
[FEATURE] Support Multiple Data Source in Security Dashboards Plugin #1782

Closed
Tracked by #5870
BionIT opened this issue Feb 14, 2024 · 24 comments
Labels
enhancement New feature or request v2.14.0

Comments

@BionIT

BionIT commented Feb 14, 2024

Is your feature request related to a problem?
Since 2.4.0, the multiple data source feature has been enabled as a core plugin (see RFC opensearch-project/OpenSearch-Dashboards#1388 and PR opensearch-project/OpenSearch-Dashboards#2334).

With multiple data source enabled, users of OpenSearch Dashboards are able to create data source connections and query local and remote OpenSearch clusters (see documentation https://opensearch.org/docs/latest/dashboards/management/data-sources/). Enabling multiple data source in the dashboards plugin would ensure that users who have been using the multiple data source feature have a consistent experience in the dashboard, and would allow them to use the same dashboard for different clusters.

What solution would you like?
Support multiple data source in the Security dashboards plugin and allow users to use one dashboard for different backend clusters.

What alternatives have you considered?
A clear and concise description of any alternative solutions or features you've considered.

Do you have any additional context?
Add any other context or screenshots about the feature request here.

@davidlago

Thanks for creating this issue, @BionIT. It is thin on details or specific acceptance criteria, so we won't be able to mark as triaged and action on it until we do. Could you please provide more specifics as to what "support multiple datasources" means, and perhaps link to other RFCs, designs, issues etc that would provide more context on the requirements? Unfortunately the META issue linked above is also lacking substantial details or context.

@BionIT
Author

BionIT commented Feb 15, 2024

Thanks @davidlago for taking a look at this issue!

Pulling in @zengyan-amazon @seraphjiang for detailed requirements.

@zengyan-amazon
Member

@davidlago do you have any specific questions?

@davidlago

@zengyan-amazon quite the opposite, there are so few details in this ticket that I don't have enough to even ask questions :) This issue is not currently actionable. I'm removing the untriaged label, as I'm looking at it, but I'm not adding the triaged label (pre-requisite for an issue to be worked on) until we have the details.

@DarshitChanpura
Member

@BionIT @zengyan-amazon We are looking for actionable details on this issue. It will be marked as closed if there are no clear actionable items listed.

@seraphjiang
Member

@BionIT @zengyan-amazon We are looking for actionable details on this issue. It will be marked as closed if there are no clear actionable items listed.

@kgcreative to help requirement and experience.

@derek-ho
Collaborator

@zengyan-amazon currently, to get it set up on my local machine I set this flag: data_source.enabled: true. Under Dashboards Management, I see an option to add a data source.

Can you help clarify - what is expected for this issue? What situations/assumptions can be made from security plugin side?

  • Do we need to support username and password, AWS Sigv4 as P0? (I am assuming no authentication doesn't apply for security plugin?) Can we ignore SAML, OIDC, JWT, Proxy, multi auth? What happens if the clusters are not using the same auth or credentials?
  • What features of security dashboards plugin do we need to support? Can we assume tenancy is disabled? Which things should the user be able and not be able to modify?

@cwperks
Member

cwperks commented Feb 20, 2024

@zengyan-amazon For the login flow, which data-source would be the backend to send a login request to? Is it the last selected data-source, or is there a notion of a primary data-source for that purpose? I bring this up because there is a feature in the security-dashboards-plugin backlog to configure sign-in options through a page in OSD. For consistency's sake, I think it makes sense to send the initial login request to a "primary" data-source and not have the request go to the last selected data-source. I suppose a toggle for data-source can be on the log-in screen, but instead of an auto-redirect in the case where SAML or OpenID are configured as the only sign-in option, the user would instead land on the login screen for OSD with a single option to click a button to "Log in with Single Sign On".

If a user logs in with credentials that work with the cluster that the login request goes to, but then toggles datasources and does not have valid creds for the toggled cluster, would the correct behavior be to autologout the user (as it does today for session expiry) or should the logged in user have the option to toggle back to the cluster where they were successfully authenticated against?

In order for the security-dashboards-plugin to be as generic as possible, the current TLS configuration will need to be extended to allow TLS configuration per data-source or if they share a common TLS configuration then when multiple datasources are enabled, there should be a way to configure a common TLS configuration for OSD across all datasources.

Single sign-on like SAML, OpenID and LDAP will certainly work better for the multiple data sources use case than relying on the internal users across all datasources being synchronized. In the security configuration for basic auth there is a concept of internal for the authentication_backend, which means that the users are persisted in the security index of the cluster that OSD is connected with. I wonder if it's possible to also support external to connect with the security index of another cluster and have all data sources configured to reference the same user list if configured with internal users.

Minor question:

  • Similar to multi-tenancy, will the data-source selector use local storage to keep track of the last selected data-source so if a user opens a new tab it remembers the data-source they are currently connected to?

@zengyan-amazon
Member

@derek-ho

Do we need to support username and password, AWS Sigv4 as P0? (I am assuming no authentication doesn't apply for security plugin?) Can we ignore SAML, OIDC, JWT, Proxy, multi auth? What happens if the clusters are not using the same auth or credentials?

The data source management page lets users choose how to authenticate with the data source that is being created; it is not related to the local cluster authentication. For now we only support basic auth and IAM user credentials. Supporting other auth methods is part of the data source feature work, not related to the security plugin work here.

What features of security dashboards plugin do we need to support? Can we assume tenancy is disabled? Which things should the user be able and not be able to modify?

We only need the cluster security management features in the dashboards security plugin to support multi-data source, so that an admin can use it to manage roles and permissions in the data source (remote cluster). If the data source has tenants enabled, it should be able to manage tenants as well.

@cwperks the login flow will remain the same and it is not impacted by multi-data source integration. OSD will still be associated with a default (local) OpenSearch cluster, and allows the user to log in based on the existing configuration in the yml file the same way as it does today; we only want to offer the user (admin) the capability to manage roles and permissions in other data sources in the dashboards security plugin for multi-datasource support. Hope this answers your question.

@cwperks
Member

cwperks commented Feb 21, 2024

@zengyan-amazon On the documentation website, it shows that when adding a new datasource you configure it with username and password. Can you show me where I can find how that password is stored and used when making a request against the datasource? Does that mean that adding a data source requires a cluster to be configured with basic auth?

Which user is used to make calls to the toggled clusters? Is it the currently logged in user or the user that a datasource is configured with? Who is allowed to toggle between data sources?

@kgcreative
Member

kgcreative commented Feb 21, 2024

In order to make Security be what I would call "Multiple data source aware" (instead of fully integrated), at the minimum we need each page to have a selector to allow the user to switch the backend context for which cluster they are communicating with.

Taking the "Roles" page as an example, this would be the "before" state (current state):
[image: Roles page, current state]

For this page to be "Data source aware", we are proposing that all plugins add a cluster selector on the top right of each one of their pages:
[image: Roles page with a cluster selector at the top right]

We know that there is additional work to make all plugins "Multiple data source native" -- this work is specific to the simple P0 in order to integrate with the existing multiple data source feature.

@derek-ho
Collaborator

derek-ho commented Feb 21, 2024

Thanks for the details @zengyan-amazon @kgcreative! I will use this as a meta issue and create sub-issues for each page/section which will need this support. Can you folks share how to set up a cluster with AWS SigV4 creds? I couldn't find a README with these instructions.

@BionIT
Author

BionIT commented Feb 21, 2024

@zengyan-amazon On the documentation website, it shows that when adding a new datasource you configure it with username and password. Can you show me where I can find how that password is stored and used when making a request against the datasource? Does that mean that adding a data source requires a cluster to be configured with basic auth?

Hi @cwperks, thanks for your question:
The data source plugin supports multiple authentication methods, and basic auth is just one of them; the documentation also mentions SigV4, and RFC opensearch-project/OpenSearch-Dashboards#5692 allows users to register and use their own authentication methods to extend the available ones.

The credentials are encrypted and stored in OpenSearch cluster in the system index.

Which user is used to make calls to the toggled clusters? Is it the currently logged in user or the user that a datasource is configured with? Who is allowed to toggle between data sources?

The credential provided by the dashboard user should have permissions to call the remote cluster, and it is up to the dashboard user what permission is granted. If the security plugin is enabled for the cluster, the credentials should match a mapped user within the security plugin with certain permissions defined by the user.

Hope this helps, and @zengyan-amazon can help add more details if I missed anything.

@BionIT
Author

BionIT commented Feb 21, 2024

Thanks for the details @zengyan-amazon @kgcreative! I will use this as a meta issue and create sub-issues for each page/section which will need this support. Can you folks share how to set up a cluster with AWS SigV4 creds? I couldn't find a README with these instructions.

Hi @derek-ho, you can follow the official documentation to create an IAM user; when creating the cluster, just make that user the master user, which is the easiest.

@cwperks
Member

cwperks commented Feb 22, 2024

@BionIT Thank you for the response. I am able to set up multiple data-sources locally with 2 clusters that have the security plugin installed. I did encounter an issue though. For the primary cluster, I have https enabled and OSD connects to it fine (as expected). When I try to connect to cluster2, I had to disable https to get it to connect. When connecting with https, I checked the networking tab of dev tools and saw a cert validation failure.

{
    "statusCode": 400,
    "error": "Bad Request",
    "message": "Data Source Error: unable to verify the first certificate",
    "attributes": {
        "error": "Data Source Error: unable to verify the first certificate"
    }
}

Is it possible to setup other datasources with https?

@cwperks
Member

cwperks commented Feb 22, 2024

The credentials are encrypted and stored in OpenSearch cluster in the system index.

So the username and password provided when testing the connection are persisted? Are those credentials used for anything other than testing the connection?

@BionIT
Author

BionIT commented Feb 22, 2024

"message": "Data Source Error: unable to verify the first certificate",

@cwperks could you share the setup for the 2 clusters? Playground provides some examples of the data sources which were set up: https://playground.opensearch.org/app/management/opensearch-dashboards/dataSources. We can look at it together if needed.

@BionIT
Author

BionIT commented Feb 22, 2024

connection

Yes, credentials are encrypted and saved in the system index; they are used when querying remote data sources, and this documentation provides some details about how it is done using the client provided by the data source plugin: https://github.com/opensearch-project/OpenSearch-Dashboards/blob/main/docs/multi-datasource/client_management_design.md

@cwperks
Member

cwperks commented Feb 22, 2024

latest-multi-datasource.zip

@BionIT Please see the attached zip which has a docker-compose configuration. cd into the folder and run docker-compose down -v && docker-compose up to run all services which includes 2 clusters (4 nodes in total) plus OSD connected to cluster 1. Cluster 1 has 2 nodes and you can query it at port 9200 with admin:admin as credentials (it injects an internal_users.yml file so it allows the old admin pw from before 2.12).

Cluster 2 is listening on port 9201. Both have HTTPS enabled.

In OSD I tried to configure cluster2 as another data source with the following values:

Endpoint: https://host.docker.internal:9201
Username: admin
Password: admin

When I click Test Connection it gives the Data Source Error: unable to verify the first certificate error.

If I set plugins.security.ssl.http.enabled: false in the opensearch.yml file of cluster2, I can add it as a data source, and instead of the endpoint using https, I substitute in http.
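As an added example (not code from OpenSearch Dashboards or the security plugin), here is how a per-data-source client configuration could enforce HTTPS with a trusted CA rather than falling back to http, with a per-source CA overriding a common TLS configuration as suggested earlier in the thread. The record shape, the `tls.ca` field and the `commonTls` bundle are assumptions, and the CA text is a constructed stand-in.

```javascript
// Added example, not OSD or security-dashboards-plugin code. Builds per-data-source
// client options in the shape used by the OpenSearch JS client ({ node, auth, ssl }),
// enforcing HTTPS and a trusted CA instead of disabling TLS on the remote cluster.
// Data source records and the CA text are constructed; field names are assumptions.

// Constructed stand-in for a CA bundle shared by all data sources (a "common TLS
// configuration"). A real deployment would read the PEM that signed each node cert.
const commonTls = {
  ca: '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-COMMON-CA\n-----END CERTIFICATE-----\n',
};

// Constructed data source record mirroring the values from the comment above.
const cluster2 = {
  title: 'cluster2',
  endpoint: 'https://host.docker.internal:9201',
  auth: { type: 'basic', username: 'admin', password: 'admin' },
  // tls: { ca: '...' }  // optional per-data-source CA; overrides the common one
};

function buildClientOptions(ds, common = {}) {
  const url = new URL(ds.endpoint);
  if (url.protocol !== 'https:') {
    // Falling back to http (the workaround in the thread) would send the stored
    // credentials in cleartext; refuse it rather than silently accepting it.
    throw new Error(`${ds.title}: refusing non-TLS endpoint ${ds.endpoint}`);
  }
  // Per-data-source CA wins; otherwise use the common TLS configuration.
  const ca = (ds.tls && ds.tls.ca) || common.ca;
  if (!ca) {
    // Node reports a chain it cannot build to a trusted root as
    // UNABLE_TO_VERIFY_LEAF_SIGNATURE ("unable to verify the first certificate").
    // Surface the missing CA as a config error instead of rejectUnauthorized:false.
    throw new Error(`${ds.title}: no CA configured for ${url.host}`);
  }
  const options = { node: url.origin, ssl: { ca, rejectUnauthorized: true } };
  switch (ds.auth.type) {
    case 'basic':
      options.auth = { username: ds.auth.username, password: ds.auth.password };
      break;
    case 'sigv4':
      // Constructed marker only: the data source plugin does the SigV4 signing itself.
      options.auth = { type: 'sigv4', region: ds.auth.region };
      break;
    default:
      throw new Error(`${ds.title}: unsupported auth type ${ds.auth.type}`);
  }
  return options;
}
```

The same check can be applied at "Test Connection" time so that a missing CA is reported as a configuration error instead of prompting the admin to disable TLS on the remote cluster.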

@derek-ho
Collaborator

[Triage] @kgcreative @BionIT can you provide some more explicit assumptions and details surrounding testing scenarios (more specifically this: #1782 (comment)) and non-happy paths that we need to design for? We cannot mark this as triaged until we have some more details about what is fully expected to consider this issue as completed.

@stephen-crawford
Contributor

stephen-crawford commented Mar 4, 2024

[Triage] Still waiting for an idea of what this means to be done... @derek-ho or @cwperks if either of you have any idea what we mean for this we can mark this as triaged. If not, we can leave this untriaged.

@BionIT BionIT added the v2.14.0 label Apr 22, 2024
@BionIT
Author

BionIT commented Apr 23, 2024

@derek-ho @cwperks could you help to link the PR for this issue?

@DarshitChanpura
Member

@BionIT #1888

@BionIT BionIT closed this as completed Apr 26, 2024
@BionIT
Author

BionIT commented Apr 26, 2024

Thanks @derek-ho for working on adding the MDS support!
linked PR: #1911
#1888
