Dynamic tenancy configurations

config/config.yml

@@ -68,6 +68,8 @@ config:
     #kibana:
     # Kibana multitenancy
     #multitenancy_enabled: true
+    #private_tenant_enabled: true
+    #default_tenant: ""
     #server_username: kibanaserver
     #index: '.kibana'
     http:

legacy/securityconfig_v6/config.yml

@@ -60,6 +60,7 @@ opendistro_security:
     #filtered_alias_mode: warn
     #kibana:
       #multitenancy_enabled: true
+
       #server_username: kibanaserver
       #index: '.kibana'
       #do_not_fail_on_forbidden: false

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -115,6 +115,11 @@
 import org.opensearch.search.query.QuerySearchResult;
 import org.opensearch.security.action.configupdate.ConfigUpdateAction;
 import org.opensearch.security.action.configupdate.TransportConfigUpdateAction;
+import org.opensearch.security.action.tenancy.TenancyConfigRestHandler;
+import org.opensearch.security.action.tenancy.TenancyConfigRetrieveActions;
+import org.opensearch.security.action.tenancy.TenancyConfigRetrieveTransportAction;
+import org.opensearch.security.action.tenancy.TenancyConfigUpdateAction;
+import org.opensearch.security.action.tenancy.TenancyConfigUpdateTransportAction;
 import org.opensearch.security.action.whoami.TransportWhoAmIAction;
 import org.opensearch.security.action.whoami.WhoAmIAction;
 import org.opensearch.security.auditlog.AuditLog;
@@ -469,6 +474,7 @@ public List<RestHandler> getRestHandlers(Settings settings, RestController restC
                         Objects.requireNonNull(cs), Objects.requireNonNull(adminDns), Objects.requireNonNull(cr)));
                 handlers.add(new SecurityConfigUpdateAction(settings, restController, Objects.requireNonNull(threadPool), adminDns, configPath, principalExtractor));
                 handlers.add(new SecurityWhoAmIAction(settings, restController, Objects.requireNonNull(threadPool), adminDns, configPath, principalExtractor));
+                handlers.add(new TenancyConfigRestHandler());
                 handlers.addAll(
                         SecurityRestApiActions.getHandler(
                                 settings,
@@ -505,6 +511,10 @@ public UnaryOperator<RestHandler> getRestHandlerWrapper(final ThreadContext thre
         if(!disabled && !SSLConfig.isSslOnlyMode()) {
             actions.add(new ActionHandler<>(ConfigUpdateAction.INSTANCE, TransportConfigUpdateAction.class));
             actions.add(new ActionHandler<>(WhoAmIAction.INSTANCE, TransportWhoAmIAction.class));
+
+            actions.add(new ActionHandler<>(TenancyConfigRetrieveActions.INSTANCE, TenancyConfigRetrieveTransportAction.class));
+            actions.add(new ActionHandler<>(TenancyConfigUpdateAction.INSTANCE, TenancyConfigUpdateTransportAction.class));
+
         }
         return actions;
     }

src/main/java/org/opensearch/security/action/tenancy/EmptyRequest.java

@@ -0,0 +1,35 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.action.tenancy;
+
+import java.io.IOException;
+
+import org.opensearch.action.ActionRequest;
+import org.opensearch.action.ActionRequestValidationException;
+import org.opensearch.common.io.stream.StreamInput;
+
+public class EmptyRequest extends ActionRequest {
+
+    public EmptyRequest(final StreamInput in) throws IOException {
+        super(in);
+    }
+
+    public EmptyRequest() throws IOException {
+        super();
+    }
+
+    @Override
+    public ActionRequestValidationException validate()
+    {
+        return null;
+    }
+}

src/main/java/org/opensearch/security/action/tenancy/TenancyConfigRestHandler.java

