FTR configurable test users (#52431)

* initial implementation of configurable test users * user superuser by default to match master * referenced the configs in reporting and api integration * setting the minimum number of default roles * looking for x-pack tests with users and roles * add testUserService in dashboard mode tests * running only ciGroup7 * uncommenting - addign visualization * re-enabling all CI groups to run on CI * reinstating Jenkinsfile * disable Test user for OIDC config * improved logging and added Roles for OSS tests to get better info on the runs. * disable test_user for auth tests * don't fetch enabledPlugins when testuser disabled * fix es-lint * running oss tests with x-pack enabled * [revertme] build default dist for oss tests * updating NOTICE.txt file as it complained in the kibana intake tests * changed to pick OSS builds * trying a license change to trial * switch back to xpack builds * created a new sample data role and used it in homepage tests * revert test/scripts/jenkins_ci_group.sh * only refresh browser and wait for chrome if we are already on Kibana page * fix large_string test to use minimum set of roles and privileges * fix for date nanos custom timestamp with a configured role * changes to the files with addition of new roles for the test_user * reverting to OSS changes and few additions to the time_zone test to run as a test_user * changes to security * changes to the x-pack test to use elastic superuser * fix for chart_types test * fixes to area chart , input control test * fix for dashboard filtering test and a new config role * changes to handle the x-pack tests * additional role for date nanos mixed * added the logstash role to the accessibility tests * removed telemetry setting * docs+few changes to the tests * removed Page navigation * removed pageNavigation which was unused * test/accessibility/apps/management.ts * update management.ts * aria label, and other changes * accidentally checked in a piped file with results. * accidentally checked in a piped file with results. * accidentally checked in a piped file with results. * accidentally checked in a piped file with results. * accidentally checked in a piped file with results. * accidentally checked in a piped file with results. * accidentally checked in a piped file with results. * accidentally checked in a piped file with results. * reverted * unloading of logstash data, fixing aria label * aria-label * added the required role * fix for tsvb chart * fix for sample data test reverted home_page pageobject file * changes to sample data test and visualize index file to incorporate OSS changes * changes to describe() and some more changes to incorporate in settings_page * re-adding the after() * removed unwanted roles * replaced kibana_user with kibana_admin * added the check of deprecated kibana_user * testing with kibana_admin role * fix for discover test * incorporated the review comments * incorporated the review comments * incorporate review comments and added restoreDefaults() * removed describe.only * reverted the OSS logic change I had here- pulled into seperate PR * incorporated the review comments * incorporated review changes * adding hidden=true to find hidden kibanaChrome * change field.test.tsx to be same as that of master branch Co-authored-by: spalger <spalger@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2025-04-23 09:19:04 -04:00 · 2020-03-17 10:41:23 -07:00 · 2020-03-17 10:41:23 -07:00 · 89f9260da2
commit 89f9260da2
parent 6b7731bb74
37 changed files with 433 additions and 36 deletions
--- a/docs/developer/core/development-functional-tests.asciidoc
+++ b/docs/developer/core/development-functional-tests.asciidoc
@ -178,6 +178,25 @@ To run tests on Firefox locally, use `config.firefox.js`:
 node scripts/functional_test_runner --config test/functional/config.firefox.js
 -----------

+[float]
+===== Using the test_user service
+
+Tests should run at the positive security boundry condition, meaning that they should be run with the mimimum privileges required (and documented) and not as the superuser.
+ This prevents the type of regression where additional privleges accidentally become required to perform the same action. 
+ 
+The functional UI tests now default to logging in with a user named `test_user` and the roles of this user can be changed dynamically without logging in and out.  
+
+In order to achieve this a new service was introduced called `createTestUserService` (see `test/common/services/security/test_user.ts`). The purpose of this test user service is to create roles defined in the test config files and setRoles() or restoreDefaults().
+
+An example of how to set the role like how its defined below:
+
+`await security.testUser.setRoles(['kibana_user', 'kibana_date_nanos']);`
+
+Here we are setting the `test_user` to have the `kibana_user` role and also role access to a specific data index (`kibana_date_nanos`).
+
+Tests should normally setRoles() in the before() and restoreDefaults() in the after().
+
+
 [float]
 ===== Anatomy of a test file

--- a/packages/kbn-test/src/functional_test_runner/lib/config/schema.ts
+++ b/packages/kbn-test/src/functional_test_runner/lib/config/schema.ts
@ -255,5 +255,20 @@ export const schema = Joi.object()
        fixedHeaderHeight: Joi.number().default(50),
      })
      .default(),
+
+    // settings for the security service if there is no defaultRole defined, then default to superuser role.
+    security: Joi.object()
+      .keys({
+        roles: Joi.object().default(),
+        defaultRoles: Joi.array()
+          .items(Joi.string())
+          .when('$primary', {
+            is: true,
+            then: Joi.array().min(1),
+          })
+          .default(['superuser']),
+        disableTestUser: Joi.boolean(),
+      })
+      .default(),
  })
  .default();
--- a/test/common/services/security/role.ts
+++ b/test/common/services/security/role.ts
@ -43,7 +43,6 @@ export class Role {
        `Expected status code of 204, received ${status} ${statusText}: ${util.inspect(data)}`
      );
    }
-    this.log.debug(`created role ${name}`);
  }

  public async delete(name: string) {
@ -56,6 +55,5 @@ export class Role {
        )}`
      );
    }
-    this.log.debug(`deleted role ${name}`);
  }
 }
--- a/test/common/services/security/security.ts
+++ b/test/common/services/security/security.ts
@ -23,15 +23,21 @@ import { Role } from './role';
 import { User } from './user';
 import { RoleMappings } from './role_mappings';
 import { FtrProviderContext } from '../../ftr_provider_context';
+import { createTestUserService } from './test_user';

