We are trying to create a managed Elastic on AWS with separate tenants (customers) and assign each tenant to a different index.

Each customer will have their username/password or something similar, like a token, etc.

We set up a managed ES on AWS and integrated it with the native Elastic SDK HighRestClient:

<dependency>
    <groupId>org.elasticsearch.client</groupId>
    <artifactId>elasticsearch-rest-high-level-client</artifactId>
    <version>7.10</version>
</dependency>

Everything works fine; all our actions are performed from Java code, like creating indices, managing them, searching, etc.

This piece of code simulates the basic auth as described here https://www.elastic.co/guide/en/elasticsearch/client/java-rest/master/_basic_authentication.html

final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY,
        new UsernamePasswordCredentials(settings.getEsUserName(), settings.getEsUserPass()));
restClientBuilder.setHttpClientConfigCallback(builder -> builder.setDefaultCredentialsProvider(credentialsProvider));

Now we are creating a different index for each customer, which is OK, but the problem is that now all our customers will have the same username/password.

Is it possible somehow to do this with multiple users, i.e. have multiple usernames/passwords?

So that each user can interact only with his own index, authenticated with a password.

I saw this case - https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/fgac.html#fgac-walkthrough-basic

As I understand from reading, they are talking about multi-tenancy for Kibana users.

Am I missing something? Is it possible to achieve our goal in a different way?

Mark Rotteveel
VitalyT

1 Answer

You are confusing two concepts here. You can refer to the below concepts and decide which use case suits you best.

Fine-grained access control provides you with an internal database authentication mechanism by which you can create multiple users (each having their own username/password) and attach roles/action groups to these users, so each user can have different permissions. Thereafter, each customer can be provided with a different username/password.

Tenants are a concept existing in the Kibana system (with the above security enabled), where a tenant can be used to store Kibana-related objects such as dashboards and visualisations. There are two default tenants: global, which is shared between all users, and the private tenant, which is exclusive to each customer. You can create your own custom tenant and configure it to be accessed by a group of users, so that these users can share Kibana-related objects.

More on tenants here: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/multi-tenancy/

Dhiresh Jain
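The per-customer users and roles described in the answer can be provisioned through the Open Distro security REST API. The following is an added example, not code from the question or the answer. It assumes fine-grained access control with the internal user database is enabled and that `adminClient` is authenticated as the master user; the class name and the `tenant_`/`tenant-` naming scheme are hypothetical.

```java
import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;

import java.io.IOException;
import java.util.regex.Pattern;
import org.elasticsearch.client.Request;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.xcontent.XContentBuilder;

// Added example (hypothetical class): one role + one internal user per tenant.
public class TenantProvisioner {
    // Assumption: tenant ids use this restricted alphabet, so an id can never
    // carry wildcards, commas or slashes that would widen the index pattern.
    private static final Pattern TENANT_ID = Pattern.compile("[a-z0-9][a-z0-9_-]{0,62}");
    private static final String API = "/_opendistro/_security/api";

    private final RestClient adminClient; // low-level client, master-user credentials

    public TenantProvisioner(RestClient adminClient) { this.adminClient = adminClient; }

    public void provision(String tenantId, String password) throws IOException {
        if (!TENANT_ID.matcher(tenantId).matches()) {
            throw new IllegalArgumentException("invalid tenant id");
        }
        String role = "tenant_" + tenantId;  // hypothetical role naming scheme
        String index = "tenant-" + tenantId; // hypothetical: one index per tenant

        // Role: document CRUD on this tenant's index only; bulk/msearch need the cluster group.
        put("/roles/" + role, jsonBuilder().startObject()
                .array("cluster_permissions", "cluster_composite_ops")
                .startArray("index_permissions").startObject()
                    .array("index_patterns", index)
                    .array("allowed_actions", "crud")
                .endObject().endArray()
                .endObject());

        // Internal user with its own password (the builder handles JSON escaping).
        put("/internalusers/" + tenantId,
                jsonBuilder().startObject().field("password", password).endObject());

        // Map the user to the role; nothing else is granted to this user.
        put("/rolesmapping/" + role,
                jsonBuilder().startObject().array("users", tenantId).endObject());
    }

    private void put(String path, XContentBuilder body) throws IOException {
        Request request = new Request("PUT", API + path);
        request.setJsonEntity(Strings.toString(body));
        adminClient.performRequest(request); // throws ResponseException on non-2xx
    }
}
```

Each tenant's `RestHighLevelClient` is then built with the same `BasicCredentialsProvider` setup as in the question, using that tenant's username and password instead of the shared ones. A request from that client to any index outside the role's `index_patterns` is rejected by the security plugin.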