[Workspace]Add permission control logic for workspace

[wanglam]

Description

This PR is for adding permission control logic for workspace. It's includes below changes:

1. Add savedObjects.permission to global config object
2. Add permissions field in workspace create and update API
3. Consume workspaces in repository get method
4. Add ACLSearchParams and workspaceSearchOperator to repository find method
5. Add permission control client and workspace saved object client wrapper

Issues Resolved

closes #6051

Screenshot

Testing the changes

Write unit tests and integration tests for workspace saved object client wrapper.

Test instructions

Since all these changes are in the server side. We need to call these APIs manual to verify if permission control work fine.
There are two types saved objects in permission control. The first one is saved object with workspaces property, another one is saved object with permissions property. In this test instruction, we will use workspace type saved object to verify permission control when has permissions property. Use dashboard type saved object to verify permission control when has workspaces property. If one saved object has workspaces property, the permission control logic will check if has related permissions to the workspaces. Then if it has permissions property, it will do the permission validation on the permissions property.

savedObjects.permission.enabled: true
workspace.enabled: true

To run all below tests, need to add above flags in opensearch_dashboards.yml, and install security-dashboards-plugin. There are two internal users will be used in following tests. Here are the user details:

• user1:
  username: admin, password: myStrongPassword123! backend-roles: admin
• user2:
  username: another-user, password: myStrongPassword123! backend-roles: kibanauser

The admin user is not a specific user here, all the permission control process is the same as a normal user.
We will add authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE= to curl command to simulate admin user and add authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh to simulate another-user.
After all the environments ready and user created, we can start to test permission control feature.

Create workspace

This steps is for creating test workspace for future test cases. Run below workspace create API.

curl 'http://localhost:5601/api/workspaces' \
  -X 'POST' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'Content-Type: application/json' \
  -H 'osd-xsrf: osd-fetch' \
  -H 'osd-version: 3.0.0' \
  --data-raw '{"attributes":{"name":"admin-only-workspace"}}' \
  --compressed

Here is an example response, the workspace will be created. It will return a workspace id, can be used in following steps.

{"success":true,"result":{"id":"GVnXDv"}}

GVnXDv is the workspace id, since the workspace was created by admin user. The user will be assigned library_write and write permission to workspace. The another-user doesn't have this permission, we can try to get this workspace by below code.

curl 'http://localhost:5601/api/workspaces/GVnXDv' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

Try to get workspace with another-user, it will response {"success":false,"error":"Invalid saved objects permission"}.

create in permitted workspace

curl 'http://localhost:5601/api/saved_objects/dashboard' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '{"attributes":{"title":"test-dashboard-admin","hits":0,"description":"","panelsJSON":"[]","optionsJSON":"{\"useMargins\":true,\"hidePanelTitles\":false}","version":1,"timeRestore":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}},"references":[],"workspaces":["GVnXDv"]}' \
  --compressed

In above commands, it will create an dashboard in the admin-only-workspace. The admin user has library_write permission in the workspace. The create option will be succeed. The response dashboard id is 87af5db0-dc52-11ee-acaf-4d315f971049, we can try to get / update / delete this ID in next tests.

create in not permitted workspace

curl 'http://localhost:5601/api/saved_objects/dashboard' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '{"attributes":{"title":"test-dashboard-admin"},"workspaces":["GVnXDv"]}' \
  --compressed

{"statusCode":403,"error":"Forbidden","message":"Invalid workspace permission"}

In above commands, it try to create an dashboard in the admin-only-workspace. The another-user user doesn't have library_write permission in the workspace. The create option will be failed. It's show permission control for saved object work as expected.

create with overwrite

curl 'http://localhost:5601/api/saved_objects/dashboard/87af5db0-dc52-11ee-acaf-4d315f971049?overwrite=true' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '{"attributes":{"title":"test-dashboard-admin"}} \
  --compressed

{"statusCode":403,"error":"Forbidden","message":"Invalid saved objects permission"}