-export function SecurityServiceProvider({ getService }: FtrProviderContext) {
+export async function SecurityServiceProvider(context: FtrProviderContext) {
+  const { getService } = context;
  const log = getService('log');
  const config = getService('config');
  const url = formatUrl(config.get('servers.kibana'));
+  const role = new Role(url, log);
+  const user = new User(url, log);
+  const testUser = await createTestUserService(role, user, context);

  return new (class SecurityService {
-    role = new Role(url, log);
    roleMappings = new RoleMappings(url, log);
-    user = new User(url, log);
+    testUser = testUser;
+    role = role;
+    user = user;
  })();
 }
--- a/test/common/services/security/test_user.ts
+++ b/test/common/services/security/test_user.ts
@ -0,0 +1,92 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { Role } from './role';
+import { User } from './user';
+import { FtrProviderContext } from '../../ftr_provider_context';
+import { Browser } from '../../../functional/services/browser';
+import { TestSubjects } from '../../../functional/services/test_subjects';
+
+export async function createTestUserService(
+  role: Role,
+  user: User,
+  { getService, hasService }: FtrProviderContext
+) {
+  const log = getService('log');
+  const config = getService('config');
+  // @ts-ignore browser service is not normally available in common.
+  const browser: Browser | void = hasService('browser') && getService('browser');
+  const testSubjects: TestSubjects | void =
+    // @ts-ignore testSubject service is not normally available in common.
+    hasService('testSubjects') && getService('testSubjects');
+  const kibanaServer = getService('kibanaServer');
+
+  const enabledPlugins = config.get('security.disableTestUser')
+    ? []
+    : await kibanaServer.plugins.getEnabledIds();
+  const isEnabled = () => {
+    return enabledPlugins.includes('security') && !config.get('security.disableTestUser');
+  };
+  if (isEnabled()) {
+    log.debug('===============creating roles and users===============');
+    for (const [name, definition] of Object.entries(config.get('security.roles'))) {
+      // create the defined roles (need to map array to create roles)
+      await role.create(name, definition);
+    }
+    try {
+      // delete the test_user if present (will it error if the user doesn't exist?)
+      await user.delete('test_user');
+    } catch (exception) {
+      log.debug('no test user to delete');
+    }
+
+    // create test_user with username and pwd
+    log.debug(`default roles = ${config.get('security.defaultRoles')}`);
+    await user.create('test_user', {
+      password: 'changeme',
+      roles: config.get('security.defaultRoles'),
+      full_name: 'test user',
+    });
+  }
+
+  return new (class TestUser {
+    async restoreDefaults() {
+      if (isEnabled()) {
+        await this.setRoles(config.get('security.defaultRoles'));
+      }
+    }
+
+    async setRoles(roles: string[]) {
+      if (isEnabled()) {
+        log.debug(`set roles = ${roles}`);
+        await user.create('test_user', {
+          password: 'changeme',
+          roles,
+          full_name: 'test user',
+        });
+
+        if (browser && testSubjects) {
+          if (await testSubjects.exists('kibanaChrome', { allowHidden: true })) {
+            await browser.refresh();
+            await testSubjects.find('kibanaChrome', config.get('timeouts.find') * 10);
+          }
+        }
+      }
+    }
+  })();
+}
--- a/test/functional/apps/context/_date_nanos.js
+++ b/test/functional/apps/context/_date_nanos.js
@ -26,11 +26,13 @@ const TEST_STEP_SIZE = 3;
 export default function({ getService, getPageObjects }) {
  const kibanaServer = getService('kibanaServer');
  const docTable = getService('docTable');
+  const security = getService('security');
  const PageObjects = getPageObjects(['common', 'context', 'timePicker', 'discover']);
  const esArchiver = getService('esArchiver');

  describe('context view for date_nanos', () => {
    before(async function() {
+      await security.testUser.setRoles(['kibana_admin', 'kibana_date_nanos']);
      await esArchiver.loadIfNeeded('date_nanos');
      await kibanaServer.uiSettings.replace({ defaultIndex: TEST_INDEX_PATTERN });
      await kibanaServer.uiSettings.update({
@ -39,8 +41,9 @@ export default function({ getService, getPageObjects }) {
      });
    });

-    after(function unloadMakelogs() {
-      return esArchiver.unload('date_nanos');
+    after(async function unloadMakelogs() {
+      await security.testUser.restoreDefaults();
+      await esArchiver.unload('date_nanos');
    });

    it('displays predessors - anchor - successors in right order ', async function() {
--- a/test/functional/apps/context/_date_nanos_custom_timestamp.js
+++ b/test/functional/apps/context/_date_nanos_custom_timestamp.js
@ -26,12 +26,14 @@ const TEST_STEP_SIZE = 3;
 export default function({ getService, getPageObjects }) {
  const kibanaServer = getService('kibanaServer');
  const docTable = getService('docTable');
+  const security = getService('security');
  const PageObjects = getPageObjects(['common', 'context', 'timePicker', 'discover']);
  const esArchiver = getService('esArchiver');
  // skipped due to a recent change in ES that caused search_after queries with data containing
  // custom timestamp formats like in the testdata to fail
  describe.skip('context view for date_nanos with custom timestamp', () => {
    before(async function() {
+      await security.testUser.setRoles(['kibana_admin', 'kibana_date_nanos_custom']);
      await esArchiver.loadIfNeeded('date_nanos_custom');
      await kibanaServer.uiSettings.replace({ defaultIndex: TEST_INDEX_PATTERN });
      await kibanaServer.uiSettings.update({
@ -40,10 +42,6 @@ export default function({ getService, getPageObjects }) {
      });
    });

