Skip to content

Make opensearch_security.multitenancy.tenants.preferred configurable dynamically via security config api#5986

Open
itsmevichu wants to merge 9 commits intoopensearch-project:mainfrom
itsmevichu:feature/gh-5969
Open

Make opensearch_security.multitenancy.tenants.preferred configurable dynamically via security config api#5986
itsmevichu wants to merge 9 commits intoopensearch-project:mainfrom
itsmevichu:feature/gh-5969

Conversation

@itsmevichu
Copy link

@itsmevichu itsmevichu commented Mar 3, 2026

Description

  • Category (Enhancement)
  • Why these changes are required?
    This PR proposes making opensearch_security.multitenancy.tenants.preferred configurable dynamically via the Security configuration API in OpenSearch, instead of being solely controlled via opensearch_dashboards.yml
  • What is the old behavior before changes and new behavior after changes?
    Before: preferred_tenants was not part of config APIs or /dashboardsinfo.
    After: preferred_tenants can be set via tenancy config API, is persisted in ConfigV7.Kibana, returned in /dashboardsinfo.

Issues Resolved

#5969

Testing

  • Added/updated unit tests in MultiTenancyConfigApiTest and ConfigV7Test for preferred_tenants. :

Check List

  • New functionality includes testing
  • New functionality has been documented
  • New Roles/Permissions have a corresponding security dashboards plugin PR
  • API changes companion pull request created
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@itsmevichu
Add preferred_tenants support to multitenancy config and dashboards i…
ab6ec77 
…nfo API

Signed-off-by: Vishnutheep B <vishnutheep@gmail.com>
@itsmevichu
Add preferred_tenants to config files for tests
0a97a7c 
Signed-off-by: Vishnutheep B <vishnutheep@gmail.com>
@itsmevichu itsmevichu marked this pull request as draft March 4, 2026 05:02
@itsmevichu itsmevichu marked this pull request as ready for review March 8, 2026 13:15
@itsmevichu
Fix checkstyle
5f3f93e 
Signed-off-by: Vishnutheep B <vishnutheep@gmail.com>
@cwperks
Copy link
Member

cwperks commented Mar 22, 2026

@itsmevichu thank you for this PR. Can you please fix the CHANGELOG conflict? Apologies for not running the checks earlier. They are running now. Please look for any failures if some of the checks come back red.

@codecov
Copy link

codecov bot commented Mar 22, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 95.45455% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.90%. Comparing base (adf4a40) to head (cf42566).
⚠️ Report is 6 commits behind head on main.

Files with missing lines Patch % Lines
.../dlic/rest/validation/RequestContentValidator.java 90.00% 0 Missing and 2 partials ⚠️
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #5986      +/-   ##
==========================================
+ Coverage   73.79%   73.90%   +0.10%     
==========================================
  Files         440      440              
  Lines       27259    27371     +112     
  Branches     4052     4076      +24     
==========================================
+ Hits        20117    20229     +112     
+ Misses       5227     5218       -9     
- Partials     1915     1924       +9
Files with missing lines Coverage Δ
...ity/dlic/rest/api/MultiTenancyConfigApiAction.java 92.78% <100.00%> (+1.87%) ⬆️
...rivileges/DashboardsMultiTenancyConfiguration.java 90.90% <100.00%> (+0.90%) ⬆️
...opensearch/security/rest/DashboardsInfoAction.java 81.03% <100.00%> (+0.33%) ⬆️
...search/security/securityconf/impl/v7/ConfigV7.java 84.28% <100.00%> (+0.11%) ⬆️
.../dlic/rest/validation/RequestContentValidator.java 89.71% <90.00%> (+3.44%) ⬆️

... and 6 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@itsmevichu
Copy link
Author

itsmevichu commented Mar 22, 2026

The failing CI checks seems irrelevant.

cwperks
cwperks reviewed Mar 25, 2026
View reviewed changes
src/main/java/org/opensearch/security/dlic/rest/validation/RequestContentValidator.java
}

private ValidationResult<JsonNode> nullValuesInArrayValidator(final JsonNode jsonContent) {
for (final Map.Entry<String, DataType> allowedKey : validationContext.allowedKeys().entrySet()) {
Copy link
Member

@cwperks cwperks Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I think key name is all that matters here so idk if we need this change. That being said, is it enforced that allowedKeyWithConfig is strictly a subset of allowedKeys?

Copy link
Author

@itsmevichu itsmevichu Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand, we don’t need the DataType; just the key name is sufficient, and I’ll update the changes.

And allowedKeysWithConfig isn’t required to be a strict subset of allowedKeys. If allowedKeysWithConfig is present, it takes precedence; otherwise, we fallback to allowedKeys. Going forward, for any new API we define, we can start using allowedKeysWithConfig directly, which will make it easier when we eventually remove allowedKeys completely.

@cwperks
Copy link
Member

cwperks commented Mar 25, 2026

@itsmevichu the changes in this PR look good to me. Only question I have is if preferred_tenants will be populated in the index when blank or if its only persisted when its set?

We have had some bwc issues with the security index in mixed clusters if the value is set in a mixed cluster and the older version of nodes is not aware of this value. As long as its not auto-persisted when new nodes join the cluster then its reasonably backwards compatible as long as a security admin does not try to set it in a mixed cluster.

@cwperks
Copy link
Member

cwperks commented Mar 25, 2026

Note: backend functionality helps get the setting, but security-dashboards-plugin needs a change to consume this dynamic setting.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cwperks cwperks cwperks approved these changes

@DarshitChanpura DarshitChanpura Awaiting requested review from DarshitChanpura DarshitChanpura is a code owner

@derek-ho derek-ho Awaiting requested review from derek-ho derek-ho is a code owner

@nibix nibix Awaiting requested review from nibix nibix is a code owner

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 is a code owner

@reta reta Awaiting requested review from reta reta is a code owner

@shikharj05 shikharj05 Awaiting requested review from shikharj05 shikharj05 is a code owner

@willyborankin willyborankin Awaiting requested review from willyborankin willyborankin is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@itsmevichu @cwperks