From 6a6deef1515676aaa41cbcf6a4c78bc6d171c053 Mon Sep 17 00:00:00 2001 From: Larry Gregory Date: Tue, 5 May 2020 11:36:40 -0400 Subject: [PATCH] Deprecate kibana user in favor of kibana_system user (#63186) --- config/kibana.yml | 2 +- docs/user/security/securing-kibana.asciidoc | 4 +- .../kbn-es/src/utils/native_realm.test.js | 16 +++--- src/cli/serve/serve.js | 2 +- .../elasticsearch_config.test.ts.snap | 2 +- .../elasticsearch_config.test.ts | 13 ++++- .../elasticsearch/elasticsearch_config.ts | 8 ++- x-pack/README.md | 2 +- x-pack/legacy/plugins/monitoring/README.md | 2 +- .../server/__tests__/deprecations.js | 10 +++- x-pack/plugins/monitoring/server/config.ts | 2 +- .../plugins/monitoring/server/deprecations.ts | 6 ++- x-pack/plugins/security/common/model/user.ts | 2 + .../users/edit_user/edit_user_page.test.tsx | 30 +++++++++++ .../users/edit_user/edit_user_page.tsx | 41 +++++++++----- .../management/users/user_utils.test.ts | 53 +++++++++++++++++++ .../public/management/users/user_utils.ts | 14 +++++ .../users/users_grid/users_grid_page.test.tsx | 32 +++++++++++ .../users/users_grid/users_grid_page.tsx | 15 ++++-- .../translations/translations/ja-JP.json | 1 - .../translations/translations/zh-CN.json | 1 - x-pack/test/functional/apps/security/users.js | 9 +++- .../functional/page_objects/security_page.js | 2 + 23 files changed, 229 insertions(+), 40 deletions(-) create mode 100644 x-pack/plugins/security/public/management/users/user_utils.test.ts diff --git a/config/kibana.yml b/config/kibana.yml index 0780841ca057ed..8725888159506e 100644 --- a/config/kibana.yml +++ b/config/kibana.yml @@ -40,7 +40,7 @@ # the username and password that the Kibana server uses to perform maintenance on the Kibana # index at startup. Your Kibana users still need to authenticate with Elasticsearch, which # is proxied through the Kibana server. -#elasticsearch.username: "kibana" +#elasticsearch.username: "kibana_system" #elasticsearch.password: "pass" # Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively. diff --git a/docs/user/security/securing-kibana.asciidoc b/docs/user/security/securing-kibana.asciidoc index 24aacd6a476261..f4178bacb111e8 100644 --- a/docs/user/security/securing-kibana.asciidoc +++ b/docs/user/security/securing-kibana.asciidoc @@ -31,14 +31,14 @@ file: [source,yaml] ----------------------------------------------- -elasticsearch.username: "kibana" +elasticsearch.username: "kibana_system" elasticsearch.password: "kibanapassword" ----------------------------------------------- The {kib} server submits requests as this user to access the cluster monitoring APIs and the `.kibana` index. The server does _not_ need access to user indices. -The password for the built-in `kibana` user is typically set as part of the +The password for the built-in `kibana_system` user is typically set as part of the {security} configuration process on {es}. For more information, see {ref}/built-in-users.html[Built-in users]. -- diff --git a/packages/kbn-es/src/utils/native_realm.test.js b/packages/kbn-es/src/utils/native_realm.test.js index 99c7ed1623014c..54732f7136fcca 100644 --- a/packages/kbn-es/src/utils/native_realm.test.js +++ b/packages/kbn-es/src/utils/native_realm.test.js @@ -109,7 +109,7 @@ describe('setPasswords', () => { mockClient.security.getUser.mockImplementation(() => ({ body: { - kibana: { + kibana_system: { metadata: { _reserved: true, }, @@ -138,7 +138,7 @@ describe('setPasswords', () => { })); await nativeRealm.setPasswords({ - 'password.kibana': 'bar', + 'password.kibana_system': 'bar', }); expect(mockClient.security.changePassword.mock.calls).toMatchInlineSnapshot(` @@ -149,7 +149,7 @@ Array [ "password": "bar", }, "refresh": "wait_for", - "username": "kibana", + "username": "kibana_system", }, ], Array [ @@ -188,7 +188,7 @@ describe('getReservedUsers', () => { it('returns array of reserved usernames', async () => { mockClient.security.getUser.mockImplementation(() => ({ body: { - kibana: { + kibana_system: { metadata: { _reserved: true, }, @@ -206,17 +206,17 @@ describe('getReservedUsers', () => { }, })); - expect(await nativeRealm.getReservedUsers()).toEqual(['kibana', 'logstash_system']); + expect(await nativeRealm.getReservedUsers()).toEqual(['kibana_system', 'logstash_system']); }); }); describe('setPassword', () => { it('sets password for provided user', async () => { - await nativeRealm.setPassword('kibana', 'foo'); + await nativeRealm.setPassword('kibana_system', 'foo'); expect(mockClient.security.changePassword).toHaveBeenCalledWith({ body: { password: 'foo' }, refresh: 'wait_for', - username: 'kibana', + username: 'kibana_system', }); }); @@ -226,7 +226,7 @@ describe('setPassword', () => { }); await expect( - nativeRealm.setPassword('kibana', 'foo') + nativeRealm.setPassword('kibana_system', 'foo') ).rejects.toThrowErrorMatchingInlineSnapshot(`"SomeError"`); }); }); diff --git a/src/cli/serve/serve.js b/src/cli/serve/serve.js index 29d0fe16ee126a..471939121143a1 100644 --- a/src/cli/serve/serve.js +++ b/src/cli/serve/serve.js @@ -79,7 +79,7 @@ function applyConfigOverrides(rawConfig, opts, extraCliOptions) { set('optimize.watch', true); if (!has('elasticsearch.username')) { - set('elasticsearch.username', 'kibana'); + set('elasticsearch.username', 'kibana_system'); } if (!has('elasticsearch.password')) { diff --git a/src/core/server/elasticsearch/__snapshots__/elasticsearch_config.test.ts.snap b/src/core/server/elasticsearch/__snapshots__/elasticsearch_config.test.ts.snap index e81336c8863f56..75627f311d9a58 100644 --- a/src/core/server/elasticsearch/__snapshots__/elasticsearch_config.test.ts.snap +++ b/src/core/server/elasticsearch/__snapshots__/elasticsearch_config.test.ts.snap @@ -1,3 +1,3 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP -exports[`#username throws if equal to "elastic", only while running from source 1`] = `"[username]: value of \\"elastic\\" is forbidden. This is a superuser account that can obfuscate privilege-related issues. You should use the \\"kibana\\" user instead."`; +exports[`#username throws if equal to "elastic", only while running from source 1`] = `"[username]: value of \\"elastic\\" is forbidden. This is a superuser account that can obfuscate privilege-related issues. You should use the \\"kibana_system\\" user instead."`; diff --git a/src/core/server/elasticsearch/elasticsearch_config.test.ts b/src/core/server/elasticsearch/elasticsearch_config.test.ts index de3f57298f461f..cb4501a51e849d 100644 --- a/src/core/server/elasticsearch/elasticsearch_config.test.ts +++ b/src/core/server/elasticsearch/elasticsearch_config.test.ts @@ -315,12 +315,21 @@ describe('deprecations', () => { const { messages } = applyElasticsearchDeprecations({ username: 'elastic' }); expect(messages).toMatchInlineSnapshot(` Array [ - "Setting [${CONFIG_PATH}.username] to \\"elastic\\" is deprecated. You should use the \\"kibana\\" user instead.", + "Setting [${CONFIG_PATH}.username] to \\"elastic\\" is deprecated. You should use the \\"kibana_system\\" user instead.", ] `); }); - it('does not log a warning if elasticsearch.username is set to something besides "elastic"', () => { + it('logs a warning if elasticsearch.username is set to "kibana"', () => { + const { messages } = applyElasticsearchDeprecations({ username: 'kibana' }); + expect(messages).toMatchInlineSnapshot(` + Array [ + "Setting [${CONFIG_PATH}.username] to \\"kibana\\" is deprecated. You should use the \\"kibana_system\\" user instead.", + ] + `); + }); + + it('does not log a warning if elasticsearch.username is set to something besides "elastic" or "kibana"', () => { const { messages } = applyElasticsearchDeprecations({ username: 'otheruser' }); expect(messages).toHaveLength(0); }); diff --git a/src/core/server/elasticsearch/elasticsearch_config.ts b/src/core/server/elasticsearch/elasticsearch_config.ts index d3012e361b3ed0..c87c94bcd0b6af 100644 --- a/src/core/server/elasticsearch/elasticsearch_config.ts +++ b/src/core/server/elasticsearch/elasticsearch_config.ts @@ -55,7 +55,7 @@ export const configSchema = schema.object({ if (rawConfig === 'elastic') { return ( 'value of "elastic" is forbidden. This is a superuser account that can obfuscate ' + - 'privilege-related issues. You should use the "kibana" user instead.' + 'privilege-related issues. You should use the "kibana_system" user instead.' ); } }, @@ -131,7 +131,11 @@ const deprecations: ConfigDeprecationProvider = () => [ } if (es.username === 'elastic') { log( - `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana" user instead.` + `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana_system" user instead.` + ); + } else if (es.username === 'kibana') { + log( + `Setting [${fromPath}.username] to "kibana" is deprecated. You should use the "kibana_system" user instead.` ); } if (es.ssl?.key !== undefined && es.ssl?.certificate === undefined) { diff --git a/x-pack/README.md b/x-pack/README.md index 42e54aa2f50f9b..744d97ca02c75e 100644 --- a/x-pack/README.md +++ b/x-pack/README.md @@ -12,7 +12,7 @@ Elasticsearch will run with a basic license. To run with a trial license, includ Example: `yarn es snapshot --license trial --password changeme` -By default, this will also set the password for native realm accounts to the password provided (`changeme` by default). This includes that of the `kibana` user which `elasticsearch.username` defaults to in development. If you wish to specific a password for a given native realm account, you can do that like so: `--password.kibana=notsecure` +By default, this will also set the password for native realm accounts to the password provided (`changeme` by default). This includes that of the `kibana_system` user which `elasticsearch.username` defaults to in development. If you wish to specify a password for a given native realm account, you can do that like so: `--password.kibana_system=notsecure` # Testing ## Running specific tests diff --git a/x-pack/legacy/plugins/monitoring/README.md b/x-pack/legacy/plugins/monitoring/README.md index e9ececa8c63503..0222f06e7ae91a 100644 --- a/x-pack/legacy/plugins/monitoring/README.md +++ b/x-pack/legacy/plugins/monitoring/README.md @@ -74,7 +74,7 @@ cluster. % cat config/kibana.dev.yml monitoring.ui.elasticsearch: hosts: "http://localhost:9210" - username: "kibana" + username: "kibana_system" password: "changeme" ``` diff --git a/x-pack/plugins/monitoring/server/__tests__/deprecations.js b/x-pack/plugins/monitoring/server/__tests__/deprecations.js index aa8008346af85e..5fc5debfa139ef 100644 --- a/x-pack/plugins/monitoring/server/__tests__/deprecations.js +++ b/x-pack/plugins/monitoring/server/__tests__/deprecations.js @@ -92,7 +92,15 @@ describe('monitoring plugin deprecations', function() { expect(log.called).to.be(true); }); - it('does not log a warning if elasticsearch.username is set to something besides "elastic"', () => { + it('logs a warning if elasticsearch.username is set to "kibana"', () => { + const settings = { elasticsearch: { username: 'kibana' } }; + + const log = sinon.spy(); + transformDeprecations(settings, fromPath, log); + expect(log.called).to.be(true); + }); + + it('does not log a warning if elasticsearch.username is set to something besides "elastic" or "kibana"', () => { const settings = { elasticsearch: { username: 'otheruser' } }; const log = sinon.spy(); diff --git a/x-pack/plugins/monitoring/server/config.ts b/x-pack/plugins/monitoring/server/config.ts index 6e5092a1127447..ad5bf950901868 100644 --- a/x-pack/plugins/monitoring/server/config.ts +++ b/x-pack/plugins/monitoring/server/config.ts @@ -119,7 +119,7 @@ export const configSchema = schema.object({ if (rawConfig === 'elastic') { return ( 'value of "elastic" is forbidden. This is a superuser account that can obfuscate ' + - 'privilege-related issues. You should use the "kibana" user instead.' + 'privilege-related issues. You should use the "kibana_system" user instead.' ); } }, diff --git a/x-pack/plugins/monitoring/server/deprecations.ts b/x-pack/plugins/monitoring/server/deprecations.ts index 3a3ec6ac799d20..d40837885e1983 100644 --- a/x-pack/plugins/monitoring/server/deprecations.ts +++ b/x-pack/plugins/monitoring/server/deprecations.ts @@ -59,7 +59,11 @@ export const deprecations = ({ if (es) { if (es.username === 'elastic') { logger( - `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana" user instead.` + `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana_system" user instead.` + ); + } else if (es.username === 'kibana') { + logger( + `Setting [${fromPath}.username] to "kibana" is deprecated. You should use the "kibana_system" user instead.` ); } } diff --git a/x-pack/plugins/security/common/model/user.ts b/x-pack/plugins/security/common/model/user.ts index e1bae2fc44e584..5c852e7a8f03d4 100644 --- a/x-pack/plugins/security/common/model/user.ts +++ b/x-pack/plugins/security/common/model/user.ts @@ -12,6 +12,8 @@ export interface User { enabled: boolean; metadata?: { _reserved: boolean; + _deprecated?: boolean; + _deprecated_reason?: string; }; } diff --git a/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.test.tsx b/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.test.tsx index be7517ff892b58..a97781ba25ea6a 100644 --- a/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.test.tsx +++ b/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.test.tsx @@ -32,6 +32,14 @@ const createUser = (username: string, roles = ['idk', 'something']) => { }; } + if (username === 'deprecated_user') { + user.metadata = { + _reserved: true, + _deprecated: true, + _deprecated_reason: 'beacuse I said so.', + }; + } + return user; }; @@ -162,6 +170,28 @@ describe('EditUserPage', () => { expectSaveButton(wrapper); }); + it('warns when viewing a depreciated user', async () => { + const user = createUser('deprecated_user'); + const { apiClient, rolesAPIClient } = buildClients(user); + const securitySetup = buildSecuritySetup(); + + const wrapper = mountWithIntl( + + ); + + await waitForRender(wrapper); + expect(apiClient.getUser).toBeCalledTimes(1); + expect(securitySetup.authc.getCurrentUser).toBeCalledTimes(1); + + expect(findTestSubject(wrapper, 'deprecatedUserWarning')).toHaveLength(1); + }); + it('warns when user is assigned a deprecated role', async () => { const user = createUser('existing_user', ['deprecated-role']); const { apiClient, rolesAPIClient } = buildClients(user); diff --git a/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.tsx b/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.tsx index 1c8130029bb501..7172ff178eb6bb 100644 --- a/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.tsx +++ b/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.tsx @@ -38,6 +38,7 @@ import { RolesAPIClient } from '../../roles'; import { ConfirmDeleteUsers, ChangePasswordForm } from '../components'; import { UserValidator, UserValidationResult } from './validate_user'; import { RoleComboBox } from '../../role_combo_box'; +import { isUserDeprecated, getExtendedUserDeprecationNotice, isUserReserved } from '../user_utils'; import { UserAPIClient } from '..'; interface Props { @@ -244,7 +245,7 @@ export class EditUserPage extends Component { return ( - {user.username === 'kibana' ? ( + {user.username === 'kibana' || user.username === 'kibana_system' ? ( {

