Deprecate kibana user in favor of kibana_system user

docs/user/security/securing-kibana.asciidoc

@@ -38,7 +38,7 @@ elasticsearch.password: "kibanapassword"
 The {kib} server submits requests as this user to access the cluster monitoring
 APIs and the `.kibana` index. The server does _not_ need access to user indices.
 
-The password for the built-in `kibana` user is typically set as part of the
+The password for the built-in `kibana_system` user is typically set as part of the
 {security} configuration process on {es}. For more information, see
 {ref}/built-in-users.html[Built-in users].
 --

packages/kbn-es/src/utils/native_realm.test.js

@@ -109,7 +109,7 @@ describe('setPasswords', () => {
 
     mockClient.security.getUser.mockImplementation(() => ({
       body: {
-        kibana: {
+        kibana_system: {
           metadata: {
             _reserved: true,
           },
@@ -138,7 +138,7 @@ describe('setPasswords', () => {
     }));
 
     await nativeRealm.setPasswords({
-      'password.kibana': 'bar',
+      'password.kibana_system': 'bar',
     });
 
     expect(mockClient.security.changePassword.mock.calls).toMatchInlineSnapshot(`
@@ -149,7 +149,7 @@ Array [
         "password": "bar",
       },
       "refresh": "wait_for",
-      "username": "kibana",
+      "username": "kibana_system",
     },
   ],
   Array [
@@ -188,7 +188,7 @@ describe('getReservedUsers', () => {
   it('returns array of reserved usernames', async () => {
     mockClient.security.getUser.mockImplementation(() => ({
       body: {
-        kibana: {
+        kibana_system: {
           metadata: {
             _reserved: true,
           },
@@ -206,17 +206,17 @@ describe('getReservedUsers', () => {
       },
     }));
 
-    expect(await nativeRealm.getReservedUsers()).toEqual(['kibana', 'logstash_system']);
+    expect(await nativeRealm.getReservedUsers()).toEqual(['kibana_system', 'logstash_system']);
   });
 });
 
 describe('setPassword', () => {
   it('sets password for provided user', async () => {
-    await nativeRealm.setPassword('kibana', 'foo');
+    await nativeRealm.setPassword('kibana_system', 'foo');
     expect(mockClient.security.changePassword).toHaveBeenCalledWith({
       body: { password: 'foo' },
       refresh: 'wait_for',
-      username: 'kibana',
+      username: 'kibana_system',
     });
   });
 
@@ -226,7 +226,7 @@ describe('setPassword', () => {
     });
 
     await expect(
-      nativeRealm.setPassword('kibana', 'foo')
+      nativeRealm.setPassword('kibana_system', 'foo')
     ).rejects.toThrowErrorMatchingInlineSnapshot(`"SomeError"`);
   });
 });

src/core/server/elasticsearch/elasticsearch_config.ts

@@ -55,7 +55,7 @@ export const configSchema = schema.object({
           if (rawConfig === 'elastic') {
             return (
               'value of "elastic" is forbidden. This is a superuser account that can obfuscate ' +
-              'privilege-related issues. You should use the "kibana" user instead.'
+              'privilege-related issues. You should use the "kibana_system" user instead.'
             );
           }
         },
@@ -131,7 +131,7 @@ const deprecations: ConfigDeprecationProvider = () => [
     }
     if (es.username === 'elastic') {
       log(
-        `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana" user instead.`
+        `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana_system" user instead.`
       );
     }
     if (es.ssl?.key !== undefined && es.ssl?.certificate === undefined) {

x-pack/README.md

@@ -12,7 +12,7 @@ Elasticsearch will run with a basic license. To run with a trial license, includ
 
 Example: `yarn es snapshot --license trial --password changeme`
 
-By default, this will also set the password for native realm accounts to the password provided (`changeme` by default). This includes that of the `kibana` user which `elasticsearch.username` defaults to in development. If you wish to specific a password for a given native realm account, you can do that like so: `--password.kibana=notsecure`
+By default, this will also set the password for native realm accounts to the password provided (`changeme` by default). This includes that of the `kibana_system` user which `elasticsearch.username` defaults to in development. If you wish to specific a password for a given native realm account, you can do that like so: `--password.kibana=notsecure`
 
