Resolved - Error configuring opensearch-dashboards in opensearch-security configuration

When attempting to configure opensearch-dashboards for multi-tenancy, I get a failure when running the security plugin script.

My configuration:

config:
  dynamic:
    opensearch-dashboards:
      multitenancy_enabled: true

And when I run this:

./plugins/opensearch-security/tools/securityadmin.sh -cd config/opensearch-security/ -icl -nhnv -cacert config/root-ca.pem -cert config/admin.pem -key config/admin-key.pem -h 10.0.0.99 -p 9200

I get this error:

OpenSearch Version: 2.2.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: mountaintop
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Legacy index '.opendistro_security' (ES 6) detected (or forced). You should migrate the configuration!
Populate config from /etc/opensearch/config/opensearch-security
ERR: Seems config/opensearch-security/config.yml is not in legacy format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "opensearch-dashboards" (class org.opensearch.security.securityconf.impl.v7.ConfigV7$Dynamic), not marked as ignorable (15 known properties: "license", "disable_intertransport_auth", "http", "kibana", "authz", "auth_failure_listeners", "transport_userrname_attribute", "filtered_alias_mode", "authc", "disable_rest_auth", "respect_request_indices_options", "multi_rolespan_enabled", "do_not_fail_on_forbidden", "hosts_resolver_mode", "do_not_fail_on_forbidden_empty"])

The doc I’m attempting to follow is this:

Am I doing something terribly wrong?

@bob.lloyd You don’t need to enable multitenancy in config.yml as it’s enabled by default.

The documentation is incorrect here. The correct config is as below.

config:
  dynamic:
    kibana:
      multitenancy_enabled: true

Also, the default username and password in opensearch_dashbords.yml are incorrect.

opensearch.username: dashboardserver
opensearch.password: dashboardserver

It must be as below.

opensearch.username: kibanaserver
opensearch.password: kibanaserver

Hi @pablo , thanks for the quick reply!

kibana is the right configuration here, even when using opensearch-dashboards?

I updated to use the kibana setting, but still get this error when trying to switch tenants in opensearch-dashboards:

Select your tenant
Tenants are useful for safely sharing your work with other OpenSearch Dashboards users. You can switch your tenant anytime by clicking the user avatar on top right.
Contact the administrator to enable multi tenancy.

Maybe there’s another configuration I’m missing to set as the administrator?

@bob.lloyd The kibana is the leftover after OpenDistro.

I suspect that it will change in the future to opensearch-dashboards

Regarding multitenancy, it is controlled by two security plugins (OpenSearch and OpenSearch Dashboards).
You must enable multitenancy in OpenSearch Dashboards.

i.e.

opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.multitenancy.enable_filter: false

Ah, that did it! Thank you so much @pablo !

Setting the correct values in opensearch-dashboards as you stated above enabled that dialog.