-    after(function unloadMakelogs() {
-      return esArchiver.unload('date_nanos_custom');
-    });
-
    it('displays predessors - anchor - successors in right order ', async function() {
      await PageObjects.context.navigateTo(TEST_INDEX_PATTERN, '1');
      const actualRowsText = await docTable.getRowsText();
@ -54,5 +52,10 @@ export default function({ getService, getPageObjects }) {
      ];
      expect(actualRowsText).to.eql(expectedRowsText);
    });
+
+    after(async function() {
+      await security.testUser.restoreDefaults();
+      await esArchiver.unload('date_nanos_custom');
+    });
  });
 }
--- a/test/functional/apps/dashboard/dashboard_filtering.js
+++ b/test/functional/apps/dashboard/dashboard_filtering.js
@ -33,6 +33,7 @@ export default function({ getService, getPageObjects }) {
  const filterBar = getService('filterBar');
  const esArchiver = getService('esArchiver');
  const kibanaServer = getService('kibanaServer');
+  const security = getService('security');
  const dashboardPanelActions = getService('dashboardPanelActions');
  const PageObjects = getPageObjects(['common', 'dashboard', 'header', 'visualize', 'timePicker']);

@ -41,6 +42,7 @@ export default function({ getService, getPageObjects }) {

    before(async () => {
      await esArchiver.load('dashboard/current/kibana');
+      await security.testUser.setRoles(['kibana_admin', 'test_logstash_reader', 'animals']);
      await kibanaServer.uiSettings.replace({
        defaultIndex: '0bf35f60-3dc9-11e8-8660-4d65aa086b3c',
      });
@ -49,6 +51,10 @@ export default function({ getService, getPageObjects }) {
      await PageObjects.dashboard.gotoDashboardLandingPage();
    });

+    after(async () => {
+      await security.testUser.restoreDefaults();
+    });
+
    describe('adding a filter that excludes all data', () => {
      before(async () => {
        await PageObjects.dashboard.clickNewDashboard();
--- a/test/functional/apps/dashboard/index.js
+++ b/test/functional/apps/dashboard/index.js
@ -23,6 +23,7 @@ export default function({ getService, loadTestFile }) {

  async function loadCurrentData() {
    await browser.setWindowSize(1300, 900);
+    await esArchiver.unload('logstash_functional');
    await esArchiver.loadIfNeeded('dashboard/current/data');
  }

--- a/test/functional/apps/dashboard/time_zones.js
+++ b/test/functional/apps/dashboard/time_zones.js
@ -22,7 +22,6 @@ import expect from '@kbn/expect';

 export default function({ getService, getPageObjects }) {
  const pieChart = getService('pieChart');
-  const browser = getService('browser');
  const esArchiver = getService('esArchiver');
  const kibanaServer = getService('kibanaServer');
  const PageObjects = getPageObjects(['dashboard', 'timePicker', 'settings', 'common']);
@ -48,7 +47,6 @@ export default function({ getService, getPageObjects }) {

    after(async () => {
      await kibanaServer.uiSettings.replace({ 'dateFormat:tz': 'UTC' });
-      await browser.refresh();
    });

    it('Exported dashboard adjusts EST time to UTC', async () => {
--- a/test/functional/apps/discover/_date_nanos.js
+++ b/test/functional/apps/discover/_date_nanos.js
@ -23,6 +23,7 @@ export default function({ getService, getPageObjects }) {
  const esArchiver = getService('esArchiver');
  const PageObjects = getPageObjects(['common', 'timePicker', 'discover']);
  const kibanaServer = getService('kibanaServer');
+  const security = getService('security');
  const fromTime = 'Sep 22, 2019 @ 20:31:44.000';
  const toTime = 'Sep 23, 2019 @ 03:31:44.000';

@ -30,12 +31,14 @@ export default function({ getService, getPageObjects }) {
    before(async function() {
      await esArchiver.loadIfNeeded('date_nanos');
      await kibanaServer.uiSettings.replace({ defaultIndex: 'date-nanos' });
+      await security.testUser.setRoles(['kibana_admin', 'kibana_date_nanos']);
      await PageObjects.common.navigateToApp('discover');
      await PageObjects.timePicker.setAbsoluteRange(fromTime, toTime);
    });

