Dynamic tenancy configurations

[abhivka7]

Description

• Category : Enhancement
• Why these changes are required?
  These changes are required to dynamically enable/disable multi-tenancy, private tenant and set a default tenant.
• What is the old behavior before changes and new behavior after changes?
  Earlier users had to change YAML files in each node and restart node to enable/disable multi-tenancy and private tenant. With our changes, users will be able to change these settings dynamically. We will also give admins the option to set a default tenant for all users for first time log in.
  More details can be found here:
  [RFC] Dynamically Configurable Tenancy Feature  OpenSearch#5853
  [FEATURE] Enable/Disable Multi-Tenancy, Private Tenant and set Default Tenant in OS Dashboards. security-dashboards-plugin#1302

Previous PR for the same issue: #2444

Issues Resolved

opensearch-project/security-dashboards-plugin#1302

Is this a backport? If so, please add backport PR # and/or commits #
Nope

Testing

We have done manual testing for all changes on our local server. We have also unit tests for our api changes.

Check List

• [ ✅ ] New functionality includes testing
• [] New functionality has been documented. : Will document in further commits.
• [ ✅ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[expani]

nit: Can we read "" from a constant for Global tenant instead.

[peternied]

Thanks for iterating on this @abhivka7 huge improvement. Many comments on here, but most of these should be fairly straight forward. Let me know if you need help.

Another area I'd like us to shine some visibility on is the permission names and the REST API paths. Can you enumerate those in a comment and walk through them?

From the draft pull request there was a lot of back and forth and those permissions / paths never really gelled, lets make sure we nail these down since we will have to live with them for a long time.

[peternied]

Do you have context on what this check? IMO I don't see any reason we need to restrict these results based on PrivilegesInterceptor used to construct this class.

[abhivka7]

@peternied I don't have much context on why we are using this check. But the function above (multitenancyEnabled) is using the same check that's why I thought of using it.

[peternied]

As long as this is exercised in end to end tests, ok.

[peternied]

End to end test should replicate the workflow that is used by dashboards. If we just call the config APIs / confirm we are reading out the same value we put in it only indicates that the config was updated not that the users are seeing the correct behavior.

Same issue for the TenancyPrivateTenantEnabledTests

[abhivka7]

Those tests will be covered in Security Dashboards plugin PR. Anyways the Dashboards also will be calling this API (DashboardsInfo) as replicated in test to get final config so that should be fine.

[peternied]

We need the end to end coverage of this scenarios in the security plugin. Otherwise breaking changes could be make in this repo.

The example from TenancyMultitenancyEnabledTests.java shows how when the feature is activated behavior changes, please use this as a starting point. Let me know if you need help to test these scenarios.

[abhivka7]

I have added that for TenancyPrivateTenantEnabledTests. Not sure what else to add for Default tenant tests. What test scenario are you thinking @peternied ?

[expani]

@abhivka7 We are using separate Rest Actions for every configuration being added as part of this PR like default_tenant and private_tenant

Since these are individual properties, the approach will require adding multiple classes for every property added in the future as well. This will in-turn end up increasing the metaspace of OS JVM.

Can we try an approach where separate endpoints/routes are not required for every property ?

[peternied]

@anijain-Amazon Thanks for the comments, data consistency was a considerable trade-offs with the previous iteration that used a single API, see the discussion in #2444.

We've got an issue centered around granular access of security config, we would welcome your feedback in this space.

• [FEATURE] Create a way to add action oriented APIs to update configuration values #2559

Since these are individual properties, the approach will require adding multiple classes for every property added in the future as well. This will in-turn end up increasing the metaspace of OS JVM.

This is a good consideration. Is this an immediate issue, can you quantify the severity?

I expect all OpenSearch components + plugins + extensions to be impacting the memory usage of OpenSearch as we incorporate more features. I don't see an issue in the OpenSearch repo, could you create one?

[expani]

data consistency was a considerable trade-offs with the previous iteration that used a single API, see the discussion in #2444.

