-
Notifications
You must be signed in to change notification settings - Fork 503
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add documentation for dynamic configuration of tenancy in Dashboards #3694
Merged
Merged
Changes from 12 commits
Commits
Show all changes
18 commits
Select commit
Hold shift + click to select a range
1473e58
fix#2562 start for dynamic config
cwillum f7cdb21
fix#2562 start for dynamic config
cwillum 90dbcf9
Merge branch 'main' into fix#2562-dynamic-config-tenants
cwillum b4ca353
fix#2562 dynamic config
cwillum c13e4a7
fix#2562 dynamic config
cwillum 4002722
fix#2562 dynamic config
cwillum 5ee3cf7
fix#2562 dynamic config
cwillum 831a8e4
fix#2562 dynamic config
cwillum 74685ed
fix#2562 dynamic config
cwillum b0283d8
fix#2562 dynamic config
cwillum ba61e63
fix#2562 dynamic config
cwillum 5187687
fix#2562 dynamic config
cwillum b6ad513
fix#2562 dynamic config
cwillum 045e310
fix#2562 dynamic config
cwillum f9f31e1
fix#2562 dynamic config
cwillum 37b0e37
fix#2562 dynamic config
cwillum 966668f
fix#2562 dynamic config
cwillum 31224bb
fix#2562 dynamic config
cwillum File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
@@ -0,0 +1,109 @@ | ||||||
--- | ||||||
layout: default | ||||||
title: Dynamic configuration in OpenSearch Dashboards | ||||||
parent: OpenSearch Dashboards multi-tenancy | ||||||
nav_order: 147 | ||||||
--- | ||||||
|
||||||
|
||||||
# Dynamic configuration in OpenSearch Dashboards | ||||||
|
||||||
Dynamic configuration of multi-tenancy in OpenSearch Dashboards provides options to make common settings for tenancy without having to make changes to the configuration YAML files on each node and then restart the cluster. You can take advantage of this functionality by using the Dashboards interface or the REST API. The following list includes description of the options currently covered by dynamic configuration: | ||||||
|
||||||
- **Disable or enable multi-tenancy** - Administrators can disable and enable multi-tenancy dynamically. Disabling multi-tenancy does not pose a risk for loss of data. If and when an administrator chooses to re-enable tenancy, all previously saved objects are preserved and made available. The default is `true`. | ||||||
cwillum marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
||||||
This setting does not have an impact on the global tenant, which always remains enabled. | ||||||
{: .note } | ||||||
|
||||||
- **Disable or enable private tenant** - This option allows administrators to disable and enable private tenants. As with the enable multi-tenancy setting, when private tenants are re-enabled all previously saved objects are preserved and made available. | ||||||
cwillum marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
- **Default tenant** - This option allows an administrator to choose either a global, private, or custom tenant as the default when users sign on. In the case where a user doesn't have access to the default tenant (for example, if a custom tenant unavailable to the user was specified as the default), the default transitions to the preferred tenant, which is specified by the `opensearch_security.multitenancy.tenants.preferred` setting in the `opensearch-dashboards.yml` file. See [Multi-tenancy configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/multi-tenancy-config/) for details about this setting. | ||||||
cwillum marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
||||||
Depending on the specific changes made to multi-tenancy using dynamic configuration, some users may be logged out of their Dashboards session once the changes are saved. For example, if an admin user disables multi-tenancy, users with either a private or custom tenant as their selected tenant will be logged out and will need to log back in. Similarly, if an admin user disables private tenants, users with the private tenant selected will be logged out and will need to log back in. | ||||||
cwillum marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
||||||
The global tenant, however, is a special case. Since this tenant is never disabled, users with global tenant selected as their active tenant will experience no interruption to their session. Furthermore, changing the default tenant has no impact on a user's session. | ||||||
cwillum marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
||||||
|
||||||
## Configuring multi-tenancy in OpenSearch Dashboards | ||||||
|
||||||
To make settings for multi-tenancy in Dashboards, follow these steps. | ||||||
cwillum marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
||||||
1. Begin by selecting **Security** in the Dashboards home page menu. Then select **Tenancy** from the Security menu on the left side of the screen. The **Multi-tenancy** page is displayed. | ||||||
1. By default, the **Manage** tab is displayed. Select the **Configure** tab to display the dynamic settings for multi-tenancy. | ||||||
* In the **Multi-tenancy** field, select the **Enable tenancy** check box to enable multi-tenancy. Clear the check box to disable the feature. The default is `true`. | ||||||
* In the **Tenants** field, you can enable or disable private tenants for users. By default the check box is selected and the feature is enabled. | ||||||
* In the **Default tenant** field, use the dropdown menu to select a default tenant. The menu includes Global, Private, and any other custom tenants that are available to users. | ||||||
1. After making your preferred changes, select **Save changes** in the lower right corner of the window. A popup window appears listing the configuration items you've changed and asks you to review your changes. | ||||||
cwillum marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
1. Select the checkboxes beside the items you want to confirm and then select **Apply changes**. The changes are implemented dynamically. | ||||||
cwillum marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
||||||
|
||||||
## Configuring multi-tenancy with the REST API | ||||||
|
||||||
In addition to the Dashboards interface, dynamic configurations can be made using the REST API. | ||||||
cwillum marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
||||||
### Get tenancy configuration | ||||||
|
||||||
Retrieves settings for the dynamic configuration. | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
cwillum marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
||||||
```json | ||||||
GET /_plugins/_security/api/tenancy/config | ||||||
``` | ||||||
{% include copy-curl.html %} | ||||||
|
||||||
#### Example response | ||||||
|
||||||
```json | ||||||
{ | ||||||
"mulitenancy_enabled": true, | ||||||
"private_tenant_enabled": true, | ||||||
"default_tenant": "global tenant" | ||||||
} | ||||||
``` | ||||||
|
||||||
### Update tenant configuration | ||||||
|
||||||
Updates settings for dynamic configuration. | ||||||
cwillum marked this conversation as resolved.