-    after(function unloadMakelogs() {
-      return esArchiver.unload('date_nanos');
+    after(async function unloadMakelogs() {
+      await security.testUser.restoreDefaults();
+      await esArchiver.unload('date_nanos');
    });

    it('should show a timestamp with nanoseconds in the first result row', async function() {
--- a/test/functional/apps/discover/_date_nanos_mixed.js
+++ b/test/functional/apps/discover/_date_nanos_mixed.js
@ -23,6 +23,7 @@ export default function({ getService, getPageObjects }) {
  const esArchiver = getService('esArchiver');
  const PageObjects = getPageObjects(['common', 'timePicker', 'discover']);
  const kibanaServer = getService('kibanaServer');
+  const security = getService('security');
  const fromTime = 'Jan 1, 2019 @ 00:00:00.000';
  const toTime = 'Jan 1, 2019 @ 23:59:59.999';

@ -30,12 +31,14 @@ export default function({ getService, getPageObjects }) {
    before(async function() {
      await esArchiver.loadIfNeeded('date_nanos_mixed');
      await kibanaServer.uiSettings.replace({ defaultIndex: 'timestamp-*' });
+      await security.testUser.setRoles(['kibana_admin', 'kibana_date_nanos_mixed']);
      await PageObjects.common.navigateToApp('discover');
      await PageObjects.timePicker.setAbsoluteRange(fromTime, toTime);
    });

-    after(function unloadMakelogs() {
-      return esArchiver.unload('date_nanos_mixed');
+    after(async () => {
+      await security.testUser.restoreDefaults();
+      esArchiver.unload('date_nanos_mixed');
    });

    it('shows a list of records of indices with date & date_nanos fields in the right order', async function() {
--- a/test/functional/apps/discover/_discover_histogram.js
+++ b/test/functional/apps/discover/_discover_histogram.js
@ -25,6 +25,7 @@ export default function({ getService, getPageObjects }) {
  const browser = getService('browser');
  const elasticChart = getService('elasticChart');
  const kibanaServer = getService('kibanaServer');
+  const security = getService('security');
  const PageObjects = getPageObjects(['settings', 'common', 'discover', 'header', 'timePicker']);
  const defaultSettings = {
    defaultIndex: 'long-window-logstash-*',
@ -35,6 +36,11 @@ export default function({ getService, getPageObjects }) {
    before(async function() {
      log.debug('load kibana index with default index pattern');
      await PageObjects.common.navigateToApp('home');
+      await security.testUser.setRoles([
+        'kibana_admin',
+        'test_logstash_reader',
+        'long_window_logstash',
+      ]);
      await esArchiver.loadIfNeeded('logstash_functional');
      await esArchiver.load('long_window_logstash');
      await esArchiver.load('visualize');
@ -56,6 +62,7 @@ export default function({ getService, getPageObjects }) {
      await esArchiver.unload('long_window_logstash');
      await esArchiver.unload('visualize');
      await esArchiver.unload('discover');
+      await security.testUser.restoreDefaults();
    });

    it('should visualize monthly data with different day intervals', async () => {
--- a/test/functional/apps/discover/_large_string.js
+++ b/test/functional/apps/discover/_large_string.js
@ -25,10 +25,12 @@ export default function({ getService, getPageObjects }) {
  const retry = getService('retry');
  const kibanaServer = getService('kibanaServer');
  const queryBar = getService('queryBar');
+  const security = getService('security');
  const PageObjects = getPageObjects(['common', 'home', 'settings', 'discover']);

  describe('test large strings', function() {
    before(async function() {
+      await security.testUser.setRoles(['kibana_admin', 'kibana_large_strings']);
      await esArchiver.load('empty_kibana');
      await esArchiver.loadIfNeeded('hamlet');
      await kibanaServer.uiSettings.replace({ defaultIndex: 'testlargestring' });
@ -77,6 +79,7 @@ export default function({ getService, getPageObjects }) {
    });

    after(async () => {
+      await security.testUser.restoreDefaults();
      await esArchiver.unload('hamlet');
    });
  });
--- a/test/functional/apps/getting_started/_shakespeare.js
+++ b/test/functional/apps/getting_started/_shakespeare.js
@ -23,6 +23,7 @@ export default function({ getService, getPageObjects }) {
  const log = getService('log');
  const esArchiver = getService('esArchiver');
  const retry = getService('retry');
+  const security = getService('security');
  const PageObjects = getPageObjects([
    'console',
    'common',
@ -46,11 +47,16 @@ export default function({ getService, getPageObjects }) {
        'Load empty_kibana and Shakespeare Getting Started data\n' +
          'https://www.elastic.co/guide/en/kibana/current/tutorial-load-dataset.html'
      );
+      await security.testUser.setRoles(['kibana_admin', 'test_shakespeare_reader']);
      await esArchiver.load('empty_kibana', { skipExisting: true });
      log.debug('Load shakespeare data');
      await esArchiver.loadIfNeeded('getting_started/shakespeare');
    });

+    after(async () => {
+      await security.testUser.restoreDefaults();
+    });
+
    it('should create shakespeare index pattern', async function() {
      log.debug('Create shakespeare index pattern');
      await PageObjects.settings.createIndexPattern('shakes', null);
--- a/test/functional/apps/home/_sample_data.ts
+++ b/test/functional/apps/home/_sample_data.ts
@ -25,6 +25,7 @@ export default function({ getService, getPageObjects }: FtrProviderContext) {
  const retry = getService('retry');
  const find = getService('find');
  const log = getService('log');
+  const security = getService('security');
  const pieChart = getService('pieChart');
  const renderable = getService('renderable');
  const dashboardExpect = getService('dashboardExpect');
@ -34,10 +35,15 @@ export default function({ getService, getPageObjects }: FtrProviderContext) {
    this.tags('smoke');

    before(async () => {
+      await security.testUser.setRoles(['kibana_admin', 'kibana_sample_admin']);
      await PageObjects.common.navigateToUrl('home', 'tutorial_directory/sampleData');
      await PageObjects.header.waitUntilLoadingHasFinished();
    });

