Create apm_server user

[elasticmachine]

Original comment by @tvernum:

The 6.2 docs for APM say:

If you are using an X-Pack secured version of Elastic Stack, you need to specify credentials in the config file before you run the commands that set up and start APM Server. For example:

output.elasticsearch:
  hosts: ["ElasticsearchAddress:9200"]
  username: "elastic"
  password: "elastic"

It is LINK REDACTED to being running things as "elastic", but we don't have an apm_server user/role to recommend instead.

We should create a builtin user+role for APM and the update the docs accordingly.

[elasticmachine]

Original comment by @tvernum:

/CC: @elastic/apm @elastic/es-security

[elasticmachine]

Original comment by @jalvz:

fyi this has been merged recently:
elastic/apm-server#546

it is adapted from current beats documentation.

[elasticmachine]

Original comment by @tvernum:

@jalvz We can ship with a builtin role that already has the required privileges.
How common is it for customers to change the target indices for APM (is that even possible?)

If the standard setup uses a fixed index name, then it's better to just ship with the user + role preconfigured in X-Pack.
We don't do that for ingest (beats/logstash) because it very common to configure your own target indices, but I think we can get a better out-of-the-box experience for APM.

[elasticmachine]

Original comment by @jalvz:

Is hard to say how common it is at this point, but probably not common at all. It is possible to change it, but I don't see any reason why the should, everything works out of the box with the default names.

A preconfigured user/role makes sense to me. See also LINK REDACTED