 # Testing
 ## Running specific tests

x-pack/legacy/plugins/monitoring/README.md

@@ -74,7 +74,7 @@ cluster.
   % cat config/kibana.dev.yml
   monitoring.ui.elasticsearch:
     hosts: "http://localhost:9210"
-    username: "kibana"
+    username: "kibana_system"
     password: "changeme"
   ```
 

x-pack/plugins/monitoring/server/config.ts

@@ -119,7 +119,7 @@ export const configSchema = schema.object({
               if (rawConfig === 'elastic') {
                 return (
                   'value of "elastic" is forbidden. This is a superuser account that can obfuscate ' +
-                  'privilege-related issues. You should use the "kibana" user instead.'
+                  'privilege-related issues. You should use the "kibana_system" user instead.'
                 );
               }
             },

x-pack/plugins/monitoring/server/deprecations.ts

@@ -59,7 +59,7 @@ export const deprecations = ({
       if (es) {
         if (es.username === 'elastic') {
           logger(
-            `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana" user instead.`
+            `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana_system" user instead.`
           );
         }
       }

x-pack/plugins/security/public/management/users/edit_user/edit_user_page.tsx

@@ -35,7 +35,7 @@ import { RolesAPIClient } from '../../roles';
 import { ConfirmDeleteUsers, ChangePasswordForm } from '../components';
 import { UserValidator, UserValidationResult } from './validate_user';
 import { RoleComboBox } from '../../role_combo_box';
-import { isUserDeprecated, getExtendedUserDeprecationNotice } from '../user_utils';
+import { isUserDeprecated, getExtendedUserDeprecationNotice, isUserReserved } from '../user_utils';
 import { UserAPIClient } from '..';
 
 interface Props {
@@ -255,9 +255,9 @@ export class EditUserPage extends Component<Props, State> {
               <p>
                 <FormattedMessage
                   id="xpack.security.management.users.editUser.changePasswordUpdateKibanaTitle"
-                  defaultMessage="After you change the password for the kibana user, you must update the {kibana}
+                  defaultMessage="After you change the password for the {username} user, you must update the {kibana}
                   file and restart Kibana."
-                  values={{ kibana: 'kibana.yml' }}
+                  values={{ kibana: 'kibana.yml', username: user.username }}
                 />
               </p>
             </EuiCallOut>
@@ -370,7 +370,7 @@ export class EditUserPage extends Component<Props, State> {
       isNewUser,
       showDeleteConfirmation,
     } = this.state;
-    const reserved = user.metadata && user.metadata._reserved;
+    const reserved = isUserReserved(user);
     if (!user || !roles) {
       return null;
     }
@@ -439,11 +439,11 @@ export class EditUserPage extends Component<Props, State> {
               </Fragment>
             )}
 
-            {isUserDeprecated(this.state.user) && (
+            {isUserDeprecated(user) && (
               <Fragment>
                 <EuiCallOut
                   data-test-subj="deprecatedUserWarning"
-                  title={getExtendedUserDeprecationNotice(this.state.user)}
+                  title={getExtendedUserDeprecationNotice(user)}
                   color="warning"
                   iconType="alert"
                   size="s"

x-pack/test/functional/apps/security/users.js

@@ -18,15 +18,22 @@ export default function({ getService, getPageObjects }) {
       await PageObjects.security.clickElasticsearchUsers();
     });
 
-    it('should show the default elastic and kibana users', async function() {
+    it('should show the default elastic and kibana_system users', async function() {
       const users = indexBy(await PageObjects.security.getElasticsearchUsers(), 'username');
       log.info('actualUsers = %j', users);
       log.info('config = %j', config.get('servers.elasticsearch.hostname'));
       if (config.get('servers.elasticsearch.hostname') === 'localhost') {
         expect(users.elastic.roles).to.eql(['superuser']);
         expect(users.elastic.reserved).to.be(true);
+        expect(users.elastic.deprecated).to.be(false);
+
+        expect(users.kibana_system.roles).to.eql(['kibana_system']);
+        expect(users.kibana_system.reserved).to.be(true);
+        expect(users.kibana_system.deprecated).to.be(false);
+
         expect(users.kibana.roles).to.eql(['kibana_system']);
         expect(users.kibana.reserved).to.be(true);
+        expect(users.kibana.deprecated).to.be(true);
       } else {
         expect(users.anonymous.roles).to.eql(['anonymous']);
         expect(users.anonymous.reserved).to.be(true);

x-pack/test/functional/page_objects/security_page.js

@@ -235,13 +235,15 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
         const rolesElement = await user.findByTestSubject('userRowRoles');
         // findAll is substantially faster than `find.descendantExistsByCssSelector for negative cases
         const isUserReserved = (await user.findAllByTestSubject('userReserved', 1)).length > 0;
+        const isUserDeprecated = (await user.findAllByTestSubject('userDeprecated', 1)).length > 0;
 
         return {
           username: await usernameElement.getVisibleText(),
           fullname: await fullnameElement.getVisibleText(),
           email: await emailElement.getVisibleText(),
           roles: (await rolesElement.getVisibleText()).split('\n').map(role => role.trim()),
           reserved: isUserReserved,
+          deprecated: isUserDeprecated,
         };
       });
     }