Tenant popup appears when switch to offline API

[Machi3mfl]

Wazuh	Elastic	Rev	Security
4.2	7.x	4xxx	Basic, ODFE, Xpack

Browser
Chrome, Firefox, Safari, etc

Description
When an API is offline, the dropdown should not let you choose it. Research the tenants and the multi API support.

Steps to reproduce

1. Switch between APIs
2. Logout and Login
3. Tenant popup appears

[Machi3mfl]

Research about Popup tenant

Expected results

• Hide popup tenant on login

Actual result

• The Popup tenant appears constantly
• The popup tenant doesn't disappear when is disabled in kibana.yml
• This behavior is in charge of security-dashboards-plugin. We don't have permission to change it.

[Machi3mfl]

Disable tenancy popup via kibana.yml

Add setting opendistro_security.multitenancy.enabled: true on kibana.yml.

Result: The popup doesn't disappear.

Researching on opensearch repository, we found that exist issues about this.

• Tenancy selection prompt keeps on appearing even if disabled
• [BUG] Totally disable tenancy
• Global tenant still enabled despite setting to disabled

Conclusions:

This issue doesn't seem to have a solution in the short term. The ideal solution is to fix this feature on the source code (by the opensearch team).

[Machi3mfl]

Alternatives solutions:

• We can make the fix on the source code and do a Pull Request to the opendistro-for-elasticsearch repository. And wait that the pull request be approved.
• Customize the security-dashboards-plugin fixing this behavior and make a package to use it in our environments.
  We have an approach on this issue: ODFE 1.13.0 Select your tenant message popping up every time we log in #3496 ODFE 1.13.0 Select your tenant message popping up every time we log in

[Machi3mfl]

Current solution

• Skip tenant selection if tenant is specified in URL.
  Example: http://wazuh:5601/app/wazuh?security_tenant=<tenant_name>

Implementation:

1. Add the following config in kibana.yml
server.defaultRoute: /app/wazuh?security_tenant=<tenant_name> or uiSettings.overrides.defaultRoute: /app/wazuh?security_tenant=<tenant_name>

This will add this config to the URL and skip the tenant popup.

Resources:

• Add tenant parameter to shared url opensearch-project/security-dashboards-plugin#605
• Skip tenant selection if tenent is specified in URL opensearch-project/security-dashboards-plugin#586

Testing solution

Screen.Recording.2022-04-22.at.10.26.14.mov

# opensearch_dashboard.yml
server.host: "0.0.0.0"
opensearch.hosts: "https://localhost:9200"
uiSettings.overrides.defaultRoute: /app/wazuh?security_tenant=global

# OpenSearch security
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]

[gdiazlo]

The problem with the URL solution is that if we open a link in another window, the URL must have also the tenant selection included. That would force us to change all the links within the application to incorporate it. Some times this will be impossible depending on the component which generates the link.

[gdiazlo]

We are going to use the mitigation proposed in wazuh/wazuh-packages#1471 and implemented in https://github.com/wazuh/wazuh-packages/pull/1479/files

The key change here besides disabling the multi-tenancy by default is to disable the pop-up function by passing it a hard-coded false value.

If we enable multi-tenancy again, we can access the pop-up tenant selection window through the top-right user-menu. We just tested the selection is possible, but we haven't tested the whole multi-tenancy functionality yet.

[gdiazlo]

@wazuh/qa is also testing it with the packages. Their progress is in wazuh/wazuh-qa#2816

[gdiazlo]

The fix was applied and released as a modification of the package.