opensearch-project · DarshitChanpura · Mar 20, 2024 · Mar 14, 2024 · Mar 14, 2024 · Mar 14, 2024
diff --git a/.github/workflows/cypress-test-multidatasources-disabled-e2e.yml b/.github/workflows/cypress-test-multidatasources-disabled-e2e.yml
@@ -0,0 +1,49 @@
+name: E2E multi datasources disabled workflow
+
+on: [ push, pull_request ]
+
+env:
+  OPENSEARCH_VERSION: '3.0.0'
+  CI: 1
+  # avoid warnings like "tput: No value for $TERM and no -T specified"
+  TERM: xterm
+  PLUGIN_NAME: opensearch-security
+  OPENSEARCH_INITIAL_ADMIN_PASSWORD: myStrongPassword123!
+
+jobs:
+  tests:
+    name: Run Cypress multidatasources tests
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ ubuntu-latest ]
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Checkout Branch
+        uses: actions/checkout@v3
+
+      # Configure the Dashboard for multi datasources disabled (default)
+      - name: Create OpenSearch Dashboards Config
+        if: ${{ runner.os == 'Linux' }}
+        run: |
+          cat << 'EOT' > opensearch_dashboards_multidatasources.yml
+          server.host: "localhost"
+          opensearch.hosts: ["https://localhost:9200"]
+          opensearch.ssl.verificationMode: none
+          opensearch.username: "kibanaserver"
+          opensearch.password: "kibanaserver"
+          opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
+          opensearch_security.multitenancy.enabled: false
+          opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
+          opensearch_security.readonly_mode.roles: ["kibana_read_only"]
+          opensearch_security.cookie.secure: false
+          data_source.enabled: false
+          home.disableWelcomeScreen: true
+          EOT
+
+      - name: Run Cypress Tests
+        uses: ./.github/actions/run-cypress-tests
+        with:
+          dashboards_config_file: opensearch_dashboards_multidatasources.yml
+          yarn_command: 'yarn cypress:run --browser chrome --headless --env BYPASS_LOGIN=true --spec "test/cypress/e2e/multi-datasources/multi_datasources_disabled.spec.js"'
diff --git a/.github/workflows/cypress-test-multidatasources-enabled-e2e.yml b/.github/workflows/cypress-test-multidatasources-enabled-e2e.yml
@@ -0,0 +1,120 @@
+name: E2E multi datasources enabled workflow
+
+on: [ push, pull_request ]
+
+env:
+  OPENSEARCH_VERSION: '3.0.0'
+  CI: 1
+  # avoid warnings like "tput: No value for $TERM and no -T specified"
+  TERM: xterm
+  PLUGIN_NAME: opensearch-security
+  OPENSEARCH_INITIAL_ADMIN_PASSWORD: myStrongPassword123!
+
+jobs:
+  tests:
+    name: Run Cypress multidatasources tests
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ ubuntu-latest ]
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Checkout Branch
+        uses: actions/checkout@v3
+
+      - name: Set env
+        run: |
+          opensearch_version=$(node -p "require('./package.json').opensearchDashboards.version")
+          plugin_version=$(node -p "require('./package.json').version")
+          echo "OPENSEARCH_VERSION=$opensearch_version" >> $GITHUB_ENV
+          echo "PLUGIN_VERSION=$plugin_version" >> $GITHUB_ENV
+        shell: bash
+
+      - name: Create remote OpenSearch Config
+        if: ${{ runner.os == 'Linux' }}
+        run: | 
+          cat << 'EOT' > remote_opensearch.yml
+          http.port: 9202
+          plugins.security.ssl.transport.pemcert_filepath: esnode.pem
+          plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
+          plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+          plugins.security.ssl.transport.enforce_hostname_verification: false
+          plugins.security.ssl.http.pemcert_filepath: esnode.pem
+          plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
+          plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+          plugins.security.allow_unsafe_democertificates: true
+          plugins.security.allow_default_init_securityindex: true
+          plugins.security.authcz.admin_dn:
+            - 'CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
+          plugins.security.nodes_dn:
+            - 'CN=node1.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
+            - 'CN=node2.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
+          plugins.security.audit.type: internal_opensearch
+          plugins.security.enable_snapshot_restore_privilege: true
+          plugins.security.check_snapshot_restore_write_privileges: true
+          # TODO: change this back to true/just append to the created opensearch.yml the new port
+          # after the self-signed certs issue is fixed
+          plugins.security.ssl.http.enabled: false 
+          plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
+          plugins.security.system_indices.enabled: true
+          plugins.security.system_indices.indices: [.plugins-ml-config, .plugins-ml-connector,
+            .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task, .plugins-ml-conversation-meta,
+            .plugins-ml-conversation-interactions, .plugins-ml-memory-meta, .plugins-ml-memory-message,
+            .opendistro-alerting-config, .opendistro-alerting-alert*, .opendistro-anomaly-results*,
+            .opendistro-anomaly-detector*, .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state,
+            .opendistro-reports-*, .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability,
+            .ql-datasources, .opendistro-asynchronous-search-response*, .replication-metadata-store,
+            .opensearch-knn-models, .geospatial-ip2geo-data*, .plugins-flow-framework-config,
+            .plugins-flow-framework-templates, .plugins-flow-framework-state]
+          node.max_local_storage_nodes: 3
+          EOT
+
+      - name: Download security plugin and create setup scripts
+        uses: ./.github/actions/download-plugin
+        with:
+          opensearch-version: ${{ env.OPENSEARCH_VERSION }}
+          plugin-name: ${{ env.PLUGIN_NAME }}
+          plugin-version: ${{ env.PLUGIN_VERSION }}
+
+      - name: Run Opensearch with A Single Plugin
+        uses: derek-ho/start-opensearch@9202
+        with:
+          opensearch-version: ${{ env.OPENSEARCH_VERSION }}
+          plugins: "file:$(pwd)/opensearch-security.zip"
+          security-enabled: true
+          admin-password: ${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }}
+          security_config_file: ${{ inputs.security_config_file }}
+          opensearch_yml_file: remote_opensearch.yml
+          opensearch_port: 9202
+
+      - name: Check OpenSearch is running
+          # Verify that the server is operational
+        run: |
+          curl http://localhost:9202/_cat/plugins -v -u admin:myStrongPassword123!
+        shell: bash
+
+      # Configure the Dashboard for multi datasources
+      - name: Create OpenSearch Dashboards Config
+        if: ${{ runner.os == 'Linux' }}
+        run: |
+          cat << 'EOT' > opensearch_dashboards_multidatasources.yml
+          server.host: "localhost"
+          opensearch.hosts: ["https://localhost:9200"]
+          opensearch.ssl.verificationMode: none
+          opensearch.username: "kibanaserver"
+          opensearch.password: "kibanaserver"
+          opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
+          opensearch_security.multitenancy.enabled: true
+          opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
+          opensearch_security.readonly_mode.roles: ["kibana_read_only"]
+          opensearch_security.cookie.secure: false
+          data_source.enabled: true
+          home.disableWelcomeScreen: true
+          EOT
+
+      - name: Run Cypress Tests
+        uses: ./.github/actions/run-cypress-tests
+        with:
+          dashboards_config_file: opensearch_dashboards_multidatasources.yml
+          yarn_command: 'yarn cypress:run --browser chrome --headless --env BYPASS_LOGIN=true --spec "test/cypress/e2e/multi-datasources/multi_datasources_enabled.spec.js"'
diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml
@@ -59,6 +59,62 @@ jobs:
           plugin-name: ${{ env.PLUGIN_NAME }}
           plugin-version: ${{ env.PLUGIN_VERSION }}
 
