Multitenancy ELK 7.8

marwojt · August 7, 2020, 9:11am

Elasticsearch version:
7.8 + sg plugin 43.0.0
Server OS version:
Centos 7
Kibana version (if relevant):
Kibana 7.8 + kibana sg plugin 43.0.0

There is some problem with creating tenants, no matter how. I try by tenants api, sgadmin and gui.
When I create new tenant it’s always visible in Kibana but then sometimes i can’t switch to this tenant. Sometimes is working like expected sometimes not. When i can’t switch to tenant then i am move to Global.

sg_config:
  dynamic:
    filtered_alias_mode: "warn"
    do_not_fail_on_forbidden: true
    do_not_fail_on_forbidden_empty: false
    kibana:
      multitenancy_enabled: true
      server_username: "kibanaserver"
      index: ".kibana"
...

kibana.yml

searchguard.accountinfo.enabled: false
searchguard:
    #cookie:
        #password: "<some_string>"
        #secure: true
        #ttl: 0
    session:
        #ttl: 0
        keepalive: true
    multitenancy:
        enabled: true
        tenants:
            enable_global: true
            enable_private: false
           # preferred:
           #     - "*"
           #     - private
    basicauth:
        forbidden_usernames: ["kibanaro", "kibanaserver", "logstash", "readall", "remote_monitoring", "snapshotrestore" ]
        #login:
            #brandimage: <some_string>

br,
Mariusz

srgbnd · August 7, 2020, 10:14am

Sometimes is working like expected sometimes not.

Did you see any error in the Elasticsearch or Kibana log when this happened? Any error in the browser console log? How many tenants do you have?

marwojt · August 10, 2020, 6:37am

Hi ,
I have around 110 tenants. I didn’t find nothing special in logs but i will take a closer look and try send some logs. There is no errors in browser
It seems that problem appears when I use tenant API from sgadmin or Devtools.
Sometimes I saw in kibana logs that user even if don’t have privileges to Global try to switch to SGS_GLOBAL_TENANT.
Try to create for example 50 tenants from sgadmin and switch to them from user with SGS_ALL_ACCESS role.
br,
MW

marwojt · August 10, 2020, 8:34am

I have another suspicion that is something wrong with switching between tenants from Kibana Gui.
For example I create two new tenants test1 and test2 then i can’t switch between tenants.
I am in tenant test1 and then try to switch to test2 and i am still in tenant test1. When i select tenant test2 and then logout/login then selected tenant is test2.
br,
MW

srgbnd · August 10, 2020, 10:57am

Hi. I tested more and saw a similar behaviour. We have to look more into it. I’ll get back to you soon. Thanks for reporting this.

marwojt · August 11, 2020, 7:25am

Ok thanks a lot.
It’s really important future for me

Patryk · August 17, 2020, 11:27am

Hi, any update with this issue? its a main blocker migration from 6 version to 7

srgbnd · August 18, 2020, 3:39pm

Hi @Patryk. It is in the high priority queue. I’ll text you when it is ready.

marwojt · August 31, 2020, 2:55pm

Hi @srgbnd,
any update with this issue?
br

srgbnd · September 1, 2020, 8:02am

Hi @marwojt. It is in the next release (October) queue. If the fix will be ready sooner, we do a build for you before the release.

srgbnd · September 1, 2020, 8:02am

What minor version do you use, 7.8.1?

marwojt · September 1, 2020, 9:23am

We use version 7.8.0. Thanks a lot @srgbnd
br

Mike · October 21, 2020, 1:04pm

Hi @marwojt,

Would it be possible for you to test with the following setting in kibana.yml?

searchguard.auth.disable_authinfo_cache: true

Does that make any difference?

Best Regards
Mike

marwojt · September 16, 2020, 10:09am

Hi @Mike,
i have tested this settings and it works. I can change tenants now. Thanks a lot
br,
Mariusz

Patryk · September 30, 2020, 3:10pm

But i think it’s only temp solution. Any info about date of this release ?

marwojt · October 19, 2020, 6:40am

Hi @Mike, @srgbnd,
i’ve seen that you release new SG version for elastic 7.9.x.
Will You make a new package for elastic 7.8.x?
br,
Mariusz

srgbnd · October 19, 2020, 8:14am

@marwojt Hi. This is a different minor version. Kibana usually introduces breaking changes in the new minor versions. Thus porting back the patch might not be straightforward.

Why do you want to port the cache fix back? Didn’t the option searchguard.auth.disable_authinfo_cache: true work for you?

marwojt · October 19, 2020, 8:34am

Hi @srgbnd,
it works but i am worry about performance. We have a lot off users.
br,
Mariusz

srgbnd · October 19, 2020, 8:57am

Do you experience any performance issues now?

Mike · October 19, 2020, 9:56am

Hi @Patryk and @marwojt,

Actually this will be the default and only behaviour from now (i.e. the latest release) on. We removed the caching on the Kibana side completely, so the setting you used will be deprecated.

The caching didn’t really make much sense at this point, and it led to a bunch of negative side effects.
In short: no need to worry about this being a temporary solution, it is permanent.

But as @srgbnd mentioned - please let us know if this somehow results in performance issues!

Best regards,
Mike