MultiTenancy for OpenStack cloud with Keystone

Hi there,

I am writing on behalf of the Monasca team. We are doing a monitoring solution for OpenStack clouds, and one part of that monitoring is collecting/indexing logs.

Obviously we are using Kibana to display collected logs, but what we do not have is Keystone integration and, more specifically, multi-tenancy. Currently we started discussing this topic and ended up with the idea of implementing this in the form of a Kibana plugin.

What we would need is:

  • authorization access to kibana
  • scoping queries/requests sent to ES to include particular tenant

We would very much like to get some support from your side, maybe some general opinion on the Kibana approach we would like to take. We're asking because the Kibana plugins API is currently still not finalized (at least we suspect so because of the very nice file :wink: ).

Thx for any help, thought or insight :wink:

Currently multi-tenancy support only exists when you pair Kibana/Elasticsearch with Shield. This would allow you to restrict which users can view which data in Elasticsearch at a pretty granular level. However, fine-grained access control at the UI level, such as restricting which dashboards and views are accessible to given groups of users, is not part of that integration yet.

You can work around this currently by setting up multiple instances of Kibana - one per user - configured to point to different configuration indices (instead of the default .kibana).

Thanks Tyler for your answer. As the OpenStack project we are interested in an open source solution, so Shield is not an option for us. We already implemented a plugin for Keystone authorisation and started the work on scoping the access to ES based on the current project.

Do you plan to redesign completely or even drop the plugin support in Kibana? Are you interested in integration with OpenStack and our contribution of the mentioned functionality in upstream Kibana?

1 Like
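
An added example, not part of the thread and not the Monasca plugin's code: one way a Kibana-side proxy could scope a search body to the current Keystone project before forwarding it to Elasticsearch. The `tenant_id` field name, the function names and the sample request are assumptions, and the `bool`/`filter` syntax assumes Elasticsearch 2.0 or later; `global` aggregations are rejected because they ignore the query and would return buckets from every tenant.

```javascript
'use strict';

// Hypothetical field that the log pipeline stamps on every indexed document
// (assumed to be indexed as an exact, non-analyzed value).
const TENANT_FIELD = 'tenant_id';

// Recursively look for a `global` aggregation, which ignores the search
// query and would therefore escape the tenant filter added below.
function hasGlobalAgg(aggs) {
  if (!aggs || typeof aggs !== 'object') return false;
  return Object.values(aggs).some((agg) => {
    if (!agg || typeof agg !== 'object') return false;
    if (Object.prototype.hasOwnProperty.call(agg, 'global')) return true;
    return hasGlobalAgg(agg.aggs || agg.aggregations);
  });
}

// Return a copy of a search body restricted to one project.
// projectId must come from the validated Keystone token, never from the request.
function scopeSearchBody(body, projectId) {
  if (typeof projectId !== 'string' || projectId.length === 0) {
    throw new Error('no project in token scope');
  }
  const original = body || {};
  if (hasGlobalAgg(original.aggs || original.aggregations)) {
    throw new Error('global aggregation not allowed in tenant-scoped search');
  }
  // The client's query is nested under `must`, so nothing it contains
  // (including an OR on the tenant field) can widen the `filter` clause.
  return Object.assign({}, original, {
    query: {
      bool: {
        must: [original.query || { match_all: {} }],
        filter: [{ term: { [TENANT_FIELD]: projectId } }],
      },
    },
  });
}

// Constructed sample request, shaped like one a dashboard panel might send.
const sample = {
  size: 0,
  query: { query_string: { query: 'level:ERROR OR tenant_id:other' } },
  aggs: { per_host: { terms: { field: 'hostname' } } },
};
console.log(JSON.stringify(scopeSearchBody(sample, 'constructed-project-id'), null, 2));
```

This covers only the search body; which indices a request may address has to be restricted separately.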

Any news about what @witekest wrote?

We would really appreciate some cooperation or input. Like @witekest mentioned, we cannot use Shield because that is a proprietary solution and what we are looking for is OS solution.