+      - name: Create remote OpenSearch Config
+        if: ${{ runner.os == 'Linux' }}
+        run: | 
+          cat << 'EOT' > remote_opensearch.yml
+          http.port: 9202
+          plugins.security.ssl.transport.pemcert_filepath: esnode.pem
+          plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
+          plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+          plugins.security.ssl.transport.enforce_hostname_verification: false
+          plugins.security.ssl.http.pemcert_filepath: esnode.pem
+          plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
+          plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+          plugins.security.allow_unsafe_democertificates: true
+          plugins.security.allow_default_init_securityindex: true
+          plugins.security.authcz.admin_dn:
+            - 'CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
+          plugins.security.nodes_dn:
+            - 'CN=node1.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
+            - 'CN=node2.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
+          plugins.security.audit.type: internal_opensearch
+          plugins.security.enable_snapshot_restore_privilege: true
+          plugins.security.check_snapshot_restore_write_privileges: true
+          # TODO: change this back to true/just append to the created opensearch.yml the new port
+          # after the self-signed certs issue is fixed
+          plugins.security.ssl.http.enabled: false 
+          plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
+          plugins.security.system_indices.enabled: true
+          plugins.security.system_indices.indices: [.plugins-ml-config, .plugins-ml-connector,
+            .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task, .plugins-ml-conversation-meta,
+            .plugins-ml-conversation-interactions, .plugins-ml-memory-meta, .plugins-ml-memory-message,
+            .opendistro-alerting-config, .opendistro-alerting-alert*, .opendistro-anomaly-results*,
+            .opendistro-anomaly-detector*, .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state,
+            .opendistro-reports-*, .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability,
+            .ql-datasources, .opendistro-asynchronous-search-response*, .replication-metadata-store,
+            .opensearch-knn-models, .geospatial-ip2geo-data*, .plugins-flow-framework-config,
+            .plugins-flow-framework-templates, .plugins-flow-framework-state]
+          node.max_local_storage_nodes: 3
+          EOT
+
+      - name: Run Opensearch with A Single Plugin
+        uses: derek-ho/start-opensearch@9202
+        with:
+          opensearch-version: ${{ env.OPENSEARCH_VERSION }}
+          plugins: "file:$(pwd)/opensearch-security.zip"
+          security-enabled: true
+          admin-password: ${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }}
+          security_config_file: ${{ inputs.security_config_file }}
+          opensearch_yml_file: remote_opensearch.yml
+          opensearch_port: 9202
+
+      - name: Check OpenSearch is running
+          # Verify that the server is operational
+        run: |
+          curl http://localhost:9202/_cat/plugins -v -u admin:myStrongPassword123!
+        shell: bash
+
       - name: Run Opensearch with security
         uses: derek-ho/start-opensearch@v2
         with:

