Tenants - Private and Global


We’ve experimented a bit with the multitenancy feature of opendistro and we like it so far.
However, i cannot find anywhere what the “private” and “global” tenants are?

Also, is it possible to restrict a user to only one tenant, therefore not even showing the user other tenants such as Private and Global? Therefore “auto” signing into the one tenant that the user has access to?

Hello Victor !
About the user to restrict him to one tenant you can do it by just giving him rights on the tenant.
In the “Roles” Tab :

And in “Tenants” Tab, add your custom tenant name, with rights Read&Write if you want the user to be able to save Visualizations, Search, Dashboards. Read&Only for just reading rights.

Don’t forget to create the appropriate “Role mappings”, map the role to the user.

About disabling the Private and Global tenants, I only know how to disable it globally.
In /etc/kibana.yml, you have to add these lines :

opendistro_security.multitenancy.tenants.enable_private: false
opendistro_security.multitenancy.tenants.enable_global: false

Global is a tenant that is shared by all users.
Private is private to each users.

Hope I helped and answered your questions.


1 Like

That is great news, thank you for the quick reply.

Do you know if there is a way to restrict kibana in a way so that the regular users only see the Discover tab and the admins see everything else? Like Management etc?

First you can try the “Read Only” role for the Tenant in the Tenant tab.

This will remove the Management tab for the user and remove the rights to create visualizations.

You can also remove globally the “DevTools” and “Timelion”.
In /etc/kibana.yml, add these lines :

timelion.enabled: false
console.enabled: false

Kibana will take more times to restart.

You can also check the kibana_read_only role (I didn’t try it)

I don’t know if it’s possible to restrict an user to “Discover” only.


1 Like

Hello Everyone,

Can some one answer for below questions:

I have created two roles with name RoleA, RoleB…(Elastic search version - 7.1)

Question 1: I want to map Global tenant for RoleA only , will that be possible?

Question 2: Is it possible to disable Global tenant for all roles via rest api call with using dev tools, if yes please share the sample request body to do this task.

your help highly appreciated …!

Hi @ksware. Global tenant is not explicitly mapped to users, all users get it. Currently the setting to disable the global tenant opensearch_security.multitenancy.tenants.enable_global is not exposed via REST APIs, unfortunately.

Hope this helps!

1 Like