Interactive setup mode server-side functionality

## Summary

In the scope of this issue we're going to implement server-side functionality that's absolutely necessary for the initial phase of the interactive setup mode provided by the `userSetup` plugin:

- [x] :heavy_check_mark: @azasypkin Add `userSetup` plugin skeleton. (https://github.com/elastic/kibana/pull/101610)
- [x] :heavy_check_mark: @thomheymann / @azasypkin - Functionality to detect if "interactive setup mode" should be enabled [2W] (https://github.com/elastic/kibana/pull/108835)
- [x] :heavy_check_mark: @azasypkin  - Functionality to interact with Elasticsearch Enrollment APIs (https://github.com/elastic/kibana/pull/108835)
- [x] :heavy_check_mark: @thomheymann / @azasypkin - Functionality to write `elasticsearch.*` configuration to the disk [1W] (https://github.com/elastic/kibana/pull/108835)
- [x] :heavy_check_mark: @azasypkin Functionality to validate server certificate fingerprint (https://github.com/elastic/kibana/pull/108514)
- [x] :heavy_check_mark: @thomheymann - Validate and parse enrollment token (https://github.com/elastic/kibana/pull/106881)
- [x] :heavy_check_mark: @thomheymann - Secure interactive setup mode with verification code (https://github.com/elastic/kibana/pull/110856) 
- [x] :heavy_check_mark: @thomheymann - Redirect user to default Kibana location once it's up and running(https://github.com/elastic/kibana/pull/110856) 
- [x] :heavy_check_mark: @azasypkin Make sure interactive setup mode is properly triggered when Kibana is run in Docker (https://github.com/elastic/kibana/pull/110629, see [this](https://github.com/elastic/kibana/blob/507da3ee8bbfb0d987154b32363b9cc2ac2245ec/src/dev/build/tasks/os_packages/docker_generator/templates/kibana_yml.template.ts#L22))
- [x] :arrow_right:  ~~@azasypkin Functional and API integration tests~~ (will be handled in the scope of https://github.com/elastic/kibana/issues/111336)
- [x] :heavy_check_mark: @azasypkin Make sure we don't activate interactive setup in k8s/ECK
By default ECK sets up TLS for both Elasticsearch and Kibana. [TLS can be disabled](https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-tls-certificates.html#k8s-disable-tls), but [Security is assumed to be enabled all the time](https://www.elastic.co/guide/en/cloud-on-k8s/master/k8s-reserved-settings.html). **However**, ECK Kibana [can be configured to connect to external Elasticsearch](https://www.elastic.co/guide/en/cloud-on-k8s/master/k8s-kibana-es.html#k8s-kibana-external-es) , and if the ES happens to be `http://localhost:9200` that Kibana cannot connect to we'll activate interactive setup.
- [x] :heavy_check_mark: @azasypkin Make sure Kibana installed with OS-specific packages (DEB/RPM) can write to configuration file. The `kibana` group has permissions to write to `kibana.yml`:
https://github.com/elastic/kibana/blob/4a541883557bcee83baf09b2c0ddab702f780e45/src/dev/build/tasks/os_packages/package_scripts/post_install.sh#L11-L29)
https://github.com/elastic/kibana/blob/4a541883557bcee83baf09b2c0ddab702f780e45/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Dockerfile#L58-L73
https://github.com/elastic/kibana/blob/4a541883557bcee83baf09b2c0ddab702f780e45/src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile#L95-L113
- [x] :arrow_right:  ~~Telemetry to record user behavior and common sources of errors~~ (will be handled in the scope of https://github.com/elastic/kibana/issues/111341)
- [x] :arrow_right: ~~Find a way to expose ES config schema to preboot plugins~~ (will be handled in the scope of https://github.com/elastic/kibana/issues/111340)
- [x] :arrow_right:  ~~Support keystore for credentials?~~ (will be handled in the scope of https://github.com/elastic/kibana/issues/111337)

__Related:__ #89287, #102538

__Blocked by:__ ~~https://github.com/elastic/kibana/pull/103636~~, ~~https://github.com/elastic/clients-team/issues/423~~, ~~https://github.com/elastic/kibana/pull/102121~~

	set_chmod() {
	chmod -f 660 ${KBN_PATH_CONF}/kibana.yml \|\| true
	chmod -f 2750 <%= dataDir %> \|\| true
	chmod -f 2750 ${KBN_PATH_CONF} \|\| true
	chmod -f 2750 <%= logDir %> \|\| true
	}

	set_chown() {
	chown <%= user %>:<%= group %> <%= logDir %>
	chown <%= user %>:<%= group %> <%= pidDir %>
	chown -R <%= user %>:<%= group %> <%= dataDir %>
	chown -R root:<%= group %> ${KBN_PATH_CONF}
	}

	setup() {
	[ ! -d "<%= logDir %>" ] && mkdir "<%= logDir %>"
	set_chmod
	set_chown
	}

	COPY --chown=1000:0 config/kibana.yml /usr/share/kibana/config/kibana.yml

	# Add the launcher/wrapper script. It knows how to interpret environment
	# variables and translate them to Kibana CLI options.
	COPY --chown=1000:0 scripts/kibana-docker /usr/local/bin/

	# Remove the suid bit everywhere to mitigate "Stack Clash"
	RUN find / -xdev -perm -4000 -exec chmod u-s {} +

	# Provide a non-root user to run the process.
	RUN groupadd --gid 1000 kibana && \
	useradd --uid 1000 --gid 1000 -G 0 \
	--home-dir /usr/share/kibana --no-create-home \
	kibana

	USER kibana

	# Set some Kibana configuration defaults.
	COPY --chown=1000:0 config/kibana.yml /usr/share/kibana/config/kibana.yml

	# Add the launcher/wrapper script. It knows how to interpret environment
	# variables and translate them to Kibana CLI options.
	COPY --chown=1000:0 bin/kibana-docker /usr/local/bin/

	# Ensure gid 0 write permissions for OpenShift.
	RUN chmod g+ws /usr/share/kibana && \
	find /usr/share/kibana -gid 0 -and -not -perm /g+w -exec chmod g+w {} \;

	# Remove the suid bit everywhere to mitigate "Stack Clash"
	RUN find / -xdev -perm -4000 -exec chmod u-s {} +

	# Provide a non-root user to run the process.
	RUN groupadd --gid 1000 kibana && \
	useradd --uid 1000 --gid 1000 -G 0 \
	--home-dir /usr/share/kibana --no-create-home \
	kibana

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Interactive setup mode server-side functionality #104068

azasypkin
openedon Jul 1, 2021

Summary

Assignees

Labels

Type

Projects

Milestone

Relationships

Development