Three weeks ago, on May 6th, we announced the availability of TheHive 4.0 RC-2 release and the active community made the usual hard work of testing the release to find bugs and ask for enhancements.
Special thanks to Christopher, alias crackytsi who has already created 122 Github issues, 11 of them are just for 4.0-RC-3 milestone.
We are thrilled to present our third release candidate before the final release of TheHive 4. As the RC-2, this milestone brings new features and fixes a nice set of issues.
This blog post will focus on the following new features:
- Multi-orgs users
- Switch organisation
- OAuth2
- Migration tool performance
- Case sharing overview
If you are curious about all the issues that have been addressed, you can read the full changelog
Multi-orgs users
This feature doesn’t introduce UI changes, but it allows a superadmin or an org-admin to add an existing user to an organisation.
Users in TheHive 4 are identified by their email addresses, so when an administrator adds a new user, with an email address that already exists, TheHive 4 links that existing user to the organisation being updated.
This ends up with a single User record on the database, linked to multiple organisations. Thanks to the new graph data model. This means the given user has:
- the same credentials
- the same api key, if enabled
- the same 2FA settings, if enables
- the same status (locked or not)
With that being said, the user can have a different profile for on the organisation (s)he belongs to.
What happens when a user is logged in?
As we mentioned earlier, a user belonging to several organisations, has the same authentication settings, and after the login, his/her workspace is opened with the context of the first organisation (s)he has been created on.
For example, if John was firstly created on the *SocLevel2* organisation, and was later attached to *CTI* organisation, then after signing in, the user is redirected to the workspace of *SocLevel2* organisation.
Future improvements
We will consider allowing the user to define a default organisation to be displayed juste after the login. We are examining the possibility to allow the user to define a default organisation to be displayed just after the login process. Hopefully, we will be able to add this feature in TheHive 4.0.0 release.
Switch organisation
This feature empowers the multi-tenancy capabilities brought to you by TheHive 4. Following what has been showcased above, how can a user, who belongs to more than one organisation, switch between his/her tenants?
The UI introduces a simple feature, available to “multi-org” users only, as a button on the right hand side of the page’s header, aka. the navigation bar.
This button is just hidden for users who belong to a single organisation.
Once clicked, that button show a dialog that displays the following details:
- user’s organisations
- user’s profile on each organisation
- the current organisation
Clicking on an item of this list, refreshes the page by loading the context of the selected organisation, and the UI behaves like if the user was logged in a a member of that selected organisation.
Very useful.
OAuth2
We had a considerable amount of users asking for SSO and OAuth support in TheHive. We tried to make it more robust in TheHive 4, and let it rely on a redirectUri provided by the backend (/api/ssoLogin) instead of the old redirectUri that some OAuth providers don’t support (index.html/#!/ssoLogin).
In TheHive 4.0 RC-2, OAuth 2 partially worked, and failed to redirect the user to the home page after the authentication success. Yes, sorry for that.
We spent some time testing the new implementation. We will devote some blog posts to it, but firstly, here is a working example relying on Keycloak
auth {
providers: [
{name: session} # required !
{name: basic, realm: thehive}
{name: local}
{name: key}
{
##############
# Keycloak
##############
name: oauth2
clientId: "CLIENT_ID"
clientSecret: "CLIENT_SECRET" # or empty
redirectUri: "http://THEHIVE/api/ssoLogin"
responseType: "code"
grantType: "authorization_code"
authorizationUrl: "http://KEYCLOAK/auth/realms/TENANT/protocol/openid-connect/auth"
authorizationHeader: "Bearer"
tokenUrl: "http://KEYCLOAK/auth/realms/TENANT/protocol/openid-connect/token"
userUrl: "http://KEYCLOAK/auth/realms/TENANT/protocol/openid-connect/userinfo"
scope: ["openid", "email"]
userIdField: "email"
}
]
}After a question asked on Twitter, we tried to test our OAuth implementation with the providers mentioned in the answers, and we have successfully tested:
Migration tool performance
The migration tool we implemented in TheHive 4.0 RC-2 suffered from important performance issues as a result of our desire for a clean design.
In fact, enabling database locks during a parallelised and asynchronous processing of the migration operations produce a migration tool with poor performance.
We changed the strategy, by disabling locks and programmatically handling duplicates if they happen. This ended by a significant improvement of performance
We hope you can test it and provide us with your feedback.
Case sharing overview
Case sharing is the most important feature that the multi-tenancy support adds to TheHive. Allowing users to quickly spot if a case is owned or is coming from a share (made by another organisation) improves the user’s experience.
The other handy information is: the number of organisations having access to a certain case
This screenshot shows all the case sharing related UI element:
- The blue line, indicates that the case is coming from another organisation
- The green line, indicates that the case is owned by the current organisation
- The red line, highlights the column that show the number of organisation having access to the corresponding case
How to report issues
Please open an issue on GitHub using the template made for TheHive4 if you’d like to report a bug on this version. We will monitor those closely and respond accordingly.
TheHive Project 