OpenSearch/Kibana - Multi-Tenancy Setup
When you run a SaaS platform with a central log management stack (Kibana or OpenSearch Dashboards), it matters how you manage data access across your clients and keep each client's data separated: this is the multi-tenancy concept.
One option is to set up a dedicated Kibana/OpenSearch Dashboards instance for each client and give them access to view and manage their own logs.
But when you have many clients, small and large, you will want a single Kibana/OpenSearch Dashboards instance receiving logs from multiple clients, and then you need to manage multi-tenancy and per-client access so that each client's users can view and manage only their own data.
(USE CASE 1) - Index-pattern-specific role. Suppose you want to give a user access only to indices whose names start with "test-xclient*". In that case, create a new role and:
- Give cluster permission: read.
- Add two index patterns, both with read permission: one for the indices you are granting access to, i.e. "test-xclient*", and the other for "?kibana".
- Give tenant permission on the global tenant: read.
- Map the new user to this new role, and that's it. There is one problem, though: when the user logs in and tries to view logs, all available indices/index patterns are listed, because by default the user has access to the global tenant. The user can see the logs of the granted indices, i.e. "test-xclient*", but selecting any other index produces an access denied error. Ideally the indices the user has no permission on should not be displayed at all; USE CASE 2 below solves this.
(USE CASE 2) - Multi-Tenancy
Given the problem above, the use case is now multi-tenancy: in a SaaS model we may have multiple clients' logs pushed to the same OpenSearch cluster, and we want one user per client, with each user able to access only that client's logs. The steps to do that are:
- When pushing data to OpenSearch, include a client identifier (client code or name) in the index name, so that each client user can be granted permission on that client's indices specifically.
- Log in to the OpenSearch Dashboards URL with the admin/root credentials.
- Create a tenant for each client (navigate to the Security menu from the left panel):
  - Navigate to the Tenants menu.
  - Create a new tenant by entering a name.
- On the tenant listing page, click either the "view visualization" or "view dashboard" link for the tenant you just created.
- That redirects you to the index patterns page. You can also reach it from the left navigation via the Stack Management menu, but in that case make sure you are working in the same tenant, which you can verify (and switch) from the top-right login menu.
- On that index patterns page, create an index pattern named according to your client naming (the index name you push the client's logs under, e.g. via a Lambda function), so the value could be something like "<client-X>-log*". In the same way you can create multiple index patterns matching the client's indices.
- Repeat this for all your tenants so that each tenant has the index patterns matching its client.
- Create a new role for each client/tenant (navigate to the Security menu from the left panel):
  - Navigate to the Roles menu.
  - Enter the role name following your tenant/client naming convention.
  - Cluster permission: read
  - Index pattern: *
  - Index permission: read
  - Tenant: the client-specific tenant you created above for this client.
  - Repeat this for all your tenants.
- Create an internal user (navigate to the Security menu from the left panel):
  - Navigate to the Internal users menu.
  - Enter the user name following your client/tenant naming convention.
  - Enter a password.
  - Repeat this for all your tenants.
- Map users to their respective tenant role (navigate to the Security menu from the left panel):
  - Search for your role and open it.
  - Switch to the Mapped users tab.
  - Attach the tenant user you created above.
  - Repeat this for every role you created above, mapping its respective user.
- Now log in to the OpenSearch Dashboards URL as one of the new tenant users. On first login you are asked to select a tenant; there you must choose Private. You land on the Discover page, where you see only the index patterns mapped to your role and can view their logs.
- Note: if the tenant selection window does not appear, try logging in from a browser incognito window.
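The same per-client setup expressed as OpenSearch security plugin configuration files, as an added example that is not from the original post: tenant, role, internal user and role mapping for a constructed client "clientx", loaded with securityadmin.sh (the index pattern saved object from the steps above is still created inside the tenant in Dashboards). The names and the index prefix "clientx-log*" are assumptions; the role scopes index_permissions to the client's own indices instead of "*", because "*" with read lets the user read every index through the REST API even though the tenant only shows the client's index patterns in Dashboards.

```yaml
# --- tenants.yml: one tenant per client ---
_meta:
  type: "tenants"
  config_version: 2
clientx_tenant:                 # constructed name for client "clientx"
  reserved: false
  description: "Holds clientx's index patterns and dashboards"

# --- roles.yml: one role per client/tenant ---
_meta:
  type: "roles"
  config_version: 2
clientx_role:
  reserved: false
  cluster_permissions:
    - "cluster_composite_ops_ro"   # read-only cluster action group Dashboards needs (assumed equivalent to the post's "read")
  index_permissions:
    - index_patterns:
        - "clientx-log*"           # client identifier in the index name; "*" would grant read on every index
      allowed_actions:
        - "read"
  tenant_permissions:
    - tenant_patterns:
        - "clientx_tenant"
      allowed_actions:
        - "kibana_all_read"        # the "Read only" tenant choice in the Dashboards UI

# --- internal_users.yml: one user per client ---
_meta:
  type: "internalusers"
  config_version: 2
clientx_user:
  hash: "<bcrypt hash generated with plugins/opensearch-security/tools/hash.sh>"
  reserved: false

# --- roles_mapping.yml: attach the user to the client's role ---
_meta:
  type: "rolesmapping"
  config_version: 2
clientx_role:
  reserved: false
  users:
    - "clientx_user"
```

Each section belongs in its own file under the security plugin's securityconfig directory; running securityadmin.sh against that directory applies all four to the cluster.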
Categories/Tags: open search, multi tenancy