From 6fbdf711092581729977118c0c43a0061441d2f1 Mon Sep 17 00:00:00 2001 From: Hailong Cui Date: Tue, 12 Mar 2024 15:05:05 +0800 Subject: [PATCH 1/6] Add workspace and multi tenancy check Signed-off-by: Hailong Cui --- opensearch_dashboards.json | 3 ++- server/plugin.ts | 13 +++++++++++-- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/opensearch_dashboards.json b/opensearch_dashboards.json index 994096906..af9f06ade 100644 --- a/opensearch_dashboards.json +++ b/opensearch_dashboards.json @@ -10,7 +10,8 @@ "savedObjectsManagement" ], "optionalPlugins": [ - "managementOverview" + "managementOverview", + "workspace" ], "server": true, "ui": true diff --git a/server/plugin.ts b/server/plugin.ts index 5f5f50913..ebc078126 100644 --- a/server/plugin.ts +++ b/server/plugin.ts @@ -46,6 +46,7 @@ import { createMigrationOpenSearchClient } from '../../../src/core/server/saved_ import { SecuritySavedObjectsClientWrapper } from './saved_objects/saved_objects_wrapper'; import { addTenantParameterToResolvedShortLink } from './multitenancy/tenant_resolver'; import { ReadonlyService } from './readonly/readonly_service'; +import { WorkspacePluginSetup } from '../../../src/plugins/workspace/server'; export interface SecurityPluginRequestContext { logger: Logger; @@ -68,7 +69,11 @@ declare module 'opensearch-dashboards/server' { } } -export class SecurityPlugin implements Plugin { +interface SecurityPluginSetupDeps { + workspace: WorkspacePluginSetup; +} + +export class SecurityPlugin implements Plugin { private readonly logger: Logger; // FIXME: keep an reference of admin client so that it can be used in start(), better to figureout a // decent way to get adminClient in start. (maybe using getStartServices() from setup?) @@ -83,7 +88,7 @@ export class SecurityPlugin implements Plugin(); @@ -138,6 +143,10 @@ export class SecurityPlugin implements Plugin Date: Tue, 12 Mar 2024 15:28:44 +0800 Subject: [PATCH 2/6] fix lint 
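Review bot: `SecurityPluginSetupDeps` declares `workspace` as a required dependency, but this same commit lists it under `optionalPlugins` in opensearch_dashboards.json, so it will be undefined whenever the workspace plugin is not installed. Declaring it as `workspace?: WorkspacePluginSetup;` lets the compiler enforce the presence check that `setup()` depends on for the conflict guard. The import appears to be used only as a type, so `import type { WorkspacePluginSetup } from '../../../src/plugins/workspace/server';` would make it explicit that no runtime load of an optional plugin is intended.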
Signed-off-by: Hailong Cui --- server/plugin.ts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/server/plugin.ts b/server/plugin.ts index ebc078126..2507f329b 100644 --- a/server/plugin.ts +++ b/server/plugin.ts @@ -144,7 +144,9 @@ export class SecurityPlugin implements Plugin Date: Tue, 12 Mar 2024 17:00:33 +0800 Subject: [PATCH 3/6] update wording Signed-off-by: Hailong Cui --- server/plugin.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/plugin.ts b/server/plugin.ts index 2507f329b..e36881feb 100644 --- a/server/plugin.ts +++ b/server/plugin.ts @@ -145,7 +145,7 @@ export class SecurityPlugin implements Plugin Date: Tue, 12 Mar 2024 17:58:44 +0800 Subject: [PATCH 4/6] fix lint Signed-off-by: Hailong Cui --- server/plugin.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/server/plugin.ts b/server/plugin.ts index e36881feb..dd7c56d91 100644 --- a/server/plugin.ts +++ b/server/plugin.ts @@ -73,7 +73,8 @@ interface SecurityPluginSetupDeps { workspace: WorkspacePluginSetup; } -export class SecurityPlugin implements Plugin { +export class SecurityPlugin + implements Plugin { private readonly logger: Logger; // FIXME: keep an reference of admin client so that it can be used in start(), better to figureout a // decent way to get adminClient in start. (maybe using getStartServices() from setup?) From dfa03fdee88e8129247add653927ab83cc7c5a5b Mon Sep 17 00:00:00 2001 From: Hailong Cui Date: Mon, 25 Mar 2024 15:48:17 +0800 Subject: [PATCH 5/6] check dynamic tenancy config Signed-off-by: Hailong Cui --- .../panels/tenant-list/configure_tab1.tsx | 9 +++++++++ server/plugin.ts | 18 ++++++++++++------ 2 files changed, 21 insertions(+), 6 deletions(-) diff --git a/public/apps/configuration/panels/tenant-list/configure_tab1.tsx b/public/apps/configuration/panels/tenant-list/configure_tab1.tsx index dd8686664..2454e079d 100644 --- a/public/apps/configuration/panels/tenant-list/configure_tab1.tsx 
+++ b/public/apps/configuration/panels/tenant-list/configure_tab1.tsx @@ -98,6 +98,14 @@ export function ConfigureTab1(props: AppDependencies) { handleSave={async (updatedConfiguration1: TenancyConfigSettings) => { try { console.log('Calling API'); + if ( + updatedConfiguration1.multitenancy_enabled && + props.coreStart.application.capabilities.workspaces.enabled + ) { + throw new Error( + 'Multi-tenancy is not allowed to enable as workspace is enabled, you can disable workspace and retry.' + ); + } await updateTenancyConfiguration(props.coreStart.http, updatedConfiguration1); setSaveChangesModal(null); setChangeInMultiTenancyOption(0); @@ -349,6 +357,7 @@ export function ConfigureTab1(props: AppDependencies) { label={'Enabled'} checked={updatedConfiguration.multitenancy_enabled} onChange={() => onSwitchChangeTenancyEnabled()} + disabled={props.coreStart.application.capabilities.workspaces.enabled} /> diff --git a/server/plugin.ts b/server/plugin.ts index dd7c56d91..1ed80139b 100644 --- a/server/plugin.ts +++ b/server/plugin.ts @@ -142,14 +142,20 @@ export class SecurityPlugin defineRoutes(router); defineAuthTypeRoutes(router, config); + // multitenancyinfo is application level + const dashboardsInfo = await esClient.callAsInternalUser( + 'opensearch_security.multitenancyinfo' + ); + + if (workspace && config.multitenancy?.enabled && dashboardsInfo.multitenancy_enabled) { + this.logger.error( + 'Both workspace and multi-tenancy features are enabled, only one of them can be enabled at the same time.' + ); + process.exit(1); + } + // set up multi-tenant routes if (config.multitenancy?.enabled) { - if (workspace) { - this.logger.error( - 'Both workspace and multi-tenancy features are enabled, only one of them can be enabled at the same time.' - ); - process.exit(1); - } setupMultitenantRoutes(router, securitySessionStorageFactory, this.securityClient); } From 9e484d943cbdc0c57b050aa7a9280212dcf3b8e3 Mon Sep 17 00:00:00 2001 
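Review bot: The workspace/multi-tenancy conflict is rejected only in the browser, inside `handleSave` before `updateTenancyConfiguration(props.coreStart.http, updatedConfiguration1)` is called, so a request sent directly to the tenancy-config endpoint is not covered by it. The only server-side check visible in this series runs once in `setup()`, so unless the route handler (not shown here) repeats the condition, multi-tenancy can still be turned on at runtime while workspace is enabled. The rule should be enforced in the server route, with this UI check kept as a convenience for the user. Separately, `capabilities.workspaces.enabled` is dereferenced without a guard here and in the `disabled=` prop of the second hunk; if the `workspaces` capability can be absent when the optional plugin is missing, `capabilities.workspaces?.enabled` avoids a TypeError.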
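Review bot: The `opensearch_security.multitenancyinfo` call in server/plugin.ts now runs unconditionally in `setup()`, so a backend that is unreachable or rejects the request at startup makes plugin setup fail even for deployments without the workspace plugin. Testing the local conditions first limits that failure mode to the case that needs the answer, e.g. `if (workspace && config.multitenancy?.enabled) { const dashboardsInfo = await esClient.callAsInternalUser('opensearch_security.multitenancyinfo'); ... }`. The check is also a startup snapshot: `multitenancy_enabled` is a dynamic setting, so the two features can end up enabled together later without this code noticing. `setup()` begins and ends outside the hunk.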
From: Hailong Cui Date: Tue, 26 Mar 2024 13:39:27 +0800 Subject: [PATCH 6/6] throw CriticalError instead of procees.exit Signed-off-by: Hailong Cui --- server/plugin.ts | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/server/plugin.ts b/server/plugin.ts index 1ed80139b..e48f96802 100644 --- a/server/plugin.ts +++ b/server/plugin.ts @@ -15,6 +15,7 @@ import { first } from 'rxjs/operators'; import { Observable } from 'rxjs'; +import { CriticalError } from '../../../src/core/server/errors'; import { PluginInitializerContext, CoreSetup, @@ -148,10 +149,10 @@ export class SecurityPlugin ); if (workspace && config.multitenancy?.enabled && dashboardsInfo.multitenancy_enabled) { - this.logger.error( - 'Both workspace and multi-tenancy features are enabled, only one of them can be enabled at the same time.' - ); - process.exit(1); + const message = + 'Both workspace and multi-tenancy features are enabled, only one of them can be enabled at the same time.'; + this.logger.error(message); + throw new CriticalError(message, 'InvalidConfig', 64); } // set up multi-tenant routes
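Review bot: The literal `64` passed to `new CriticalError(message, 'InvalidConfig', 64)` is undocumented; it is presumably the process exit code, and a comment such as `// 64: exit code reported for an invalid configuration` or a named constant would say why this value was chosen. The message is also written with `this.logger.error(message)` and then carried by the thrown error, so it will likely appear twice in the startup log if the caller reports the error as well. `setup()` continues outside the hunk.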