I have been going down the path of multi-tenancy where all tenant info is provided by the proxy. (We have way too many, and too fast changing tenants to maintain static config files).
The only docs I have found on how to do multi-tenant (with a selector) is [ROR ENTERPRISE] Feature Preview: Group/Tenancy Selector (Video). But this uses hard-coded values for tenants. Is that the only way to define tenants and for an admin to switch tenants?
But that still leaves the issue of how to get the group set without hard-coding in the rules?
I looked at the groups provider, but it seems that only the username is passed to it. In my case, I just came thru a proxy that had full access to the jwt and set headers. I really don’t want to bounce back out again to get a group which would just be the same as x-vi-plant in an existing header.
CGR seems to have been a decoy. I was using the kibana test data kibana_sample_data_ecommerce and the field customer_gender as a stand-in for plant. But the value I was passing in for x-vi-plant was “MALE” – uppercase, which is not a valid name for an index. This was of course logged by elasticsearch, but I was not looking at that log (in the terminal just below the ror log ).
A Kibana session should always have one and only one kibana index. The fact that in 6.5.x we have some calls being made to the default kibana index is a bug and we are at work trying to fix it.
Your workaround with the double block sounds legit.
about tenancy switcher using headers as authorization
ROR cannot anticipate the whole set of headers values that the proxy can pass to it. And as a matter of fact, they are seen as headers, not groups. This is why with this configuration, you cannot have the tenancy selector menu.
Normally, with local groups and LDAP authorization, the information ROR can detect a user can belong to N > 1 tenancies, and introduces the drop down menu automatically.