+    after(async () => {
+      await security.testUser.restoreDefaults();
+    });
+
    it('should display registered flights sample data sets', async () => {
      await retry.try(async () => {
        const exists = await PageObjects.home.doesSampleDataSetExist('flights');
--- a/test/functional/apps/management/_handle_alias.js
+++ b/test/functional/apps/management/_handle_alias.js
@ -23,11 +23,13 @@ export default function({ getService, getPageObjects }) {
  const esArchiver = getService('esArchiver');
  const es = getService('legacyEs');
  const retry = getService('retry');
+  const security = getService('security');
  const PageObjects = getPageObjects(['common', 'home', 'settings', 'discover', 'timePicker']);

  // FLAKY: https://github.com/elastic/kibana/issues/59717
  describe.skip('Index patterns on aliases', function() {
    before(async function() {
+      await security.testUser.setRoles(['kibana_admin', 'test_alias_reader']);
      await esArchiver.loadIfNeeded('alias');
      await esArchiver.load('empty_kibana');
      await es.indices.updateAliases({
@ -84,6 +86,7 @@ export default function({ getService, getPageObjects }) {
    });

    after(async () => {
+      await security.testUser.restoreDefaults();
      await esArchiver.unload('alias');
    });
  });
--- a/test/functional/apps/management/_test_huge_fields.js
+++ b/test/functional/apps/management/_test_huge_fields.js
@ -21,6 +21,7 @@ import expect from '@kbn/expect';

 export default function({ getService, getPageObjects }) {
  const esArchiver = getService('esArchiver');
+  const security = getService('security');
  const PageObjects = getPageObjects(['common', 'home', 'settings']);

  describe('test large number of fields', function() {
@ -28,6 +29,7 @@ export default function({ getService, getPageObjects }) {

    const EXPECTED_FIELD_COUNT = '10006';
    before(async function() {
+      await security.testUser.setRoles(['kibana_admin', 'test_testhuge_reader']);
      await esArchiver.loadIfNeeded('large_fields');
      await PageObjects.settings.createIndexPattern('testhuge', 'date');
    });
@ -38,6 +40,7 @@ export default function({ getService, getPageObjects }) {
    });

    after(async () => {
+      await security.testUser.restoreDefaults();
      await esArchiver.unload('large_fields');
    });
  });
--- a/test/functional/apps/visualize/_area_chart.js
+++ b/test/functional/apps/visualize/_area_chart.js
@ -24,6 +24,7 @@ export default function({ getService, getPageObjects }) {
  const inspector = getService('inspector');
  const browser = getService('browser');
  const retry = getService('retry');
+  const security = getService('security');
  const PageObjects = getPageObjects([
    'common',
    'visualize',
@ -58,7 +59,14 @@ export default function({ getService, getPageObjects }) {
      return PageObjects.visEditor.clickGo();
    };

-    before(initAreaChart);
+    before(async function() {
+      await security.testUser.setRoles([
+        'kibana_admin',
+        'long_window_logstash',
+        'test_logstash_reader',
+      ]);
+      await initAreaChart();
+    });

    it('should save and load with special characters', async function() {
      const vizNamewithSpecialChars = vizName1 + '/?&=%';
@ -284,6 +292,7 @@ export default function({ getService, getPageObjects }) {
          .pop()
          .replace('embed=true', '');
        await PageObjects.common.navigateToUrl('visualize', embedUrl);
+        await security.testUser.restoreDefaults();
      });
    });

--- a/test/functional/apps/visualize/_experimental_vis.js
+++ b/test/functional/apps/visualize/_experimental_vis.js
@ -23,7 +23,7 @@ export default ({ getService, getPageObjects }) => {
  const log = getService('log');
  const PageObjects = getPageObjects(['visualize']);

-  describe('visualize app', function() {
+  describe('experimental visualizations in visualize app ', function() {
    this.tags('smoke');

    describe('experimental visualizations', () => {
--- a/test/functional/apps/visualize/_linked_saved_searches.ts
+++ b/test/functional/apps/visualize/_linked_saved_searches.ts
@ -32,7 +32,7 @@ export default function({ getService, getPageObjects }: FtrProviderContext) {
    'visChart',
  ]);

-  describe('visualize app', function describeIndexTests() {
+  describe('saved search visualizations from visualize app', function describeIndexTests() {
    describe('linked saved searched', () => {
      const savedSearchName = 'vis_saved_search';

--- a/test/functional/apps/visualize/_markdown_vis.js
+++ b/test/functional/apps/visualize/_markdown_vis.js
@ -29,7 +29,7 @@ export default function({ getPageObjects, getService }) {
 <h3>Inline HTML that should not be rendered as html</h3>
  `;

