Hi José,
Thank you for your response.
After enabling multitenancy, Kibana would fail to start in my scenario.
I am posting the next steps here; hopefully this will help someone else in the future.
Not sure if this is needed, but after reading different forums I enabled the following part in /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml during my experiments:
config:
  dynamic:
    do_not_fail_on_forbidden: false
    kibana:
      # Kibana multitenancy
      multitenancy_enabled: true
      server_username: admin
      #index: '.kibana'
Which did not resolve the issue.
When I checked for listening ports, I noticed my Kibana listening process on port 443 would not show up.
After much searching I found the relevant error:
["error","plugins","opendistroSecurityKibana"],"pid":14733,"message":"{ Error: Authorization Exception\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:349:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:306:7)\n at HttpConnector.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)\n at IncomingMessage.wrapper (/usr/share/kibana/node_modules/lodash/lodash.js:4949:19)\n at IncomingMessage.emit (events.js:203:15)\n at endReadableNT (_stream_readable.js:1145:12)\n at process._tickCallback (internal/process/next_tick.js:63:19)\n status: 403,\n displayName: 'AuthorizationException',\n message: 'Authorization Exception',\n path: '/_opendistro/_security/tenantinfo',\n query: {},\n body: undefined,\n statusCode: 403,\n response: '',\n toString: [Function],\n toJSON: [Function] }"}
which led me to user permissions.
Not fully understanding the user permission intricacies between the different components of the stack, I was trying different things.
What seemed to finally work for me is using the same user in /etc/kibana/kibana.yml and /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml, which in my case is kibanaserver.
At some point I had user admin in both kibana.yml and config.yml but the error persisted.
I do not know why the admin user did not work, but changing to kibanaserver in both locations seemed to do the trick.
Jose,
If you don't mind I will pick your brain.
Do you have any comment on the above?
Do you normally need to edit the /elasticsearch/plugins/opendistro_security/securityconfig/config.yml file, or should the Kibana change alone have been sufficient?
Is there any high-level documentation for Wazuh explaining multitenancy and what can be accomplished with it? All the documents I saw quickly become very technical and do not include Wazuh in the examples.
My initial thinking is that we have Wazuh agents from different customers reporting to the Wazuh server. Can we use multitenancy so that Customer A can log in and see only his X agents (and their relevant security events/vulnerabilities etc.) and Customer B sees only his Y agents?
Kind regards
Filip
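
Added example, not part of Filip's message and not Wazuh or Open Distro code: a small check that the Kibana server user named in kibana.yml (the standard `elasticsearch.username` setting) matches `server_username` in the security plugin's config.yml, which is the change described above. Both file contents are constructed samples, and the helper names are hypothetical; it tests only that the two names agree and that multitenancy is switched on.

```python
import re

# "key: value" on one line at any indentation; commented-out lines are skipped below.
_KV = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")

def scalar_keys(yaml_text):
    """Collect 'key: value' scalars, ignoring nesting and comments.

    Enough for the flat dotted keys of kibana.yml and the unique key names
    under config.dynamic.kibana; this is not a general YAML parser.
    """
    found = {}
    for line in yaml_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            value = m.group(2).split(" #", 1)[0].strip().strip("'\"")
            if value:  # skip mapping headers such as "kibana:"
                found[m.group(1)] = value
    return found

def check_kibana_user(kibana_yml, config_yml):
    """Return a list of problems; an empty list means the two files agree."""
    kib_user = scalar_keys(kibana_yml).get("elasticsearch.username")
    sec = scalar_keys(config_yml)
    problems = []
    if sec.get("multitenancy_enabled") != "true":
        problems.append("multitenancy_enabled is not true in config.yml")
    if kib_user != sec.get("server_username"):
        problems.append("user mismatch: kibana.yml=%r, config.yml=%r"
                        % (kib_user, sec.get("server_username")))
    return problems

# Constructed sample: config.yml as quoted in the message above.
CONFIG_YML = """config:
  dynamic:
    do_not_fail_on_forbidden: false
    kibana:
      multitenancy_enabled: true
      server_username: admin
      #index: '.kibana'
"""
# Constructed sample: the one relevant line of kibana.yml.
KIBANA_YML = "elasticsearch.username: kibanaserver\n"

if __name__ == "__main__":
    for problem in check_kibana_user(KIBANA_YML, CONFIG_YML) or ["ok"]:
        print(problem)
```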