diff --git a/opensearch_dashboards.json b/opensearch_dashboards.json
@@ -10,7 +10,9 @@
     "savedObjectsManagement"
   ],
   "optionalPlugins": [
-    "managementOverview"
+    "managementOverview",
+    "dataSource",
+    "dataSourceManagement"
   ],
   "server": true,
   "ui": true

diff --git a/public/apps/configuration/app-router.tsx b/public/apps/configuration/app-router.tsx
@@ -14,7 +14,7 @@
  */
 
 import { EuiBreadcrumb, EuiPage, EuiPageBody, EuiPageSideBar } from '@elastic/eui';
-import { flow, map, mapValues, partial } from 'lodash';
+import { flow, partial } from 'lodash';
 import React from 'react';
 import { HashRouter as Router, Route, Switch, Redirect } from 'react-router-dom';
 import { AppDependencies } from '../types';

diff --git a/public/apps/configuration/configuration-app.tsx b/public/apps/configuration/configuration-app.tsx
@@ -21,14 +21,22 @@
 import { AppMountParameters, CoreStart } from '../../../../../src/core/public';
 import { SecurityPluginStartDependencies, ClientConfigType } from '../../types';
 import { AppRouter } from './app-router';
+import { DataSourceManagementPluginSetup } from '../../../../../src/plugins/data_source_management/public';
 
