[BUG-2.7.0] tenants not showing for indices in private_tenant mode for fgac domains #1418

Closed
himsgupta1122 opened this issue May 4, 2023 · 7 comments
Labels
bug Something isn't working triaged

Comments

@himsgupta1122

himsgupta1122 commented May 4, 2023

What is the bug?
tenants such as saved_objects, index-patterns under private_tenant are not showing up in fgac domains.

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Create a fgac domain and switch to private tenant and add sample data
  2. Navigate to Index-pattern/saved_object is empty
  3. Navigate Dashboards redirects to empty index-pattern url

What is the expected behavior?
Show all the tenants for indices added ex: index-patterns etc

Do you have any screenshots?
If applicable, add screenshots to help explain your problem.

@himsgupta1122 himsgupta1122 added bug Something isn't working untriaged labels May 4, 2023
@himsgupta1122 himsgupta1122 changed the title [BUG] private_tenant is not working for fgac domains [[BUG-2.7.0] ] private_tenant is not working for fgac domains May 4, 2023
@himsgupta1122 himsgupta1122 changed the title [[BUG-2.7.0] ] private_tenant is not working for fgac domains [BUG-2.7.0] private_tenant is not working for fgac domains May 4, 2023
@himsgupta1122 himsgupta1122 changed the title [BUG-2.7.0] private_tenant is not working for fgac domains [BUG-2.7.0] private_tenant behavior changed for fgac domains May 4, 2023
@himsgupta1122 himsgupta1122 changed the title [BUG-2.7.0] private_tenant behavior changed for fgac domains [BUG-2.7.0] private_tenant not showing tenants for fgac domains May 4, 2023
@himsgupta1122 himsgupta1122 changed the title [BUG-2.7.0] private_tenant not showing tenants for fgac domains [BUG-2.7.0] tenants not showing for indices in private_tenant mode for fgac domains May 4, 2023
@davidlago davidlago transferred this issue from opensearch-project/security May 4, 2023
@kavilla
Member

kavilla commented May 5, 2023

This turns out to be that indices:admin/index_template* is now a required permission for the OpenSearch Dashboards server user. It is applied to the default server user, but a user who switches the server user will need to make sure they add indices:admin/index_template*, as it previously needed indices:admin/template*.

So it would seem the solution would be to document this change.

@davidlago

[Triage] @RyanL1997 to look into this and follow up with @cliu123 .

@RyanL1997
Collaborator

Thanks @kavilla for this follow-up. Yes, this index template was introduced by this #1359 change. Reaching out to @cwillum for documentation.

@cliu123
Member

cliu123 commented May 10, 2023

This is a false alarm. I agree it will be better to update documentation for this though. I'm closing this issue.
Cc: @himsgupta1122

@cliu123 cliu123 closed this as completed May 10, 2023
@cwillum

cwillum commented May 12, 2023

@cliu123 @RyanL1997 Thanks for looping me in. Although this issue is closed, it seems like there still needs to be a change to documentation for this. Is there another issue that explains what needs to be clarified/changed in docs? Thanks.

@kavilla
Member

kavilla commented May 12, 2023

> @cliu123 @RyanL1997 Thanks for looping me in. Although this issue is closed, it seems like there still needs to be a change to documentation for this. Is there another issue that explains what needs to be clarified/changed in docs? Thanks.

It's not particularly a breaking change I guess because you will only get this state of this bug if you changed the default OpenSearch Dashboards server user (which if you look at the default OpenSearch Dashboards config it is kibanaserver and we default add that user on release).

In this case we updated the default user, but if you utilize the security plugin multitenancy and do not use the out-of-the-box kibanaserver user, then it is likely you don't have the right permissions on that user.

So something along the lines of:

If you do not use the default internal OpenSearch Dashboards user kibana_server, then ensure to update their cluster permissions to include "indices:admin/index_template"

Example: https://github.com/opensearch-project/security/blob/main/src/main/resources/static_config/static_roles.yml#L90

I think maybe here: https://opensearch.org/docs/latest/breaking-changes/ or https://opensearch.org/docs/latest/security/multi-tenancy/tenant-index/
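
An added example (not part of the thread and not the project's code) that audits whether a non-default Dashboards server user is missing the permission discussed above. The role and user names, the sample role data, and the use of shell-style wildcard matching as a stand-in for the security plugin's pattern matching are assumptions.

```python
from fnmatch import fnmatchcase

# Each pattern named in the thread, paired with one representative action it
# must cover (sample action names chosen for this example).
REQUIRED_ACTIONS = {
    "indices:admin/template*": "indices:admin/template/put",
    "indices:admin/index_template*": "indices:admin/index_template/put",
}

# Constructed sample data shaped like roles.yml and roles_mapping.yml.
ROLES = {
    # Hypothetical custom role that still carries only the older grant.
    "custom_dashboards_server": {
        "cluster_permissions": ["cluster:monitor/*", "indices:admin/template*"],
    },
    # Abridged stand-in for the built-in role, not the full static definition.
    "kibana_server": {
        "cluster_permissions": [
            "cluster:monitor/*",
            "indices:admin/template*",
            "indices:admin/index_template*",
        ],
    },
}
ROLES_MAPPING = {
    "custom_dashboards_server": {"users": ["dashboards_svc"]},  # hypothetical user
    "kibana_server": {"users": ["kibanaserver"]},
}


def granted_patterns(user, roles, mapping):
    """Collect cluster_permissions from every role mapped to `user`."""
    patterns = []
    for role, entry in mapping.items():
        if user in entry.get("users", []):
            patterns += roles.get(role, {}).get("cluster_permissions", [])
    return patterns


def missing_permissions(user, roles=ROLES, mapping=ROLES_MAPPING):
    """Return the required patterns whose sample action no grant matches."""
    grants = granted_patterns(user, roles, mapping)
    return [pattern for pattern, sample in REQUIRED_ACTIONS.items()
            if not any(fnmatchcase(sample, grant) for grant in grants)]


if __name__ == "__main__":
    for user in ("kibanaserver", "dashboards_svc"):
        print(user, "missing:", missing_permissions(user) or "none")
```

The older `indices:admin/template*` grant does not match `indices:admin/index_template/...` actions, which is why a custom server user carried over from an earlier setup is reported as missing the new pattern.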

@cwillum

cwillum commented May 17, 2023

@kavilla Thanks for the detailed response about doc changes. I get this. But I'm still not sure which setting when changed drops the indices:admin/index_template* permissions. In config.yml there is a default server_username: kibanaserver setting. In opensearch_dashboards.yml there is a server.name setting in the OpenSearch build. And there is also apparently an opensearch.username: kibanaserver default setting in opensearch_dashboards.yml. From what I can gather from info here, one of these settings maps to the kibana_server role, which includes the indices:admin/index_template* permissions. So when you change the server name, you lose this permission (and you get funny things like no private tenants).
So which YAML file and setting specifically needs attention? After I know, I'll add a note that if this is changed you need to add the indices:admin/index_template* permission to the new user. Thanks again.
