Dynamically Enable/Disable multi-tenancy, private tenant and set Defa…

[abhivka7]

…ult Tenant

Description

• Category : Enhancement
• Why these changes are required?
  These changes are required to dynamically enable/disable multi-tenancy, private tenant and set a default tenant.
• What is the old behavior before changes and new behavior after changes?
  Earlier users had to change YAMl files in each node and restart node to enable/disable multi-tenancy and private tenant. With our changes, users will be able to change these settings dynamically. We will also give admins the option to set a default tenant for all users for first time log in.
  More details can be found here:
  [RFC] Dynamically Configurable Tenancy Feature  OpenSearch#5853
  [FEATURE] Enable/Disable Multi-Tenancy, Private Tenant and set Default Tenant in OS Dashboards. security-dashboards-plugin#1302

Issues Resolved

opensearch-project/security-dashboards-plugin#1302

Is this a backport? If so, please add backport PR # and/or commits #
Nope

Testing

We have done manual testing for all changes on our local server. We have also written some unit tests for our api changes. We will write more unit tests and integration tests based on reviewer feedbacks soon.

Check List

• [ ✅ ] New functionality includes testing
• [] New functionality has been documented. : Will document in further commits.
• [ ✅ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[stephen-crawford]

Looks good, just a couple comments and general questions. I left a note for cleaning the style stuff. Thank you for you contribution.

[stephen-crawford]

You can use ./gradlew spotlessApply to automatically correct style

[abhivka7]

Thanks for the sugestion @scrawfor99 . I used ./gradlew spotlessApply as per your suggestion. It corrected style for some files but not tenancy_config.yml. Do you need any specific change in this file that you want me to do manually?

[stephen-crawford]

Should this be moved to a config constants file?

[abhivka7]

Sure will do in next commit. Thanks for the suggestion.

[cliu123]

With this, would populateEmptyIfFileMissing always be true? When would it be false?

[abhivka7]

It was already always true. We just moved the line of declaring this variable. From next commit onwards, we can change this from config constants file.

[stephen-crawford]

If you want to do anything special for responses you will need to add onResponse logic here.

[abhivka7]

@scrawfor99 We do not want to do anything special with our responses. I don't think we need that logic here.

[expani]

nit: Camel Case

[abhivka7]

Thanks @anijain-Amazon for finding this miss. Will update in next commit.

[cliu123]

With this change, would config.dynamic.kibana.multitenancy_enabled be ignored? Would this work in mixed clusters? Based on my understanding, security index is node-scoped. If there're 2 settings(the old and the new), could there be 2 different values(false and true) of multitenancy_enabled setting in a mixed cluster?

[abhivka7]

@cliu123 going forward we will only use config.dynamic.kibana.multitenancy_enabled and this will get priority over config.dynamic.kibana.multitenancy_enabled.

If there're 2 settings(the old and the new), could there be 2 different values(false and true) of multitenancy_enabled setting in a mixed cluster?

In this case we will give priority to new settings.

[expani]

Were we not calling builder.endObject(); before ?

[abhivka7]

No we were not doing it. That was a miss I guess.

[expani]

If we change the condition to validator == null || !validator.validate() then the use of checks in the lines below is not required.

[abhivka7]

This was added while testing and I forgot to remove it. Thanks @anijain-Amazon for pointing this out. Will remove this check condition in next commit.

[expani]

If this is not doing anything, shouldn't it be notImplemented as well ?

[abhivka7]

We want to enable PUT request for tenancyConfig. That's why we are not using notImplemented .

[DarshitChanpura]

For my understanding, why is it returning successResponse directly?

[cwperks]

@abhivka7 Thank you for the PR! Overall the PR looks good, but I wanted to run an idea by you to ensure that introducing a new tenantconfig.yml file is the right way to go.

I see that config.yml already provides:

@Override
public boolean isDashboardsMultitenancyEnabled() {
    return config.dynamic.kibana.multitenancy_enabled;
}

was any consideration given to also adding private_tenant_enabled and default_tenant to this section of config.yml? I think that could potentially simplify this PR. The beginning of config.yml could look like:

config:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #do_not_fail_on_forbidden: false
    multitenancy:
      enabled: true
      private_tenant_enabled: true
      default_tenant: ''

then to get these into SecurityInfoAction you could follow a pattern similar to https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/auth/BackendRegistry.java#L152-L169 to subscribe to changes in this config.

[cwperks]

This legacy block is only for CType for ES6. This can be removed from this block.