This is another cases, the another-user user wants to overwrite an existing saved object. Seems the user doesn't have permission to the dashboard's workspaces and doesn't have permission to the dashboard saved object self. The operation was denied.

bulkCreate in permitted workspace

curl 'http://localhost:5601/api/saved_objects/_bulk_create?workspaces=GVnXDv' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '[{"type":"dashboard","attributes":{"title":"bulk-test-dashboard-admin"}}]' \
  --compressed

These above commands will be succeed, it will create a dashboard saved object in admin-only-workspace. We can write down the dashboard id fffe5ab0-dc83-11ee-9093-372beb25d7b4. Then we can used in the bulkGet method.

bulkCreate in not permitted workspace

curl 'http://localhost:5601/api/saved_objects/_bulk_create?workspaces=GVnXDv' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '[{"type":"dashboard","attributes":{"title":"bulk-test-dashboard-admin"}}]' \
  --compressed

These above commands will be failed. another-user doesn't have library_write permission in admin-only-workspace. It can't create saved objects in the workspace.

bulkCerate with override

curl 'http://localhost:5601/api/saved_objects/_bulk_create?overwrite=true' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '[{"type":"dashboard","id":"fffe5ab0-dc83-11ee-9093-372beb25d7b4","attributes":{"title":"bulk-test-dashboard-admin"}}]' \
  --compressed

These above commands will be failed. another-user doesn't have permission to the existing saved objects. The overwrite operation will be denied.

get permitted dashboard

curl 'http://localhost:5601/api/saved_objects/dashboard/87af5db0-dc52-11ee-acaf-4d315f971049' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

The admin user has library_write permission to dashboard saved object's workspace. The API return the dashboard object.

get not permitted dashboard

curl 'http://localhost:5601/api/saved_objects/dashboard/87af5db0-dc52-11ee-acaf-4d315f971049' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

The another-user user doesn't any permission to the dashboard saved object's workspace and itself. The API will response error.

get permitted workspace

curl 'http://localhost:5601/api/workspaces/GVnXDv' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

Since workspace is a hidden type in saved objects. It doesn't support call saved object get API directly. We need to call workspace get API instead. This will be succeed, since admin user has related permission.

get not permitted workspace

curl 'http://localhost:5601/api/workspaces/GVnXDv' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

This command will be failed. The workspace type saved object has permissions property. It will store permitted user in this property. The another-user doesn't in it. So the get API call will be failed.

bulk get permitted dashboard

curl 'http://localhost:5601/api/saved_objects/_bulk_get' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '[{"type":"dashboard","id":"fffe5ab0-dc83-11ee-9093-372beb25d7b4"}]' \
  --compressed

This command will be succeed, it will return dashboards created in bulk create method.

bulk get not permitted dashboard

curl 'http://localhost:5601/api/saved_objects/_bulk_get' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '[{"type":"dashboard","id":"fffe5ab0-dc83-11ee-9093-372beb25d7b4"}]' \
  --compressed

Response:

{"statusCode":403,"error":"Forbidden","message":"Invalid saved objects permission"}

This command will be failed, the another-user doesn't have permission to related saved objects.

find all permitted workspaces

Since workspace is a hidden saved object, we can't call saved objects API directly. Call workspace list API instead.

• For admin

curl 'http://localhost:5601/api/workspaces/_list' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  -H 'Content-Type: application/json' \
  --data-raw '{}' \
  --compressed

This above command will list all permitted workspaces for admin user. They will includes admin-only-workspaces.

