[FEATURE] Support Multiple Data Source in Security Dashboards Plugin #1782
Comments
Thanks for creating this issue, @BionIT. It is thin on details or specific acceptance criteria, so we won't be able to mark as triaged and action on it until we do. Could you please provide more specifics as to what "support multiple datasources" means, and perhaps link to other RFCs, designs, issues etc that would provide more context on the requirements? Unfortunately the META issue linked above is also lacking substantial details or context. |
Thanks @davidlago for taking a look at this issue! Pulling in @zengyan-amazon @seraphjiang for detailed requirements. |
@davidlago do you have any specific questions? |
@zengyan-amazon quite the opposite, there are so few details in this ticket that I don't have enough to even ask questions :) This issue is not currently actionable. I'm removing the untriaged label, as I'm looking at it, but I'm not adding the triaged label (pre-requisite for an issue to be worked on) until we have the details. |
@BionIT @zengyan-amazon We are looking for actionable details on this issue. It will be marked as closed if there is no clear actionable items listed. |
@kgcreative to help requirement and experience. |
@zengyan-amazon currently to get it set up on my local I set this flag: Can you help clarify - what is expected for this issue? What situations/assumptions can be made from the security plugin side? |
@zengyan-amazon For the login flow, which data-source would be the backend to send a login request to? Is it the last selected data-source, or is there a notion of a primary data-source for that purpose? I bring this up because there is a feature in the security-dashboards-plugin backlog to configure sign-in options through a page in OSD. For consistency's sake, I think it makes sense to send the initial login request to a "primary" data-source and not have the request go to the last selected data-source. I suppose a toggle for data-source can be on the login screen, but instead of an auto-redirect in the case where SAML or OpenID are configured as the only sign-in option, the user would instead land on the login screen for OSD with a single option to click a button to "Log in with Single Sign On".
If a user logs in with credentials that work with the cluster that the login request goes to, but then toggles data sources and does not have valid creds for the toggled cluster, would the correct behavior be to auto-logout the user (as it does today for session expiry) or should the logged-in user have the option to toggle back to the cluster where they were successfully authenticated?
In order for the security-dashboards-plugin to be as generic as possible, the current TLS configuration will need to be extended to allow TLS configuration per data-source, or, if they share a common TLS configuration, then when multiple data sources are enabled there should be a way to configure a common TLS configuration for OSD across all data sources. Single sign-on like SAML, OpenID and LDAP will certainly work better for the multiple data sources use case than relying on the internal users across all data sources being synchronized. In the security configuration for basic auth there is a concept of Minor question: |
The data source management page lets users choose how to authenticate with the data source that is being created; it is not related to the local cluster authentication. For now we only support basic auth and IAM user credentials. Supporting other auth methods is part of the data source feature work, not related to the security plugin work here.
We only need the cluster security management features in the dashboards security plugin to support multi-data source, so that an admin can use it to manage roles and permissions in the data source (remote cluster). If the data source has tenants enabled, it should be able to manage tenants as well. @cwperks the login flow will remain the same and it is not impacted by the multi-data source integration. OSD will still be associated with a default (local) OpenSearch cluster, and allows the user to log in based on the existing configuration in the yml file the same way as it does today; we only want to offer the user (admin) the capability to manage roles and permissions in other data sources in the dashboards security plugin for multi-data source support. Hope this answers your question. |
@zengyan-amazon On the documentation website, it shows that when adding a new data source you configure it with a username and password. Can you show me where I can find how that password is stored and used when making a request against the data source? Does that mean that adding a data source requires a cluster to be configured with basic auth? Which user is used to make calls to the toggled clusters? Is it the currently logged-in user or the user that a data source is configured with? Who is allowed to toggle between data sources? |
Thanks for the details @zengyan-amazon @kgcreative! I will use this as a meta issue and create sub-issues for each page/section which will need this support. Can you folks share how to set up a cluster with AWS SigV4 creds? I couldn't find a README with these instructions. |
Hi @cwperks, thanks for your question. The credentials are encrypted and stored in the OpenSearch cluster in the system index.
The credential provided by the dashboard user should have permissions to call the remote cluster, and it is up to the dashboard user what permission is granted. If the security plugin is enabled for the cluster, the credentials should match a mapped user within the security plugin with certain permissions defined by the user. Hope this helps, and @zengyan-amazon can help add more details if I missed anything. |
Hi @derek-ho, you can follow the official documentation to create an IAM user; when creating the cluster, just make that user the master user, which is the easiest. |
@BionIT Thank you for the response. I am able to set up multiple data-sources locally with 2 clusters that have the security plugin installed. I did encounter an issue though. For the primary cluster, I have https enabled and OSD connects to it fine (as expected). When I try to connect to cluster2, I had to disable https to get it to connect. When connecting with https, I checked the networking tab of dev tools and saw a cert validation failure.
Is it possible to set up other data sources with https? |
So the username and password provided when testing the connection are persisted? Are those credentials used for anything other than testing the connection? |
@cwperks could you share the setup for the 2 clusters? Playground provides some examples of the data sources which were set up: https://playground.opensearch.org/app/management/opensearch-dashboards/dataSources. We can look at it together if needed. |
Yes, credentials are encrypted and saved in the system index; they are used when querying remote data sources, and this documentation provides some details about how it is done using the client provided by the data source plugin: https://github.com/opensearch-project/OpenSearch-Dashboards/blob/main/docs/multi-datasource/client_management_design.md |
@BionIT Please see the attached zip which has a docker-compose configuration. cd into the folder and run Cluster 2 is listening on port 9201. Both have HTTPS enabled. In OSD I try to configure cluster2 as another data source with the following values: Endpoint: When I click If I set |
[Triage] @kgcreative @BionIT can you provide some more explicit assumptions and details surrounding testing scenarios (more specifically this: #1782 (comment)) and non-happy paths that we need to design for? We cannot mark this as triaged until we have some more details about what is fully expected to consider this issue as completed. |
Is your feature request related to a problem?
Since 2.4.0, the multiple data source feature is enabled as a core plugin (see RFC opensearch-project/OpenSearch-Dashboards#1388 and PR opensearch-project/OpenSearch-Dashboards#2334).
With multiple data source enabled, users of OpenSearch Dashboards are able to create data source connections and query local and remote OpenSearch clusters (see documentation https://opensearch.org/docs/latest/dashboards/management/data-sources/). Enabling multiple data source in the dashboards plugin would ensure that users who have been using the multiple data source feature have a consistent experience in the dashboard, and allows users to use the same dashboard for different clusters.
What solution would you like?
Support multiple data source in the Security dashboards plugin and allow users to use one dashboard for different backend clusters.
What alternatives have you considered?
A clear and concise description of any alternative solutions or features you've considered.
Do you have any additional context?
Add any other context or screenshots about the feature request here.