diff --git a/src/core/server/elasticsearch/__snapshots__/elasticsearch_config.test.ts.snap b/src/core/server/elasticsearch/__snapshots__/elasticsearch_config.test.ts.snap new file mode 100644 index 00000000000000..e81336c8863f56 --- /dev/null +++ b/src/core/server/elasticsearch/__snapshots__/elasticsearch_config.test.ts.snap @@ -0,0 +1,3 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`#username throws if equal to "elastic", only while running from source 1`] = `"[username]: value of \\"elastic\\" is forbidden. This is a superuser account that can obfuscate privilege-related issues. You should use the \\"kibana\\" user instead."`; diff --git a/src/core/server/elasticsearch/elasticsearch_config.test.ts b/src/core/server/elasticsearch/elasticsearch_config.test.ts index b1aca2ef081ee3..4fcaea2b39b194 100644 --- a/src/core/server/elasticsearch/elasticsearch_config.test.ts +++ b/src/core/server/elasticsearch/elasticsearch_config.test.ts @@ -107,3 +107,11 @@ test('#ssl.certificateAuthorities accepts both string and array of strings', () ); expect(configValue.ssl.certificateAuthorities).toEqual(['some-path', 'another-path']); }); + +test('#username throws if equal to "elastic", only while running from source', () => { + const obj = { + username: 'elastic', + }; + expect(() => config.schema.validate(obj, { dist: false })).toThrowErrorMatchingSnapshot(); + expect(() => config.schema.validate(obj, { dist: true })).not.toThrow(); +}); diff --git a/src/core/server/elasticsearch/elasticsearch_config.ts b/src/core/server/elasticsearch/elasticsearch_config.ts index 678c1e3ca44d5d..4ad1aef87ec2be 100644 --- a/src/core/server/elasticsearch/elasticsearch_config.ts +++ b/src/core/server/elasticsearch/elasticsearch_config.ts @@ -19,6 +19,7 @@ import { schema, TypeOf } from '@kbn/config-schema'; import { Duration } from 'moment'; +import { Logger } from '../logging'; const hostURISchema = schema.uri({ scheme: ['http', 'https'] }); @@ -39,7 +40,23 @@ export const config = { defaultValue: 'http://localhost:9200', }), preserveHost: schema.boolean({ defaultValue: true }), - username: schema.maybe(schema.string()), + username: schema.maybe( + schema.conditional( + schema.contextRef('dist'), + false, + schema.string({ + validate: rawConfig => { + if (rawConfig === 'elastic') { + return ( + 'value of "elastic" is forbidden. This is a superuser account that can obfuscate ' + + 'privilege-related issues. You should use the "kibana" user instead.' + ); + } + }, + }), + schema.string() + ) + ), password: schema.maybe(schema.string()), requestHeadersWhitelist: schema.oneOf([schema.string(), schema.arrayOf(schema.string())], { defaultValue: ['authorization'], @@ -166,7 +183,7 @@ export class ElasticsearchConfig { */ public readonly customHeaders: ElasticsearchConfigType['customHeaders']; - constructor(rawConfig: ElasticsearchConfigType) { + constructor(rawConfig: ElasticsearchConfigType, log?: Logger) { this.ignoreVersionMismatch = rawConfig.ignoreVersionMismatch; this.apiVersion = rawConfig.apiVersion; this.logQueries = rawConfig.logQueries; @@ -195,5 +212,14 @@ export class ElasticsearchConfig { ...rawConfig.ssl, certificateAuthorities, }; + + if (this.username === 'elastic' && log !== undefined) { + // logger is optional / not used during tests + // TODO: logger can be removed when issue #40255 is resolved to support deprecations in NP config service + log.warn( + `Setting the elasticsearch username to "elastic" is deprecated. You should use the "kibana" user instead.`, + { tags: ['deprecation'] } + ); + } } } diff --git a/src/core/server/elasticsearch/elasticsearch_service.ts b/src/core/server/elasticsearch/elasticsearch_service.ts index 1f062412edaf22..be0a817c54146c 100644 --- a/src/core/server/elasticsearch/elasticsearch_service.ts +++ b/src/core/server/elasticsearch/elasticsearch_service.ts @@ -51,7 +51,7 @@ export class ElasticsearchService implements CoreService('elasticsearch') - .pipe(map(rawConfig => new ElasticsearchConfig(rawConfig))); + .pipe(map(rawConfig => new ElasticsearchConfig(rawConfig, coreContext.logger.get('config')))); } public async setup(deps: SetupDeps): Promise { diff --git a/src/test_utils/kbn_server.ts b/src/test_utils/kbn_server.ts index 380d21b66ec50a..cda7e005bf75eb 100644 --- a/src/test_utils/kbn_server.ts +++ b/src/test_utils/kbn_server.ts @@ -267,8 +267,8 @@ export function createTestServers({ // Override provided configs, we know what the elastic user is now kbnSettings.elasticsearch = { hosts: [esTestConfig.getUrl()], - username: esTestConfig.getUrlParts().username, - password: esTestConfig.getUrlParts().password, + username: kibanaServerTestUser.username, + password: kibanaServerTestUser.password, }; } @@ -276,8 +276,8 @@ export function createTestServers({ stop: async () => await es.cleanup(), es, hosts: [esTestConfig.getUrl()], - username: