Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feature Request] Rule Based request labeling to define multi-tenancy #14425

Open
kaushalmahi12 opened this issue Jun 18, 2024 · 1 comment
Open
Labels
Cluster Manager enhancement Enhancement or improvement to existing feature or request Telemetry:Metrics PRs or issues specific to telemetry metrics framework

Comments

@kaushalmahi12
Copy link
Contributor

kaushalmahi12 commented Jun 18, 2024

Is your feature request related to a problem? Please describe

Currently there is no mechanism to label/classify the incoming requests into tenants. There is an RFC open for defining the multi-tenancy in OpenSearch. We should provide a way to translate request's implicit/explicit attributes into tenants. Currently we are working on query sandboxing which can leverage this but this is not limited to this feature only and can be easily leveraged for both the indexing as well as search workloads.

Describe the solution you'd like

Rule Based Labeling

We will enable admin users to define rules to translate requests into output tokens which can be interpreted as tenants for consuming features. These rules can leverage implicit|explicit attributes to define the tenants. The output tokens will be propagated via ThreadContext or can be consumed into the feature directly as return values.

Implicit attributes could be anything like

  • LoggedIn entity
  • Indices

Explicit Attributes

  • custom tags

I am skipping over the authN/authZ part for explicit attributes since that is something which should be handled at the security layer as discussed in the parent RFC

What will a Rule look like ?

{
    "Input": {
        "attr1": ["val1", "val2*"],
        "attr2": ["xyz", "xyz*"]
        .....
    },
    "Output": {
        "field1": "value",
        "field2": "value",
        ....
    }
}

What if multiple rules matches for a request, how to resolve these conflicts ?
Only one Rule should apply for a request. To avoid such conflicts we will ensure that no two rules are overlapping. But doing this will not ensure that the rukes doesn't overlap. We still need to come up with precedence of attributes.

Now the precedence of attributes needs to be tackled for both the supported type of attributes.

  • Implicit Attributes: For these attributes we can define the precedence based on the request type, if the request is co-ordinator level then give priority to loggedInEntity attribute and if the request is shard level we can give priority to index attribute.
  • Explicit Attributes: For explicit attributes It will be hard to enforce precedence sicne the we don't know what all attributes could be used as explicit attributes for all the users beforehand. Since this will vary from user to user, It is more suitable for users to define such order. Now we can provide users with two ways of giving this input.
  1. as part of request (QueryParam): something like _search?precedence="attr1>attr2"
  2. define it as part of config to be stored somewhere else

Related component

Other

Describe alternatives you've considered

No response

Additional context

No response

@kaushalmahi12 kaushalmahi12 added enhancement Enhancement or improvement to existing feature or request untriaged labels Jun 18, 2024
@github-actions github-actions bot added the Other label Jun 18, 2024
@peternied peternied added Cluster Manager Telemetry:Metrics PRs or issues specific to telemetry metrics framework and removed Other labels Jun 19, 2024
@peternied
Copy link
Member

[Triage - attendees 1 2 3 4 5]
@kaushalmahi12 Thanks for creating this issue

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Cluster Manager enhancement Enhancement or improvement to existing feature or request Telemetry:Metrics PRs or issues specific to telemetry metrics framework
Projects
Status: 🆕 New
Status: New
Development

No branches or pull requests

2 participants