@@ -372,7 +373,7 @@ export class EditUserPage extends Component { isNewUser, showDeleteConfirmation, } = this.state; - const reserved = user.metadata && user.metadata._reserved; + const reserved = isUserReserved(user); if (!user || !roles) { return null; } @@ -427,15 +428,31 @@ export class EditUserPage extends Component { {reserved && ( - -

- +

+ -

- + /> +

+ + + + )} + + {isUserDeprecated(user) && ( + + + + )} {showDeleteConfirmation ? ( diff --git a/x-pack/plugins/security/public/management/users/user_utils.test.ts b/x-pack/plugins/security/public/management/users/user_utils.test.ts new file mode 100644 index 00000000000000..572b94ab080375 --- /dev/null +++ b/x-pack/plugins/security/public/management/users/user_utils.test.ts @@ -0,0 +1,53 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { User } from '../../../common/model'; +import { isUserReserved, isUserDeprecated, getExtendedUserDeprecationNotice } from './user_utils'; + +describe('#isUserReserved', () => { + it('returns false for a user with no metadata', () => { + expect(isUserReserved({} as User)).toEqual(false); + }); + + it('returns false for a user with the reserved flag set to false', () => { + expect(isUserReserved({ metadata: { _reserved: false } } as User)).toEqual(false); + }); + + it('returns true for a user with the reserved flag set to true', () => { + expect(isUserReserved({ metadata: { _reserved: true } } as User)).toEqual(true); + }); +}); + +describe('#isUserDeprecated', () => { + it('returns false for a user with no metadata', () => { + expect(isUserDeprecated({} as User)).toEqual(false); + }); + + it('returns false for a user with the deprecated flag set to false', () => { + expect(isUserDeprecated({ metadata: { _deprecated: false } } as User)).toEqual(false); + }); + + it('returns true for a user with the deprecated flag set to true', () => { + expect(isUserDeprecated({ metadata: { _deprecated: true } } as User)).toEqual(true); + }); +}); + +describe('#getExtendedUserDeprecationNotice', () => { + it('returns a notice when no reason is provided', () => { + expect( + getExtendedUserDeprecationNotice({ username: 'test_user' } as User) + ).toMatchInlineSnapshot(`"The test_user user is deprecated. "`); + }); + + it('returns a notice augmented with reason when provided', () => { + expect( + getExtendedUserDeprecationNotice({ + username: 'test_user', + metadata: { _reserved: true, _deprecated_reason: 'some reason' }, + } as User) + ).toMatchInlineSnapshot(`"The test_user user is deprecated. some reason"`); + }); +}); diff --git a/x-pack/plugins/security/public/management/users/user_utils.ts b/x-pack/plugins/security/public/management/users/user_utils.ts index f46f6f897e23b3..211aad904d4665 100644 --- a/x-pack/plugins/security/public/management/users/user_utils.ts +++ b/x-pack/plugins/security/public/management/users/user_utils.ts @@ -4,6 +4,20 @@ * you may not use this file except in compliance with the Elastic License. */ +import { i18n } from '@kbn/i18n'; import { User } from '../../../common/model'; export const isUserReserved = (user: User) => user.metadata?._reserved ?? false; + +export const isUserDeprecated = (user: