Forbid using elasticsearch.username: elastic in production (#122722) (

#122776) (cherry picked from commit 48efabe) Co-authored-by: Joe Portner <[email protected]>
elastic · Jan 12, 2022 · 73651aa · 73651aa
1 parent 05e6e12
commit 73651aa
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 36 deletions.
diff --git a/src/core/server/core_usage_data/core_usage_data_service.test.ts b/src/core/server/core_usage_data/core_usage_data_service.test.ts
@@ -435,10 +435,6 @@ describe('CoreUsageDataService', () => {
           );
         }
 
-        it('returns expected usage data for elastic.username "elastic"', async () => {
-          return doTest({ username: 'elastic', expectedPrincipal: 'elastic_user' });
-        });
-
         it('returns expected usage data for elastic.username "kibana"', async () => {
           return doTest({ username: 'kibana', expectedPrincipal: 'kibana_user' });
         });

diff --git a/src/core/server/core_usage_data/core_usage_data_service.ts b/src/core/server/core_usage_data/core_usage_data_service.ts
@@ -520,7 +520,6 @@ function getEsPrincipalUsage({ username, serviceAccountToken }: ElasticsearchCon
   let value: CoreConfigUsageData['elasticsearch']['principal'] = 'unknown';
   if (isConfigured.string(username)) {
     switch (username) {
-      case 'elastic': // deprecated
       case 'kibana': // deprecated
       case 'kibana_system':
         value = `${username}_user` as const;

diff --git a/src/core/server/elasticsearch/elasticsearch_config.test.ts b/src/core/server/elasticsearch/elasticsearch_config.test.ts
@@ -318,15 +318,6 @@ describe('throws when config is invalid', () => {
 });
 
 describe('deprecations', () => {
-  it('logs a warning if elasticsearch.username is set to "elastic"', () => {
-    const { messages } = applyElasticsearchDeprecations({ username: 'elastic' });
-    expect(messages).toMatchInlineSnapshot(`
-      Array [
-        "Kibana is configured to authenticate to Elasticsearch with the \\"elastic\\" user. Use a service account token instead.",
-      ]
-    `);
-  });
-
   it('logs a warning if elasticsearch.username is set to "kibana"', () => {
     const { messages } = applyElasticsearchDeprecations({ username: 'kibana' });
     expect(messages).toMatchInlineSnapshot(`
@@ -370,19 +361,17 @@ describe('deprecations', () => {
   });
 });
 
-test('#username throws if equal to "elastic", only while running from source', () => {
+test('#username throws if equal to "elastic"', () => {
   const obj = {
     username: 'elastic',
   };
-  expect(() => config.schema.validate(obj, { dist: false })).toThrowErrorMatchingInlineSnapshot(
-    `"[username]: value of \\"elastic\\" is forbidden. This is a superuser account that can obfuscate privilege-related issues. You should use the \\"kibana_system\\" user instead."`
-  );
-  expect(() => config.schema.validate(obj, { dist: true })).not.toThrow();
+
+  expect(() => config.schema.validate(obj)).toThrow('[username]: value of "elastic" is forbidden');
 });
 
 test('serviceAccountToken throws if username is also set', () => {
   const obj = {
-    username: 'elastic',
+    username: 'kibana',
     serviceAccountToken: 'abc123',
   };
 

diff --git a/src/core/server/elasticsearch/elasticsearch_config.ts b/src/core/server/elasticsearch/elasticsearch_config.ts
@@ -37,21 +37,17 @@ export const configSchema = schema.object({
     defaultValue: 'http://localhost:9200',
   }),
   username: schema.maybe(
-    schema.conditional(
-      schema.contextRef('dist'),
-      false,
-      schema.string({
-        validate: (rawConfig) => {
-          if (rawConfig === 'elastic') {
-            return (
-              'value of "elastic" is forbidden. This is a superuser account that can obfuscate ' +
-              'privilege-related issues. You should use the "kibana_system" user instead.'
-            );
-          }
-        },
-      }),
-      schema.string()
-    )
+    schema.string({
+      validate: (rawConfig) => {
+        if (rawConfig === 'elastic') {
+          return (
+            'value of "elastic" is forbidden. This is a superuser account that cannot write to system indices that Kibana needs to ' +
+            'function. Use a service account token instead. Learn more: ' +
+            'https://www.elastic.co/guide/en/elasticsearch/reference/8.0/service-accounts.html' // we don't have a way to pass a branch into the config schema; hardcoding this one link to the 8.0 docs is OK
+          );
+        }
+      },
+    })
   ),
   password: schema.maybe(schema.string()),
   serviceAccountToken: schema.maybe(
@@ -178,7 +174,7 @@ const deprecations: ConfigDeprecationProvider = () => [
       return;
     }
 
-    if (es.username === 'elastic' || es.username === 'kibana') {
+    if (es.username === 'kibana') {
       const username = es.username;
       addDeprecation({
         configPath: `${fromPath}.username`,