Multi-tenancy in Search with OpenSearch

To use the multi-tenancy feature in Search with OpenSearch, the security mode for the cluster must be set to enforcing. For more information about how to check this setting, and update if necessary, see Verify Security Mode and Updating Cluster Security Mode to Enforcing.

Multi-tenancy should be enabled by default for new clusters. You can check if multi-tenancy is enabled for your cluster by making a get request with the Configuration API:

GET _plugins/_security/api/securityconfig

The following response example shows the relevant part of the response for determining if the multi-tenancy feature is enabled, specifically the multitenancy_enabled attribute in the kibana element.

{
   "config" : {
      "dynamic" : {
         "filtered_alias_mode" : "warn",
         "disable_rest_auth" : false,
         "disable_intertransport_auth" : false,
         "respect_request_indices_options" : false,
         "kibana" : {
            "multitenancy_enabled" : false,
            "server_username" : "kibanaserver",
            "index" : ".kibana"
         },
   <additional securityconfig response returned for GET request>...

If you need to enable multi-tenancy, use a put request with the Configuration API to update the setting, as shown in the following example:

PUT _plugins/_security/api/securityconfig/config
{
   "dynamic": {
      "security_mode": "ENFORCING",
      "kibana": {
         "multitenancy_enabled": true,
         "server_username": "kibanaserver",
         "index": ".kibana_1"
      },
   <additional securityconfig details for PUT request>...

After you've confirmed that the multi-tenancy feature is enabled for your cluster, you can do the following:

• Create a tenant. You must have admin permissions to create a new tenant.

• Give roles access to tenants. In addition to doing this for any custom tenants you create, you also need to do this for the global tenant. You can grant roles read access or read/write access to tenants.