Additional validation for elasticsearch username (#48247)

* Additional validation for elasticsearch username

If "elastic" user is set in config:
* In dev mode, throws an error
* In prod mode, logs a deprecation warning

* Fix user for functional tests

* Revert last two commits

Revert "Fix user for functional tests" and
"Fix user for plugin functional tests in Jenkinsfile"

* Change elasticsearch creds for test server

Now uses "kibana" user instead of "elastic" user

* Fix plugin API functional tests

* Fix PKI API integration test

* Change log messages, now conditional on `dist: false` not `dev: true`

Author: jportner

src/core/server/elasticsearch/__snapshots__/elasticsearch_config.test.ts.snap

@@ -107,3 +107,11 @@ test('#ssl.certificateAuthorities accepts both string and array of strings', ()
   );
   expect(configValue.ssl.certificateAuthorities).toEqual(['some-path', 'another-path']);
 });
+
+test('#username throws if equal to "elastic", only while running from source', () => {
+  const obj = {
+    username: 'elastic',
+  };
+  expect(() => config.schema.validate(obj, { dist: false })).toThrowErrorMatchingSnapshot();
+  expect(() => config.schema.validate(obj, { dist: true })).not.toThrow();
+});

src/core/server/elasticsearch/elasticsearch_config.test.ts

@@ -19,6 +19,7 @@
 
 import { schema, TypeOf } from '@kbn/config-schema';
 import { Duration } from 'moment';
+import { Logger } from '../logging';
 
 const hostURISchema = schema.uri({ scheme: ['http', 'https'] });
 
@@ -39,7 +40,23 @@ export const config = {
       defaultValue: 'http://localhost:9200',
     }),
     preserveHost: schema.boolean({ defaultValue: true }),
-    username: schema.maybe(schema.string()),
+    username: schema.maybe(
+      schema.conditional(
+        schema.contextRef('dist'),
+        false,
+        schema.string({
+          validate: rawConfig => {
+            if (rawConfig === 'elastic') {
+              return (
+                'value of "elastic" is forbidden. This is a superuser account that can obfuscate ' +
+                'privilege-related issues. You should use the "kibana" user instead.'
+              );
+            }
+          },
+        }),
+        schema.string()
+      )
+    ),
     password: schema.maybe(schema.string()),
     requestHeadersWhitelist: schema.oneOf([schema.string(), schema.arrayOf(schema.string())], {
       defaultValue: ['authorization'],
@@ -166,7 +183,7 @@ export class ElasticsearchConfig {
    */
   public readonly customHeaders: ElasticsearchConfigType['customHeaders'];
 
-  constructor(rawConfig: ElasticsearchConfigType) {
+  constructor(rawConfig: ElasticsearchConfigType, log?: Logger) {
     this.ignoreVersionMismatch = rawConfig.ignoreVersionMismatch;
     this.apiVersion = rawConfig.apiVersion;
     this.logQueries = rawConfig.logQueries;
@@ -195,5 +212,14 @@ export class ElasticsearchConfig {
       ...rawConfig.ssl,
       certificateAuthorities,
     };
+
+    if (this.username === 'elastic' && log !== undefined) {
+      // logger is optional / not used during tests
+      // TODO: logger can be removed when issue #40255 is resolved to support deprecations in NP config service
+      log.warn(
+        `Setting the elasticsearch username to "elastic" is deprecated. You should use the "kibana" user instead.`,
+        { tags: ['deprecation'] }
+      );
+    }
   }
 }

src/core/server/elasticsearch/elasticsearch_config.ts

@@ -51,7 +51,7 @@ export class ElasticsearchService implements CoreService<InternalElasticsearchSe
     this.log = coreContext.logger.get('elasticsearch-service');
     this.config$ = coreContext.configService
       .atPath<ElasticsearchConfigType>('elasticsearch')
-      .pipe(map(rawConfig => new ElasticsearchConfig(rawConfig)));
+      .pipe(map(rawConfig => new ElasticsearchConfig(rawConfig, coreContext.logger.get('config'))));
   }
 
   public async setup(deps: SetupDeps): Promise<InternalElasticsearchServiceSetup> {

src/core/server/elasticsearch/elasticsearch_service.ts

@@ -270,17 +270,17 @@ export function createTestServers({
         // Override provided configs, we know what the elastic user is now
         kbnSettings.elasticsearch = {
           hosts: [esTestConfig.getUrl()],
-          username: esTestConfig.getUrlParts().username,
-          password: esTestConfig.getUrlParts().password,
+          username: kibanaServerTestUser.username,
+          password: kibanaServerTestUser.password,
         };
       }
 