@@ -0,0 +1,65 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.action.tenancy;
+
+import java.io.IOException;
+import java.util.List;
+
+import com.google.common.collect.ImmutableList;
+
+import org.opensearch.client.node.NodeClient;
+import org.opensearch.rest.BaseRestHandler;
+import org.opensearch.rest.RestRequest;
+import org.opensearch.rest.action.RestToXContentListener;
+
+import static org.opensearch.rest.RestRequest.Method.GET;
+import static org.opensearch.rest.RestRequest.Method.PUT;
+
+public class TenancyConfigRestHandler extends BaseRestHandler {
+
+    public TenancyConfigRestHandler() {
+        super();
+    }
+
+    @Override
+    public String getName() {
+        return "Multi Tenancy actions to Retrieve / Update configs.";
+    }
+
+    @Override
+    public List<Route> routes() {
+        return ImmutableList.of(
+                new Route(GET, "/_plugins/_security/api/tenancy/config"),
+                new Route(PUT, "/_plugins/_security/api/tenancy/config")
+        );
+    }
+
+    @Override
+    protected RestChannelConsumer prepareRequest(final RestRequest request, final NodeClient nodeClient) throws IOException {
+
+        switch (request.method()) {
+            case GET:
+                return channel -> nodeClient.execute(
+                        TenancyConfigRetrieveActions.INSTANCE,
+                        new EmptyRequest(),
+                        new RestToXContentListener<>(channel));
+            case PUT:
+                return channel -> nodeClient.execute(
+                        TenancyConfigUpdateAction.INSTANCE,
+                        TenancyConfigUpdateRequest.fromXContent(request.contentParser()),
+                        new RestToXContentListener<>(channel));
+            default:
+                throw new RuntimeException("Not implemented");
+        }
+    }
+
+}

src/main/java/org/opensearch/security/action/tenancy/TenancyConfigRetrieveActions.java

@@ -0,0 +1,24 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.action.tenancy;
+
+import org.opensearch.action.ActionType;
+
+public class TenancyConfigRetrieveActions extends ActionType<TenancyConfigRetrieveResponse> {
+
+    public static final TenancyConfigRetrieveActions INSTANCE = new TenancyConfigRetrieveActions();
+    public static final String NAME = "cluster:feature/tenancy/config/read";
+
+    protected TenancyConfigRetrieveActions() {
+        super(NAME, TenancyConfigRetrieveResponse::new);
+    }
+}

src/main/java/org/opensearch/security/action/tenancy/TenancyConfigRetrieveResponse.java

@@ -0,0 +1,70 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.action.tenancy;
+
+import java.io.IOException;
+
+import org.opensearch.action.ActionResponse;
+import org.opensearch.common.Strings;
+import org.opensearch.common.io.stream.StreamInput;
+import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.common.xcontent.XContentType;
+import org.opensearch.core.xcontent.ToXContentObject;
+import org.opensearch.core.xcontent.XContentBuilder;
+
+public class TenancyConfigRetrieveResponse extends ActionResponse implements ToXContentObject {
+
+    public TenancyConfigs tenancyConfigs = new TenancyConfigs();
+
+    public TenancyConfigRetrieveResponse(final StreamInput in) throws IOException {
+        super(in);
+        this.tenancyConfigs.multitenancy_enabled = in.readOptionalBoolean();
+        this.tenancyConfigs.private_tenant_enabled = in.readOptionalBoolean();
+        this.tenancyConfigs.default_tenant = in.readOptionalString();
+    }
+
+    public TenancyConfigRetrieveResponse(final TenancyConfigs tenancyConfigs) {
+        this.tenancyConfigs = tenancyConfigs;
+    }
+
+    public TenancyConfigs getMultitenancyConfig() {
+        return tenancyConfigs;
+    }
+
+    public Boolean getMultitenancyEnabled() { return tenancyConfigs.multitenancy_enabled; }
+
+    public Boolean getPrivateTenantEnabled() { return tenancyConfigs.private_tenant_enabled; }
+
+    public String getDefaultTenant() { return tenancyConfigs.default_tenant; }
+
+    @Override
+    public void writeTo(final StreamOutput out) throws IOException {
+        out.writeBoolean(getMultitenancyEnabled());
+        out.writeBoolean(getPrivateTenantEnabled());
+        out.writeString(getDefaultTenant());
+    }
+
+    @Override
+    public String toString() {
+        return Strings.toString(XContentType.JSON, this, true, true);
+    }
+
+    @Override
+    public XContentBuilder toXContent(final XContentBuilder builder, final Params params) throws IOException {
+        builder.startObject();
+        builder.field("multitenancy_enabled", getMultitenancyEnabled());
+        builder.field("private_tenant_enabled", getPrivateTenantEnabled());
+        builder.field("default_tenant", getDefaultTenant());
+        builder.endObject();
+        return builder;
+    }
+}

