Change built-in kibana user to kibana_system #29808

Open
elasticmachine opened this issue Aug 15, 2017 · 13 comments
Labels
>enhancement :Security/Security Security issues without another label Team:Security Meta label for security team

Comments

@elasticmachine
Collaborator

Original comment by @skearns64:

Today, we have 3 built-in users: elastic, a superuser account; kibana, the system account that the Kibana server uses for connecting to ES, setting up the .kibana index and pushing monitoring data; and logstash_system, an account for Logstash monitoring.

Both the kibana user and the logstash_system user are system accounts that the respective systems use. It's a bit confusing and inconsistent that they don't follow the same naming scheme. There have been a number of cases where customers and users have mistaken the kibana user for an end-user account for logging into Kibana.

I propose that we change the kibana user to kibana_system for consistency.

Alternatively, I would also be comfortable changing logstash_system to logstash to match kibana - the consistency of the naming scheme is more important to me than the scheme itself.

@elasticmachine
Collaborator Author

Original comment by @skearns64:

cc @epixa @clintongormley

@elasticmachine
Collaborator Author

Original comment by @lcawl:

@epixa noted in LINK REDACTED that if customers use the credentials from the kibana.yml file (i.e. "kibana") to log in then "Kibana wouldn't really function properly", which is another good reason to make it clear that it's a system account.

@elasticmachine
Collaborator Author

Original comment by @epixa:

++ to this idea. We have to be careful about how we handle this for backwards compatibility's sake, but this will go a long way in helping avoid ambiguity around how this user is used.

@elasticmachine
Collaborator Author

Original comment by @skearns64:

Great, glad there is appetite for this.

Is this something that we could fix for 6.0? Given the potential BWC implications, a major version seems like the right time to make the change.

@elasticmachine
Collaborator Author

Original comment by @clintongormley:

@tvernum is there any way of doing this transparently (including during a rolling restart)?

@elasticmachine
Collaborator Author

Original comment by @tvernum:

We renamed the kibana role from kibana to kibana_system with a BWC layer in place. (LINK REDACTED)
I think it's probably possible to do something similar for the user, but I'd need to investigate more thoroughly.

@elasticmachine
Collaborator Author

Original comment by @skearns64:

I think this would be a really good one to get into 6.0, if at all possible. Otherwise, we will have to live with inconsistent default usernames for another major release.

@elasticmachine
Collaborator Author

Original comment by @jimgoodwin:

Please discuss solutions...

@tomcallahan
Contributor

@skearns64 is this still important?

@skearns64
Contributor

Yes, I think that the naming confusion still exists among our customers, so this is still something we should address.

@tomcallahan
Contributor

OK. Out of FixItFriday, at least some folks felt it would be better to move logstash_system to be logstash, instead of changing the logstash and kibana users, WDYT?

@tvernum
Contributor

tvernum commented Jun 22, 2018

> at least some folks felt it would be better to move logstash_system to be logstash, instead of changing the logstash and kibana users

Please no!
About once a week we have to explain to someone on the forums not to log in to Kibana as the kibana user. We intentionally tried to solve that problem when we created the logstash_system user so that users didn't think it was suitable for use in logstash pipelines. It has helped but not completely.
Related: #29892

@rhoboat removed their assignment Jun 29, 2018
@rhoboat

rhoboat commented Jun 29, 2018

Unassigned myself so security team could get to this faster.


6 participants