       return {
         stop: async () => await es.cleanup(),
         es,
         hosts: [esTestConfig.getUrl()],
-        username: esTestConfig.getUrlParts().username,
-        password: esTestConfig.getUrlParts().password,
+        username: kibanaServerTestUser.username,
+        password: kibanaServerTestUser.password,
       };
     },
     startKibana: async () => {

src/test_utils/kbn_server.ts

@@ -19,7 +19,7 @@
 
 import path from 'path';
 import { format as formatUrl } from 'url';
-import { OPTIMIZE_BUNDLE_DIR, esTestConfig, kbnTestConfig } from '@kbn/test';
+import { OPTIMIZE_BUNDLE_DIR, esTestConfig, kbnTestConfig, kibanaServerTestUser } from '@kbn/test';
 import { services } from './services';
 
 export default function () {
@@ -53,8 +53,8 @@ export default function () {
         '--status.allowAnonymous=true',
         '--optimize.enabled=true',
         `--elasticsearch.hosts=${formatUrl(servers.elasticsearch)}`,
-        `--elasticsearch.username=${servers.elasticsearch.username}`,
-        `--elasticsearch.password=${servers.elasticsearch.password}`,
+        `--elasticsearch.username=${kibanaServerTestUser.username}`,
+        `--elasticsearch.password=${kibanaServerTestUser.password}`,
         `--kibana.disableWelcomeScreen=true`,
         '--telemetry.banner=false',
         `--server.maxPayloadBytes=1679958`,

test/common/config.js

@@ -113,7 +113,7 @@ export default function({ getService }: FtrProviderContext) {
         enabled: true,
         metadata: {
           pki_delegated_by_realm: 'reserved',
-          pki_delegated_by_user: 'elastic',
+          pki_delegated_by_user: 'kibana',
           pki_dn: 'CN=first_client',
         },
         authentication_realm: { name: 'pki1', type: 'pki' },
@@ -155,7 +155,7 @@ export default function({ getService }: FtrProviderContext) {
           enabled: true,
           metadata: {
             pki_delegated_by_realm: 'reserved',
-            pki_delegated_by_user: 'elastic',
+            pki_delegated_by_user: 'kibana',
             pki_dn: 'CN=second_client',
           },
           authentication_realm: { name: 'pki1', type: 'pki' },

x-pack/test/pki_api_integration/apis/security/pki_auth.ts

@@ -41,7 +41,7 @@ export default function TaskTestingAPI(kibana) {
 
               const callCluster = server.plugins.elasticsearch.getCluster('admin').callWithInternalUser;
               await callCluster('index', {
-                index: '.task_manager_test_result',
+                index: '.kibana_task_manager_test_result',
                 body: {
                   type: 'task',
                   taskId: taskInstance.id,

x-pack/test/plugin_api_integration/plugins/task_manager/index.js

@@ -16,7 +16,7 @@ export default function ({ getService }) {
   const log = getService('log');
   const retry = getService('retry');
   const config = getService('config');
-  const testHistoryIndex = '.task_manager_test_result';
+  const testHistoryIndex = '.kibana_task_manager_test_result';
   const supertest = supertestAsPromised(url.format(config.get('servers.kibana')));
 
   describe('scheduling and running tasks', () => {

x-pack/test/plugin_api_integration/test_suites/task_manager/task_manager_integration.js

@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { esTestConfig, kbnTestConfig } from '@kbn/test';
+import { esTestConfig, kbnTestConfig, kibanaServerTestUser } from '@kbn/test';
 import { format as formatUrl } from 'url';
 import { getApiIntegrationConfig } from '../../api_integration/config';
 import { getReportingApiConfig } from './api';
@@ -35,8 +35,8 @@ export default async function ({ readConfigFile }) {
         `--server.maxPayloadBytes=1679958`,
         `--server.port=${kbnTestConfig.getPort()}`,
         `--elasticsearch.hosts=${formatUrl(servers.elasticsearch)}`,
-        `--elasticsearch.password=${servers.elasticsearch.password}`,
-        `--elasticsearch.username=${servers.elasticsearch.username}`,
+        `--elasticsearch.username=${kibanaServerTestUser.username}`,
+        `--elasticsearch.password=${kibanaServerTestUser.password}`,
         `--xpack.reporting.csv.enablePanelActionDownload=true`,
         `--xpack.reporting.csv.maxSizeBytes=2850`,
         `--xpack.reporting.queue.pollInterval=3000`,