, 21 Apr 2023 13:21:05 -0700 Subject: [PATCH 17/17] fix#2562 dynamic config Signed-off-by: cwillum --- _security/multi-tenancy/dynamic-config.md | 6 +++--- _security/multi-tenancy/multi-tenancy-config.md | 16 ++++++++-------- _security/multi-tenancy/tenant-index.md | 12 ++++++------ 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/_security/multi-tenancy/dynamic-config.md b/_security/multi-tenancy/dynamic-config.md index 78136afc81..38b612659b 100644 --- a/_security/multi-tenancy/dynamic-config.md +++ b/_security/multi-tenancy/dynamic-config.md @@ -42,7 +42,7 @@ In addition to using the Dashboards interface, you can manage dynamic configurat ### Get tenancy configuration -Retrieves settings for the dynamic configuration. +The GET call retrieves settings for the dynamic configuration: ```json GET /_plugins/_security/api/tenancy/config 
@@ -61,7 +61,7 @@ GET /_plugins/_security/api/tenancy/config ### Update tenant configuration -Updates settings for dynamic configuration. +The PUT call updates settings for dynamic configuration: ```json PUT /_plugins/_security/api/tenancy/config @@ -85,7 +85,7 @@ PUT /_plugins/_security/api/tenancy/config ### Dashboardsinfo API -You can also use the Dashboardsinfo API to retrieve the status of multi-tenancy settings for the user logged in to Dashboards. +You can also use the Dashboardsinfo API to retrieve the status of multi-tenancy settings for the user logged in to Dashboards: ```json GET /_plugins/_security/dashboardsinfo diff --git a/_security/multi-tenancy/multi-tenancy-config.md b/_security/multi-tenancy/multi-tenancy-config.md index 817458cd3b..83871c1bd7 100644 --- a/_security/multi-tenancy/multi-tenancy-config.md +++ b/_security/multi-tenancy/multi-tenancy-config.md 
@@ -24,12 +24,12 @@ config: | Setting | Description | | :--- | :--- | -| `multitenancy_enabled` | Enable or disable multi-tenancy. Default is true. | -| `private_tenant_enabled` | Enable or disable the private tenant. Default is true. | +| `multitenancy_enabled` | Enable or disable multi-tenancy. Default is `true`. | +| `private_tenant_enabled` | Enable or disable the private tenant. Default is `true`. | | `default_tenant` | Use to set the tenant that is available when users log in. | | `server_username` | Must match the name of the OpenSearch Dashboards server user from `opensearch_dashboards.yml`. Default is `kibanaserver`. | | `index` | Must match the name of the OpenSearch Dashboards index from `opensearch_dashboards.yml`. Default is `.kibana`. | -| `do_not_fail_on_forbidden` | If true, the security plugin removes any content that a user is not allowed to see from search results. If false, the plugin returns a security exception. Default is false. | +| `do_not_fail_on_forbidden` | When `true`, the Security plugin removes any content that a user is not allowed to see from the search results. When `false`, the plugin returns a security exception. Default is `false`. | The `opensearch_dashboards.yml` file includes additional settings: 
@@ -47,11 +47,11 @@ opensearch_security.multitenancy.enable_filter: false | Setting | Description | | :--- | :--- | | `opensearch.requestHeadersAllowlist` | OpenSearch Dashboards requires that you add all HTTP headers to the allow list so that the headers pass to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. If the `securitytenant` header is not on the allow list, OpenSearch Dashboards starts with a red status. -| `opensearch_security.multitenancy.enabled` | Enables or disables multi-tenancy in OpenSearch Dashboards. Default is true. | -| `opensearch_security.multitenancy.tenants.enable_global` | Enables or disables the global tenant. Default is true. | -| `opensearch_security.multitenancy.tenants.enable_private` | Enables or disables the private tenant. Default is true. | -| `opensearch_security.multitenancy.tenants.preferred` | Lets you change ordering in the **Tenants** tab of OpenSearch Dashboards. By default, the list starts with global and private (if enabled) and then proceeds alphabetically. You can add tenants here to move them to the top of the list. | -| `opensearch_security.multitenancy.enable_filter` | If you have many tenants, you can add a search bar to the top of the list. Default is false. | +| `opensearch_security.multitenancy.enabled` | Enables or disables multi-tenancy in OpenSearch Dashboards. Default is `true`. | +| `opensearch_security.multitenancy.tenants.enable_global` | Enables or disables the global tenant. Default is `true`. | +| `opensearch_security.multitenancy.tenants.enable_private` | Enables or disables private tenants. Default is `true`. | +| `opensearch_security.multitenancy.tenants.preferred` | Lets you change ordering in the **Tenants** tab of OpenSearch Dashboards. By default, the list starts with Global and Private (if enabled) and then proceeds alphabetically. You can add tenants here to move them to the top of the list. 
| +| `opensearch_security.multitenancy.enable_filter` | If you have many tenants, you can add a search bar to the top of the list. Default is `false`. | ## Add tenants diff --git a/_security/multi-tenancy/tenant-index.md b/_security/multi-tenancy/tenant-index.md index 7d4ec1620d..40a7cd7016 100644 --- a/_security/multi-tenancy/tenant-index.md +++ b/_security/multi-tenancy/tenant-index.md 
@@ -10,13 +10,13 @@ redirect_from: # OpenSearch Dashboards multi-tenancy -*Tenants* in OpenSearch Dashboards are spaces for saving index patterns, visualizations, dashboards, and other OpenSearch Dashboards objects. OpenSearch allows users to create multiple tenants for multiple uses. Tenants are useful for safely sharing your work with other OpenSearch Dashboards users. You can control which roles have access to a tenant and whether those roles have read or write access. By default, all OpenSearch Dashboards users have access to two independent tenants: private and global. Multi-tenancy also provides the option to create custom tenants. +*Tenants* in OpenSearch Dashboards are spaces for saving index patterns, visualizations, dashboards, and other OpenSearch Dashboards objects. OpenSearch allows users to create multiple tenants for multiple uses. Tenants are useful for safely sharing your work with other OpenSearch Dashboards users. You can control which roles have access to a tenant and whether those roles have read or write access. By default, all OpenSearch Dashboards users have access to two independent tenants: the global tenant and a private tenant. Multi-tenancy also provides the option to create custom tenants. -- **Private** - This tenant is exclusive to each user and can't be shared. It does not allow you to access routes or index patterns made by the user's global tenant. -- **Global** - This tenant is shared between every OpenSearch Dashboards user. It does allow for sharing objects among users who have access to it. -- **Custom** - Administrators can create custom tenants and assign them to specific roles. Once created, these tenants can then provide spaces for specific groups of users. +- **Global** -- This tenant is shared between every OpenSearch Dashboards user. It does allow for sharing objects among users who have access to it. +- **Private** -- This tenant is exclusive to each user and can't be shared. 
It does not allow you to access routes or index patterns created by the user's global tenant. +- **Custom** -- Administrators can create custom tenants and assign them to specific roles. Once created, these tenants can then provide spaces for specific groups of users. -The global tenant is not a *primary* tenant in the sense that it replicates its content in a private tenant. To the contrary, if you make a change to your global tenant, you won't see that change reflected in your private tenant. Some example changes include, but are not limited to: +The global tenant is not a *primary* tenant in the sense that it replicates its content in a private tenant. To the contrary, if you make a change to your global tenant, you won't see that change reflected in your private tenant. Some example changes include the following: - Change advanced settings - Create visualizations @@ -34,5 +34,5 @@ http://:5601/app/opensearch-dashboards?security_tena To get started with tenants, see [Multi-tenancy configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/multi-tenancy-config/) for information about enabling multi-tenancy, adding tenants, and assigning roles to tenants. -To see information about making dynamic changes to the multi-tenancy configuration, see [Dynamic configuration in OpenSearch Dashboards]({{site.url}}{{site.baseurl}}/security/multi-tenancy/dynamic-config/). +For information about making dynamic changes to the multi-tenancy configuration, see [Dynamic configuration in OpenSearch Dashboards]({{site.url}}{{site.baseurl}}/security/multi-tenancy/dynamic-config/).
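Review bot: In `_security/multi-tenancy/dynamic-config.md`, hunk `@@ -8,37 +8,37 @@`, the rewritten **Default tenant** bullet names the file `opensearch-dashboards.yml` (hyphen), while `multi-tenancy-config.md` in this same series calls it `opensearch_dashboards.yml` (underscore). Use one spelling in both pages so readers look for the `preferred` setting in the right file. Two added lines in this hunk also drop the comma after an introductory phrase: "when private tenants are reenabled all previously saved objects" and "By default the check box is selected".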
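Review bot: In `dynamic-config.md`, hunk `@@ -61,7 +61,7 @@`, the new lead-in "The PUT call updates settings for dynamic configuration:" does not say who is allowed to make the call. The first hunk of this file states that saving these settings can log users out of their Dashboards sessions, so this section should name the role or permission required for `PUT /_plugins/_security/api/tenancy/config`. The wording is also uneven with its sibling: the heading here is "Update tenant configuration" against "Get tenancy configuration", and the GET lead-in says "the dynamic configuration" where this one says "dynamic configuration".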
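Review bot: In `_security/multi-tenancy/multi-tenancy-config.md`, hunk `@@ -24,12 +24,12 @@`, the `default_tenant` row is left with no default and no accepted values, although every other row in the table now ends with a code-formatted default. `dynamic-config.md` in this series says the choice is a global, private, or custom tenant, so list those here and state what applies when the setting is absent. The rows in this table use the imperative ("Enable or disable") while the second table in the same file uses "Enables or disables"; settle on one form.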
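Review bot: In `multi-tenancy-config.md`, hunk `@@ -47,11 +47,11 @@`, the `opensearch.requestHeadersAllowlist` context row has no closing `|` as shown here, unlike every row rewritten below it; close it while the table is being edited so the row renders consistently. The `enable_private` row now reads "Enables or disables private tenants", but `private_tenant_enabled` in the table above reads "Enable or disable the private tenant"; use the same noun in both places.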
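Review bot: In `_security/multi-tenancy/tenant-index.md`, hunk `@@ -10,13 +10,13 @@`, the **Private** bullet still says "index patterns created by the user's global tenant", which conflicts with the **Global** bullet two lines earlier describing that tenant as shared between every user. A tenant does not create objects and the global tenant is not per user, so something like "created in the global tenant" states the isolation boundary more accurately. The bullets here also switch the separator to `--`, while the bullets in `dynamic-config.md` from the same series keep a single `-`; pick one across the section.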