Multitenancy ELK 7.8

marwojt · August 7, 2020, 9:11am

Elasticsearch version:
7.8 + sg plugin 43.0.0
Server OS version:
Centos 7
Kibana version (if relevant):
Kibana 7.8 + kibana sg plugin 43.0.0

There is some problem with creating tenants, no matter how. I try by tenants api, sgadmin and gui.
When I create new tenant it’s always visible in Kibana but then sometimes i can’t switch to this tenant. Sometimes is working like expected sometimes not. When i can’t switch to tenant then i am move to Global.

sg_config:
  dynamic:
    filtered_alias_mode: "warn"
    do_not_fail_on_forbidden: true
    do_not_fail_on_forbidden_empty: false
    kibana:
      multitenancy_enabled: true
      server_username: "kibanaserver"
      index: ".kibana"
...

kibana.yml

searchguard.accountinfo.enabled: false
searchguard:
    #cookie:
        #password: "<some_string>"
        #secure: true
        #ttl: 0
    session:
        #ttl: 0
        keepalive: true
    multitenancy:
        enabled: true
        tenants:
            enable_global: true
            enable_private: false
           # preferred:
           #     - "*"
           #     - private
    basicauth:
        forbidden_usernames: ["kibanaro", "kibanaserver", "logstash", "readall", "remote_monitoring", "snapshotrestore" ]
        #login:
            #brandimage: <some_string>

br,
Mariusz

srgbnd · August 7, 2020, 10:14am

Sometimes is working like expected sometimes not.

Did you see any error in the Elasticsearch or Kibana log when this happened? Any error in the browser console log? How many tenants do you have?

marwojt · August 10, 2020, 6:37am

Hi ,
I have around 110 tenants. I didn’t find nothing special in logs but i will take a closer look and try send some logs. There is no errors in browser
It seems that problem appears when I use tenant API from sgadmin or Devtools.
Sometimes I saw in kibana logs that user even if don’t have privileges to Global try to switch to SGS_GLOBAL_TENANT.
Try to create for example 50 tenants from sgadmin and switch to them from user with SGS_ALL_ACCESS role.
br,
MW

marwojt · August 10, 2020, 8:34am

I have another suspicion that is something wrong with switching between tenants from Kibana Gui.
For example I create two new tenants test1 and test2 then i can’t switch between tenants.
I am in tenant test1 and then try to switch to test2 and i am still in tenant test1. When i select tenant test2 and then logout/login then selected tenant is test2.
br,
MW

srgbnd · August 10, 2020, 10:57am

Hi. I tested more and saw a similar behaviour. We have to look more into it. I’ll get back to you soon. Thanks for reporting this.

marwojt · August 11, 2020, 7:25am

Ok thanks a lot.
It’s really important future for me

Patryk · August 17, 2020, 11:27am

Hi, any update with this issue? its a main blocker migration from 6 version to 7

srgbnd · August 18, 2020, 3:39pm

Hi @Patryk. It is in the high priority queue. I’ll text you when it is ready.

marwojt · August 31, 2020, 2:55pm

Hi @srgbnd,
any update with this issue?
br

srgbnd · September 1, 2020, 8:02am

Hi @marwojt. It is in the next release (October) queue. If the fix will be ready sooner, we do a build for you before the release.

srgbnd · September 1, 2020, 8:02am

What minor version do you use, 7.8.1?

marwojt · September 1, 2020, 9:23am

We use version 7.8.0. Thanks a lot @srgbnd
br

Mike · September 7, 2020, 12:11pm

Hi @marwojt,

Would it be possible for you to test with the following setting in kibana.yml?

searchguard.auth.disable_authinfo_cache: true

Does that make any difference?

Best Regards
Mike

marwojt · September 16, 2020, 10:09am

Hi @Mike,
i have tested this settings and it works. I can change tenants now. Thanks a lot
br,
Mariusz