-  describe('visualize app', () => {
+  describe('markdown app in visualize app', () => {
    before(async function() {
      await PageObjects.visualize.navigateToNewVisualization();
      await PageObjects.visualize.clickMarkdownWidget();
--- a/test/functional/apps/visualize/_tsvb_chart.ts
+++ b/test/functional/apps/visualize/_tsvb_chart.ts
@ -25,11 +25,13 @@ export default function({ getService, getPageObjects }: FtrProviderContext) {
  const esArchiver = getService('esArchiver');
  const log = getService('log');
  const inspector = getService('inspector');
+  const security = getService('security');
  const PageObjects = getPageObjects(['visualize', 'visualBuilder', 'timePicker', 'visChart']);

  describe('visual builder', function describeIndexTests() {
    this.tags('smoke');
    beforeEach(async () => {
+      await security.testUser.setRoles(['kibana_admin', 'test_logstash_reader']);
      await PageObjects.visualize.navigateToNewVisualization();
      await PageObjects.visualize.clickVisualBuilder();
      await PageObjects.visualBuilder.checkVisualBuilderIsPresent();
@ -111,8 +113,10 @@ export default function({ getService, getPageObjects }: FtrProviderContext) {
        await PageObjects.visualBuilder.resetPage();
        await PageObjects.visualBuilder.clickMetric();
        await PageObjects.visualBuilder.checkMetricTabIsPresent();
+        await security.testUser.setRoles(['kibana_admin', 'kibana_sample_admin']);
      });
      after(async () => {
+        await security.testUser.restoreDefaults();
        await esArchiver.unload('kibana_sample_data_flights');
      });

--- a/test/functional/apps/visualize/_vega_chart.js
+++ b/test/functional/apps/visualize/_vega_chart.js
@ -25,7 +25,7 @@ export default function({ getService, getPageObjects }) {
  const inspector = getService('inspector');
  const log = getService('log');

-  describe('visualize app', () => {
+  describe('vega chart in visualize app', () => {
    before(async () => {
      log.debug('navigateToApp visualize');
      await PageObjects.visualize.navigateToNewVisualization();
--- a/test/functional/apps/visualize/input_control_vis/input_control_range.ts
+++ b/test/functional/apps/visualize/input_control_vis/input_control_range.ts
@ -25,10 +25,12 @@ export default function({ getService, getPageObjects }: FtrProviderContext) {
  const esArchiver = getService('esArchiver');
  const kibanaServer = getService('kibanaServer');
  const find = getService('find');
+  const security = getService('security');
  const { visualize, visEditor } = getPageObjects(['visualize', 'visEditor']);

  describe('input control range', () => {
    before(async () => {
+      await security.testUser.setRoles(['kibana_admin', 'kibana_sample_admin']);
      await esArchiver.load('kibana_sample_data_flights_index_pattern');
      await visualize.navigateToNewVisualization();
      await visualize.clickInputControlVis();
@ -63,6 +65,7 @@ export default function({ getService, getPageObjects }: FtrProviderContext) {
      await esArchiver.loadIfNeeded('long_window_logstash');
      await esArchiver.load('visualize');
      await kibanaServer.uiSettings.replace({ defaultIndex: 'logstash-*' });
+      await security.testUser.restoreDefaults();
    });
  });
 }
--- a/test/functional/config.js
+++ b/test/functional/config.js
@ -103,5 +103,172 @@ export default async function({ readConfigFile }) {
    browser: {
      type: 'chrome',
    },
+
+    security: {
+      roles: {
+        test_logstash_reader: {
+          elasticsearch: {
+            cluster: [],
+            indices: [
+              {
+                names: ['logstash*'],
+                privileges: ['read', 'view_index_metadata'],
+                field_security: { grant: ['*'], except: [] },
+              },
+            ],
+            run_as: [],
+          },
+          kibana: [],
+        },
+        test_shakespeare_reader: {
+          elasticsearch: {
+            cluster: [],
+            indices: [
+              {
+                names: ['shakes*'],
+                privileges: ['read', 'view_index_metadata'],
+                field_security: { grant: ['*'], except: [] },
+              },
+            ],
+            run_as: [],
+          },
+          kibana: [],
+        },
+        test_testhuge_reader: {
+          elasticsearch: {
+            cluster: [],
+            indices: [
+              {
+                names: ['testhuge*'],
+                privileges: ['read', 'view_index_metadata'],
+                field_security: { grant: ['*'], except: [] },
+              },
+            ],
+            run_as: [],
+          },
+          kibana: [],
+        },
+        test_alias_reader: {
+          elasticsearch: {
+            cluster: [],
+            indices: [
+              {
+                names: ['alias*'],
+                privileges: ['read', 'view_index_metadata'],
+                field_security: { grant: ['*'], except: [] },
+              },
+            ],
+            run_as: [],
+          },
+          kibana: [],
+        },
+        //for sample data - can remove but not add sample data.( not ml)- for ml use built in role.
+        kibana_sample_admin: {
+          elasticsearch: {
+            cluster: [],
+            indices: [
+              {
+                names: ['kibana_sample*'],
+                privileges: ['read', 'view_index_metadata', 'manage', 'create_index', 'index'],
+                field_security: { grant: ['*'], except: [] },
+              },
+            ],
+            run_as: [],
+          },
+          kibana: [],
+        },
+
+        kibana_date_nanos: {
+          elasticsearch: {
+            cluster: [],
+            indices: [
+              {
+                names: ['date-nanos'],
+                privileges: ['read', 'view_index_metadata'],
+                field_security: { grant: ['*'], except: [] },
+              },
+            ],
+            run_as: [],
+          },
+          kibana: [],
+        },
+
+        kibana_date_nanos_custom: {
+          elasticsearch: {
+            cluster: [],
+            indices: [
+              {
+                names: ['date_nanos_custom_timestamp'],
+                privileges: ['read', 'view_index_metadata'],
+                field_security: { grant: ['*'], except: [] },
+              },
+            ],
+            run_as: [],
+          },
+          kibana: [],
+        },
+
+        kibana_date_nanos_mixed: {
+          elasticsearch: {
+            cluster: [],
+            indices: [
+              {
+                names: ['date_nanos_mixed', 'timestamp-*'],
+                privileges: ['read', 'view_index_metadata'],
+                field_security: { grant: ['*'], except: [] },
+              },
+            ],
+            run_as: [],
+          },
+          kibana: [],
+        },
+
+        kibana_large_strings: {
+          elasticsearch: {
+            cluster: [],
+            indices: [
+              {
+                names: ['testlargestring'],
+                privileges: ['read', 'view_index_metadata'],
+                field_security: { grant: ['*'], except: [] },
+              },
+            ],
+            run_as: [],
+          },
+          kibana: [],
+        },
+
+        long_window_logstash: {
+          elasticsearch: {
+            cluster: [],
+            indices: [
+              {
+                names: ['long-window-logstash-*'],
+                privileges: ['read', 'view_index_metadata'],
+                field_security: { grant: ['*'], except: [] },
+              },
+            ],
+            run_as: [],
+          },
+          kibana: [],
+        },
+
+        animals: {
+          elasticsearch: {
+            cluster: [],
+            indices: [
+              {
+                names: ['animals-*'],
+                privileges: ['read', 'view_index_metadata'],
+                field_security: { grant: ['*'], except: [] },
+              },
+            ],
+            run_as: [],
+          },
+          kibana: [],
+        },
+      },
+      defaultRoles: ['test_logstash_reader', 'kibana_admin'],
+    },
  };
 }
--- a/test/functional/page_objects/common_page.ts
+++ b/test/functional/page_objects/common_page.ts
@ -105,13 +105,16 @@ export function CommonPageProvider({ getService, getPageObjects }: FtrProviderCo
      const wantedLoginPage = appUrl.includes('/login') || appUrl.includes('/logout');

