Deprecate kibana user in favor of kibana_system user #63186
Pinging @elastic/kibana-security (Team:Security)
EDIT: tested locally and works great! A few nits aside from the changes you directly made... (using permalinks to the current HEAD in master so they render properly in my comment)
- In Additional validation for elasticsearch username #48247 we deprecated using the `elastic` user in config in favor of using the `kibana` user. I'm thinking we should probably change that to deprecate it in favor of `kibana_system` too. This is in a few files...
kibana/src/core/server/elasticsearch/elasticsearch_config.ts
Lines 132 to 136 in 129cf4f
```ts
if (es.username === 'elastic') {
  log(
    `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana" user instead.`
  );
}
```
kibana/x-pack/plugins/monitoring/server/config.ts
Lines 119 to 124 in 129cf4f
```ts
if (rawConfig === 'elastic') {
  return (
    'value of "elastic" is forbidden. This is a superuser account that can obfuscate ' +
    'privilege-related issues. You should use the "kibana" user instead.'
  );
}
```
kibana/x-pack/plugins/monitoring/server/deprecations.ts
Lines 60 to 64 in 129cf4f
```ts
if (es.username === 'elastic') {
  logger(
    `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana" user instead.`
  );
}
```
- Should we update this functional test assertion for the `kibana_system` user instead?
kibana/x-pack/test/functional/apps/security/users.js
Lines 28 to 29 in 129cf4f
```js
expect(users.kibana.roles).to.eql(['kibana_system']);
expect(users.kibana.reserved).to.be(true);
```
- This is really nitpicky, but do we want to change the wording from "`kibana user`" to "`Kibana user`" to differentiate the intent from the username itself? Or split this into two messages for the `kibana` and `kibana_system` users? 😛 I don't feel super strongly about it, just wanted to point it out in case you missed it.
kibana/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.tsx
Line 257 in 129cf4f
```tsx
defaultMessage="After you change the password for the kibana user, you must update the {kibana}
```
- I found a few more references to the deprecated `kibana` user:
Line 15 in 129cf4f
By default, this will also set the password for native realm accounts to the password provided (`changeme` by default). This includes that of the `kibana` user which `elasticsearch.username` defaults to in development. If you wish to specific a password for a given native realm account, you can do that like so: `--password.kibana=notsecure`
The password for the built-in `kibana` user is typically set as part of the
username: "kibana"
kibana/packages/kbn-es/src/utils/native_realm.test.js
Lines 191 to 209 in 129cf4f
```js
      kibana: {
        metadata: {
          _reserved: true,
        },
      },
      non_native: {
        metadata: {
          _reserved: false,
        },
      },
      logstash_system: {
        metadata: {
          _reserved: true,
        },
      },
    },
  }));
  expect(await nativeRealm.getReservedUsers()).toEqual(['kibana', 'logstash_system']);
```
There were a couple more in code comments, but those don't matter as much IMO.
metadata: { | ||
_reserved: true, | ||
_deprecated: true, | ||
_deprecated_reason: 'This user is not cool anymore.', |
😄
x-pack/plugins/security/public/management/users/edit_user/edit_user_page.tsx
export const getExtendedUserDeprecationNotice = (user: User) => { | ||
const reason = user.metadata?._deprecated_reason ?? ''; | ||
return i18n.translate('xpack.security.management.users.extendedUserDeprecationNotice', { | ||
defaultMessage: `The {username} user is deprecated. {reason}`, |
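Review bot: In `getExtendedUserDeprecationNotice`, `reason` falls back to `''` when `user.metadata?._deprecated_reason` is absent, so the default message `The {username} user is deprecated. {reason}` ends in a trailing space for any deprecated user that carries no reason. Consider appending the reason only when it is non-empty, or trimming the translated string, and add a test case for a deprecated user without `_deprecated_reason`.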
Perhaps this should change so it will be consistent with the reason?
defaultMessage: `The {username} user is deprecated. {reason}`, | |
defaultMessage: `The [{username}] user is deprecated. {reason}`, |
The current text is consistent with the deprecation message we display for roles today. Gail had actually requested that we remove the brackets from the reason when we did the role deprecations, but then that change would have been inconsistent with the rest of the messages in ES. Overall, I'm 🤷♂️ about it, I could go either way.
Given my beautiful backstory, which would you prefer? I'll defer to you 😄
LGTM for `config/kibana.yml` changes
@jportner thanks for the review! I'm not sure how my search missed those other references, so good looking out 🥇
Sorry, I could have been clearer in my last comment, a couple more suggestions!
Operations changes to kbn-es LGTM
Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>
…ort-deprecated-users
@elasticmachine merge upstream
@elasticmachine merge upstream
@jportner ready for another look whenever you get a chance
LGTM
Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>
@elasticmachine merge upstream
💚 Build Succeeded History
To update your PR or re-run it, just comment with:
This updates the User Grid page and Edit User page to warn about deprecated users. Support for deprecated users was added to Elasticsearch in elastic/elasticsearch#54967, and is used to denote that the `kibana` user is deprecated in favor of the `kibana_system` user.

Companion PRs:
elastic/stack-docs#991
elastic/elasticsearch#54967
Resolves #25879
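
An added example, not code from this PR or from Kibana: a small audit an operator could run over a user listing to see whether the account Kibana is configured with is the `elastic` superuser or carries the deprecation metadata described above. The metadata field names (`_reserved`, `_deprecated`, `_deprecated_reason`) are the ones shown in this thread; the type, the function names and the sample data are hypothetical and constructed for illustration.

```typescript
// Hypothetical types and helpers; only the metadata keys come from the PR.
interface EsUser {
  username: string;
  metadata?: {
    _reserved?: boolean;
    _deprecated?: boolean;
    _deprecated_reason?: string;
  };
}

// Build the notice text, leaving no dangling space when no reason is set.
function deprecationNotice(user: EsUser): string | undefined {
  if (user.metadata?._deprecated !== true) return undefined;
  const reason = (user.metadata?._deprecated_reason ?? '').trim();
  const base = `The ${user.username} user is deprecated.`;
  return reason ? `${base} ${reason}` : base;
}

// Audit the account name found in elasticsearch.username against the listing.
function auditServiceAccount(configuredUsername: string, users: EsUser[]): string[] {
  const findings: string[] = [];
  if (configuredUsername === 'elastic') {
    findings.push('"elastic" is a superuser account; use "kibana_system" instead.');
  }
  const match = users.find((u) => u.username === configuredUsername);
  if (!match) {
    findings.push(`No user named "${configuredUsername}" was returned by the cluster.`);
    return findings;
  }
  const notice = deprecationNotice(match);
  if (notice) findings.push(notice);
  return findings;
}

// Constructed sample listing (the reason string is made up for this example).
const sampleUsers: EsUser[] = [
  {
    username: 'kibana',
    metadata: {
      _reserved: true,
      _deprecated: true,
      _deprecated_reason: 'Please use the [kibana_system] user instead.',
    },
  },
  { username: 'kibana_system', metadata: { _reserved: true } },
  { username: 'elastic', metadata: { _reserved: true } },
  { username: 'legacy_svc', metadata: { _deprecated: true } },
];

const sampleFindings: string[] = auditServiceAccount('kibana', sampleUsers);
```

With the sample data, `kibana` yields one deprecation finding, `kibana_system` yields none, and `elastic` yields the superuser finding.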