[ftr] fix test users for serverless (#161280)

## Summary

This PR fixes few issues occurring while running FTR API tests against
actual serverless project.

How to run:
```
TEST_CLOUD=1 ES_SECURITY_ENABLED=1 NODE_TLS_REJECT_UNAUTHORIZED=0 TEST_ES_URL=<your_es_url_with_credentials> TEST_KIBANA_URL=<your_es_url_with_credentials> node  --no-warnings scripts/functional_test_runner --es-version=8.9.0 --config x-pack/test_serverless/api_integration/test_suites/search/config.ts --bail
```

The first error is faced during Elasticsearch version validation

```
ERROR Error: attempted to use the "es" service to fetch Elasticsearch version info but the request failed: ResponseError: {"ok":false,"message":"Unknown resource."}
          at SniffingTransport.request (/Users/dmle/github/kibana/node_modules/@elastic/transport/src/Transport.ts:535:17)
          at processTicksAndRejections (node:internal/process/task_queues:96:5)
          at Client.InfoApi [as info] (/Users/dmle/github/kibana/node_modules/@elastic/elasticsearch/src/api/api/info.ts:60:10)
          at FunctionalTestRunner.validateEsVersion (functional_test_runner.ts:129:16)
          at functional_test_runner.ts:64:11
          at FunctionalTestRunner.runHarness (functional_test_runner.ts:251:14)
          at FunctionalTestRunner.run (functional_test_runner.ts:48:12)
          at log.defaultLevel (cli.ts:112:32)
          at run.ts:70:7
          at withProcRunner (with_proc_runner.ts:29:5)
          at run (run.ts:69:5)
          at FunctionalTestRunner.validateEsVersion (functional_test_runner.ts:131:13)
          at processTicksAndRejections (node:internal/process/task_queues:96:5)
          at functional_test_runner.ts:64:11
          at FunctionalTestRunner.runHarness (functional_test_runner.ts:251:14)
          at FunctionalTestRunner.run (functional_test_runner.ts:48:12)
          at log.defaultLevel (cli.ts:112:32)
          at run.ts:70:7
          at withProcRunner (with_proc_runner.ts:29:5)
          at run (run.ts:69:5)
```

Since there is no version term in case of serverless, we can skip
version check by using newly added to FTR schema `serverless` property
(`false` by default). It is set to `true` in root FTR config
`/shared/config.base`.

The next error is related to ESArchiver relying on `ES` FTR service to
provide ESClient.

```
ResponseError: security_exception
   │ 	Root causes:
   │ 		security_exception: unable to authenticate user [system_indices_superuser] for REST request [/kibana_sample_data_flights]
```

It is fixed by using the default user (from host url) instead of
`system_indices_superuser` we use in stateful run.

packages/kbn-ftr-common-functional-services/services/es.ts

@@ -13,9 +13,15 @@ import { FtrProviderContext } from './ftr_provider_context';
 
 export function EsProvider({ getService }: FtrProviderContext): Client {
   const config = getService('config');
+  const isServerless = !!config.get('serverless');
 
-  return createEsClientForFtrConfig(config, {
-    // Use system indices user so tests can write to system indices
-    authOverride: systemIndicesSuperuser,
-  });
+  return createEsClientForFtrConfig(
+    config,
+    isServerless
+      ? {}
+      : {
+          // Use system indices user so tests can write to system indices
+          authOverride: systemIndicesSuperuser,
+        }
+  );
 }

packages/kbn-test/src/functional_test_runner/functional_test_runner.ts

@@ -60,7 +60,8 @@ export class FunctionalTestRunner {
         : this.getStubProviderCollection(coreProviders);
 
       if (realServices) {
-        if (providers.hasService('es')) {
+        // Skip ES version validation for serverless project
+        if (!this.config.get('serverless') && providers.hasService('es')) {
           await this.validateEsVersion();
         }
         await providers.loadAll();

packages/kbn-test/src/functional_test_runner/lib/config/schema.ts

@@ -89,6 +89,7 @@ export const schema = Joi.object()
     rootTags: Joi.array().items(Joi.string()),
     testFiles: Joi.array().items(Joi.string()),
     testRunner: Joi.func(),
+    serverless: Joi.boolean().default(false),
 
     suiteFiles: Joi.object()
       .keys({
@@ -200,7 +201,7 @@ export const schema = Joi.object()
       .keys({
         license: Joi.valid('basic', 'trial', 'gold').default('basic'),
         from: Joi.string().default('snapshot'),
-        serverArgs: Joi.array().items(Joi.string()),
+        serverArgs: Joi.array().items(Joi.string()).default([]),
         esJavaOpts: Joi.string(),
         dataArchive: Joi.string(),
         ssl: Joi.boolean().default(false),

packages/kbn-test/src/functional_tests/lib/run_elasticsearch.ts

@@ -34,7 +34,7 @@ function getEsConfig({
 }: RunElasticsearchOptions) {
   const ssl = !!config.get('esTestCluster.ssl');
   const license: 'basic' | 'trial' | 'gold' = config.get('esTestCluster.license');
-  const esArgs: string[] = config.get('esTestCluster.serverArgs') ?? [];
+  const esArgs: string[] = config.get('esTestCluster.serverArgs');
   const esJavaOpts: string | undefined = config.get('esTestCluster.esJavaOpts');
   const isSecurityEnabled = esArgs.includes('xpack.security.enabled=true');
 

test/common/services/security/system_indices_user.ts

@@ -68,8 +68,9 @@ export async function createSystemIndicesUser(ctx: FtrProviderContext) {
   const enabled = !config
     .get('esTestCluster.serverArgs')
     .some((arg: string) => arg === 'xpack.security.enabled=false');
+  const isServerless = !!config.get('serverless');
 
