Configuring Multi-tenancy

Hey y’all,
Thanks for the beautiful work called OpenDistro. I want to configure multi-tenancy, so my question is: Is there any documentation that I can follow to configure Multi-Tenancy on Opendistro?

Hi @ashim, unfortunately, we/I haven’t yet added documentation on multi-tenancy. It’s definitely on the to-do list. The easiest way to create new tenants is to use Kibana.

In Security, pick a role (or create a new one), give it whatever permissions you’d like, and then go to the Tenants tab. Here, you can specify the tenants associated with the role and whether users with this role should have read or write access to visualizations/dashboards. Then go to role mappings and map a user to that role.

When you log into Kibana as the user and click Tenants, you should see the new tenants you added. You can select your desired tenant, view dashboards, etc.

(If you look at the REST API, you can see that tenants are more like properties of roles than independent objects: https://opendistro.github.io/for-elasticsearch-docs/docs/security/api/#create-role)

Hey, @aetter, I am very new to this. If I have a field in the documents called “tenants” that has values regarding tenants, how can I configure users to only have access to the documents using that field?
Sorry for the inconvenience.

Regards,
Ashim

Hi @ashim, sure, you don’t need to worry so much about Kibana multitenancy for now, then. It sounds like you just want document-level security.

  1. Index your data. I often use a set of movies for testing. The JSON looks like this:

    {"directors":["Jon Turteltaub"],"release_date":"2000-06-25T00:00:00Z","rating":5.9,"genres":["Comedy","Family","Fantasy"],"image_url":"http://ia.media-imdb.com/images/M/MV5BMTIwMzk2NTE5NF5BMl5BanBnXkFtZTcwMTcyOTAwMQ@@._V1_SX400_.jpg","plot":"An unhappy and disliked image consultant gets a second shot at life when an eight year old version of himself mysteriously appears.","title":"The Kid","rank":4707,"running_time_secs":6240,"actors":["Bruce Willis","Spencer Breslin","Emily Mortimer"],"year":2000,"id":"tt0219854","type":"add"}
    
    {"directors":["Peter Hyams"],"release_date":"1988-06-10T00:00:00Z","rating":5.8,"genres":["Action","Crime","Mystery","Thriller"],"image_url":"http://ia.media-imdb.com/images/M/MV5BMTg4ODMyOTg2Ml5BMl5BanBnXkFtZTcwNTg4NzAzMQ@@._V1_SX400_.jpg","title":"The Presidio","rank":4708,"running_time_secs":5820,"actors":["Sean Connery","Mark Harmon","Meg Ryan"],"year":1988,"id":"tt0095897","type":"add"}
    
  2. Create a role that has READ permissions for * document type on your index.

  3. Go to the DLS/FLS tab, select your index, and write a query that includes/excludes the appropriate document. The query DSL is complex, but super flexible. In this case, I’m using a simple query to say that the genres field must include “comedy,” but in your case, you could say that the tenants field must include X, etc.

  4. Map a user to your new role, and run some test searches to make sure everything is behaving as you expect:

    curl -XGET https://localhost:9200/movies/_search?pretty -u someone:someone -k
    

In this case, every search result that I get back contains “comedy” in the genres field.
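The steps above, as an added example that is not part of the original thread: it builds the role body the Security REST API (`PUT _opendistro/_security/api/roles/<name>`, linked earlier in this thread) expects for a DLS restriction on a `tenants` field, and runs a local approximation of the filter over constructed sample documents so you can see which documents a mapped user would get back. The index name `movies`, the tenant values and the sample documents are assumptions.

```python
import json

# Constructed sample documents (not from the thread): movie-style records that
# also carry the "tenants" field described in the question.
SAMPLE_DOCS = [
    {"id": "tt0219854", "title": "The Kid", "genres": ["Comedy"], "tenants": ["acme"]},
    {"id": "tt0095897", "title": "The Presidio", "genres": ["Action"], "tenants": ["globex"]},
    {"id": "tt0000001", "title": "Shared Film", "genres": ["Comedy"], "tenants": ["acme", "globex"]},
    {"id": "tt0000002", "title": "No Tenant", "genres": ["Drama"]},  # no tenants field at all
]


def build_dls_role(index_pattern: str, field: str, value: str) -> dict:
    """Role body restricting reads on index_pattern to docs whose field matches value.

    Pitfall: the Security API takes "dls" as a JSON *string*, not a nested object,
    so the query is serialised with json.dumps before being embedded.
    A plain "match" is enough here; no bool/must wrapper is required.
    """
    dls_query = {"match": {field: value}}
    return {
        "cluster_permissions": [],
        "index_permissions": [{
            "index_patterns": [index_pattern],
            "dls": json.dumps(dls_query),
            "fls": [],
            "masked_fields": [],
            "allowed_actions": ["read"],
        }],
        "tenant_permissions": [],
    }


def dls_match_filter(role: dict, docs: list) -> list:
    """Local approximation of the plugin applying the role's DLS match query:
    a doc is visible when the field contains the value (case-insensitive, any
    list element counts); a doc without the field is hidden. Real matching
    depends on the field's mapping/analyzer."""
    dls = json.loads(role["index_permissions"][0]["dls"])
    (field, value), = dls["match"].items()
    visible = []
    for doc in docs:
        present = doc.get(field, [])
        present = [present] if isinstance(present, str) else present
        if any(v.lower() == value.lower() for v in present):
            visible.append(doc)
    return visible


def visible_ids(tenant: str) -> list:
    """IDs a user mapped to the DLS role for `tenant` would see in the sample index."""
    role = build_dls_role("movies", "tenants", tenant)
    return [d["id"] for d in dls_match_filter(role, SAMPLE_DOCS)]
```

Apply the body with `curl -XPUT` against `_opendistro/_security/api/roles/<name>` using admin credentials, then map a test user to the role and repeat the `_search` check from step 4.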

Hey @aetter,

Thanks for the reply, but I had figured it out already; sorry for not replying to point that out. And the DLS works with “match” and field only as of now, no need for bool and must. Thanks anyways.

Regards,
Ashim