User) => user.metadata?._deprecated ?? false; + +export const getExtendedUserDeprecationNotice = (user: User) => { + const reason = user.metadata?._deprecated_reason ?? ''; + return i18n.translate('xpack.security.management.users.extendedUserDeprecationNotice', { + defaultMessage: `The {username} user is deprecated. {reason}`, + values: { + username: user.username, + reason, + }, + }); +}; diff --git a/x-pack/plugins/security/public/management/users/users_grid/users_grid_page.test.tsx b/x-pack/plugins/security/public/management/users/users_grid/users_grid_page.test.tsx index 031b67d5d9122e..d3b85b83ff6a41 100644 --- a/x-pack/plugins/security/public/management/users/users_grid/users_grid_page.test.tsx +++ b/x-pack/plugins/security/public/management/users/users_grid/users_grid_page.test.tsx @@ -102,6 +102,38 @@ describe('UsersGridPage', () => { expect(findTestSubject(wrapper, 'userDisabled')).toHaveLength(1); }); + it('renders deprecated users', async () => { + const apiClientMock = userAPIClientMock.create(); + apiClientMock.getUsers.mockImplementation(() => { + return Promise.resolve([ + { + username: 'foo', + email: 'foo@bar.net', + full_name: 'foo bar', + roles: ['kibana_user'], + enabled: true, + metadata: { + _reserved: true, + _deprecated: true, + _deprecated_reason: 'This user is not cool anymore.', + }, + }, + ]); + }); + + const wrapper = mountWithIntl( + + ); + + await waitForRender(wrapper); + + expect(findTestSubject(wrapper, 'userDeprecated')).toHaveLength(1); + }); + it('renders a warning when a user is assigned a deprecated role', async () => { const apiClientMock = userAPIClientMock.create(); apiClientMock.getUsers.mockImplementation(() => { diff --git a/x-pack/plugins/security/public/management/users/users_grid/users_grid_page.tsx b/x-pack/plugins/security/public/management/users/users_grid/users_grid_page.tsx index 6837fcf430fe7b..f8882129772f70 100644 --- a/x-pack/plugins/security/public/management/users/users_grid/users_grid_page.tsx +++ b/x-pack/plugins/security/public/management/users/users_grid/users_grid_page.tsx @@ -26,8 +26,8 @@ import { FormattedMessage } from '@kbn/i18n/react'; import { NotificationsStart } from 'src/core/public'; import { User, Role } from '../../../../common/model'; import { ConfirmDeleteUsers } from '../components'; -import { isUserReserved } from '../user_utils'; -import { DisabledBadge, ReservedBadge } from '../../badges'; +import { isUserReserved, getExtendedUserDeprecationNotice, isUserDeprecated } from '../user_utils'; +import { DisabledBadge, ReservedBadge, DeprecatedBadge } from '../../badges'; import { RoleTableDisplay } from '../../role_table_display'; import { RolesAPIClient } from '../../roles'; import { UserAPIClient } from '..'; @@ -360,6 +360,7 @@ export class UsersGridPage extends Component { private getUserStatusBadges = (user: User) => { const enabled = user.enabled; const reserved = isUserReserved(user); + const deprecated = isUserDeprecated(user); const badges = []; if (!enabled) { @@ -378,9 +379,17 @@ export class UsersGridPage extends Component { /> ); } + if (deprecated) { + badges.push( + + ); + } return ( - + {badges.map((badge, index) => ( {badge} diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json index 23672658620442..710642b03e3298 100644 --- a/x-pack/plugins/translations/translations/ja-JP.json +++ b/x-pack/plugins/translations/translations/ja-JP.json @@ -12883,7 +12883,6 @@ "xpack.security.management.users.editUser.cancelButtonLabel": "キャンセル", "xpack.security.management.users.editUser.changePasswordButtonLabel": "パスワードを変更", "xpack.security.management.users.editUser.changePasswordExtraStepTitle": "追加ステップが必要です", - "xpack.security.management.users.editUser.changePasswordUpdateKibanaTitle": "Kibana