Multitenancy - Removing non-admin users access to Global Tenant

vmm-afonso · February 19, 2024, 3:28pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch/Opensearch-Dashboards v2.11.1

Describe the issue:
Trying to figure out a way to remove non-admin users access to Global Tenant here. I only found a way to remove Global tenant access from every user (admin included) through the config “opensearch_security.multitenancy.tenants.enable_global: false” on opensearch_dashboards.yml file.

Or if not possible, I suppose a way to give read-only access to Global tenant? Not optimal but I can live with that for now

Configuration:

Relevant Logs or Screenshots:

hm21 · February 19, 2024, 5:41pm

When no permissions are granted to users, they shouldn’t be able to read anything in the global tenant. The may be able to select and enter it when asked but not have access anything.

E.g.: the following role in tf would grant access to the global_tenant

resource "opensearch_role" "writer" {
  role_name   = "logs_writer"
  description = "Logs writer role"

  cluster_permissions = ["*"]

  index_permissions {
    index_patterns  = ["logstash-*"]
    allowed_actions = ["write"]
  }

  tenant_permissions {
    tenant_patterns = ["global_tenant"]
    allowed_actions = ["write"]
  }
}

Topic		Replies	Views
Private and global tenants OpenSearch	2	246	February 24, 2023
How to provide Tenants access OpenSearch	1	201	February 24, 2023
Issue with Multi-Tenancy and Tenant-specific Dashboard saving in Opensearch Dashboards Security	3	127	February 29, 2024
Global tenant and private tenant OpenSearch	1	70	March 1, 2024
Question: Multiple users with differrent views OpenSearch discuss , configure , install	6	170	January 4, 2024

Multitenancy - Removing non-admin users access to Global Tenant

Related Topics