OpenSearch Tenants Introduction
OpenSearch Security Multi-Tenancy allows you to maintain separate spaces for working with indexes, visualisations, dashboards and other OpenSearch objects. By default, all OpenSearch users have access to two tenants; Global, which is shared by all users and Private which can’t be shared and is only available privately to a single user.
Tip: Security roles requires a Logit.io Stack running Opendistro 1.13 onwards
You can use Tenants to securely share and collaborate with other Logit.io users. By controlling which roles have access to which tenants allows you to define granular read or write access to dashboards, visualisations and more.
You may want to share a single corporate dashboard only with members of the management team by defining a corporate tenant, which is then applied to an associated role to restrict access as needed.
Creating a Tenant
Creating a Tenant requires a Stack Administrator role, from the Security Menu choose Tenants > Create Tenant.
You can view and switch which Tenant you are currently viewing using the menu in the top-right menu of OpenSearch, below we are viewing the Global Tenant.
From the Tenants screen above you can choose View Dashboards or View Visualisations to switch to that Tenant, in addition to duplicating and deleting existing Tenants.
How to restrict a user's access to a specific Tenant using Roles
Once the Tenant is created, choose Security > Roles and select the required Role. Now choose Edit Role and under Tenant permissions enter the name of your Tenant, give Read or Write permissions as required and choose Update to apply the changes.
If you need to create a new role to save time you can duplicate an existing role, for example, the stack_user role and choose Actions > Duplicate. This allows you to then edit the duplicated role and just modify index and tenant permissions where needed.
Tip: In most cases, any new roles will need to have read access to the following indexes to allow the OpenSearch Discover view to work as expected .kibana .kibana-6 .kibana_*
By restricting the Role to a single Tenant and setting this as read-only, any users in that role are prevented from accessing the Global Tenant.
Users in these restricted roles will need to choose from the Custom Tenant dropdown to access only what they are authorised to.