• For another-user

curl 'http://localhost:5601/api/workspaces/_list' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  -H 'Content-Type: application/json' \
  --data-raw '{}' \
  --compressed

This above command will list all permitted workspaces for another-user user. They won't includes admin-only-workspaces.

find all permitted saved objects in specific workspaces

curl 'http://localhost:5601/api/saved_objects/_find?workspaces=GVnXDv&type=dashboard' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

The admin user has permission to admin-only-workspaces. So this find API will return all dashboard saved objects inner admin-only-workspace.

find saved objects in not permitted workspaces

curl 'http://localhost:5601/api/saved_objects/_find?workspaces=GVnXDv&type=dashboard' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

The another user doesn't has permission to admin-only-workspaces. So this find API call will be failed.

update permitted dashboard

curl 'http://localhost:5601/api/saved_objects/dashboard/87af5db0-dc52-11ee-acaf-4d315f971049' \
  -X 'PUT' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  -H 'Content-Type: application/json' \
  --data-raw '{"attributes":{"title":"test-dashboard-admin-new"}}' \
  --compressed

This command should be succeed, since call update the dashboard API with a permitted user.

update not permitted dashboards

curl 'http://localhost:5601/api/saved_objects/dashboard/87af5db0-dc52-11ee-acaf-4d315f971049' \
  -X 'PUT' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  -H 'Content-Type: application/json' \
  --data-raw '{"attributes":{"title":"test-dashboard-admin-new"}}' \
  --compressed

{"statusCode":403,"error":"Forbidden","message":"Invalid saved objects permission"}

This command should be failed, another-user doesn't have library_write permission to the workspace. The update operation should be denied.

update permitted workspace

curl 'http://localhost:5601/api/workspaces/GVnXDv' \
 -X 'PUT' \
 -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
 -H 'osd-version: 3.0.0' \
 -H 'osd-xsrf: osd-fetch' \
 -H 'Content-Type: application/json' \
 --data-raw '{"attributes":{"name":"admin-only-workspace-new-new"},"permissions": {"write": {"users": ["admin"]},"library_write": {"users": ["admin"]}}}' \
 --compressed

This command should be succeed, the workspace type saved object has permissions property. The admin is in the write principals list.

update not permitted workspace

curl 'http://localhost:5601/api/workspaces/GVnXDv' \
 -X 'PUT' \
 -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
 -H 'osd-version: 3.0.0' \
 -H 'osd-xsrf: osd-fetch' \
 -H 'Content-Type: application/json' \
 --data-raw '{"attributes":{"name":"admin-only-workspace-new"}}' \
 --compressed

This command should be failed, The another-user doesn't have corresponding write permission in the workspace type saved objects.

bulk update in permitted dashboards

curl 'http://localhost:5601/api/saved_objects/_bulk_update' \
  -X 'PUT' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '[{"type":"dashboard","id":"fffe5ab0-dc83-11ee-9093-372beb25d7b4","attributes":{"title":"bulk-update-dashboard"}}]' \
  --compressed

This command will be succeed. The admin user has library_write permission to every saved objects's workspace. It will return updated dashboards.

bulk update in not permitted dashboards

curl 'http://localhost:5601/api/saved_objects/_bulk_update' \
  -X 'PUT' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '[{"type":"dashboard","id":"fffe5ab0-dc83-11ee-9093-372beb25d7b4","attributes":{"title":"bulk-update-dashboard"}}]' \
  --compressed

This command will be failed. The another-user user doesn't have library_write permission to every saved objects's workspace.

delete not permitted dashboard

curl 'http://localhost:5601/api/saved_objects/dashboard/87af5db0-dc52-11ee-acaf-4d315f971049' \
  -X 'DELETE' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

Response

{"statusCode":403,"error":"Forbidden","message":"Invalid saved objects permission"}

delete permitted dashboard

curl 'http://localhost:5601/api/saved_objects/dashboard/87af5db0-dc52-11ee-acaf-4d315f971049' \
  -X 'DELETE' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

Response

{}

delete not permitted workspace

curl 'http://localhost:5601/api/workspaces/GVnXDv' \
 -X 'DELETE' \
 -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
 -H 'osd-version: 3.0.0' \
 -H 'osd-xsrf: osd-fetch' \
 --compressed

Response

{"success":false,"error":"Invalid saved objects permission"}

delete permitted workspace

curl 'http://localhost:5601/api/workspaces/GVnXDv' \
  -X 'DELETE' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

Response

{"success":true,"result":true}

Check List

• All tests pass
  • yarn test:jest
  • yarn test:jest_integration
• New functionality includes testing.
• New functionality has been documented.
• Update CHANGELOG.md
• Commits are signed per the DCO using --signoff

[codecov]

Codecov Report

Attention: Patch coverage is 85.58952% with 33 lines in your changes missing coverage. Please review.

