
[BUG] Dashboard not giving an option to select a tenant and defaultRoute does not seem to be in sync with default tenant (last selected tenant)

Open deepak-rsystems opened this issue 2 years ago • 16 comments

Describe the bug

We have multiple problems with dashboard access related to multi tenancy:

  1. Dashboard doesn't give an option to select a tenant every single time, instead it keeps default tenant (or last selected tenant) in user cookie.
  2. When we login to dashboard, it starts with defaultRoute but this defaultRoute is not the one specific to the default tenant (or last selected tenant). For example, we have three tenants: A, B (default tenant) and C, and when we login it lands on the defaultRoute of tenant A, while expectation is to land at defaultRoute of tenant B.

To Reproduce

Pre-requisites:

  1. We have two custom tenants "cadm" and "e911", and e911 is the default tenant (or last selected tenant)
  2. We have disabled "Global" and "Private" tenants

Steps to reproduce the behavior:

  1. Go to Dashboard

  2. Click on Single Sign-on

  3. See defaultRoute belonging to "cadm" tenant (screenshot: Multi-tenant-defaultRoute-issue-1)

  4. See error "could not locate that dashboard" which is understood as it belongs to a different tenant "cadm" other than the default/selected tenant "e911" (screenshot: Multi-tenant-defaultRoute-issue-2)

Expected behavior

  1. Dashboard should give an option to select a tenant every single time.
  2. When we login to dashboard, the defaultRoute should be in sync with the default tenant (or last selected tenant).

OpenSearch Version 2.4.0

Dashboards Version 2.4.0

Plugins

No custom plugin enabled.

Screenshots

If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):

  • OS: [e.g. iOS]
  • Browser and version [e.g. 22]

Additional context

Add any other context about the problem here.

deepak-rsystems, Dec 06 '22 13:12

[Triage] @peternied Would you please look into this issue and classify it accordingly?

cwperks, Dec 12 '22 20:12

This issue is being transferred. Timeline may not be complete until it finishes.

I don't see anything else that needs to happen here, but if there is wackiness due to this being stuck in a transfer queue please feel free to comment on the issue

peternied, Dec 12 '22 20:12

[Triage] @deepak-rsystems Thank you for filing this issue.

Dashboard should give an option to select a tenant every single time.

This is expected behavior by design. Users still have an option to switch tenants by clicking on their avatar and choosing the tenant they want to switch to.

When we login to dashboard, the defaultRoute should be in sync with the default tenant (or last selected tenant).

@opensearch-project/security Can someone please look into this behavior?

DarshitChanpura, Dec 19 '22 20:12

Hi @opensearch-project/security-dashboards-plugin team, Could you please let us know, what is the plan for this ticket? Any fix planned? If yes, in which release?

deepak-rsystems, May 17 '23 07:05

@RyanL1997 I see you are assigned to it, but it was back in December so I doubt it is still accurate that you're working on this one. If you are not, could you please un-assign yourself so it is clear that this is up for grabs still? Thanks!

davidlago, May 17 '23 13:05

Hi @opensearch-project/security-dashboards-plugin team, Could you please let us know, what is the plan for this ticket? Any fix planned? If yes, in which release?

deepak-rsystems, Sep 28 '23 06:09

I will pick this up @davidlago, please assign me.

kajetan-nobel, Oct 25 '23 15:10

Update: on 2.11.0 we're unable to disable global tenant, so I couldn't reproduce that error. Gonna try to reproduce that on 2.4.0

// Edit Well, I was uninformed, investigating one more time 🙈

kajetan-nobel, Oct 31 '23 18:10

Tested on 2.10.0 with:

  • disabled global tenant
  • disabled private tenant
  • I've created two tenants: cadm and e911

results:

  • user with e911 tenant was by default on e911_tenant
  • user with cadm tenant at first login had to choose tenant but his cadm_tenant was selected by default

select-tenant

As said previously I'll compare with 2.4.0.

kajetan-nobel, Nov 27 '23 16:11

Tested on 2.4.1 (Dashboard and OpenSearch) with the same results. Dashboards are taking the first available tenant for this case by showing up set up defaultRoute (which is set per tenant on Stack Management > Advanced Settings).

@deepak-rsystems it's possible that I'm missing details about configuration. Can you please provide the simplest possible configuration (or what was set) to reproduce that bug?

kajetan-nobel, Nov 28 '23 06:11

@kajetan-nobel I think you were able to reproduce the bug, but couldn't acknowledge it.

As per your last comments: Tested on 2.4.1 (Dashboard and OpenSearch) with the same results. Dashboards are taking the first available tenant for this case by showing up set up defaultRoute (which is set per tenant on Stack Management > Advanced Settings).

Let me provide the problem description in simple words:

  1. We have two custom tenants "cadm" and "e911", where "e911" is the default tenant (or the last selected tenant). Also we have disabled "Global" and "Private" tenants.
  2. There is an inconsistency in Dashboards that for a user login having access to both the tenants:
     • tenant is displayed as the last selected tenant i.e. "e911", which is fine.
     • but, the default route is displayed as per the first available tenant i.e. "cadm" tenant default route (sorted in ascending order by tenant name).

Expectation is to see the default route as per tenant "e911" which is the default tenant in this case.

Another example: now take three tenants, "cadm", "e911" and "bmc", where "e911" is the default tenant (the last selected tenant). So when the user logs in now, they will see the default route for tenant "bmc" but the selected tenant is "e911".

Let me know if it's still not clear.

deepak-rsystems, Nov 28 '23 11:11

@deepak-rsystems thank you for your quick reply!

I've got a few questions:

  • what do you mean by default route? Do you mean clicking on Dashboards menu item?

So if I understood correctly those would be reproduction steps:

  1. Sign in and select a tenant
  2. Go to some dashboard of a tenant
  3. Switch tenant (while being on a dashboard) to a different one
  4. See the error and redirect to the list of dashboards

Second one:

  1. Sign in and select a tenant
  2. Go to some dashboard of a tenant
  3. Go to home and switch a tenant
  4. Click on menu "Dashboard" item
  5. See the error and redirect to the list of dashboards

Am I correct @deepak-rsystems?

kajetan-nobel, Nov 28 '23 12:11

@kajetan-nobel Kindly check the definition of defaultRoute in the attached screenshot:

image

So, default route is the landing page when you open OpenSearch Dashboards.

deepak-rsystems, Nov 28 '23 12:11

@deepak-rsystems thank you for your response, I'm glad that we're on the same page, just wanted to be sure :). It looks like the number of tenants also has an impact on the default route.

Cases

Tested on version: 2.4.1

Side note: Expected behaviors are my proposal as solutions for unexpected behaviors.

User contains only one available tenant after login

  • It doesn't show a user's homepage, instead, it uses a default route ✅

User contains more than one available tenant after login

  • It shows a homepage always (ignores completely default route for every case) ❌ expected behavior: uses the default route if the current user has access to the last selected tenant, if he doesn't - should show up a tenant selection (even with Global and Private tenants available)
  • it shows a selection of tenants only when the site is visited for the first time, after re-login it uses the last selected tenant (expected) ✅
  • but after logging out and logging in as a different user who doesn't have access to the last selected tenant (from the previous user), it uses the first available tenant alphabetically. ❌ expected behavior: shows up a tenant selection but with selected default tenant. After changing tenant it should go to the default route.

The user changed the tenant

  • it ignores the default route of the selected tenant ❌ expected behavior: goes to the default route of selected tenant after switching
  • co-related GUI issues to the last selected tenant (repro steps are in https://github.com/opensearch-project/security-dashboards-plugin/issues/1261#issuecomment-1829750611)
    • clicking in the menu Dashboard after switching a tenant throws an error that Could not locate the dashboard
    • switching a tenant while being in the dashboard of a different one throws the same error
    • expected behavior for both: after switching a tenant it should go to the default route. For such a solution, it'll never try to access an unavailable dashboard.

Summary: Default route is only used when there is only one available tenant. So it'll never be used when Global and Private are also enabled because they're treated as tenants, which was said in issue #1245. As those two issues are co-related and I've tried to cover impacted cases, I propose to merge #1245 into this one. Also, when the last selected tenant is not found we should rather show a tenant selection menu with the default tenant preselected and use the default route after switching.

As I was debugging, and looking into that I found additional cases that are related, so decisions here will be needed @DarshitChanpura @davidlago @peternied

kajetan-nobel, Dec 05 '23 01:12
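
The landing rules proposed in the comment above, written as a decision function next to a model of the behaviour described in the report. This is an added example, not code from security-dashboards-plugin; the function names, route strings and result shape are hypothetical.

```javascript
// Added illustration; every name here is hypothetical, not the plugin's API.
// Constructed sample data: one defaultRoute per tenant.
const DEFAULT_ROUTES = {
  bmc: '/app/dashboards#/view/bmc-home',
  cadm: '/app/dashboards#/view/cadm-home',
  e911: '/app/dashboards#/view/e911-home',
};

const firstAlphabetical = (tenants) => [...tenants].sort()[0];

// Model of the behaviour described in the report: the tenant comes from the
// cookie, but the route belongs to the alphabetically first tenant.
function reportedLanding(available, lastSelected) {
  const first = firstAlphabetical(available);
  const tenant = available.includes(lastSelected) ? lastSelected : first;
  return { action: 'route', tenant, route: DEFAULT_ROUTES[first] };
}

// Proposed behaviour: tenant and route are always resolved together, and a
// tenant name left in the cookie is honoured only if this user may use it.
function proposedLanding(available, lastSelected, defaultTenant) {
  const routeFor = (tenant) =>
    ({ action: 'route', tenant, route: DEFAULT_ROUTES[tenant] });
  if (available.length === 1) return routeFor(available[0]);
  if (lastSelected && available.includes(lastSelected)) {
    return routeFor(lastSelected);
  }
  // First visit, or the cookie names a tenant this user cannot access:
  // show the selector with the default tenant preselected when permitted.
  const preselected = available.includes(defaultTenant)
    ? defaultTenant
    : firstAlphabetical(available) ?? null;
  return { action: 'select', preselected };
}

// Proposed behaviour on switching: go to the new tenant's default route so
// a dashboard id from the previous tenant is never requested.
function proposedSwitch(available, chosen) {
  if (!available.includes(chosen)) {
    return { action: 'select', preselected: firstAlphabetical(available) ?? null };
  }
  return { action: 'route', tenant: chosen, route: DEFAULT_ROUTES[chosen] };
}
```

With the three-tenant case from the thread ("cadm", "e911", "bmc", last selected "e911"), `reportedLanding` pairs tenant e911 with the bmc route, while `proposedLanding` returns the e911 route.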

Hey, @davidlago @peternied @cwperks I need feedback on this one, on whether my proposals for expected behaviours are the correct ones.

kajetan-nobel, Dec 11 '23 12:12