[abhivka7]

Thanks for pointing this out @cwperks. Will remove this in next commit.

[cwperks]

Should this only be populated if the file exists? I see tenants.yml does not create this config entry if no tenants.yml file is supplied.

[cwperks]

I see that this PR introduces a validator. When will the validator ever be null? Are the changes in this file needed?

[abhivka7]

This was added while testing and I forgot to remove it. Thanks @cwperks for pointing this out. Will remove this check condition in next commit.

[shikharj05]

Thank you for the work, added few comments.

[shikharj05]

Is DELETE not required?

[abhivka7]

I don't think there will be a use case where we require DELETE. We should not delete tenancy_config and we can replace existing config using PATCH.
Correct me if I am wrong @devardee

[shikharj05]

nit: rename to getDashboardsDefaultTenant

[abhivka7]

Ok. Will change in next commit.

[shikharj05]

nit: extra space

[abhivka7]

Thanks @shikharj05 for pointing this out. Will fix in next commit.

[shikharj05]

implement a toString() method?

[abhivka7]

Sure. Will do in next commit.

[shikharj05]

these can be split into different tests for each property

[abhivka7]

Thanks for the suggestion @shikharj05 . I will split these and update in next commit.

[DarshitChanpura]

I would suggest to keep it in one test, as the test sets up a cluster before executing the test and tears down after. This will impact on the performance of the tests.

[cwperks]

@abhivka7 @shikharj05 See comment above. Have you considered doing this inside of config.yml under config.dynamic instead of introducing a new config file?

i.e.

config:
  dynamic:
    multitenancy:
      enabled: true
      private_tenant_enabled: true
      default_tenant: ''

[abhivka7]

@abhivka7 Thank you for the PR! Overall the PR looks good, but I wanted to run an idea by you to ensure that introducing a new tenantconfig.yml file is the right way to go.

I see that config.yml already provides:

@Override
public boolean isDashboardsMultitenancyEnabled() {
    return config.dynamic.kibana.multitenancy_enabled;
}

was any consideration given to also adding private_tenant_enabled and default_tenant to this section of config.yml? I think that could potentially simplify this PR. The beginning of config.yml could look like:

config:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #do_not_fail_on_forbidden: false
    multitenancy:
      enabled: true
      private_tenant_enabled: true
      default_tenant: ''

then to get these into SecurityInfoAction you could follow a pattern similar to https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/auth/BackendRegistry.java#L152-L169 to subscribe to changes in this config.

@cwperks We were initially working on the same approach that you suggested. But going forward, we plan on introducing some other fields and features for multi-tenancy. Therefore we plan on separating this file and introducing a new one.

[cliu123]

With this, would populateEmptyIfFileMissing always be true? When would it be false?

[cliu123]

Please remove the empty line and avoid format-only changes.

[cliu123]

With this change, would config.dynamic.kibana.multitenancy_enabled be ignored? Would this work in mixed clusters? Based on my understanding, security index is node-scoped. If there're 2 settings(the old and the new), could there be 2 different values(false and true) of multitenancy_enabled setting in a mixed cluster?

[cliu123]

Please remove format-only changes.

[cliu123]

Please remove format-only changes.

[cliu123]

Please remove format-only changes.

[cliu123]

Please remove format-only changes.

[cliu123]

Please remove format-only changes.

[peternied]

Consider reusing the existing configuration and configuration API for tenancy instead of introducing a new one. This would simplify the design.

Could you explain why this new configuration approach was chosen?

[RyanL1997]

Hi @abhivka7, thanks for this contribution. I see the point that you are trying to extend the original multi-tenancy feature with this change. So do we need a feature flag for this dynamically enable/disable multi-tenancy feature? Or it will be applied directly by enable multi tenancy?

[abhivka7]

We don't meed a flag for these changes. We will keep multi-tenancy enabled for new domains and changes can be applied directly.

[devardee]

Consider reusing the existing configuration and configuration API for tenancy instead of introducing a new one. This would simplify the design.

Could you explain why this new configuration approach was chosen?

We want to decouple tenancy related configuration from securityconfig for the following reasons:

1. Securityconfig currently contains information about the authc and authz aspect of the Security Plugin, We believe that Tenancy as such is not related to plugins security model (since, it is used to enhance OSD user experience) hence we are planning on moving tenancy configuration to a separate document inside security-index.

