Deprecate the kibana reserved user; introduce kibana_system user #54967
Conversation
legrego
force-pushed
the
security/deprecate-kibana-user
branch
from
b974c0c to
601b05c
Compare
|
Pinging @elastic/es-security (:Security/Security) |
legrego
force-pushed
the
security/deprecate-kibana-user
branch
from
601b05c to
6813965
Compare
legrego
force-pushed
the
security/deprecate-kibana-user
branch
2 times, most recently
from
6e9c434 to
ef8452a
Compare
legrego
force-pushed
the
security/deprecate-kibana-user
branch
from
ef8452a to
7bc702d
Compare
|
@elasticmachine merge upstream |
|
I can't figure out why the |
| @@ -125,10 +126,22 @@ public void testAuthenticationDisabledUserWithStoredPassword() throws Throwable | |||
| verifySuccessfulAuthentication(false); | |||
| } | |||
|
|
|||
| public void testLogDeprecatedUser() throws Exception { | |||
There was a problem hiding this comment.
I don't love this test because it's fixed on the single deprecated kibana user, and won't work once we actually remove this user. I'm open to suggestions on how to rewrite this more generically, because it wasn't immediately obvious to me.
I could make the logDeprercatedUser method public so that it's testable on its own, but that didn't seem like the right solution either.
There was a problem hiding this comment.
I think this is fine, but I would go with:
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmTests.java
@@ -126,16 +126,13 @@ public class ReservedRealmTests extends ESTestCase {
verifySuccessfulAuthentication(false);
}
- public void testLogDeprecatedUser() throws Exception {
- final User expected = new KibanaUser(true);
- this.verifySuccessfulAuthenticationForUser(expected, true);
- assertWarnings("The user [kibana] is deprecated and will be removed in a future version of Elasticsearch. " +
- "Please use the [kibana_system] user instead.");
- }
-
private void verifySuccessfulAuthentication(boolean enabled) throws Exception {
final User expectedUser = randomReservedUser(enabled);
this.verifySuccessfulAuthenticationForUser(expectedUser, enabled);
+ if (new KibanaUser(enabled).equals(expectedUser)) {
+ assertWarnings("The user [kibana] is deprecated and will be removed in a future version of Elasticsearch. " +
+ "Please use the [kibana_system] user instead.");
+ }
}
private void verifySuccessfulAuthenticationForUser(User expectedUser, boolean enabled) throws Exception {
There was a problem hiding this comment.
Overall this looks OK.
But the setup password tool needs more thought. I suggest we prompt only once and set the input password for both users.
Also, docs need to be updated. Here's the list of files that refer to the kibana built-in user, and should instead refer to kibana_system:
- x-pack/docs/en/security/authentication/built-in-users.asciidoc
- x-pack/docs/en/security/auditing/output-logfile.asciidoc
- x-pack/docs/en/security/get-started-kibana-users.asciidoc
- x-pack/docs/en/security/get-started-builtin-users.asciidoc
- x-pack/docs/en/security/auditing/output-logfile.asciidoc
- x-pack/docs/en/security/securing-communications/tutorial-tls-internode.asciidoc
Assuming we plan to remove the kibana user in 8, we should drop a line about it in docs/reference/migration/migrate_8_0/security.asciidoc
| public static final List<String> USERS = asList(ElasticUser.NAME, APMSystemUser.NAME, KibanaUser.NAME, LogstashSystemUser.NAME, | ||
| BeatsSystemUser.NAME, RemoteMonitoringUser.NAME); | ||
| public static final List<String> USERS = asList(ElasticUser.NAME, APMSystemUser.NAME, KibanaUser.NAME, KibanaSystemUser.NAME, | ||
| LogstashSystemUser.NAME, BeatsSystemUser.NAME, RemoteMonitoringUser.NAME); | ||
|
|
There was a problem hiding this comment.
I think it's cumbersome on the user to have password prompts for both kibana and kibana_system.
I suggest we display the prompt for the new kibana_system user and also set the same password for the kibana user.
There was a problem hiding this comment.
Good point, I agree this is cumbersome. I'll take a stab at updating the SetupPasswordTool to support this
| @@ -125,10 +126,22 @@ public void testAuthenticationDisabledUserWithStoredPassword() throws Throwable | |||
| verifySuccessfulAuthentication(false); | |||
| } | |||
|
|
|||
| public void testLogDeprecatedUser() throws Exception { | |||
There was a problem hiding this comment.
I think this is fine, but I would go with:
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmTests.java
@@ -126,16 +126,13 @@ public class ReservedRealmTests extends ESTestCase {
verifySuccessfulAuthentication(false);
}
- public void testLogDeprecatedUser() throws Exception {
- final User expected = new KibanaUser(true);
- this.verifySuccessfulAuthenticationForUser(expected, true);
- assertWarnings("The user [kibana] is deprecated and will be removed in a future version of Elasticsearch. " +
- "Please use the [kibana_system] user instead.");
- }
-
private void verifySuccessfulAuthentication(boolean enabled) throws Exception {
final User expectedUser = randomReservedUser(enabled);
this.verifySuccessfulAuthenticationForUser(expectedUser, enabled);
+ if (new KibanaUser(enabled).equals(expectedUser)) {
+ assertWarnings("The user [kibana] is deprecated and will be removed in a future version of Elasticsearch. " +
+ "Please use the [kibana_system] user instead.");
+ }
}
private void verifySuccessfulAuthenticationForUser(User expectedUser, boolean enabled) throws Exception {
albertzaharovits
added
:Security/Authentication
…lasticsearch into security/deprecate-kibana-user
…ty/deprecate-kibana-user
|
@elasticmachine merge upstream |
…ty/deprecate-kibana-user
…lasticsearch into security/deprecate-kibana-user
|
@albertzaharovits thanks for the review. I took a shot at your suggestion to automatically set the |
|
@elasticmachine update branch |
This should do it. The warning you get is an an |
|
|
||
| Users who were previously assigned the `kibana_user` role should instead be assigned | ||
| the `kibana_admin` role. This role grants the same set of privileges as `kibana_user`, but has been | ||
| renamed to better reflect its intended use. |
There was a problem hiding this comment.
This notice looks dope 👍
|
@albertzaharovits Thanks for the suggested edit for the integration test. I was initially considering something like that, but it felt a bit fragile, so I wasn't sure if there was a pattern used elsewhere that I wasn't aware of. I'll fix this test shortly and get a new version up here for re-review 👍 |
I don't mind taking this on, I'll bug you if I run into any issues :) |
Deprecates the reserved
kibanauser in favor of a newkibana_systemuser with an identical set of privileges.This uses the same
_deprecatedand_deprecated_reasonmetadata attributes that we use to denote deprecated roles. Similarly, this logs a deprecation warning when a deprecated user successfully authenticates to Elasticsearch.Partially addresses elastic/kibana#25879
Companion PRs:
elastic/stack-docs#991
elastic/kibana#63186