Project coverage is 67.49%. Comparing base (7352365) to head (e50b60c).
Report is 555 commits behind head on main.

Files with missing lines	Patch %	Lines
src/plugins/workspace/server/routes/index.ts	17.64%	14 Missing ⚠️
..._objects/workspace_saved_objects_client_wrapper.ts	92.64%	3 Missing and 7 partials ⚠️
src/plugins/workspace/server/plugin.ts	72.72%	2 Missing and 1 partial ⚠️
src/plugins/workspace/server/workspace_client.ts	0.00%	3 Missing ⚠️
src/plugins/workspace/server/utils.ts	86.66%	0 Missing and 2 partials ⚠️
...gins/workspace/server/permission_control/client.ts	96.77%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6052      +/-   ##
==========================================
- Coverage   67.50%   67.49%   -0.01%     
==========================================
  Files        3370     3376       +6     
  Lines       65467    65783     +316     
  Branches    10564    10637      +73     
==========================================
+ Hits        44192    44401     +209     
- Misses      18700    18798      +98     
- Partials     2575     2584       +9     

Flag	Coverage Δ
Linux_1	32.60% <78.60%> (+0.42%)	⬆️
Linux_2	55.60% <100.00%> (+0.02%)	⬆️
Linux_3	44.81% <0.00%> (-0.12%)	⬇️
Linux_4	35.04% <0.00%> (-0.08%)	⬇️
Windows_1	32.62% <78.60%> (+0.39%)	⬆️
Windows_2	55.57% <100.00%> (+0.02%)	⬆️
Windows_3	44.83% <0.00%> (-0.12%)	⬇️
Windows_4	35.04% <0.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ashwin-pc]

@wanglam How can i validate this change? Can ou add testing instructions to the PR description? It makes reviewing PR's a lot easier

[wanglam]

@wanglam How can i validate this change? Can ou add testing instructions to the PR description? It makes reviewing PR's a lot easier

Hi Ashwin, I think we can follow the integration testing file (src/plugins/workspace/server/saved_objects/integration_tests/workspace_saved_objects_client_wrapper.test.ts) to do tests and validate this change. I will update the PR description later about how to call workspace CRUD and saved objects API to manual validate all changes.

[Flyingliuhub]

It seems this error doesn't caused by current PR. I've tested in the main branch and try to create workspace with permissions property using devtools. It throw the same error. I've created an issue(#6314) to track this bug. It should be fixed in the future PR. We can add opensearch_security.multitenancy.enabled: false to the opensearch_dashboards.yml to bypass this error.

Thanks @wanglam, it seems like that we need to comment out all the feature flags for opensearch_security., not only for opensearch_security.multitenancy.enabled

workspace.enabled: true

@Flyingliuhub I tried the same curl command in my local env(security dashboard plugin enabled), with workspace feature flag enabled and savedObjects.permissions disabled. It works fine. curl command:
I guess it may due to your code is not up-to-date. Could you please provide the commit id in your local env and try pull the latest code to verify?

The commit which I used is that commit 76523f5 (HEAD -> feat-add-permission-control-for-workspace) Author: Lin Wang [email protected] Date: Fri Mar 22 01:52:10 2024 +0800

Refactor permissions field in workspace create and update API

Signed-off-by: Lin Wang <[email protected]>

It seems this error doesn't caused by current PR. I've tested in the main branch and try to create workspace with permissions property using devtools. It throw the same error. I've created an issue(#6314) to track this bug. It should be fixed in the future PR. We can add opensearch_security.multitenancy.enabled: false to the opensearch_dashboards.yml to bypass this error.

