Forbid using elasticsearch.username: elastic in production (#122722)

2025-04-24 17:59:23 -04:00 · 2022-01-12 09:23:09 -05:00 · 2022-01-12 09:23:09 -05:00 · 48efabead7
commit 48efabead7
parent 1d97c74e52
4 changed files with 16 additions and 36 deletions
--- a/src/core/server/core_usage_data/core_usage_data_service.test.ts
+++ b/src/core/server/core_usage_data/core_usage_data_service.test.ts
@ -435,10 +435,6 @@ describe('CoreUsageDataService', () => {
          );
        }

-        it('returns expected usage data for elastic.username "elastic"', async () => {
-          return doTest({ username: 'elastic', expectedPrincipal: 'elastic_user' });
-        });
-
        it('returns expected usage data for elastic.username "kibana"', async () => {
          return doTest({ username: 'kibana', expectedPrincipal: 'kibana_user' });
        });
--- a/src/core/server/core_usage_data/core_usage_data_service.ts
+++ b/src/core/server/core_usage_data/core_usage_data_service.ts
@ -530,7 +530,6 @@ function getEsPrincipalUsage({ username, serviceAccountToken }: ElasticsearchCon
  let value: CoreConfigUsageData['elasticsearch']['principal'] = 'unknown';
  if (isConfigured.string(username)) {
    switch (username) {
-      case 'elastic': // deprecated
      case 'kibana': // deprecated
      case 'kibana_system':
        value = `${username}_user` as const;
--- a/src/core/server/elasticsearch/elasticsearch_config.test.ts
+++ b/src/core/server/elasticsearch/elasticsearch_config.test.ts
@ -318,15 +318,6 @@ describe('throws when config is invalid', () => {
 });

 describe('deprecations', () => {
-  it('logs a warning if elasticsearch.username is set to "elastic"', () => {
-    const { messages } = applyElasticsearchDeprecations({ username: 'elastic' });
-    expect(messages).toMatchInlineSnapshot(`
-      Array [
-        "Kibana is configured to authenticate to Elasticsearch with the \\"elastic\\" user. Use a service account token instead.",
-      ]
-    `);
-  });
-
  it('logs a warning if elasticsearch.username is set to "kibana"', () => {
    const { messages } = applyElasticsearchDeprecations({ username: 'kibana' });
    expect(messages).toMatchInlineSnapshot(`
@ -370,19 +361,17 @@ describe('deprecations', () => {
  });
 });

-test('#username throws if equal to "elastic", only while running from source', () => {
+test('#username throws if equal to "elastic"', () => {
  const obj = {
    username: 'elastic',
  };
-  expect(() => config.schema.validate(obj, { dist: false })).toThrowErrorMatchingInlineSnapshot(
-    `"[username]: value of \\"elastic\\" is forbidden. This is a superuser account that can obfuscate privilege-related issues. You should use the \\"kibana_system\\" user instead."`
-  );
-  expect(() => config.schema.validate(obj, { dist: true })).not.toThrow();
+
+  expect(() => config.schema.validate(obj)).toThrow('[username]: value of "elastic" is forbidden');
 });

 test('serviceAccountToken throws if username is also set', () => {
  const obj = {
-    username: 'elastic',
+    username: 'kibana',
    serviceAccountToken: 'abc123',
  };

--- a/src/core/server/elasticsearch/elasticsearch_config.ts
+++ b/src/core/server/elasticsearch/elasticsearch_config.ts
@ -37,21 +37,17 @@ export const configSchema = schema.object({
    defaultValue: 'http://localhost:9200',
  }),
  username: schema.maybe(
-    schema.conditional(
-      schema.contextRef('dist'),
-      false,
-      schema.string({
-        validate: (rawConfig) => {
-          if (rawConfig === 'elastic') {
-            return (
-              'value of "elastic" is forbidden. This is a superuser account that can obfuscate ' +
-              'privilege-related issues. You should use the "kibana_system" user instead.'
-            );
-          }
-        },
-      }),
-      schema.string()
-    )
+    schema.string({
+      validate: (rawConfig) => {
+        if (rawConfig === 'elastic') {
+          return (
+            'value of "elastic" is forbidden. This is a superuser account that cannot write to system indices that Kibana needs to ' +
+            'function. Use a service account token instead. Learn more: ' +
+            'https://www.elastic.co/guide/en/elasticsearch/reference/8.0/service-accounts.html' // we don't have a way to pass a branch into the config schema; hardcoding this one link to the 8.0 docs is OK
+          );
+        }
+      },
+    })
  ),
  password: schema.maybe(schema.string()),
  serviceAccountToken: schema.maybe(
@ -178,7 +174,7 @@ const deprecations: ConfigDeprecationProvider = () => [
      return;
    }

-    if (es.username === 'elastic' || es.username === 'kibana') {
+    if (es.username === 'kibana') {
      const username = es.username;
      addDeprecation({
        configPath: `${fromPath}.username`,