[Security] Moved reset_creds call to reset_internal_creds #176410

Merged
merged 8 commits into from
Feb 13, 2024


@dkirchan dkirchan commented Feb 7, 2024

Summary

Actions needed following the email that was sent about the breaking change:

API: rather than returning credentials for a privileged "elastic" user, we'll return credentials for a much-less privileged "admin" user. Note this is the user that can be manipulated by customers. This new user won't be an "operator" user anymore: any test that relies on this user being able to do things such as retrieving the cluster health, role mappings, node stats, etc. would therefore break.

A second set of credentials can be retrieved for a privileged "testing-internal" user through a dedicated API endpoint.
To retrieve credentials for that user, please update your automation with a small change:

  1. rather than calling the _reset-credentials endpoint, please call the _reset-internal-credentials
  2. remove any hard-coded reference of the "elastic" user: the new username is returned in the API response
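
A check for the two migration steps in the description above, as an added example that is not part of the pull request or the Kibana code base. Only the endpoint names and the "elastic" username come from the page; the sample snippets, the `post` helper, the `creds.username` field name and the rule labels are constructed for illustration.

```typescript
// Audits automation source text for the two things the PR description asks to change:
//   1. calls to the old _reset-credentials endpoint
//   2. a hard-coded "elastic" username literal
interface Finding {
  line: number;
  rule: 'old-endpoint' | 'hardcoded-elastic-user';
  text: string;
}

// Matches `_reset-credentials` but not `_reset-internal-credentials`.
const OLD_ENDPOINT = /_reset-credentials\b/;
// A quoted literal that is exactly elastic ('elastic', "elastic" or `elastic`).
// Heuristic: any such literal is flagged, whatever it is used for.
const HARDCODED_USER = /(["'`])elastic\1/;

function auditSource(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split('\n').forEach((text, i) => {
    const line = i + 1;
    if (OLD_ENDPOINT.test(text)) {
      findings.push({ line, rule: 'old-endpoint', text: text.trim() });
    }
    if (HARDCODED_USER.test(text)) {
      findings.push({ line, rule: 'hardcoded-elastic-user', text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample: automation as it might look before the change.
const SAMPLE_BEFORE = [
  "const creds = await post(projectUrl + '/_reset-credentials');",
  "const auth = { username: 'elastic', password: creds.password };",
].join('\n');

// Constructed sample: the same automation after both steps (field names assumed).
const SAMPLE_AFTER = [
  "const creds = await post(projectUrl + '/_reset-internal-credentials');",
  "const auth = { username: creds.username, password: creds.password };",
].join('\n');

for (const f of auditSource(SAMPLE_BEFORE)) {
  console.log(`line ${f.line}: ${f.rule}: ${f.text}`);
}
```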

@apmmachine

🤖 GitHub comments

Just comment with:

  • /oblt-deploy : Deploy a Kibana instance using the Observability test environments.
  • /oblt-deploy-serverless : Deploy a serverless Kibana instance using the Observability test environments.
  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@dkirchan dkirchan marked this pull request as ready for review February 9, 2024 14:51
@dkirchan dkirchan self-assigned this Feb 9, 2024
@dkirchan dkirchan added release_note:skip Skip the PR/issue when compiling release notes backport:skip This commit does not require backporting Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Feb 9, 2024
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@dkirchan dkirchan requested a review from a team as a code owner February 9, 2024 14:55
@MadameSheema MadameSheema left a comment

LGTM!!! Thanks!! :)

@maximpn maximpn left a comment

@dkirchan thank you for updating the user related logic promptly 👍

@kibana-ci

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #44 / Screenshots - serverless observability UI response ops docs observability connectors server log connector "before each" hook for "server log connector screenshots"
  • [job] [logs] FTR Configs #61 / X-Pack Accessibility Tests - Group 2 transform Accessibility for user with full Transform access with data loaded "after all" hook for "runs the latest transform and displays management page"

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @dkirchan

@dkirchan dkirchan merged commit 28d46a8 into main Feb 13, 2024
36 checks passed
@dkirchan dkirchan deleted the reset-creds-update branch February 13, 2024 15:35
CoenWarmer pushed a commit to CoenWarmer/kibana that referenced this pull request Feb 15, 2024
…6410)

## Summary

Actions needed following the email that was sent about the breaking
change:

> API: rather than returning credentials for a privileged "elastic"
user, [we'll return](https://elasticco.atlassian.net/browse/CP-5477)
credentials for a much-less privileged "admin" user. Note this is the
user that can be manipulated by customers. This new user won't be an
"operator" user anymore: any test that relies on this user being able to
do things such as retrieving the cluster health, role mappings, node
stats, etc. would therefore break.

> A second set of credentials can be retrieved for a privileged
"testing-internal" user through a dedicated API endpoint.
To retrieve credentials for that user, please update your automation
with a small change:
> 1. rather than calling the _reset-credentials endpoint, please call
the _reset-internal-credentials
> 2. remove any hard-coded reference of the "elastic" user: the new
username is returned in the API response

---------

Co-authored-by: Gloria Hornero <[email protected]>
fkanout pushed a commit to fkanout/kibana that referenced this pull request Mar 4, 2024
Labels
backport:skip This commit does not require backporting release_note:skip Skip the PR/issue when compiling release notes Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.13.0