From 03662f2f459a01261a7a67895b28d324240b30db Mon Sep 17 00:00:00 2001 From: Larry Gregory Date: Wed, 8 Apr 2020 15:52:36 -0400 Subject: [PATCH 1/7] deprecate kibana user in favor of kibana_system user --- config/kibana.yml | 2 +- docs/user/security/securing-kibana.asciidoc | 2 +- src/cli/serve/serve.js | 2 +- x-pack/plugins/security/common/model/user.ts | 2 + .../management/users/user_utils.test.ts | 53 +++++++++++++++++++ .../public/management/users/user_utils.ts | 14 +++++ .../users/users_grid/users_grid_page.test.tsx | 32 +++++++++++ .../users/users_grid/users_grid_page.tsx | 15 ++++-- 8 files changed, 116 insertions(+), 6 deletions(-) create mode 100644 x-pack/plugins/security/public/management/users/user_utils.test.ts diff --git a/config/kibana.yml b/config/kibana.yml index 0780841ca057e..8725888159506 100644 --- a/config/kibana.yml +++ b/config/kibana.yml @@ -40,7 +40,7 @@ # the username and password that the Kibana server uses to perform maintenance on the Kibana # index at startup. Your Kibana users still need to authenticate with Elasticsearch, which # is proxied through the Kibana server. -#elasticsearch.username: "kibana" +#elasticsearch.username: "kibana_system" #elasticsearch.password: "pass" # Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively. diff --git a/docs/user/security/securing-kibana.asciidoc b/docs/user/security/securing-kibana.asciidoc index 24aacd6a47626..8b01702fd61bd 100644 --- a/docs/user/security/securing-kibana.asciidoc +++ b/docs/user/security/securing-kibana.asciidoc @@ -31,7 +31,7 @@ file: [source,yaml] ----------------------------------------------- -elasticsearch.username: "kibana" +elasticsearch.username: "kibana_system" elasticsearch.password: "kibanapassword" ----------------------------------------------- diff --git a/src/cli/serve/serve.js b/src/cli/serve/serve.js index 29d0fe16ee126..471939121143a 100644 --- a/src/cli/serve/serve.js +++ b/src/cli/serve/serve.js 
@@ -79,7 +79,7 @@ function applyConfigOverrides(rawConfig, opts, extraCliOptions) { set('optimize.watch', true); if (!has('elasticsearch.username')) { - set('elasticsearch.username', 'kibana'); + set('elasticsearch.username', 'kibana_system'); } if (!has('elasticsearch.password')) { diff --git a/x-pack/plugins/security/common/model/user.ts b/x-pack/plugins/security/common/model/user.ts index e1bae2fc44e58..5c852e7a8f03d 100644 --- a/x-pack/plugins/security/common/model/user.ts +++ b/x-pack/plugins/security/common/model/user.ts @@ -12,6 +12,8 @@ export interface User { enabled: boolean; metadata?: { _reserved: boolean; + _deprecated?: boolean; + _deprecated_reason?: string; }; } diff --git a/x-pack/plugins/security/public/management/users/user_utils.test.ts b/x-pack/plugins/security/public/management/users/user_utils.test.ts new file mode 100644 index 0000000000000..572b94ab08037 --- /dev/null +++ b/x-pack/plugins/security/public/management/users/user_utils.test.ts 
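Review bot: The two fields added to `User.metadata` in x-pack/plugins/security/common/model/user.ts, `_deprecated` and `_deprecated_reason`, have no comment describing what they carry or how the reason text may be used. A short comment above them would help, for example `// Deprecation marker and free-text reason carried in the user's metadata; the reason is shown to administrators and must be rendered as plain text only.` The helper added in user_utils.ts interpolates the reason into a notice string, which suggests it is treated purely as display text. The interface body continues outside the hunk.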
@@ -0,0 +1,53 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { User } from '../../../common/model'; +import { isUserReserved, isUserDeprecated, getExtendedUserDeprecationNotice } from './user_utils'; + +describe('#isUserReserved', () => { + it('returns false for a user with no metadata', () => { + expect(isUserReserved({} as User)).toEqual(false); + }); + + it('returns false for a user with the reserved flag set to false', () => { + expect(isUserReserved({ metadata: { _reserved: false } } as User)).toEqual(false); + }); + + it('returns true for a user with the reserved flag set to true', () => { + expect(isUserReserved({ metadata: { _reserved: true } } as User)).toEqual(true); + }); +}); + +describe('#isUserDeprecated', () => { + it('returns false for a user with no metadata', () => { + expect(isUserDeprecated({} as User)).toEqual(false); + }); + + it('returns false for a user with the deprecated flag set to false', () => { + expect(isUserDeprecated({ metadata: { _deprecated: false } } as User)).toEqual(false); + }); + + it('returns true for a user with the deprecated flag set to true', () => { + expect(isUserDeprecated({ metadata: { _deprecated: true } } as User)).toEqual(true); + }); +}); + +describe('#getExtendedUserDeprecationNotice', () => { + it('returns a notice when no reason is provided', () => { + expect( + getExtendedUserDeprecationNotice({ username: 'test_user' } as User) + ).toMatchInlineSnapshot(`"The test_user user is deprecated. "`); + }); + + it('returns a notice augmented with reason when provided', () => { + expect( + getExtendedUserDeprecationNotice({ + username: 'test_user', + metadata: { _reserved: true, _deprecated_reason: 'some reason' }, + } as User) + ).toMatchInlineSnapshot(`"The test_user user is deprecated. 
some reason"`); + }); +}); diff --git a/x-pack/plugins/security/public/management/users/user_utils.ts b/x-pack/plugins/security/public/management/users/user_utils.ts index f46f6f897e23b..211aad904d466 100644 --- a/x-pack/plugins/security/public/management/users/user_utils.ts +++ b/x-pack/plugins/security/public/management/users/user_utils.ts @@ -4,6 +4,20 @@ * you may not use this file except in compliance with the Elastic License. */ +import { i18n } from '@kbn/i18n'; import { User } from '../../../common/model'; export const isUserReserved = (user: User) => user.metadata?._reserved ?? false; + +export const isUserDeprecated = (user: User) => user.metadata?._deprecated ?? false; + +export const getExtendedUserDeprecationNotice = (user: User) => { + const reason = user.metadata?._deprecated_reason ?? ''; + return i18n.translate('xpack.security.management.users.extendedUserDeprecationNotice', { + defaultMessage: `The {username} user is deprecated. {reason}`, + values: { + username: user.username, + reason, + }, + }); +}; diff --git a/x-pack/plugins/security/public/management/users/users_grid/users_grid_page.test.tsx b/x-pack/plugins/security/public/management/users/users_grid/users_grid_page.test.tsx index 031b67d5d9122..d3b85b83ff6a4 100644 --- a/x-pack/plugins/security/public/management/users/users_grid/users_grid_page.test.tsx +++ b/x-pack/plugins/security/public/management/users/users_grid/users_grid_page.test.tsx 
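Review bot: `getExtendedUserDeprecationNotice` returns a string with a trailing space when `_deprecated_reason` is absent, because the default message is `The {username} user is deprecated. {reason}` and `reason` falls back to `''`. The inline snapshot in user_utils.test.ts pins that output as `"The test_user user is deprecated. "`. Consider trimming the translated string (a `.trim()` on the result) and updating the snapshot. The reason text comes from user metadata and is passed through untranslated, so callers should keep rendering the notice as text rather than as markup. The three exported helpers would also read better with explicit return types (`: boolean`, `: string`).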
@@ -102,6 +102,38 @@ describe('UsersGridPage', () => { expect(findTestSubject(wrapper, 'userDisabled')).toHaveLength(1); }); + it('renders deprecated users', async () => { + const apiClientMock = userAPIClientMock.create(); + apiClientMock.getUsers.mockImplementation(() => { + return Promise.resolve([ + { + username: 'foo', + email: 'foo@bar.net', + full_name: 'foo bar', + roles: ['kibana_user'], + enabled: true, + metadata: { + _reserved: true, + _deprecated: true, + _deprecated_reason: 'This user is not cool anymore.', + }, + }, + ]); + }); + + const wrapper = mountWithIntl( + + ); + + await waitForRender(wrapper); + + expect(findTestSubject(wrapper, 'userDeprecated')).toHaveLength(1); + }); + it('renders a warning when a user is assigned a deprecated role', async () => { const apiClientMock = userAPIClientMock.create(); apiClientMock.getUsers.mockImplementation(() => { diff --git a/x-pack/plugins/security/public/management/users/users_grid/users_grid_page.tsx b/x-pack/plugins/security/public/management/users/users_grid/users_grid_page.tsx index 6837fcf430fe7..f8882129772f7 100644 --- a/x-pack/plugins/security/public/management/users/users_grid/users_grid_page.tsx +++ b/x-pack/plugins/security/public/management/users/users_grid/users_grid_page.tsx @@ -26,8 +26,8 @@ import { FormattedMessage } from '@kbn/i18n/react'; import { NotificationsStart } from 'src/core/public'; import { User, Role } from '../../../../common/model'; import { ConfirmDeleteUsers } from '../components'; -import { isUserReserved } from '../user_utils'; -import { DisabledBadge, ReservedBadge } from '../../badges'; +import { isUserReserved, getExtendedUserDeprecationNotice, isUserDeprecated } from '../user_utils'; +import { DisabledBadge, ReservedBadge, DeprecatedBadge } from '../../badges'; import { RoleTableDisplay } from '../../role_table_display'; import { RolesAPIClient } from '../../roles'; import { UserAPIClient } from '..'; 
@@ -360,6 +360,7 @@ export class UsersGridPage extends Component { private getUserStatusBadges = (user: User) => { const enabled = user.enabled; const reserved = isUserReserved(user); + const deprecated = isUserDeprecated(user); const badges = []; if (!enabled) { @@ -378,9 +379,17 @@ export class UsersGridPage extends Component { /> ); } + if (deprecated) { + badges.push( + + ); + } return ( - + {badges.map((badge, index) => ( {badge} From 44815259e84638378eef984a6cf3069b68f8bd20 Mon Sep 17 00:00:00 2001 From: Larry Gregory Date: Tue, 28 Apr 2020 11:24:34 -0400 Subject: [PATCH 2/7] add warning to edit user page --- .../users/edit_user/edit_user_page.test.tsx | 30 ++++++++++++++++ .../users/edit_user/edit_user_page.tsx | 35 ++++++++++++++----- 2 files changed, 56 insertions(+), 9 deletions(-) diff --git a/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.test.tsx b/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.test.tsx index be7517ff892b5..a97781ba25ea6 100644 --- a/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.test.tsx +++ b/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.test.tsx @@ -32,6 +32,14 @@ const createUser = (username: string, roles = ['idk', 'something']) => { }; } + if (username === 'deprecated_user') { + user.metadata = { + _reserved: true, + _deprecated: true, + _deprecated_reason: 'beacuse I said so.', + }; + } + return user; }; 
@@ -162,6 +170,28 @@ describe('EditUserPage', () => { expectSaveButton(wrapper); }); + it('warns when viewing a depreciated user', async () => { + const user = createUser('deprecated_user'); + const { apiClient, rolesAPIClient } = buildClients(user); + const securitySetup = buildSecuritySetup(); + + const wrapper = mountWithIntl( + + ); + + await waitForRender(wrapper); + expect(apiClient.getUser).toBeCalledTimes(1); + expect(securitySetup.authc.getCurrentUser).toBeCalledTimes(1); + + expect(findTestSubject(wrapper, 'deprecatedUserWarning')).toHaveLength(1); + }); + it('warns when user is assigned a deprecated role', async () => { const user = createUser('existing_user', ['deprecated-role']); const { apiClient, rolesAPIClient } = buildClients(user); diff --git a/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.tsx b/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.tsx index 6417ce81b647d..787f5b55b8ee9 100644 --- a/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.tsx +++ b/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.tsx @@ -35,6 +35,7 @@ import { RolesAPIClient } from '../../roles'; import { ConfirmDeleteUsers, ChangePasswordForm } from '../components'; import { UserValidator, UserValidationResult } from './validate_user'; import { RoleComboBox } from '../../role_combo_box'; +import { isUserDeprecated, getExtendedUserDeprecationNotice } from '../user_utils'; import { UserAPIClient } from '..'; interface Props { @@ -241,7 +242,7 @@ export class EditUserPage extends Component { return ( - {user.username === 'kibana' ? ( + {user.username === 'kibana' || user.username === 'kibana_system' ? ( { {reserved && ( - -
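Review bot: The new test title reads `warns when viewing a depreciated user`, while the feature, the helpers and the `deprecatedUserWarning` test subject all use "deprecated". Renaming it to `it('warns when viewing a deprecated user', async () => {` keeps the test findable by the same search term. The fixture added to `createUser` in the preceding hunk has a similar slip in `_deprecated_reason: 'beacuse I said so.'`.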

- +

+ -

-
+ /> +

+ + +
+ )} + + {isUserDeprecated(this.state.user) && ( + + + + )} {showDeleteConfirmation ? ( From 688d8947604827ede0ca29b56f9bd3b99d1cff2e Mon Sep 17 00:00:00 2001 From: Larry Gregory Date: Wed, 29 Apr 2020 06:59:50 -0400 Subject: [PATCH 3/7] Review 1: Address feedback --- docs/user/security/securing-kibana.asciidoc | 2 +- packages/kbn-es/src/utils/native_realm.test.js | 16 ++++++++-------- .../server/elasticsearch/elasticsearch_config.ts | 4 ++-- x-pack/README.md | 2 +- x-pack/legacy/plugins/monitoring/README.md | 2 +- x-pack/plugins/monitoring/server/config.ts | 2 +- x-pack/plugins/monitoring/server/deprecations.ts | 2 +- .../users/edit_user/edit_user_page.tsx | 12 ++++++------ x-pack/test/functional/apps/security/users.js | 9 ++++++++- .../functional/page_objects/security_page.js | 2 ++ 10 files changed, 31 insertions(+), 22 deletions(-) diff --git a/docs/user/security/securing-kibana.asciidoc b/docs/user/security/securing-kibana.asciidoc index 8b01702fd61bd..f4178bacb111e 100644 --- a/docs/user/security/securing-kibana.asciidoc +++ b/docs/user/security/securing-kibana.asciidoc @@ -38,7 +38,7 @@ elasticsearch.password: "kibanapassword" The {kib} server submits requests as this user to access the cluster monitoring APIs and the `.kibana` index. The server does _not_ need access to user indices. -The password for the built-in `kibana` user is typically set as part of the +The password for the built-in `kibana_system` user is typically set as part of the {security} configuration process on {es}. For more information, see {ref}/built-in-users.html[Built-in users]. -- diff --git a/packages/kbn-es/src/utils/native_realm.test.js b/packages/kbn-es/src/utils/native_realm.test.js index 99c7ed1623014..54732f7136fcc 100644 --- a/packages/kbn-es/src/utils/native_realm.test.js +++ b/packages/kbn-es/src/utils/native_realm.test.js 
@@ -109,7 +109,7 @@ describe('setPasswords', () => { mockClient.security.getUser.mockImplementation(() => ({ body: { - kibana: { + kibana_system: { metadata: { _reserved: true, }, @@ -138,7 +138,7 @@ describe('setPasswords', () => { })); await nativeRealm.setPasswords({ - 'password.kibana': 'bar', + 'password.kibana_system': 'bar', }); expect(mockClient.security.changePassword.mock.calls).toMatchInlineSnapshot(` @@ -149,7 +149,7 @@ Array [ "password": "bar", }, "refresh": "wait_for", - "username": "kibana", + "username": "kibana_system", }, ], Array [ @@ -188,7 +188,7 @@ describe('getReservedUsers', () => { it('returns array of reserved usernames', async () => { mockClient.security.getUser.mockImplementation(() => ({ body: { - kibana: { + kibana_system: { metadata: { _reserved: true, }, @@ -206,17 +206,17 @@ describe('getReservedUsers', () => { }, })); - expect(await nativeRealm.getReservedUsers()).toEqual(['kibana', 'logstash_system']); + expect(await nativeRealm.getReservedUsers()).toEqual(['kibana_system', 'logstash_system']); }); }); describe('setPassword', () => { it('sets password for provided user', async () => { - await nativeRealm.setPassword('kibana', 'foo'); + await nativeRealm.setPassword('kibana_system', 'foo'); expect(mockClient.security.changePassword).toHaveBeenCalledWith({ body: { password: 'foo' }, refresh: 'wait_for', - username: 'kibana', + username: 'kibana_system', }); }); @@ -226,7 +226,7 @@ describe('setPassword', () => { }); await expect( - nativeRealm.setPassword('kibana', 'foo') + nativeRealm.setPassword('kibana_system', 'foo') ).rejects.toThrowErrorMatchingInlineSnapshot(`"SomeError"`); }); }); diff --git a/src/core/server/elasticsearch/elasticsearch_config.ts b/src/core/server/elasticsearch/elasticsearch_config.ts index d3012e361b3ed..0a8b74434a107 100644 --- a/src/core/server/elasticsearch/elasticsearch_config.ts +++ b/src/core/server/elasticsearch/elasticsearch_config.ts 
@@ -55,7 +55,7 @@ export const configSchema = schema.object({ if (rawConfig === 'elastic') { return ( 'value of "elastic" is forbidden. This is a superuser account that can obfuscate ' + - 'privilege-related issues. You should use the "kibana" user instead.' + 'privilege-related issues. You should use the "kibana_system" user instead.' ); } }, @@ -131,7 +131,7 @@ const deprecations: ConfigDeprecationProvider = () => [ } if (es.username === 'elastic') { log( - `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana" user instead.` + `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana_system" user instead.` ); } if (es.ssl?.key !== undefined && es.ssl?.certificate === undefined) { diff --git a/x-pack/README.md b/x-pack/README.md index 42e54aa2f50f9..951d09f1691e8 100644 --- a/x-pack/README.md +++ b/x-pack/README.md @@ -12,7 +12,7 @@ Elasticsearch will run with a basic license. To run with a trial license, includ Example: `yarn es snapshot --license trial --password changeme` -By default, this will also set the password for native realm accounts to the password provided (`changeme` by default). This includes that of the `kibana` user which `elasticsearch.username` defaults to in development. If you wish to specific a password for a given native realm account, you can do that like so: `--password.kibana=notsecure` +By default, this will also set the password for native realm accounts to the password provided (`changeme` by default). This includes that of the `kibana_system` user which `elasticsearch.username` defaults to in development. If you wish to specific a password for a given native realm account, you can do that like so: `--password.kibana=notsecure` # Testing ## Running specific tests diff --git a/x-pack/legacy/plugins/monitoring/README.md b/x-pack/legacy/plugins/monitoring/README.md index e9ececa8c6350..0222f06e7ae91 100644 --- a/x-pack/legacy/plugins/monitoring/README.md 
+++ b/x-pack/legacy/plugins/monitoring/README.md @@ -74,7 +74,7 @@ cluster. % cat config/kibana.dev.yml monitoring.ui.elasticsearch: hosts: "http://localhost:9210" - username: "kibana" + username: "kibana_system" password: "changeme" ``` diff --git a/x-pack/plugins/monitoring/server/config.ts b/x-pack/plugins/monitoring/server/config.ts index 6e5092a112744..ad5bf95090186 100644 --- a/x-pack/plugins/monitoring/server/config.ts +++ b/x-pack/plugins/monitoring/server/config.ts @@ -119,7 +119,7 @@ export const configSchema = schema.object({ if (rawConfig === 'elastic') { return ( 'value of "elastic" is forbidden. This is a superuser account that can obfuscate ' + - 'privilege-related issues. You should use the "kibana" user instead.' + 'privilege-related issues. You should use the "kibana_system" user instead.' ); } }, diff --git a/x-pack/plugins/monitoring/server/deprecations.ts b/x-pack/plugins/monitoring/server/deprecations.ts index 3a3ec6ac799d2..a7e9e295e9884 100644 --- a/x-pack/plugins/monitoring/server/deprecations.ts +++ b/x-pack/plugins/monitoring/server/deprecations.ts @@ -59,7 +59,7 @@ export const deprecations = ({ if (es) { if (es.username === 'elastic') { logger( - `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana" user instead.` + `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana_system" user instead.` ); } } diff --git a/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.tsx b/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.tsx index 787f5b55b8ee9..52d0b7b946fe4 100644 --- a/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.tsx +++ b/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.tsx 
@@ -35,7 +35,7 @@ import { RolesAPIClient } from '../../roles'; import { ConfirmDeleteUsers, ChangePasswordForm } from '../components'; import { UserValidator, UserValidationResult } from './validate_user'; import { RoleComboBox } from '../../role_combo_box'; -import { isUserDeprecated, getExtendedUserDeprecationNotice } from '../user_utils'; +import { isUserDeprecated, getExtendedUserDeprecationNotice, isUserReserved } from '../user_utils'; import { UserAPIClient } from '..'; interface Props { @@ -255,9 +255,9 @@ export class EditUserPage extends Component {

@@ -370,7 +370,7 @@ export class EditUserPage extends Component { isNewUser, showDeleteConfirmation, } = this.state; - const reserved = user.metadata && user.metadata._reserved; + const reserved = isUserReserved(user); if (!user || !roles) { return null; } @@ -439,11 +439,11 @@ export class EditUserPage extends Component {
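Review bot: `const reserved = isUserReserved(user);` runs before the `if (!user || !roles)` guard on the following lines, so the guard cannot protect the `user.metadata` access inside the helper. If `user` can ever be unset at this point, the render throws instead of returning `null`. Moving the assignment below the guard keeps the check meaningful: `if (!user || !roles) { return null; }` followed by `const reserved = isUserReserved(user);`. The replaced expression `user.metadata && user.metadata._reserved` had the same ordering, so this is not a regression; whether `user` can actually be unset depends on the state typing, which is outside the hunk.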
)} - {isUserDeprecated(this.state.user) && ( + {isUserDeprecated(user) && ( 0; + const isUserDeprecated = (await user.findAllByTestSubject('userDeprecated', 1)).length > 0; return { username: await usernameElement.getVisibleText(), @@ -242,6 +243,7 @@ export function SecurityPageProvider({ getService, getPageObjects }) { email: await emailElement.getVisibleText(), roles: (await rolesElement.getVisibleText()).split('\n').map(role => role.trim()), reserved: isUserReserved, + deprecated: isUserDeprecated, }; }); } From 85b37debf83a5561ad806f13bf75ae35d3ce135b Mon Sep 17 00:00:00 2001 From: Larry Gregory Date: Wed, 29 Apr 2020 08:36:56 -0400 Subject: [PATCH 4/7] fix translations --- x-pack/plugins/translations/translations/ja-JP.json | 1 - x-pack/plugins/translations/translations/zh-CN.json | 1 - 2 files changed, 2 deletions(-) diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json index cdff34ec3a603..16d9bb1bd9fd6 100644 --- a/x-pack/plugins/translations/translations/ja-JP.json +++ b/x-pack/plugins/translations/translations/ja-JP.json @@ -12966,7 +12966,6 @@ "xpack.security.management.users.editUser.cancelButtonLabel": "キャンセル", "xpack.security.management.users.editUser.changePasswordButtonLabel": "パスワードを変更", "xpack.security.management.users.editUser.changePasswordExtraStepTitle": "追加ステップが必要です", - "xpack.security.management.users.editUser.changePasswordUpdateKibanaTitle": "Kibana ユーザーのパスワードを変更後、{kibana} ファイルを更新し Kibana を再起動する必要があります。", "xpack.security.management.users.editUser.changingUserNameAfterCreationDescription": "ユーザー名は作成後変更できません。", "xpack.security.management.users.editUser.confirmPasswordFormRowLabel": "パスワードの確認", "xpack.security.management.users.editUser.createUserButtonLabel": "ユーザーを作成", diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json index 819112feb9f57..6bc88e405b9f7 100644 
--- a/x-pack/plugins/translations/translations/zh-CN.json +++ b/x-pack/plugins/translations/translations/zh-CN.json @@ -12970,7 +12970,6 @@ "xpack.security.management.users.editUser.cancelButtonLabel": "取消", "xpack.security.management.users.editUser.changePasswordButtonLabel": "更改密码", "xpack.security.management.users.editUser.changePasswordExtraStepTitle": "需要额外的步骤", - "xpack.security.management.users.editUser.changePasswordUpdateKibanaTitle": "更改 Kibana 用户的密码后,必须更新 {kibana} 文件并重新启动 Kibana。", "xpack.security.management.users.editUser.changingUserNameAfterCreationDescription": "用户名一经创建,将无法更改。", "xpack.security.management.users.editUser.confirmPasswordFormRowLabel": "确认密码", "xpack.security.management.users.editUser.createUserButtonLabel": "创建用户", From d424da43198666ccab9746b1f8dcb86691b5cb5c Mon Sep 17 00:00:00 2001 From: Larry Gregory Date: Fri, 1 May 2020 06:45:43 -0400 Subject: [PATCH 5/7] Apply suggestions from code review Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com> --- src/core/server/elasticsearch/elasticsearch_config.ts | 4 ++++ x-pack/plugins/monitoring/server/deprecations.ts | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/src/core/server/elasticsearch/elasticsearch_config.ts b/src/core/server/elasticsearch/elasticsearch_config.ts index 0a8b74434a107..c87c94bcd0b6a 100644 --- a/src/core/server/elasticsearch/elasticsearch_config.ts +++ b/src/core/server/elasticsearch/elasticsearch_config.ts @@ -133,6 +133,10 @@ const deprecations: ConfigDeprecationProvider = () => [ log( `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana_system" user instead.` ); + } else if (es.username === 'kibana') { + log( + `Setting [${fromPath}.username] to "kibana" is deprecated. You should use the "kibana_system" user instead.` + ); } if (es.ssl?.key !== undefined && es.ssl?.certificate === undefined) { log( 
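Review bot: The new `else if (es.username === 'kibana')` branch in elasticsearch_config.ts repeats the `elastic` branch with only the username changed, and the same pair is duplicated in x-pack/plugins/monitoring/server/deprecations.ts. A single check would stop the messages drifting apart: `if (es.username === 'elastic' || es.username === 'kibana') {` logging `` `Setting [${fromPath}.username] to "${es.username}" is deprecated. You should use the "kibana_system" user instead.` ``. The schema validator shown in an earlier hunk of this file rejects only `elastic`, so `kibana` is warned about but still accepted; if that is intentional for backward compatibility, a one-line comment saying so would help. The enclosing deprecation function starts and ends outside the hunk.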
diff --git a/x-pack/plugins/monitoring/server/deprecations.ts b/x-pack/plugins/monitoring/server/deprecations.ts index a7e9e295e9884..d40837885e198 100644 --- a/x-pack/plugins/monitoring/server/deprecations.ts +++ b/x-pack/plugins/monitoring/server/deprecations.ts @@ -61,6 +61,10 @@ export const deprecations = ({ logger( `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana_system" user instead.` ); + } else if (es.username === 'kibana') { + logger( + `Setting [${fromPath}.username] to "kibana" is deprecated. You should use the "kibana_system" user instead.` + ); } } return config; From 26470fb275d143c89d4f430e7b6a2c7cdfa235ab Mon Sep 17 00:00:00 2001 From: Larry Gregory Date: Sat, 2 May 2020 14:53:07 -0400 Subject: [PATCH 6/7] test deprecation logging when kibana user is specified --- .../__snapshots__/elasticsearch_config.test.ts.snap | 2 +- .../elasticsearch/elasticsearch_config.test.ts | 13 +++++++++++-- .../monitoring/server/__tests__/deprecations.js | 10 +++++++++- 3 files changed, 21 insertions(+), 4 deletions(-) diff --git a/src/core/server/elasticsearch/__snapshots__/elasticsearch_config.test.ts.snap b/src/core/server/elasticsearch/__snapshots__/elasticsearch_config.test.ts.snap index e81336c8863f5..75627f311d9a5 100644 --- a/src/core/server/elasticsearch/__snapshots__/elasticsearch_config.test.ts.snap +++ b/src/core/server/elasticsearch/__snapshots__/elasticsearch_config.test.ts.snap 
@@ -1,3 +1,3 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP -exports[`#username throws if equal to "elastic", only while running from source 1`] = `"[username]: value of \\"elastic\\" is forbidden. This is a superuser account that can obfuscate privilege-related issues. You should use the \\"kibana\\" user instead."`; +exports[`#username throws if equal to "elastic", only while running from source 1`] = `"[username]: value of \\"elastic\\" is forbidden. This is a superuser account that can obfuscate privilege-related issues. You should use the \\"kibana_system\\" user instead."`; diff --git a/src/core/server/elasticsearch/elasticsearch_config.test.ts b/src/core/server/elasticsearch/elasticsearch_config.test.ts index de3f57298f461..cb4501a51e849 100644 --- a/src/core/server/elasticsearch/elasticsearch_config.test.ts +++ b/src/core/server/elasticsearch/elasticsearch_config.test.ts 
@@ -315,12 +315,21 @@ describe('deprecations', () => { const { messages } = applyElasticsearchDeprecations({ username: 'elastic' }); expect(messages).toMatchInlineSnapshot(` Array [ - "Setting [${CONFIG_PATH}.username] to \\"elastic\\" is deprecated. You should use the \\"kibana\\" user instead.", + "Setting [${CONFIG_PATH}.username] to \\"elastic\\" is deprecated. You should use the \\"kibana_system\\" user instead.", ] `); }); - it('does not log a warning if elasticsearch.username is set to something besides "elastic"', () => { + it('logs a warning if elasticsearch.username is set to "kibana"', () => { + const { messages } = applyElasticsearchDeprecations({ username: 'kibana' }); + expect(messages).toMatchInlineSnapshot(` + Array [ + "Setting [${CONFIG_PATH}.username] to \\"kibana\\" is deprecated. You should use the \\"kibana_system\\" user instead.", + ] + `); + }); + + it('does not log a warning if elasticsearch.username is set to something besides "elastic" or "kibana"', () => { const { messages } = applyElasticsearchDeprecations({ username: 'otheruser' }); expect(messages).toHaveLength(0); }); diff --git a/x-pack/plugins/monitoring/server/__tests__/deprecations.js b/x-pack/plugins/monitoring/server/__tests__/deprecations.js index aa8008346af85..5fc5debfa139e 100644 --- a/x-pack/plugins/monitoring/server/__tests__/deprecations.js +++ b/x-pack/plugins/monitoring/server/__tests__/deprecations.js 
@@ -92,7 +92,15 @@ describe('monitoring plugin deprecations', function() { expect(log.called).to.be(true); }); - it('does not log a warning if elasticsearch.username is set to something besides "elastic"', () => { + it('logs a warning if elasticsearch.username is set to "kibana"', () => { + const settings = { elasticsearch: { username: 'kibana' } }; + + const log = sinon.spy(); + transformDeprecations(settings, fromPath, log); + expect(log.called).to.be(true); + }); + + it('does not log a warning if elasticsearch.username is set to something besides "elastic" or "kibana"', () => { const settings = { elasticsearch: { username: 'otheruser' } }; const log = sinon.spy(); From 4055603894d9455d64584cfd3fe54ab31c655c35 Mon Sep 17 00:00:00 2001 From: Larry Gregory Date: Tue, 5 May 2020 07:32:07 -0400 Subject: [PATCH 7/7] Update x-pack/README.md Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com> --- x-pack/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/README.md b/x-pack/README.md index 951d09f1691e8..744d97ca02c75 100644 --- a/x-pack/README.md +++ b/x-pack/README.md 
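Review bot: The added monitoring test asserts only `expect(log.called).to.be(true);`, which would also pass if the `kibana` value triggered some unrelated deprecation message. Checking the logged text pins the behaviour, for example `expect(log.firstCall.args[0]).to.contain('"kibana" is deprecated');`. The core test in elasticsearch_config.test.ts already does this with an inline snapshot. The surrounding `describe` block continues outside the hunk.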
@@ -12,7 +12,7 @@ Elasticsearch will run with a basic license. To run with a trial license, includ Example: `yarn es snapshot --license trial --password changeme` -By default, this will also set the password for native realm accounts to the password provided (`changeme` by default). This includes that of the `kibana_system` user which `elasticsearch.username` defaults to in development. If you wish to specific a password for a given native realm account, you can do that like so: `--password.kibana=notsecure` +By default, this will also set the password for native realm accounts to the password provided (`changeme` by default). This includes that of the `kibana_system` user which `elasticsearch.username` defaults to in development. If you wish to specify a password for a given native realm account, you can do that like so: `--password.kibana_system=notsecure` # Testing ## Running specific tests