[BUG] Breaking changes to tenants in 2.19.4 #5924

@AlexRuiz7

What is the bug?

In previous versions, such as 2.19.3, OpenSearch uses an empty string ("") as the global tenant, both with multi-tenancy enabled and disabled.

However, because of the changes introduced in OpenSearch 2.19.4 (#5519), the global tenant changes to "null" when multi-tenancy is disabled. As a result, the reports (and every custom asset) fall under a different tenant compared to the previous version, so they don't show for a user using the global tenant.

How can one reproduce the bug?

In OpenSearch 2.19.3, disable multi-tenancy in Dashboards and create, for example, some report definitions. Note the tenant is set to "".

Image

Then, update to OpenSearch 2.19.4. The reports won't show in the UI. Also, in the image below, we can see how requesting the list of report definitions for the admin user under the global tenant does return an empty response.

Image Image

This gives the impression that the data was lost during the upgrade. However, the data is still present in the indices, just under a different tenant.

curl -k -u admin:admin -X GET "https://localhost:9200/_cat/indices/.opendistro-reports*?v"

health status index                           uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .opendistro-reports-definitions cQPXRDRXS-SHj_ESdWVDwA   1   0          1            0        5kb            5kb
green  open   .opendistro-reports-instances   eyemwFcfQ8Og0vI6XsAZUw   1   0          2            0      6.7kb          6.7kb

Create a new report definition. Note the tenant is now set to "null".

Image

Do you have any additional context?

As a workaround, we created a script to migrate the resources, by updating every document whose tenant is "" to "null".

curl --key "$CERTS_DIR/admin-key.pem" --cert "$CERTS_DIR/admin.pem" --cacert "$CERTS_DIR/root-ca.pem" \
  -XPOST "https://127.0.0.1:9200/.*/_update_by_query?scroll_size=10000" \
  -H 'Content-Type: application/json' \
  -d'
{
  "query": {
    "bool": {
      "must": [
        {
          "exists": {
            "field": "tenant"
          }
        },
        {
          "term": {
            "tenant": ""
          }
        }
      ]
    }
  },
  "script": {
    "lang": "painless",
    "source": "ctx._source.tenant = \"null\""
  }
}'

This is clearly not ideal, but does the trick.
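
Because the workaround above writes to every index matched by `.*` with admin credentials, a read-only audit of which indices hold documents for a given tenant value is useful before and after running it. The following is an added example, not part of the original issue or the OpenSearch project; the function names and the `OS_URL` variable are hypothetical, and `CERTS_DIR` is assumed to be set as in the script above.

```shell
#!/bin/sh
# Added example: read-only audit for the tenant migration workaround.
# Assumptions: CERTS_DIR as in the original script; OS_URL and the
# function names below are hypothetical helpers, not OpenSearch tooling.

OS_URL="${OS_URL:-https://127.0.0.1:9200}"

# Build a size-0 search body that counts, per index, the documents whose
# "tenant" field equals $1 (pass "" for the pre-2.19.4 global tenant).
tenant_audit_body() {
  # Escape backslashes and double quotes so the value stays valid JSON.
  t=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf '{"size":0,"track_total_hits":true,"query":{"term":{"tenant":"%s"}},"aggs":{"by_index":{"terms":{"field":"_index","size":100}}}}' "$t"
}

# Run the audit against the same index pattern the migration uses (.*).
# Nothing is modified: this only issues a _search request.
tenant_audit() {
  curl -sS --key "$CERTS_DIR/admin-key.pem" --cert "$CERTS_DIR/admin.pem" \
    --cacert "$CERTS_DIR/root-ca.pem" \
    -XPOST "$OS_URL/.*/_search?pretty" \
    -H 'Content-Type: application/json' \
    -d "$(tenant_audit_body "$1")"
}

# Usage (not executed here):
#   tenant_audit ""      # before migrating: indices that hold "" documents
#   tenant_audit "null"  # after migrating: confirm the documents moved
```

The `by_index` buckets in the response list each affected index with its document count, which can be compared with the `updated` total that `_update_by_query` reports.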

Labels: bug (Something isn't working), untriaged (Require the attention of the repository maintainers and may need to be prioritized)
