Alerting backend roles not working even after enabling the backend roles

Opensearch-2.13 /Opensearch-2.15

Describe the issue: We are trying to create alert monitors in different tenants; however, all the monitors are visible in both tenants, and app teams are complaining about the RBAC in the alerting plugin.

Even after enabling the backend roles, RBAC with the alerting plugin is not working. Below are the settings that are enabled in the cluster.
settings_in_cluster:

{
  "persistent": {
    "cluster": {
      "routing": {
        "allocation": {
          "cluster_concurrent_rebalance": "50",
          "node_concurrent_recoveries": "50",
          "enable": "all",
          "total_shards_per_node": "5000"
        }
      },
      "max_shards_per_node": "5000"
    },
    "indices": {
      "breaker": {
        "fielddata": {
          "limit": "60%"
        }
      },
      "recovery": {
        "max_bytes_per_sec": "1024mb",
        "max_concurrent_file_chunks": "5",
        "max_concurrent_operations": "4"
      }
    },
    "opensearch": {
      "notifications": {
        "general": {
          "filter_by_backend_roles": "true"
        }
      }
    },
    "plugins": {
      "index_state_management": {
        "metadata_migration": {
          "status": "1"
        },
        "template_migration": {
          "control": "-1"
        }
      },
      "alerting": {
        "filter_by_backend_roles": "true"
      }
    }
  },
  "transient": {
    "cluster": {
      "routing": {
        "allocation": {
          "disk": {
            "watermark": {
              "low": "95%",
              "flood_stage": "95%",
              "high": "95%"
            }
          },
          "enable": "all",
          "total_shards_per_node": "5000"
        }
      },
      "info": {
        "update": {
          "interval": "1m"
        }
      },
      "max_shards_per_node": "5000"
    },
    "plugins": {
      "anomaly_detection": {
        "filter_by_backend_roles": "true"
      },
      "alerting": {
        "filter_by_backend_roles": "true"
      }
    }
  }
}

Roles & users:
Below is the configuration I have used for the tenants, roles and internal users.
For the internal users, we have provided the pre-defined role alerting_full_access.

Relevant Logs or Screenshots:


When I start to create the monitors, they appear in both tenants regardless of which tenant space they are created in.
I need help debugging the issue so that monitors are created for individual tenants and no app team can view the other app teams' monitors.
This self-service has been a blocker on our side for providing access to app teams.

Hi @sreekanth3

We are also in need of this feature. Please let us know if you find any solution for this issue. We have also enabled the backend roles and created monitors in two different tenants, but no matter what, the monitors are visible in both tenants, irrespective of the tenant where they were created.

Thanks & Regards
Navya Goli

Hi @navyagoli,

Could you please share the response to the following request in DevTools?

GET _plugins/_security/api/roles/<your-alert-role>

Also, please share the list of roles that your admin user has:

GET _plugins/_security/api/internalusers/<username>

Thank you!

Hi @Eugene7,

These are the results for the queries you asked for:

GET _plugins/_security/api/roles/tenant1-role

{
  "tenant1-role": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "cluster_monitor",
      "cluster:admin/opendistro/alerting/*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices_monitor",
          "indices:admin/aliases/get",
          "indices:admin/mappings/get",
          "indices_all"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "tenant1"
        ],
        "allowed_actions": [
          "kibana_all_write"
        ]
      }
    ],
    "static": false
  }
}

GET _plugins/_security/api/internalusers/tenant1-user

{
  "tenant1-user": {
    "hash": "",
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "alerting_full_access"
    ],
    "attributes": {},
    "opendistro_security_roles": [],
    "static": false
  }
}

The same set of permissions and roles is given to the tenant2 user as well.

Thanks
Navya Goli

@navyagoli @sreekanth3 According to this GitHub feature request this is a missing and still not implemented feature.

This is a bug reported a week ago.

Unfortunately, current Alerting is not a tenant-aware plugin.

Thank you @pablo for the information. Appreciate it.

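Added example, not part of the thread and not the plugin's own code: with `plugins.alerting.filter_by_backend_roles` enabled, Alerting scopes visibility by the backend roles a viewer shares with a monitor's creator, not by tenant, so this Python check reads internal-users output and lists which accounts overlap. The user data is constructed; `tenant1-user` mirrors the output posted above, while the names `tenant2-user`, `tenant3-user`, `svc-nobr` and `team-c` are hypothetical.

```python
import json
from itertools import combinations

# Constructed sample in the shape returned by
# GET _plugins/_security/api/internalusers. tenant1-user mirrors the thread;
# tenant2-user, tenant3-user, svc-nobr and team-c are hypothetical.
INTERNAL_USERS = json.loads("""
{
  "tenant1-user": {"backend_roles": ["alerting_full_access"]},
  "tenant2-user": {"backend_roles": ["alerting_full_access"]},
  "tenant3-user": {"backend_roles": ["team-c"]},
  "svc-nobr":     {"backend_roles": []}
}
""")


def shared_backend_roles(users):
    """Return {(user_a, user_b): [common backend roles]} for overlapping pairs.

    With plugins.alerting.filter_by_backend_roles enabled, a non-admin user
    sees monitors created by users who share at least one backend role, so
    every pair returned here can see each other's monitors.
    """
    overlaps = {}
    for a, b in combinations(sorted(users), 2):
        common = set(users[a].get("backend_roles") or []) & set(
            users[b].get("backend_roles") or [])
        if common:
            overlaps[(a, b)] = sorted(common)
    return overlaps


def users_without_backend_roles(users):
    """Accounts the filter has nothing to match on; listed for review."""
    return sorted(u for u, cfg in users.items() if not cfg.get("backend_roles"))


if __name__ == "__main__":
    for (a, b), roles in shared_backend_roles(INTERNAL_USERS).items():
        print(f"{a} and {b} share {roles}: monitors visible to both")
    for user in users_without_backend_roles(INTERNAL_USERS):
        print(f"{user} has no backend roles")
```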