Enabling Multi-Tenancy using Docker


Ryan Mohr

Jun 29, 2021, 9:53:09 AM
to Wazuh mailing list
Hi All,

I'm looking to enable Multi-Tenancy using Docker, however I'm struggling to figure out the specific config file to edit. Opendistro mentions using the security config or kibana.yml. Docker doesn't pull a Kibana config file, it just edits the environment. Do I need to edit multi-tenancy under the environment? In the production configuration file? 

kibana:
    image: wazuh/wazuh-kibana-odfe:4.1.5
    hostname: kibana
    restart: always
    ports:
      - 5601:5601
    environment:
      - ELASTICSEARCH_USERNAME=____________
      - ELASTICSEARCH_PASSWORD=_____________
      - SERVER_SSL_ENABLED=true
      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/______.pem
      - SERVER_SSL_KEY=/usr/share/kibana/config/_______.pem
      - WAZUH_API_URL="https://wazuh-master"
      - API_USERNAME=______________
      - API_PASSWORD=______________
    volumes:
      - ./production_cluster/kibana_ssl/______.pem:/usr/share/kibana/config/______.pem
      - ./production_cluster/kibana_ssl/______.pem:/usr/share/kibana/config/______.pem

Best,
Ryan

Alfonso Ruiz-Bravo

Jun 30, 2021, 4:05:37 AM
to Wazuh mailing list
Hello Ryan,

First of all, I would like to apologize for the late reply.

To enable multitenancy it is necessary to configure the following files: 

- Open Distro security config.yml

In the Open Distro pod run the following command:

bash /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -backup /usr/share/elasticsearch/check-backup/ -icl -key /etc/elasticsearch/kirk-key.pem -cert /etc/elasticsearch/kirk.pem -cacert /etc/elasticsearch/root-ca.pem -nhnv

This command will download the contents of the security index into a series of yml files in the /usr/share/elasticsearch/check-backup/ directory. Consider making changes to both the download path and the certificates used.

Once the files are created, check the content of the config.yml file. To enable multitenancy, it should look like this:

...
config:
  dynamic:
    kibana:
      multitenancy_enabled: true
      server_username: kibanaserver
      index: '.kibana'
    do_not_fail_on_forbidden: false
...

If you prefer to change the user (server_username), replace kibanaserver with the desired user, such as admin or another user you have created for the Kibana container.

If you have had to make any changes to the file, you will have to upload these changes for Open Distro to make them effective. Run:

bash /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -f /usr/share/elasticsearch/check-backup/config.yml -icl -key /etc/elasticsearch/kirk-key.pem -cert /etc/elasticsearch/kirk.pem -cacert /etc/elasticsearch/root-ca.pem -nhnv

This way Open Distro will already be enabled to use multitenancy.

- Kibana configuration kibana.yml

Kibana needs to be configured to use multitenancy. For this, I think the best option would be for you to create the kibana.yml and mount it as a volume. One option would be to get the contents of the kibana.yml file you have now, without multitenancy, and copy it to a file outside the container, which you will use to mount the volume.

The next step is to add the multitenancy configuration to this copy you have created. Add or change:

. . .
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Global", "Private"]
. . .

Finally, prepare this copy to be mounted as a volume in the Kibana container: 

kibana:
    image: wazuh/wazuh-kibana-odfe:4.1.5
    hostname: kibana
    restart: always
    ports:
      - 5601:5601
    environment:
. . .
    volumes:
. . .
      - ./custom-kibana.yml:/usr/share/kibana/config/kibana.yml


Now when I bring up the environment again, Kibana should be configured correctly to use multitenancy.

I hope I have been helpful. Please do not hesitate to contact us with any other questions you may have.

Best regards,

Alfonso Ruiz-Bravo
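
A pre-flight check for the two files changed in the reply above, as an added example that is not part of the thread or of the Wazuh or Open Distro tooling. It confirms that both files enable multitenancy and that server_username names the account Kibana connects with, which Open Distro expects to match; the function names, sample files and temporary paths are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): consistency check for the two files
# edited above. Function names and sample files are hypothetical.

# Print the value of the first "KEY: value" line in FILE, ignoring
# indentation, a trailing comment and one layer of quotes.
yaml_scalar() {  # usage: yaml_scalar KEY FILE
  _key=$(printf '%s' "$1" | sed 's/\./\\./g')   # dots in KEY are literal
  sed -n "s/^[[:space:]]*${_key}:[[:space:]]*//p" "$2" | head -n 1 |
    sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/[[:space:]]*$//' \
        -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Return 0 only if both files enable multitenancy and server_username is the
# account Kibana logs in with (ELASTICSEARCH_USERNAME in the compose file).
check_multitenancy() {  # usage: check_multitenancy CONFIG_YML KIBANA_YML KIBANA_USER
  _rc=0
  _v=$(yaml_scalar multitenancy_enabled "$1")
  [ "$_v" = "true" ] || { echo "config.yml: multitenancy_enabled='$_v'"; _rc=1; }
  _v=$(yaml_scalar server_username "$1")
  [ "$_v" = "$3" ] || { echo "config.yml: server_username='$_v', Kibana user='$3'"; _rc=1; }
  _v=$(yaml_scalar opendistro_security.multitenancy.enabled "$2")
  [ "$_v" = "true" ] || { echo "kibana.yml: multitenancy.enabled='$_v'"; _rc=1; }
  return "$_rc"
}

# Constructed sample files mirroring the snippets in the thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/config.yml" <<'EOF'
config:
  dynamic:
    kibana:
      multitenancy_enabled: true
      server_username: kibanaserver
      index: '.kibana'
    do_not_fail_on_forbidden: false
EOF
cat > "$demo_dir/custom-kibana.yml" <<'EOF'
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Global", "Private"]
EOF

check_multitenancy "$demo_dir/config.yml" "$demo_dir/custom-kibana.yml" kibanaserver \
  && echo "multitenancy settings are consistent"
```

Point it at the config.yml in the backup directory and at the kibana.yml copy to be mounted, before uploading config.yml with securityadmin.sh.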