I could see the comments in previous iteration are w.r.t. using a new document vs reusing the existing security config document. Didn't find anything mentioning the flaws of using a single API.

Having separate APIs for every property requires the users/clients to take the overhead of ensuring transaction while updating multiple properties OR consider the drawbacks of having partial failures. For instance, if a user wants to update propertyA and propertyB, then either they have to do it individually OR do it in a transaction to ensure consistency.

We've got an issue centered around granular access of security config, we would welcome your feedback in this space.

Ack will take a look into it. This should help bring more flexibility for OpenSearch users to control admin privileges.

This is a good consideration. Is this an immediate issue, can you quantify the severity?

My concern is how will this approach scale with more properties in future. From a quick glance at this PR, it looks like we are adding at least 3 classes per property which can be simplified. Although, this will immediately not affect OpenSearch but will sure eat up the JVM Metaspace in future with say like 30-50 properties requiring 60-150 classes for updating their settings.

[expani]

I expect all OpenSearch components + plugins + extensions to be impacting the memory usage of OpenSearch as we incorporate more features. I don't see an issue in the OpenSearch repo, could you create one?

Since the classes are statically referenced, I expect OpenSearch will detect any increase in its JVM Metaspace while running performance tests and adjust it's xmS and xmX accordingly.

[prabhat-chaturvedi]

This PR should have v2.7.0 label on this PR? @peternied can you help please?

[abhivka7]

Thanks a lot @anijain-Amazon for bringing this up. After a lot of considerations and POC, I have decided to move to a single API model for cleaner user experience and better metaspace utilisation. I will raise a new revision with that approach. Please take a look and give your feedbacks.
cc: @prabhat-chaturvedi @shikharj05 @devardee @peternied

[peternied]

Refactoring looks good, notable callouts:

• API / permissions naming needs iteration, I've made suggestions, but product team might need to be engaged.
• Need end to end verification in the test cases. Cannot depend on test cases in other repositories.
• Looks like many test cases are broken. Check the CI results.

[peternied]

This seems like it can be removed as the object isn't serialized/deserialized directly, replace it with using Request/Response classes with fields.

[abhivka7]

Going forward we want to contribute more to tenancy in OpenSearch and therefore add new properties. It makes more sense to have an object for same for better accessibility and keeping everything together in a structured form.

[peternied]

As long as this is exercised in end to end tests, ok.

[peternied]

We need the end to end coverage of this scenarios in the security plugin. Otherwise breaking changes could be make in this repo.

The example from TenancyMultitenancyEnabledTests.java shows how when the feature is activated behavior changes, please use this as a starting point. Let me know if you need help to test these scenarios.

[expani]

Intentionally not adding the availableTenants in the logs.

[stephen-crawford]

Hi @abhivka7, I see that a few of my questions got answered. Reviewing the remaining ones and the state of the PR, I am fine to merge this without any further conversation. Thank you for the contribution and being so quick to respond throughout. Great job!

[abhivka7]

Thanks @peternied and @scrawfor99 for reviewing and merging this PR. Also thanks @prabhat-chaturvedi @anijain-Amazon @devardee @shikharj05 @cliu123 for helping with this feature.

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-2607-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 9fca0dae5c1e3fe4746381d9f87c4d4abb0f0fda
# Push it to GitHub
git push --set-upstream origin backport/backport-2607-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-2607-to-2.x.

[opensearch-trigger-bot]

The backport to 2.7 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.7 2.7
# Navigate to the new working tree
cd .worktrees/backport-2.7
# Create a new branch
git switch --create backport/backport-2607-to-2.7
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 9fca0dae5c1e3fe4746381d9f87c4d4abb0f0fda
# Push it to GitHub
git push --set-upstream origin backport/backport-2607-to-2.7
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.7

Then, create a pull request where the base branch is 2.7 and the compare/head branch is backport/backport-2607-to-2.7.