Hi all,
i’ve a question about opensearch-security plugin: does it allow multitenancy with multiple instances of opensearch-dashboard (or kibana if still using kibana_oss+odfe) ?
I did some tests but it seems multitenancy does not work if the server.index setting is specified, which I guess is related to having to specif the index name also in the security config.yml config file.
I was expecting in having indexes like .kibana_N1_xxxxxxxxxx and .kibana_N2_xxxxxxxxxxx (where xxxxx is the multitenant hash+username generated string) but is keeps using .kibana_N1 and .kibana_N2.
I’ve also notificed using a custom index for kibana is going to be deprecated in v8.0 so it seems this config is not allowed (anymore?) also the ES world.
Is there any way to have multiple instances of opensearch dashboard with multitenancy in the same opensearch cluster ?
I’m going to move this to the security category for an answer to the specific question about multiple instances of Dashboards.
Before I do I want to chime in on ES 8.0 deprecation of custom indexes - as a reminder OpenSearch maintains it’s own roadmap so what is going on over in ES shouldn’t really influence OpenSearch. So, if as a community, OpenSearch wants to do that then it’s possible, but their deprecation wouldn’t directly lead to ours.
Before I do I want to chime in on ES 8.0 deprecation of custom indexes - as a reminder OpenSearch maintains it’s own roadmap so what is going on over in ES shouldn’t really influence OpenSearch
yeah, I know. it was only to point out it could be a never-ever-supported configuration even in the ES world as they are cutting it out.
Btw, it would be really COOL to have such feature in opensearch-dashboard.
If you’ve got a compelling set of reasons that it would be cool, I think you should write it up as a feature request!
@tvc_apisani there is no way that I can think of to implement multitenacy using different kibana/opensearch-dashboard instances, as you pointed out the index name is set via config.yml and there can only be one security index with this setting uploaded, therefore multiple indices names, like you mentioned, will not work.
Out of interest what would be your use case for using multiple tenants on multiple instances?
@Anthony thank you for your reply.
As for my use case, I was trying to have two kibana instances, K1 and K2, both in the same cluster, with indexes like .kibana-K1-* and .kibana-K2-*.
IMHO it would have sense to have the security plugin honoring the server.index setting so having server.index=“.kibana-K1” would result in having indexes like .kibana-K1-hash-tenant and .kibana-K1-hash-user; this would allow having multiple instantes of kibana, with multitenancy enabled, with all the indexes stored all in the same cluster.
Currently this is not possible as the security plugin requires the index name to be the same specified in server.index (defaulting to .kibana if not specified); this had always been a poorly solution even in the ES world and as such they are deprecating server.index for ES 8.
It still think opensearch could offer an advantage to users supporting multiple dashboard instances with multitenancy in the same cluster without having to rely on more complex solutions like using CCS or multiple clusters. I’d like to have openseach cummunity feedback on it before opening a feature request as perhaps it could be a feature which is only needed on my side.
So, any thought on this ? Should I open a feature request or do ou think it would be pointless ?
@tvc_apisani you can submit feature request, it will then be considered, will depend on many factors of course.