-  if (!enabled) {
+  if (!enabled || isServerless) {
     return;
   }
 

x-pack/test_serverless/api_integration/test_suites/common/security_users.ts

@@ -11,7 +11,9 @@ export default function ({ getService }: FtrProviderContext) {
   const svlCommonApi = getService('svlCommonApi');
   const supertest = getService('supertest');
 
-  describe('security/users', function () {
+  // Test should be unskipped when the API is disabled
+  // https://github.com/elastic/kibana/issues/161337
+  describe.skip('security/users', function () {
     it('rejects request to create user', async () => {
       const { body, status } = await supertest
         .post(`/internal/security/users/some_testuser`)

x-pack/test_serverless/api_integration/test_suites/observability/index.ts

@@ -9,7 +9,6 @@ import { FtrProviderContext } from '../../ftr_provider_context';
 
 export default function ({ loadTestFile }: FtrProviderContext) {
   describe('serverless observability API', function () {
-    loadTestFile(require.resolve('./security_users'));
     loadTestFile(require.resolve('./snapshot_telemetry'));
   });
 }

x-pack/test_serverless/api_integration/test_suites/observability/security_users.ts

@@ -1,31 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { FtrProviderContext } from '../../ftr_provider_context';
-
-export default function ({ getService }: FtrProviderContext) {
-  const svlCommonApi = getService('svlCommonApi');
-  const supertest = getService('supertest');
-
-  /*
-   * This is a placeholder test to demonstrate usage.
-   * This test case is actually already covered in the `serverless` plugin tests
-   * and should be replaced with something specific to the observability project
-   * once it modifies / adds / disables Kibana APIs.
-   */
-  describe('security/users', function () {
-    it('rejects request to create user', async () => {
-      const { body, status } = await supertest
-        .post(`/internal/security/users/some_testuser`)
-        .set(svlCommonApi.getCommonRequestHeader())
-        .send({ username: 'some_testuser', password: 'testpassword', roles: [] });
-
-      // in a non-serverless environment this would succeed with a 200
-      svlCommonApi.assertResponseStatusCode(400, status, body);
-    });
-  });
-}

x-pack/test_serverless/api_integration/test_suites/search/index.ts

@@ -9,7 +9,6 @@ import { FtrProviderContext } from '../../ftr_provider_context';
 
 export default function ({ loadTestFile }: FtrProviderContext) {
   describe('serverless search API', function () {
-    loadTestFile(require.resolve('./security_users'));
     loadTestFile(require.resolve('./snapshot_telemetry'));
   });
 }

x-pack/test_serverless/api_integration/test_suites/search/security_users.ts

@@ -1,31 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { FtrProviderContext } from '../../ftr_provider_context';
-
-export default function ({ getService }: FtrProviderContext) {
-  const svlCommonApi = getService('svlCommonApi');
-  const supertest = getService('supertest');
-
-  /*
-   * This is a placeholder test to demonstrate usage.
-   * This test case is actually already covered in the `serverless` plugin tests
-   * and should be replaced with something specific to the search project
-   * once it modifies / adds / disables Kibana APIs.
-   */
-  describe('security/users', function () {
-    it('rejects request to create user', async () => {
-      const { body, status } = await supertest
-        .post(`/internal/security/users/some_testuser`)
-        .set(svlCommonApi.getCommonRequestHeader())
-        .send({ username: 'some_testuser', password: 'testpassword', roles: [] });
-
-      // in a non-serverless environment this would succeed with a 200
-      svlCommonApi.assertResponseStatusCode(400, status, body);
-    });
-  });
-}

x-pack/test_serverless/api_integration/test_suites/security/index.ts

@@ -9,7 +9,6 @@ import { FtrProviderContext } from '../../ftr_provider_context';
 
 export default function ({ loadTestFile }: FtrProviderContext) {
   describe('serverless security API', function () {
-    loadTestFile(require.resolve('./security_users'));
     loadTestFile(require.resolve('./snapshot_telemetry'));
   });
 }

x-pack/test_serverless/api_integration/test_suites/security/security_users.ts

@@ -1,31 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { FtrProviderContext } from '../../ftr_provider_context';
-
-export default function ({ getService }: FtrProviderContext) {
-  const svlCommonApi = getService('svlCommonApi');
-  const supertest = getService('supertest');
-
-  /*
-   * This is a placeholder test to demonstrate usage.
-   * This test case is actually already covered in the `serverless` plugin tests
-   * and should be replaced with something specific to the security project
-   * once it modifies / adds / disables Kibana APIs.
-   */
-  describe('security/users', function () {
-    it('rejects request to create user', async () => {
-      const { body, status } = await supertest
-        .post(`/internal/security/users/some_testuser`)
-        .set(svlCommonApi.getCommonRequestHeader())
-        .send({ username: 'some_testuser', password: 'testpassword', roles: [] });
-
-      // in a non-serverless environment this would succeed with a 200
-      svlCommonApi.assertResponseStatusCode(400, status, body);
-    });
-  });
-}

x-pack/test_serverless/shared/config.base.ts

@@ -23,7 +23,6 @@ export default async () => {
     esTestCluster: {
       license: 'trial',
       from: 'snapshot',
-      serverArgs: ['xpack.security.enabled=false'],
     },
 
     kbnTestServer: {
@@ -62,6 +61,11 @@ export default async () => {
       ],
     },
 
+    security: { disableTestUser: true },
+
+    // Used by FTR to recognize serverless project and change its behavior accordingly
+    serverless: true,
+
     // overriding default timeouts from packages/kbn-test/src/functional_test_runner/lib/config/schema.ts
     // so we can easily adjust them for serverless where needed
     timeouts: {