Skip to content

[FEATURE] Make opensearch_security.multitenancy.tenants.preferred dynamic via Security config (similar to 2.7 multitenancy) #5969

New issue
New issue
Open
Open
[FEATURE] Make opensearch_security.multitenancy.tenants.preferred dynamic via Security config (similar to 2.7 multitenancy)#5969
Labels
enhancementNew feature or requesttriagedIssues labeled as 'Triaged' have been reviewed and are deemed actionable.v3.6.0Issues targeting release v3.6.0
@cwperks

Description

@cwperks
cwperks
opened on Feb 25, 2026

Summary

Today, the opensearch_security.multitenancy.tenants.preferred setting is configured statically in opensearch_dashboards.yml. In order to change the value of this setting requires OSD node reboots unlike other dynamic security dashboards settings.

In OpenSearch 2.7, we made a change to make multi-tenancy dynamic, allowing it to be managed via the Security config and updated without requiring a Dashboards restart:

This issue proposes making opensearch_security.multitenancy.tenants.preferred configurable dynamically via the Security configuration API in OpenSearch, instead of being solely controlled via opensearch_dashboards.yml.

Problem Statement

Currently:

opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
  • This setting is defined statically in opensearch_dashboards.yml
  • Changes require a Dashboards restart

Proposed Design

Backend (Security plugin)

1. Extend Security Config

  • Extend securityconfig to include a preferred_tenants setting under kibana.

Example (illustrative):

{
  "dynamic": {
    "kibana": {
      ...
      "multitenancy_enabled": true,
      "preferred_tenants": ["Private", "Global"]
    }
  }
}

2. Expose via /_plugins/_security/dashboardsinfo

The value should be returned by the /_plugins/_security/dashboardsinfo endpoint.

This keeps Dashboards configuration fetch centralized and consistent.

Example (illustrative):

{
  ...
  "multitenancy_enabled": true,
  "preferred_tenants": ["Private", "Global"]
}

Frontend (Security Dashboards Plugin)

  • Similar pattern to:

  • Fetch preferred tenants from the Security config instead of only reading from opensearch_dashboards.yml.

  • Maintain backward compatibility:

    • If dynamic config is absent → fallback to opensearch_dashboards.yml
    • If both exist → dynamic config takes precedence

Backward Compatibility

  • Default behavior remains unchanged if no dynamic setting is defined.
  • Static opensearch_dashboards.yml continues to work.
  • No breaking changes to existing configurations.

Related Work

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requesttriagedIssues labeled as 'Triaged' have been reviewed and are deemed actionable.v3.6.0Issues targeting release v3.6.0

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions