Merge branch 'LuD1161/pull-analytics-branch' into eng-42/workflow-analytics-dashboards

LuD1161 · LuD1161 · commit 000fe035cd8f · 2026-02-06T13:19:38.000-05:00
diff --git a/backend/src/analytics/opensearch-tenant.service.ts b/backend/src/analytics/opensearch-tenant.service.ts
@@ -172,18 +172,20 @@ export class OpenSearchTenantService {
 
   /**
    * Creates a read-only customer role for the organization.
-   * Grants read access to security-findings-{orgId}-* indices.
+   * Grants read-only access to security findings indices, plus the minimum
+   * Dashboards/Notifications permissions required for tenant-scoped UI usage.
    */
   private async createCustomerRole(orgId: string): Promise<void> {
     const roleName = `customer_${orgId}_ro`;
     const url = `${this.opensearchUrl}/_plugins/_security/api/roles/${roleName}`;
+    const tenantSavedObjectsPattern = `.kibana_*_${orgId.replace(/[^a-z0-9]/g, '')}*`;
 
     const roleDefinition = {
       cluster_permissions: [
         'cluster_composite_ops_ro',
         // Required for Dashboards saved objects (bulk writes to .kibana_* tenant indices)
         'indices:data/write/bulk',
-        // Alerting: monitor CRUD, execution, alerts, and destinations
+        // Alerting: monitor CRUD, execution, alerts, and destinations (legacy endpoints)
         'cluster:admin/opendistro/alerting/monitor/get',
         'cluster:admin/opendistro/alerting/monitor/search',
         'cluster:admin/opendistro/alerting/monitor/write',
@@ -193,12 +195,30 @@ export class OpenSearchTenantService {
         'cluster:admin/opendistro/alerting/destination/get',
         'cluster:admin/opendistro/alerting/destination/write',
         'cluster:admin/opendistro/alerting/destination/delete',
+        // Notifications plugin (OpenSearch 2.x): channel features + config CRUD
+        'cluster:admin/opensearch/notifications/features',
+        'cluster:admin/opensearch/notifications/configs/get',
+        'cluster:admin/opensearch/notifications/configs/create',
+        'cluster:admin/opensearch/notifications/configs/update',
+        'cluster:admin/opensearch/notifications/configs/delete',
       ],
       index_permissions: [
         {
           index_patterns: [`security-findings-${orgId}-*`],
           allowed_actions: ['read', 'indices:data/read/*'],
         },
+        {
+          // Tenant-scoped Dashboards saved objects index alias/index
+          index_patterns: [tenantSavedObjectsPattern],
+          allowed_actions: [
+            'read',
+            'write',
+            'create_index',
+            'indices:data/read/*',
+            'indices:data/write/*',
+            'indices:admin/mapping/put',
+          ],
+        },
       ],
       tenant_permissions: [
         {
diff --git a/docker/docker-compose.dev-ports.yml b/docker/docker-compose.dev-ports.yml
@@ -1,15 +1,49 @@
 # Development Ports Overlay
 #
 # WARNING: These ports bypass ALL nginx authentication!
-# Use ONLY for local development where direct OpenSearch/Dashboards access is needed.
+# Use ONLY for local development where direct service access is needed.
 #
 # Usage:
 #   docker compose -f docker-compose.infra.yml -f docker-compose.dev-ports.yml up -d
 #
-# This overlay exposes OpenSearch and Dashboards ports on loopback (127.0.0.1) only,
+# This overlay exposes all service ports on loopback (127.0.0.1) only,
 # preventing external network access while allowing local development tools to connect.
 
 services:
+  postgres:
+    ports:
+      - "127.0.0.1:5433:5432"
+
+  temporal:
+    ports:
+      - "127.0.0.1:7233:7233"
+
+  temporal-ui:
+    ports:
+      - "127.0.0.1:8081:8080"
+
+  minio:
+    ports:
+      - "127.0.0.1:9000:9000"
+      - "127.0.0.1:9001:9001"
+
+  redis:
+    ports:
+      - "127.0.0.1:6379:6379"
+
+  loki:
+    ports:
+      - "127.0.0.1:3100:3100"
+
+  redpanda:
+    ports:
+      - "127.0.0.1:9092:9092"
+      - "127.0.0.1:9644:9644"
+
+  redpanda-console:
+    ports:
+      - "127.0.0.1:8082:8080"
+
   opensearch:
     ports:
       - "127.0.0.1:9200:9200"
diff --git a/docker/docker-compose.full.yml b/docker/docker-compose.full.yml
@@ -8,8 +8,9 @@ services:
       POSTGRES_PASSWORD: shipsec
       POSTGRES_DB: shipsec
       POSTGRES_MULTIPLE_DATABASES: temporal
-    ports:
-      - "5433:5432"
+    # Internal only - no direct port access in production
+    expose:
+      - "5432"
     volumes:
       - postgres_data:/var/lib/postgresql/data
       - ./init-db:/docker-entrypoint-initdb.d
@@ -34,8 +35,8 @@ services:
       - POSTGRES_PWD=shipsec
       - POSTGRES_SEEDS=postgres
       - AUTO_SETUP=true
-    ports:
-      - "7233:7233"
+    expose:
+      - "7233"
     volumes:
       - temporal_data:/var/lib/temporal
     restart: unless-stopped
@@ -51,8 +52,8 @@ services:
     environment:
       - TEMPORAL_ADDRESS=temporal:7233
       - TEMPORAL_NAMESPACE=default
-    ports:
-      - "8081:8080"
+    expose:
+      - "8080"
     depends_on:
       - temporal
     restart: unless-stopped
@@ -69,9 +70,9 @@ services:
     environment:
       MINIO_ROOT_USER: minioadmin
       MINIO_ROOT_PASSWORD: minioadmin
-    ports:
-      - "9000:9000"
-      - "9001:9001"
+    expose:
+      - "9000"
+      - "9001"
     volumes:
       - minio_data:/data
     restart: unless-stopped
@@ -85,8 +86,8 @@ services:
     image: grafana/loki:3.2.1
     container_name: shipsec-loki
     command: -config.file=/etc/loki/local-config.yaml
-    ports:
-      - "3100:3100"
+    expose:
+      - "3100"
     volumes:
       - ./loki/loki-config.yaml:/etc/loki/local-config.yaml
       - loki_data:/loki
@@ -100,8 +101,8 @@ services:
   redis:
     image: redis:latest
     container_name: shipsec-redis
-    ports:
-      - "6379:6379"
+    expose:
+      - "6379"
     volumes:
       - redis_data:/data
     restart: unless-stopped
@@ -124,9 +125,9 @@ services:
       - --node-id=0
       - --check=false
       - --advertise-kafka-addr=redpanda:9092
-    ports:
-      - "9092:9092"
-      - "9644:9644"
+    expose:
+      - "9092"
+      - "9644"
     volumes:
       - redpanda_data:/var/lib/redpanda/data
     restart: unless-stopped
@@ -143,8 +144,8 @@ services:
       - redpanda
     environment:
       CONFIG_FILEPATH: /etc/redpanda/console-config.yaml
-    ports:
-      - "8082:8080"
+    expose:
+      - "8080"
     volumes:
       - ./redpanda-console-config.yaml:/etc/redpanda/console-config.yaml:ro
     restart: unless-stopped
@@ -165,9 +166,9 @@ services:
       nofile:
         soft: 65536
         hard: 65536
-    ports:
-      - "9200:9200"
-      - "9600:9600"
+    expose:
+      - "9200"
+      - "9600"
     volumes:
       - opensearch_data:/usr/share/opensearch/data
     restart: unless-stopped
diff --git a/docker/docker-compose.infra.yml b/docker/docker-compose.infra.yml
@@ -7,8 +7,9 @@ services:
       POSTGRES_PASSWORD: shipsec
       POSTGRES_DB: shipsec
       POSTGRES_MULTIPLE_DATABASES: temporal
-    ports:
-      - "5433:5432"
+    # Internal only - use docker-compose.dev-ports.yml overlay for local dev access
+    expose:
+      - "5432"
     volumes:
       - postgres_data:/var/lib/postgresql/data
       - ./init-db:/docker-entrypoint-initdb.d
@@ -33,8 +34,8 @@ services:
       - POSTGRES_PWD=shipsec
       - POSTGRES_SEEDS=postgres
       - AUTO_SETUP=true
-    ports:
-      - "7233:7233"
+    expose:
+      - "7233"
     volumes:
       - temporal_data:/var/lib/temporal
     restart: unless-stopped
@@ -47,8 +48,8 @@ services:
     environment:
       - TEMPORAL_ADDRESS=temporal:7233
       - TEMPORAL_CORS_ORIGINS=http://localhost:5173
-    ports:
-      - "8081:8080"
+    expose:
+      - "8080"
     restart: unless-stopped
 
   minio:
@@ -58,9 +59,9 @@ services:
     environment:
       MINIO_ROOT_USER: minioadmin
       MINIO_ROOT_PASSWORD: minioadmin
-    ports:
-      - "9000:9000"
-      - "9001:9001"
+    expose:
+      - "9000"
+      - "9001"
     volumes:
       - minio_data:/data
     restart: unless-stopped
@@ -73,8 +74,8 @@ services:
   redis:
     image: redis:latest
     container_name: shipsec-redis
-    ports:
-      - "6379:6379"
+    expose:
+      - "6379"
     volumes:
       - redis_data:/data
     restart: unless-stopped
@@ -88,8 +89,8 @@ services:
     image: grafana/loki:3.2.1
     container_name: shipsec-loki
     command: -config.file=/etc/loki/local-config.yaml
-    ports:
-      - "3100:3100"
+    expose:
+      - "3100"
     volumes:
       - ./loki/loki-config.yaml:/etc/loki/local-config.yaml
       - loki_data:/loki
@@ -113,9 +114,9 @@ services:
       - --node-id=0
       - --check=false
       - --advertise-kafka-addr=localhost:9092
-    ports:
-      - "9092:9092"
-      - "9644:9644"
+    expose:
+      - "9092"
+      - "9644"
     volumes:
       - redpanda_data:/var/lib/redpanda/data
     restart: unless-stopped
@@ -132,8 +133,8 @@ services:
       - redpanda
     environment:
       CONFIG_FILEPATH: /etc/redpanda/console-config.yaml
-    ports:
-      - "8082:8080"
+    expose:
+      - "8080"
     volumes:
       - ./redpanda-console-config.yaml:/etc/redpanda/console-config.yaml:ro
     restart: unless-stopped
diff --git a/docker/opensearch-dashboards.Dockerfile b/docker/opensearch-dashboards.Dockerfile
@@ -1,9 +1,11 @@
-FROM opensearchproject/opensearch-dashboards:2.11.1
+# Custom OpenSearch Dashboards image for SaaS tenant lockdown
+# Source: https://github.com/ShipSecAI/tools/tree/main/misc/opensearch-dashboards-saas
+#
+# Removes unwanted plugins from sidebar. Config-level disabling is NOT possible
+# because OSD 2.x plugins don't register an "enabled" config key (fatal error).
+# See the tools repo README for full documentation.
 
-# SaaS Tenant Lockdown - Remove plugins that tenants should not access
-# Allowed: Discover, Dashboards, Visualize, Alerting, Dev Tools, Home
-# Keeping: alertingDashboards, notificationsDashboards (alerting dependency),
-#          securityDashboards (proxy auth/multitenancy), ganttChartDashboards (viz type)
+FROM opensearchproject/opensearch-dashboards:2.11.1
 
 RUN /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin remove queryWorkbenchDashboards && \
     /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin remove reportsDashboards && \
diff --git a/docker/opensearch-security/roles.yml b/docker/opensearch-security/roles.yml
@@ -82,7 +82,7 @@ customer_template_rw:
     - "indices:data/read/scroll*"
     # Required for Dashboards saved objects (bulk writes to .kibana_* tenant indices)
     - "indices:data/write/bulk"
-    # Alerting: monitor CRUD, execution, alerts, and destinations
+    # Alerting: monitor CRUD, execution, alerts, and destinations (legacy endpoints)
     - "cluster:admin/opendistro/alerting/monitor/get"
     - "cluster:admin/opendistro/alerting/monitor/search"
     - "cluster:admin/opendistro/alerting/monitor/write"
@@ -92,6 +92,12 @@ customer_template_rw:
     - "cluster:admin/opendistro/alerting/destination/get"
     - "cluster:admin/opendistro/alerting/destination/write"
     - "cluster:admin/opendistro/alerting/destination/delete"
+    # Notifications plugin (OpenSearch 2.x): channel features + config CRUD
+    - "cluster:admin/opensearch/notifications/features"
+    - "cluster:admin/opensearch/notifications/configs/get"
+    - "cluster:admin/opensearch/notifications/configs/create"
+    - "cluster:admin/opensearch/notifications/configs/update"
+    - "cluster:admin/opensearch/notifications/configs/delete"
   index_permissions:
     - index_patterns:
         - "CUSTOMER_ID_PLACEHOLDER-*"
@@ -102,6 +108,15 @@ customer_template_rw:
         - "indices:data/read/*"
         - "indices:data/write/*"
         - "indices:admin/mapping/put"
+    - index_patterns:
+        - ".kibana*"
+      allowed_actions:
+        - "read"
+        - "write"
+        - "create_index"
+        - "indices:data/read/*"
+        - "indices:data/write/*"
+        - "indices:admin/mapping/put"
   tenant_permissions:
     - tenant_patterns:
         - "CUSTOMER_ID_PLACEHOLDER"
@@ -118,7 +133,7 @@ customer_template_ro:
     - "cluster_composite_ops_ro"
     # Required for Dashboards saved objects (bulk writes to .kibana_* tenant indices)
     - "indices:data/write/bulk"
-    # Alerting: monitor CRUD, execution, alerts, and destinations
+    # Alerting: monitor CRUD, execution, alerts, and destinations (legacy endpoints)
     - "cluster:admin/opendistro/alerting/monitor/get"
     - "cluster:admin/opendistro/alerting/monitor/search"
     - "cluster:admin/opendistro/alerting/monitor/write"
@@ -128,12 +143,27 @@ customer_template_ro:
     - "cluster:admin/opendistro/alerting/destination/get"
     - "cluster:admin/opendistro/alerting/destination/write"
     - "cluster:admin/opendistro/alerting/destination/delete"
+    # Notifications plugin (OpenSearch 2.x): channel features + config CRUD
+    - "cluster:admin/opensearch/notifications/features"
+    - "cluster:admin/opensearch/notifications/configs/get"
+    - "cluster:admin/opensearch/notifications/configs/create"
+    - "cluster:admin/opensearch/notifications/configs/update"
+    - "cluster:admin/opensearch/notifications/configs/delete"
   index_permissions:
     - index_patterns:
         - "CUSTOMER_ID_PLACEHOLDER-*"
       allowed_actions:
         - "read"
         - "indices:data/read/*"
+    - index_patterns:
+        - ".kibana*"
+      allowed_actions:
+        - "read"
+        - "write"
+        - "create_index"
+        - "indices:data/read/*"
+        - "indices:data/write/*"
+        - "indices:admin/mapping/put"
   tenant_permissions:
     - tenant_patterns:
         - "CUSTOMER_ID_PLACEHOLDER"
diff --git a/justfile b/justfile