src/main/java/org/opensearch/security/action/tenancy/TenancyConfigRetrieveTransportAction.java

@@ -0,0 +1,63 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.action.tenancy;
+
+import java.util.Collections;
+
+import org.opensearch.action.ActionListener;
+import org.opensearch.action.support.ActionFilters;
+import org.opensearch.action.support.HandledTransportAction;
+import org.opensearch.common.inject.Inject;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.security.configuration.ConfigurationRepository;
+import org.opensearch.security.securityconf.impl.CType;
+import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
+import org.opensearch.security.securityconf.impl.v7.ConfigV7;
+import org.opensearch.tasks.Task;
+import org.opensearch.transport.TransportService;
+
+public class TenancyConfigRetrieveTransportAction
+        extends HandledTransportAction<EmptyRequest, TenancyConfigRetrieveResponse> {
+
+    private final ConfigurationRepository config;
+
+    @Inject
+    public TenancyConfigRetrieveTransportAction(final Settings settings,
+                                                final TransportService transportService,
+                                                final ActionFilters actionFilters,
+                                                final ConfigurationRepository config) {
+        super(TenancyConfigRetrieveActions.NAME, transportService, actionFilters, EmptyRequest::new);
+
+        this.config = config;
+    }
+
+    /** Load the configuration from the security index and return a copy */
+    protected final SecurityDynamicConfiguration<?> load() {
+        return config.getConfigurationsFromIndex(Collections.singleton(CType.CONFIG), false).get(CType.CONFIG).deepClone();
+    }
+
+    @Override
+    protected void doExecute(final Task task, final EmptyRequest request, final ActionListener<TenancyConfigRetrieveResponse> listener) {
+
+        // Get the security configuration and lookup the config setting state
+        final SecurityDynamicConfiguration<?> dynamicConfig = load();
+        ConfigV7 config = (ConfigV7)dynamicConfig.getCEntry("config");
+
+        final TenancyConfigs tenancyConfigs= new TenancyConfigs();
+
+        tenancyConfigs.multitenancy_enabled = config.dynamic.kibana.multitenancy_enabled;
+        tenancyConfigs.private_tenant_enabled = config.dynamic.kibana.private_tenant_enabled;
+        tenancyConfigs.default_tenant = config.dynamic.kibana.default_tenant;
+
+        listener.onResponse(new TenancyConfigRetrieveResponse(tenancyConfigs));
+    }
+}

src/main/java/org/opensearch/security/action/tenancy/TenancyConfigUpdateAction.java

@@ -0,0 +1,26 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.action.tenancy;
+
+import org.opensearch.action.ActionType;
+
+public class TenancyConfigUpdateAction extends ActionType<TenancyConfigRetrieveResponse> {
+
+    public static final TenancyConfigUpdateAction INSTANCE = new TenancyConfigUpdateAction();
+    public static final String NAME = "cluster:feature/tenancy/config/update";
+
+
+    protected TenancyConfigUpdateAction()
+    {
+        super(NAME, TenancyConfigRetrieveResponse::new);
+    }
+}