Open eirsep opened 2 months ago
This issue is copied over from https://github.com/opensearch-project/security-analytics/issues/1300 as it was created in the wrong repo.
Could anyone please confirm if this multi-tenancy is possible or not with the alerting plugin?
https://github.com/opensearch-project/alerting/issues/119
Multi-tenancy is not possible with the alerting plugin.
I want to create monitors inside different tenants, and one tenant's user should not view another tenant's alert monitors.
Is your feature request related to a problem? Describe the issue: We are trying to create the alert monitors in different tenants, but all the monitors are visible in both the tenants, and app teams are complaining about the RBAC in the alerting plugin.
Even after enabling the backend roles, the RBAC with the alerting plugin is not working. Below are the settings that are enabled in the cluster. settings_in_cluster:
{
  "persistent": {
    "cluster": {
      "routing": {
        "allocation": {
          "cluster_concurrent_rebalance": "50",
          "node_concurrent_recoveries": "50",
          "enable": "all",
          "total_shards_per_node": "5000"
        }
      },
      "max_shards_per_node": "5000"
    },
    "indices": {
      "breaker": { "fielddata": { "limit": "60%" } },
      "recovery": {
        "max_bytes_per_sec": "1024mb",
        "max_concurrent_file_chunks": "5",
        "max_concurrent_operations": "4"
      }
    },
    "opensearch": {
      "notifications": { "general": { "filter_by_backend_roles": "true" } }
    },
    "plugins": {
      "index_state_management": {
        "metadata_migration": { "status": "1" },
        "template_migration": { "control": "-1" }
      },
      "alerting": { "filter_by_backend_roles": "true" }
    }
  },
  "transient": {
    "cluster": {
      "routing": {
        "allocation": {
          "disk": {
            "watermark": { "low": "95%", "flood_stage": "95%", "high": "95%" }
          },
          "enable": "all",
          "total_shards_per_node": "5000"
        }
      },
      "info": { "update": { "interval": "1m" } },
      "max_shards_per_node": "5000"
    },
    "plugins": {
      "anomaly_detection": { "filter_by_backend_roles": "true" },
      "alerting": { "filter_by_backend_roles": "true" }
    }
  }
}
Roles & users: Below is the configuration I have used for the tenants, roles and internal users. For the internal users, we have provided the pre-defined roles as alerting_full_access.
What solution would you like? I want to create monitors inside different tenants, and one tenant's user should not view another tenant's alert monitors.
What alternatives have you considered? Even after creating via the API, the monitor got triggered but under the global tenant, not under the specified tenant.
curl -k -u admin:admin -XPOST "https://127.0.0.1:9200/_plugins/_alerting/monitors" -H "Content-Type: application/json" -H "securitytenant: Tenant-1" -d '{