Show resolved
Hide resolved
cwillum marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
||||||
```json | ||||||
PUT /_plugins/_security/api/tenancy/config | ||||||
{ | ||||||
"default_tenant": "custom tenant 1", | ||||||
"private_tenant_enabled": false, | ||||||
"mulitenancy_enabled": true | ||||||
} | ||||||
``` | ||||||
{% include copy-curl.html %} | ||||||
|
||||||
### Example response | ||||||
|
||||||
```json | ||||||
{ | ||||||
"mulitenancy_enabled": true, | ||||||
"private_tenant_enabled": false, | ||||||
"default_tenant": "custom tenant 1" | ||||||
} | ||||||
``` | ||||||
|
||||||
### Dashboardsinfo API | ||||||
|
||||||
You can also use the Dashboardsinfo API to retrieve the status of multi-tenancy settings for the user logged in to Dashboards. | ||||||
cwillum marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
||||||
```json | ||||||
GET /_plugins/_security/dashboardsinfo | ||||||
``` | ||||||
{% include copy-curl.html %} | ||||||
|
||||||
### Example response | ||||||
|
||||||
```json | ||||||
{ | ||||||
"user_name" : "admin", | ||||||
"not_fail_on_forbidden_enabled" : false, | ||||||
"opensearch_dashboards_mt_enabled" : true, | ||||||
"opensearch_dashboards_index" : ".kibana", | ||||||
"opensearch_dashboards_server_user" : "kibanaserver", | ||||||
"multitenancy_enabled" : true, | ||||||
"private_tenant_enabled" : true, | ||||||
"default_tenant" : "Private" | ||||||
} | ||||||
``` | ||||||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -36,7 +36,7 @@ In this first experimental phase of development, there are some limitations that | |
|
||
* The feature can only be used in a new cluster. At this time, the feature is not suported by clusters already in use. | ||
* Also, the feature should be used only in a test environment, not in production. | ||
* Finally, once the feature has been enabled and used in a test cluster, the feature cannot be disabled for the cluster. Disabling the feature once it has been used to work with tenants and saved objects can result in the loss of saved objects and have an impact on tenant-to-tenant functionality. | ||
* Finally, once the feature has been enabled and used in a test cluster, the feature cannot be disabled for the cluster. Disabling the feature once it has been used to work with tenants and saved objects can result in the loss of saved objects and can have an impact on tenant-to-tenant functionality. This can occur when disabling the feature in any one of three ways: disabling the aggregate view feature with the [feature flag]({{site.url}}{{site.baseurl}}/security/multi-tenancy/mt-agg-view/#enabling-aggregate-view-for-saved-objects/); disabling multi-tenancy with the traditional [multi-tenancy configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/multi-tenancy-config/) setting; or disabling multi-tenancy with [dynamic configuration]({{site.url}}{{site.baseurl}}/security/multi-tenancy/dynamic-config/) settings. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is correct! Thanks for summarizing this up! @cwillum |
||
|
||
These limitations will be addressed in upcoming releases. | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we avoid making this into a feature by calling out the functionality? For example, "You can dynamically configure your multi-tenancy settings in OpenSearch Dashboards without making changes to the configuration YAML files on each note and then restarting the cluster."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see your point. But I don't want to lead out a new section with "You can...". How about ...
"Multi-tenancy includes dynamic configuration options in OpenSearch Dashboards so you can make common settings for tenancy without having to make changes to the configuration YAML files on each node and then restart the cluster."
I've revised the sentence like so.