Tenants and parameter substitution

Hello all,

A quick question regarding parameter substitution.

We would like to have it available for tenants (for the moment, my understanding is that it is only available for index permissions as well as dls : Users and Roles - Open Distro Documentation).

The idea would be that this user :

new-user:
  hash: "*************"
  reserved: false
  hidden: false
  opendistro_security_roles:
  - "role-tenant1"
  attributes:
    attribute1: "tenant1"
  static: false

Would only have access to the tenant tenant1 if the role role-tenant1 was defined like this :

role-tenant1:
 reserved: false
 hidden: false
 cluster_permissions:
 - "read"
 - "cluster:monitor/nodes/stats"
 - "cluster:monitor/task/get"
 tenant_permissions:
 - tenant_patterns:
   - ${attr.internal.attribute1}
   allowed_actions:
   - "kibana_all_write"
 static: false
_meta:
 type: "roles"
 config_version: 2

I did not find anything on the roadmap yet or any feature request regarding this, do you think this would be an interesting FR (or even PR) ?

Thanks in advance.
Christophe.

Personally I try to keep a 1:1 tenant to role mapping, mostly because of the KISS principle. I would otherwise be worried that I would not be able to figure out which users actually have access to a specific tenant.

Hello there,
Thanks for the answer.
This is precisely what I am going for here : something dead simple, because in the end I will be using the jwt attributes and have only one generic role referencing the attribute received from the LDAP for the index as well as the tenants permissions.
Christophe.

Hello all,

FYI, I have created both a Feature Request as well as a Pull Request for this on github :

• FR : https://github.com/opendistro-for-elasticsearch/security/issues/817
• PR : https://github.com/opendistro-for-elasticsearch/security/pull/819

Please let me know if you need more information.
Thanks.
Christophe.