 export function renderApp(
   coreStart: CoreStart,
-  navigation: SecurityPluginStartDependencies,
+  securityPluginStartDeps: SecurityPluginStartDependencies,
   params: AppMountParameters,
-  config: ClientConfigType
+  config: ClientConfigType,
+  dataSourceManagement?: DataSourceManagementPluginSetup
 ) {
-  const deps = { coreStart, navigation, params, config };
+  const deps = {
+    coreStart,
+    securityPluginStartDeps,
+    params,
+    config,
+    dataSourceManagement,
+  };
   ReactDOM.render(
     <I18nProvider>
       <AppRouter {...deps} />

diff --git a/public/apps/configuration/panels/get-started.tsx b/public/apps/configuration/panels/get-started.tsx
@@ -26,7 +26,7 @@ import {
   EuiTitle,
   EuiGlobalToastList,
 } from '@elastic/eui';
-import React from 'react';
+import React, { useState } from 'react';
 import { FormattedMessage } from '@osd/i18n/react';
 import { AppDependencies } from '../../types';
 import { buildHashUrl } from '../utils/url-builder';
@@ -36,6 +36,8 @@ import { API_ENDPOINT_CACHE, DocLinks } from '../constants';
 import { ExternalLink, ExternalLinkButton } from '../utils/display-utils';
 import { httpDelete } from '../utils/request-utils';
 import { createSuccessToast, createUnknownErrorToast, useToastState } from '../utils/toast-utils';
+import { SecurityPluginTopNavMenu } from '../top-nav-menu';
+import { Cluster } from '../../../types';
 
 const addBackendStep = {
   title: 'Add backends',
@@ -158,7 +160,17 @@ const setOfSteps = [
   },
 ];
 
+export function getClusterInfoIfEnabled(dataSourceEnabled: boolean, cluster: Cluster) {
+  if (dataSourceEnabled) {
+    return `for ${cluster.label || 'Local cluster'}`;
+  }
+  return '';
+}
+
 export function GetStarted(props: AppDependencies) {
+  const dataSourceEnabled = !!props.securityPluginStartDeps.dataSource?.dataSourceEnabled;
+  const [dataSource, setDataSource] = useState<Cluster>({ id: '', label: '' });
+
   let steps;
   if (props.config.ui.backend_configurable) {
     steps = [addBackendStep, ...setOfSteps];
@@ -170,6 +182,11 @@ export function GetStarted(props: AppDependencies) {
   return (
     <>
       <div className="panel-restrict-width">
+        <SecurityPluginTopNavMenu
+          {...props}
+          dataSourcePickerReadOnly={false}
+          setDatasourceId={setDataSource}
+        />
         <EuiPageHeader>
           <EuiTitle size="l">
             <h1>Get started</h1>
@@ -236,16 +253,29 @@ export function GetStarted(props: AppDependencies) {
               data-test-subj="purge-cache"
               onClick={async () => {
                 try {
-                  await httpDelete(props.coreStart.http, API_ENDPOINT_CACHE);
+                  await httpDelete(props.coreStart.http, API_ENDPOINT_CACHE, {
+                    dataSourceId: dataSource.id,
+                  });
                   addToast(
                     createSuccessToast(
                       'cache-flush-success',
-                      'Cache purge successful',
-                      'Cache purge successful'
+                      `Cache purge successful ${getClusterInfoIfEnabled(
+                        dataSourceEnabled,
+                        dataSource
+                      )}`,
+                      `Cache purge successful ${getClusterInfoIfEnabled(
+                        dataSourceEnabled,
+                        dataSource
+                      )}`
                     )
                   );
                 } catch (err) {
-                  addToast(createUnknownErrorToast('cache-flush-failed', 'purge cache'));
+                  addToast(
+                    createUnknownErrorToast(
+                      'cache-flush-failed',
+                      `purge cache ${getClusterInfoIfEnabled(dataSourceEnabled, dataSource)}`
+                    )
+                  );
                 }
               }}
             >