2. If we include the new Tenancy fields in Securityconfig we need to add the changes in both ConfigModelV7 and ConfigModelV6 and also think about the migrate api, having a new SecurityDynamicConfiguration Model for Tenancy configuration on the other hand will not need us to worry about the migrate api, duplicating code and possibility on introducing breaking changes.

3. All future enhancements to Tenancy will go into the Tenancy configuration document instead of securityconfig doc

cc: @peternied , @shikharj05, @abhivka7

[cwperks]

@devardee, there is already a multi-tenancy key (config.dynamic.kibana.multitenancy_enabled) in config.yml so the coupling is already there.

I'm not sure I follow the concerns on the migrate API.

---

For this section I am assuming the new section in config.yml could be under a new key called osd instead of kibana to prevent any changes to that config section:

config:
  dynamic:
    osd:
      multitenancy_enabled: true
      private_tenant_enabled: true
      default_tenant: ''

What I am thinking is changing the DynamicConfigModel to add 2 additional abstract methods:

public abstract boolean isPrivateTenantEnabled();
public abstract String getDefaultTenant();

then inside DynamicConfigModelV7 the implementation for public abstract boolean isDashboardsMultitenancyEnabled(); can be updated and implementations for the new methods could be implemented as follows:

@Override
public boolean isDashboardsMultitenancyEnabled() {
    return config.dynamic.osd.multitenancy_enabled || config.dynamic.kibana.multitenancy_enabled;
}

@Override
public boolean isPrivateTenantEnabled() {
    return config.dynamic.osd.private_tenant_enabled;
}

@Override
public boolean getDefaultTenant() {
    return config.dynamic.osd.default_tenant;
}

This new section could be created in ConfigModelV7 and omitted from ConfigModelV6. The corresponding implementations in DynamicConfigModelV6 could return the default values.

Would this approach be feasible? I think what's presented in this PR will work, but I also like the idea of less configuration files.

[peternied]

Thank you for the reply @devardee

Securityconfig currently contains information about the authc and authz aspect of the Security Plugin, We believe that Tenancy as such is not related to plugins security model (since, it is used to enhance OSD user experience) hence we are planning on moving tenancy configuration to a separate document inside security-index.

There is an existing setting already in the security configuration, removing/invalidating this setting is a breaking change - that is a con with this proposal.

If we include the new Tenancy fields in Securityconfig we need to add the changes in both ConfigModelV7 and ConfigModelV6 and also think about the migrate api, having a new SecurityDynamicConfiguration Model for Tenancy configuration on the other hand will not need us to worry about the migrate api, duplicating code and possibility on introducing breaking changes.

I'm not sure how this is a problem. Could you provide more background on what the migrate api is and how it is impacted with this change vs reusing the existing config?

All future enhancements to Tenancy will go into the Tenancy configuration document instead of securityconfig doc

Could you provide reference to what future enhancements are? Without more context this argument does not inform the current choice.

I am in aligned with Craig's proposal that reusing the existing systems.

[DarshitChanpura]

Thank you @abhivka7 for adding this PR. One generic comment is to add a brief javadoc for the new class added and check/add a new-line at the end of all modified files.

[DarshitChanpura]

For my understanding, why is it returning successResponse directly?

[DarshitChanpura]

the name tenancy_enabled is slightly misleading. Can we have multi_tenancy_enabled instead?

[abhivka7]

Ok will make this change.

[DarshitChanpura]

Why the name V7 here? There is only one version of this class. We can move this class out of v7 folder and rename it to TenancyConfig

[DarshitChanpura]

Can we remove this method from DynamicConfigModel and its inheritor DynamicConfigModelV7 since it is not used anymore?

[DarshitChanpura]

I would suggest to keep it in one test, as the test sets up a cluster before executing the test and tears down after. This will impact on the performance of the tests.

[peternied]

Checking back in with this pull request. There are still a number of outstanding comments. I have written up a proposal that I think might simplify the issues around proxying config data from place to place. I'll see about getting a proof of concept up and running as I think it would be a far better model isolating intention from the storage medium of the configuration value.

Love to get feedback on this - thanks!

• [FEATURE] Create a way to add action oriented APIs to update configuration values #2559

[peternied]

I have created a draft pull request featuring a version of this dynamic configuration that would support this scenario and shore up the limitations that have been called in the comments.

• Feature activation for multi-tenancy #2568

[abhivka7]

Created another PR for these changes: #2607. Closing this one.

[peternied]

I'm closing this PR out since #2607 is where this functionality is being worked on