esTestConfig.getUrlParts().username, - password: esTestConfig.getUrlParts().password, + username: kibanaServerTestUser.username, + password: kibanaServerTestUser.password, }; }, startKibana: async () => { diff --git a/test/common/config.js b/test/common/config.js index 58161e545bd06a..03a9a34a975e5e 100644 --- a/test/common/config.js +++ b/test/common/config.js @@ -19,7 +19,7 @@ import path from 'path'; import { format as formatUrl } from 'url'; -import { OPTIMIZE_BUNDLE_DIR, esTestConfig, kbnTestConfig } from '@kbn/test'; +import { OPTIMIZE_BUNDLE_DIR, esTestConfig, kbnTestConfig, kibanaServerTestUser } from '@kbn/test'; import { services } from './services'; export default function () { @@ -53,8 +53,8 @@ export default function () { '--status.allowAnonymous=true', '--optimize.enabled=true', `--elasticsearch.hosts=${formatUrl(servers.elasticsearch)}`, - `--elasticsearch.username=${servers.elasticsearch.username}`, - `--elasticsearch.password=${servers.elasticsearch.password}`, + `--elasticsearch.username=${kibanaServerTestUser.username}`, + `--elasticsearch.password=${kibanaServerTestUser.password}`, `--kibana.disableWelcomeScreen=true`, '--telemetry.banner=false', `--server.maxPayloadBytes=1679958`, diff --git a/x-pack/test/pki_api_integration/apis/security/pki_auth.ts b/x-pack/test/pki_api_integration/apis/security/pki_auth.ts index 8c29db674aaf3d..afb27168d6d5c3 100644 --- a/x-pack/test/pki_api_integration/apis/security/pki_auth.ts +++ b/x-pack/test/pki_api_integration/apis/security/pki_auth.ts @@ -113,7 +113,7 @@ export default function({ getService }: FtrProviderContext) { enabled: true, metadata: { pki_delegated_by_realm: 'reserved', - pki_delegated_by_user: 'elastic', + pki_delegated_by_user: 'kibana', pki_dn: 'CN=first_client', }, authentication_realm: { name: 'pki1', type: 'pki' }, @@ -155,7 +155,7 @@ export default function({ getService }: FtrProviderContext) { enabled: true, metadata: { pki_delegated_by_realm: 'reserved', - pki_delegated_by_user: 'elastic', + pki_delegated_by_user: 'kibana', pki_dn: 'CN=second_client', }, authentication_realm: { name: 'pki1', type: 'pki' }, diff --git a/x-pack/test/plugin_api_integration/plugins/task_manager/index.js b/x-pack/test/plugin_api_integration/plugins/task_manager/index.js index 85dd0fed9a000b..938324c12a3779 100644 --- a/x-pack/test/plugin_api_integration/plugins/task_manager/index.js +++ b/x-pack/test/plugin_api_integration/plugins/task_manager/index.js @@ -41,7 +41,7 @@ export default function TaskTestingAPI(kibana) { const callCluster = server.plugins.elasticsearch.getCluster('admin').callWithInternalUser; await callCluster('index', { - index: '.task_manager_test_result', + index: '.kibana_task_manager_test_result', body: { type: 'task', taskId: taskInstance.id, diff --git a/x-pack/test/plugin_api_integration/test_suites/task_manager/task_manager_integration.js b/x-pack/test/plugin_api_integration/test_suites/task_manager/task_manager_integration.js index 07877f3c09d847..a8ff03dc71d247 100644 --- a/x-pack/test/plugin_api_integration/test_suites/task_manager/task_manager_integration.js +++ b/x-pack/test/plugin_api_integration/test_suites/task_manager/task_manager_integration.js @@ -16,7 +16,7 @@ export default function ({ getService }) { const log = getService('log'); const retry = getService('retry'); const config = getService('config'); - const testHistoryIndex = '.task_manager_test_result'; + const testHistoryIndex = '.kibana_task_manager_test_result'; const supertest = supertestAsPromised(url.format(config.get('servers.kibana'))); describe('scheduling and running tasks', () => { diff --git a/x-pack/test/reporting/configs/generate_api.js b/x-pack/test/reporting/configs/generate_api.js index 92f16d0951ee51..8b8a95ad19a338 100644 --- a/x-pack/test/reporting/configs/generate_api.js +++ b/x-pack/test/reporting/configs/generate_api.js @@ -4,7 +4,7 @@ * you may not use this file except in compliance with the Elastic License. */ -import { esTestConfig, kbnTestConfig } from '@kbn/test'; +import { esTestConfig, kbnTestConfig, kibanaServerTestUser } from '@kbn/test'; import { format as formatUrl } from 'url'; import { getApiIntegrationConfig } from '../../api_integration/config'; import { getReportingApiConfig } from './api'; @@ -35,8 +35,8 @@ export default async function ({ readConfigFile }) { `--server.maxPayloadBytes=1679958`, `--server.port=${kbnTestConfig.getPort()}`, `--elasticsearch.hosts=${formatUrl(servers.elasticsearch)}`, - `--elasticsearch.password=${servers.elasticsearch.password}`, - `--elasticsearch.username=${servers.elasticsearch.username}`, + `--elasticsearch.username=${kibanaServerTestUser.username}`, + `--elasticsearch.password=${kibanaServerTestUser.password}`, `--xpack.reporting.csv.enablePanelActionDownload=true`, `--xpack.reporting.csv.maxSizeBytes=2850`, `--xpack.reporting.queue.pollInterval=3000`,