I got the same issue when I comment out all the multienancy. my configuration as following and enabled security plugin, and I pull the latest commit from your PR as well

server.host: "0.0.0.0"
opensearch.hosts: ["https://localhost:9200"]
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.ssl.verificationMode: none
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
workspace.enabled: true
savedObjects.permission.enabled: true

{"success":false,"error":"mapping set to strict, dynamic introduction of [permissions] within [_doc] is not allowed: strict_dynamic_mapping_exception: [strict_dynamic_mapping_exception] Reason: mapping set to strict, dynamic introduction of [permissions] within [_doc] is not allowed"}

commit ee41fb5fb478783b70be9f5396e4d58d03353109 (HEAD -> feat-add-permission-control-for-workspace)
Merge: 94dafe5314 8810f08516
Author: Lin Wang <[email protected]>
Date:   Tue Apr 2 16:51:23 2024 +0800

    Merge remote-tracking branch 'origin/main' into feat-add-permission-control-for-workspace
    
    Signed-off-by: Lin Wang <[email protected]>

[SuZhou-Joe]

LGTM

[wanglam]

It seems this error doesn't caused by current PR. I've tested in the main branch and try to create workspace with permissions property using devtools. It throw the same error. I've created an issue(#6314) to track this bug. It should be fixed in the future PR. We can add opensearch_security.multitenancy.enabled: false to the opensearch_dashboards.yml to bypass this error.

Thanks @wanglam, it seems like that we need to comment out all the feature flags for opensearch_security., not only for opensearch_security.multitenancy.enabled

workspace.enabled: true

@Flyingliuhub I tried the same curl command in my local env(security dashboard plugin enabled), with workspace feature flag enabled and savedObjects.permissions disabled. It works fine. curl command:
I guess it may due to your code is not up-to-date. Could you please provide the commit id in your local env and try pull the latest code to verify?

The commit which I used is that commit 76523f5 (HEAD -> feat-add-permission-control-for-workspace) Author: Lin Wang [email protected] Date: Fri Mar 22 01:52:10 2024 +0800

Refactor permissions field in workspace create and update API

Signed-off-by: Lin Wang <[email protected]>

It seems this error doesn't caused by current PR. I've tested in the main branch and try to create workspace with permissions property using devtools. It throw the same error. I've created an issue(#6314) to track this bug. It should be fixed in the future PR. We can add opensearch_security.multitenancy.enabled: false to the opensearch_dashboards.yml to bypass this error.

I got the same issue when I comment out all the multienancy. my configuration as following and enabled security plugin, and I pull the latest commit from your PR as well

server.host: "0.0.0.0"
opensearch.hosts: ["https://localhost:9200"]
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.ssl.verificationMode: none
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
workspace.enabled: true
savedObjects.permission.enabled: true

{"success":false,"error":"mapping set to strict, dynamic introduction of [permissions] within [_doc] is not allowed: strict_dynamic_mapping_exception: [strict_dynamic_mapping_exception] Reason: mapping set to strict, dynamic introduction of [permissions] within [_doc] is not allowed"}

commit ee41fb5fb478783b70be9f5396e4d58d03353109 (HEAD -> feat-add-permission-control-for-workspace)
Merge: 94dafe5314 8810f08516
Author: Lin Wang <[email protected]>
Date:   Tue Apr 2 16:51:23 2024 +0800

    Merge remote-tracking branch 'origin/main' into feat-add-permission-control-for-workspace
    
    Signed-off-by: Lin Wang <[email protected]>

The yarn start:security --no-base-path command will override the opensearch_security.multitenancy.enabled in opensearch_dashboards.yml. It will set multitenancy enabled to true even using false in opensearch_dashboards.yml. We can change to use yarn start --no-base-path to start the OSD server. Then the multitenancy can be turn off. The test can be run as expect.

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch-Dashboards/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch-Dashboards/backport-2.x
# Create a new branch
git switch --create backport/backport-6052-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 fb31b2def6a6200425492d772a8d0b1bdfcbe132
# Push it to GitHub
git push --set-upstream origin backport/backport-6052-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch-Dashboards/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-6052-to-2.x.