[BUG] Dashboard user login problem if user name is same as custom tenant
What is the bug? Dashboard user has a login problem: it cannot access the custom tenant (it's disabled) if the user name (e.g. cadm) is the same as the custom tenant name (e.g. cadm). We doubt that it could be related to opensearch dashboard indices: https://opensearch.org/docs/2.4/security-plugin/multi-tenancy/multi-tenancy-config/#manage-opensearch-dashboards-indices
So as per documentation, each user also has a private tenant, so you might see a large number of indices that follow two patterns:
- .kibana_<hash>_<tenant_name>
- .kibana_<hash>_<username>
Also we cannot see any tenant_name .kibana indices as per the above documentation. Only username .kibana indices are present.
```
$ curl -s -u "admin:admin" -k "https://10.8.70.196:9200/_cat/indices?pretty"|grep kibana
green open .kibana_3045735_cadm_1   oKxgB7TqR_KyPwvh9t95sA 1 1 43 1 88.9kb 44.4kb
green open .kibana_92668751_admin_1 xcGFkAWcQBew_CUdlQIRKw 1 1  1 0 10.4kb  5.2kb
green open .kibana_1                Db3xQe4AQKedCRwQor-Efg 1 1  0 0   416b   208b
```
How can one reproduce the bug? Pre-requisites:
- We have a custom tenant "cadm"
- We have "Global" and "Private" tenants enabled
Steps to reproduce the behavior:
- Go to Dashboard
- Do login with "cadm" user
- User gets logged in to the Private tenant as shown below, though the dashboard has landed as per the defaultRoute set for the "cadm" tenant:
- The user cannot switch to the custom tenant (cadm), which is disabled as shown below:
What is the expected behavior?
- The custom tenant drop down should be enabled and user can switch to custom tenant "cadm".
- When user logs in, the defaultRoute should be in sync with the tenant, which is not currently the case as defaultRoute is as per the custom tenant while the tenant is Private.
Do you have any additional context? Opensearch version 2.4.0
[Triage] This may be a known issue. @davidlago would you please link to the issue? If there is no documentation, can documentation be created?
Asking @jimishs and @cliu123 as I believe this was a known limitation with collisions of indexes backing tenant data
Hi @opensearch-project/security-dashboards-plugin team, Could you please confirm if this is a known limitation? If yes, kindly guide us to the relevant documentation.
@deepak-rsystems Does the user have permission to any custom tenant?
@cliu123 Yes, user has access to custom tenant, therefore we are expecting it to be able to switch to the custom tenant. E.g. as mentioned in ticket description, the user "cadm" has access to the custom tenant "cadm".
Hi @opensearch-project/security-dashboards-plugin team, Could you please let us know, what is the plan for this ticket? Any fix planned? If yes, in which release?
Code pointer: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/public/apps/account/tenant-switch-panel.tsx#L122
@cliu123 did you ever determine if this was a hard blocking issue because of the indices?
@scrawfor99 I would suggest to try reproducing the issue on local to begin with, and then to identify the root cause.
Hi @deepak-rsystems, I am reaching out to let you know that at this time there are not going to be any immediate efforts made by the maintainers to address this issue. I actually looked into fixing this, but unfortunately, it is not feasible with a refactor of how the tenant system works.
In this example you can see the primary issue which arises when tenants are named the same thing as users: https://github.com/opensearch-project/security-dashboards-plugin/pull/1992#discussion_r1633824088
Because a user's private tenant is treated as a tenant with the user's name, creating a tenant with a name which matches a user just leads to index confusion. In the linked video, you can see where I try to assume a tenant with the same name as the active user. Unfortunately, I am then treated as if I have assumed the private tenant. This also means that if another user creates a tenant with the same name as a user, that user's private tenant will be shown the same visualizations (subject of course to the authc/z settings for that user--data is not leaked through this).
Since workspaces is being implemented to replace tenants, the best path forward at this time is to provide your tenant a different name for your use case such as cadm_tenant etc.
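The index naming behind the collision described in this thread, as an added example (not code from the security-dashboards-plugin or the security plugin): it assumes the backing index is `.kibana_` + Java `String.hashCode()` of the tenant name + `_` + the lower-cased name stripped of non-alphanumerics (the trailing `_1` in the `_cat/indices` output above is the saved-objects migration suffix), and checks which user names would share an index with a custom tenant.

```typescript
// Added example, not plugin code. Assumption: a tenant's backing index is
// ".kibana_<java hashCode of name>_<sanitized name>", and a user's private
// tenant is simply a tenant whose name is the user name.

// Reproduces Java's String.hashCode() (31*h + c with 32-bit int overflow).
function javaStringHashCode(s: string): number {
  let h = 0;
  for (let i = 0; i < s.length; i++) {
    h = (Math.imul(31, h) + s.charCodeAt(i)) | 0;
  }
  return h;
}

// Backing index name for a tenant (or for a user's private tenant).
function tenantIndexName(tenant: string): string {
  const sanitized = tenant.toLowerCase().replace(/[^a-z0-9]+/g, "");
  return `.kibana_${javaStringHashCode(tenant)}_${sanitized}`;
}

interface Collision { user: string; tenant: string; index: string }

// Returns every user whose private tenant would be backed by the same
// index as one of the configured custom tenants.
function findPrivateTenantCollisions(users: string[], tenants: string[]): Collision[] {
  const byIndex = new Map<string, string>();
  for (const t of tenants) byIndex.set(tenantIndexName(t), t);
  const out: Collision[] = [];
  for (const u of users) {
    const index = tenantIndexName(u);
    const tenant = byIndex.get(index);
    if (tenant !== undefined) out.push({ user: u, tenant, index });
  }
  return out;
}

// Constructed sample mirroring the issue: custom tenant "cadm" plus the
// renamed alternative suggested above, users "cadm" and "admin".
console.log(tenantIndexName("cadm"));   // .kibana_3045735_cadm
console.log(tenantIndexName("admin"));  // .kibana_92668751_admin
console.log(findPrivateTenantCollisions(["cadm", "admin"], ["cadm", "cadm_tenant"]));
```

The two hashes match the `.kibana_3045735_cadm_1` and `.kibana_92668751_admin_1` indices listed earlier in the issue, and only the user "cadm" collides with the tenant "cadm"; "cadm_tenant" maps to a separate index.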