ユーザーのパスワードを変更後、{kibana} ファイルを更新し Kibana を再起動する必要があります。", "xpack.security.management.users.editUser.changingUserNameAfterCreationDescription": "ユーザー名は作成後変更できません。", "xpack.security.management.users.editUser.confirmPasswordFormRowLabel": "パスワードの確認", "xpack.security.management.users.editUser.createUserButtonLabel": "ユーザーを作成", diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json index ab7710b81d479d..cf52ee6f3b515f 100644 --- a/x-pack/plugins/translations/translations/zh-CN.json +++ b/x-pack/plugins/translations/translations/zh-CN.json @@ -12890,7 +12890,6 @@ "xpack.security.management.users.editUser.cancelButtonLabel": "取消", "xpack.security.management.users.editUser.changePasswordButtonLabel": "更改密码", "xpack.security.management.users.editUser.changePasswordExtraStepTitle": "需要额外的步骤", - "xpack.security.management.users.editUser.changePasswordUpdateKibanaTitle": "更改 Kibana 用户的密码后,必须更新 {kibana} 文件并重新启动 Kibana。", "xpack.security.management.users.editUser.changingUserNameAfterCreationDescription": "用户名一经创建,将无法更改。", "xpack.security.management.users.editUser.confirmPasswordFormRowLabel": "确认密码", "xpack.security.management.users.editUser.createUserButtonLabel": "创建用户", diff --git a/x-pack/test/functional/apps/security/users.js b/x-pack/test/functional/apps/security/users.js index 04d59334a01c47..bfc6950faecc64 100644 --- a/x-pack/test/functional/apps/security/users.js +++ b/x-pack/test/functional/apps/security/users.js @@ -18,15 +18,22 @@ export default function({ getService, getPageObjects }) { await PageObjects.security.clickElasticsearchUsers(); }); - it('should show the default elastic and kibana users', async function() { + it('should show the default elastic and kibana_system users', async function() { const users = indexBy(await PageObjects.security.getElasticsearchUsers(), 'username'); log.info('actualUsers = %j', users); log.info('config = %j', config.get('servers.elasticsearch.hostname')); if (config.get('servers.elasticsearch.hostname') === 'localhost') { expect(users.elastic.roles).to.eql(['superuser']); expect(users.elastic.reserved).to.be(true); + expect(users.elastic.deprecated).to.be(false); + + expect(users.kibana_system.roles).to.eql(['kibana_system']); + expect(users.kibana_system.reserved).to.be(true); + expect(users.kibana_system.deprecated).to.be(false); + expect(users.kibana.roles).to.eql(['kibana_system']); expect(users.kibana.reserved).to.be(true); + expect(users.kibana.deprecated).to.be(true); } else { expect(users.anonymous.roles).to.eql(['anonymous']); expect(users.anonymous.reserved).to.be(true); diff --git a/x-pack/test/functional/page_objects/security_page.js b/x-pack/test/functional/page_objects/security_page.js index 84eb0cc378771c..08895de815b396 100644 --- a/x-pack/test/functional/page_objects/security_page.js +++ b/x-pack/test/functional/page_objects/security_page.js @@ -235,6 +235,7 @@ export function SecurityPageProvider({ getService, getPageObjects }) { const rolesElement = await user.findByTestSubject('userRowRoles'); // findAll is substantially faster than `find.descendantExistsByCssSelector for negative cases const isUserReserved = (await user.findAllByTestSubject('userReserved', 1)).length > 0; + const isUserDeprecated = (await user.findAllByTestSubject('userDeprecated', 1)).length > 0; return { username: await usernameElement.getVisibleText(), @@ -242,6 +243,7 @@ export function SecurityPageProvider({ getService, getPageObjects }) { email: await emailElement.getVisibleText(), roles: (await rolesElement.getVisibleText()).split('\n').map(role => role.trim()), reserved: isUserReserved, + deprecated: isUserDeprecated, }; }); }