      if (loginPage && !wantedLoginPage) {
-        log.debug(
-          `Found login page.  Logging in with username = ${config.get('servers.kibana.username')}`
-        );
-        await PageObjects.shield.login(
-          config.get('servers.kibana.username'),
-          config.get('servers.kibana.password')
-        );
+        log.debug('Found login page');
+        if (config.get('security.disableTestUser')) {
+          await PageObjects.shield.login(
+            config.get('servers.kibana.username'),
+            config.get('servers.kibana.password')
+          );
+        } else {
+          await PageObjects.shield.login('test_user', 'changeme');
+        }
+
        await find.byCssSelector(
          '[data-test-subj="kibanaChrome"] nav:not(.ng-hide)',
          6 * defaultFindTimeout
--- a/test/functional/services/browser.ts
+++ b/test/functional/services/browser.ts
@ -21,6 +21,7 @@ import { cloneDeep } from 'lodash';
 import { Key, Origin } from 'selenium-webdriver';
 // @ts-ignore internal modules are not typed
 import { LegacyActionSequence } from 'selenium-webdriver/lib/actions';
+import { ProvidedType } from '@kbn/test/types/ftr';

 import Jimp from 'jimp';
 import { modifyUrl } from '../../../src/core/utils';
@ -28,6 +29,7 @@ import { WebElementWrapper } from './lib/web_element_wrapper';
 import { FtrProviderContext } from '../ftr_provider_context';
 import { Browsers } from './remote/browsers';

+export type Browser = ProvidedType<typeof BrowserProvider>;
 export async function BrowserProvider({ getService }: FtrProviderContext) {
  const log = getService('log');
  const { driver, browserType } = await getService('__webdriver__').init();
--- a/test/functional/services/test_subjects.ts
+++ b/test/functional/services/test_subjects.ts
@ -19,6 +19,7 @@

 import testSubjSelector from '@kbn/test-subj-selector';
 import { map as mapAsync } from 'bluebird';
+import { ProvidedType } from '@kbn/test/types/ftr';
 import { WebElementWrapper } from './lib/web_element_wrapper';
 import { FtrProviderContext } from '../ftr_provider_context';

@ -32,6 +33,7 @@ interface SetValueOptions {
  typeCharByChar?: boolean;
 }

+export type TestSubjects = ProvidedType<typeof TestSubjectsProvider>;
 export function TestSubjectsProvider({ getService }: FtrProviderContext) {
  const log = getService('log');
  const retry = getService('retry');
--- a/x-pack/test/api_integration/config.js
+++ b/x-pack/test/api_integration/config.js
@ -15,6 +15,7 @@ export async function getApiIntegrationConfig({ readConfigFile }) {
    testFiles: [require.resolve('./apis')],
    services,
    servers: xPackFunctionalTestsConfig.get('servers'),
+    security: xPackFunctionalTestsConfig.get('security'),
    esArchiver: xPackFunctionalTestsConfig.get('esArchiver'),
    junit: {
      reportName: 'X-Pack API Integration Tests',
--- a/x-pack/test/functional/apps/dashboard_mode/dashboard_view_mode.js
+++ b/x-pack/test/functional/apps/dashboard_mode/dashboard_view_mode.js
@ -12,6 +12,7 @@ export default function({ getService, getPageObjects }) {
  const browser = getService('browser');
  const log = getService('log');
  const pieChart = getService('pieChart');
+  const security = getService('security');
  const testSubjects = getService('testSubjects');
  const dashboardAddPanel = getService('dashboardAddPanel');
  const dashboardPanelActions = getService('dashboardPanelActions');
@ -109,13 +110,15 @@ export default function({ getService, getPageObjects }) {
        await PageObjects.security.clickSaveEditUser();
      });

