Header securitytenant doesn't work in opensearch-dashboard

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.18.0

Describe the issue:

my default tenant is set to apploggingtenant.
I tested to use curl to change a setting in opensearch dashboard as below:

curl --silent -X POST ${OPENSEARCH_DASHBOARD_URL}/api/opensearch-dashboards/settings/theme:darkMode
-w “\n” -k -H “Content-Type: application/json;” -H “osd-xsrf: true”
-H “securitytenant: apploggingtenant”
-u admin:${AdminRuntimePassword}
-d ‘{“value”:true}’

no error, but the setting always goes to the Global tenant.

I checked, the securitytenant is already added into opensearch.requestHeadersAllowlist

also, I tried to config admin (all_access) user in opensearch dashboard, it doesn’t work.
Configuration:

Relevant Logs or Screenshots:

I made 2 changes, and it seems the issue is resolved:

  1. adding annotation to nginx ingress:
    nginx.ingress.kubernetes.io/configuration-snippet: |
    proxy_set_header securitytenant $http_securitytenant;

  2. change back kibanaserver user. (it seems the admin user doesn’t cover all priv of kibanaserver user)

1 Like

FYI What it special about kibanaserver is that its the default “internaluser”. i.e. the user defined here in the dynamic security config: security/config/config.yml at main · opensearch-project/security · GitHub

The creds for this user would also need to be set in opensearch_dashboards.yml in the opensearch.username and opensearch.password settings. This user can access dashboards endpoints.