-      after('logout', async () => {
-        await PageObjects.security.forceLogout();
+      after(async () => {
+        await security.testUser.restoreDefaults();
      });

      it('shows only the dashboard app link', async () => {
+        await security.testUser.setRoles(['test_logstash_reader', 'kibana_dashboard_only_user']);
+        await PageObjects.header.waitUntilLoadingHasFinished();
        await PageObjects.security.forceLogout();
-        await PageObjects.security.login('dashuser', '123456');
+        await PageObjects.security.login('test_user', 'changeme');

        const appLinks = await appsMenu.readLinks();
        expect(appLinks).to.have.length(1);
@ -194,8 +197,12 @@ export default function({ getService, getPageObjects }) {
      });

      it('is loaded for a user who is assigned a non-dashboard mode role', async () => {
-        await PageObjects.security.forceLogout();
-        await PageObjects.security.login('mixeduser', '123456');
+        await security.testUser.setRoles([
+          'test_logstash_reader',
+          'kibana_dashboard_only_user',
+          'kibana_admin',
+        ]);
+        await PageObjects.header.waitUntilLoadingHasFinished();

        if (await appsMenu.linkExists('Management')) {
          throw new Error('Expected management nav link to not be shown');
@ -203,8 +210,8 @@ export default function({ getService, getPageObjects }) {
      });

      it('is not loaded for a user who is assigned a superuser role', async () => {
-        await PageObjects.security.forceLogout();
-        await PageObjects.security.login('mysuperuser', '123456');
+        await security.testUser.setRoles(['kibana_dashboard_only_user', 'superuser']);
+        await PageObjects.header.waitUntilLoadingHasFinished();

        if (!(await appsMenu.linkExists('Management'))) {
          throw new Error('Expected management nav link to be shown');
--- a/x-pack/test/functional/config.js
+++ b/x-pack/test/functional/config.js
@ -217,5 +217,24 @@ export default async function({ readConfigFile }) {
    junit: {
      reportName: 'Chrome X-Pack UI Functional Tests',
    },
+    security: {
+      roles: {
+        test_logstash_reader: {
+          elasticsearch: {
+            cluster: [],
+            indices: [
+              {
+                names: ['logstash*'],
+                privileges: ['read', 'view_index_metadata'],
+                field_security: { grant: ['*'], except: [] },
+              },
+            ],
+            run_as: [],
+          },
+          kibana: [],
+        },
+      },
+      defaultRoles: ['superuser'],
+    },
  };
 }
--- a/x-pack/test/oidc_api_integration/config.ts
+++ b/x-pack/test/oidc_api_integration/config.ts
@ -17,6 +17,7 @@ export default async function({ readConfigFile }: FtrConfigProviderContext) {
  return {
    testFiles: [require.resolve('./apis/authorization_code_flow')],
    servers: xPackAPITestsConfig.get('servers'),
+    security: { disableTestUser: true },
    services,
    junit: {
      reportName: 'X-Pack OpenID Connect API Integration Tests',
--- a/x-pack/test/pki_api_integration/config.ts
+++ b/x-pack/test/pki_api_integration/config.ts
@ -28,6 +28,7 @@ export default async function({ readConfigFile }: FtrConfigProviderContext) {
  return {
    testFiles: [require.resolve('./apis')],
    servers,
+    security: { disableTestUser: true },
    services,
    junit: {
      reportName: 'X-Pack PKI API Integration Tests',
--- a/x-pack/test/reporting/configs/chromium_functional.js
+++ b/x-pack/test/reporting/configs/chromium_functional.js
@ -33,5 +33,6 @@ export default async function({ readConfigFile }) {
    },
    esArchiver: functionalConfig.get('esArchiver'),
    esTestCluster: functionalConfig.get('esTestCluster'),
+    security: { disableTestUser: true },
  };
 }
--- a/x-pack/test/saml_api_integration/config.ts
+++ b/x-pack/test/saml_api_integration/config.ts
@ -19,6 +19,7 @@ export default async function({ readConfigFile }: FtrConfigProviderContext) {
  return {
    testFiles: [require.resolve('./apis')],
    servers: xPackAPITestsConfig.get('servers'),
+    security: { disableTestUser: true },
    services: {
      randomness: kibanaAPITestsConfig.get('services.randomness'),
      legacyEs: kibanaAPITestsConfig.get('services.legacyEs'),
--- a/x-pack/test/token_api_integration/config.js
+++ b/x-pack/test/token_api_integration/config.js
@ -10,6 +10,7 @@ export default async function({ readConfigFile }) {
  return {
    testFiles: [require.resolve('./auth')],
    servers: xPackAPITestsConfig.get('servers'),
+    security: { disableTestUser: true },
    services: {
      legacyEs: xPackAPITestsConfig.get('services.legacyEs'),
      supertestWithoutAuth: xPackAPITestsConfig.get('services.supertestWithoutAuth'),