[kbn/scout] move samlAuth call to create ES security indexes after servers start (#247630)

dmlemeshko · dmlemeshko · commit 156a5bdcccdd · 2026-01-05T10:41:20.000Z
Originally we added this code as part of `preCreateSecurityIndexesFixture` called in `globalSetupHook`. It automatically enforces `global.setup.ts` creation even if the hook has no tests-specific logic: file existence triggers the hook call. This PR moves the logic to server start assuming it is only needed for the local cluster and it should simplify Scout/Playwright hook logic and make hook optional as it was originally intended. From CI logs we can see indexes were created before Playwright tests were started: ``` 2025-12-30 15:41:35 UTC | info [o.e.x.s.s.SecurityIndexManager] [scout] security index does not exist, creating [.security-tokens-7] with alias [.security-tokens] in project [default] 2025-12-30 15:41:35 UTC | info [o.e.c.m.MetadataCreateIndexService] [scout] creating index [.security-tokens-7] in project [default], cause [api], templates [], shards [1]/[1] 2025-12-30 15:41:35 UTC | info [o.e.c.r.a.AllocationService] [scout] in project [default] updating number_of_replicas to [0] for indices [.security-tokens-7] 2025-12-30 15:41:35 UTC | info [o.e.c.r.a.AllocationService] [scout] current.health="GREEN" message="Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.security-tokens-7][0]]])." previous.health="YELLOW" reason="shards started [[.security-tokens-7][0]]" 2025-12-30 15:41:35 UTC | info [o.e.x.s.s.SecurityIndexManager] [scout] security index does not exist, creating [.security-profile-8] with alias [.security-profile] in project [default] 2025-12-30 15:41:35 UTC | info [o.e.c.m.MetadataCreateIndexService] [scout] creating index [.security-profile-8] in project [default], cause [api], templates [], shards [1]/[1] 2025-12-30 15:41:35 UTC | info [o.e.c.r.a.AllocationService] [scout] in project [default] updating number_of_replicas to [0] for indices [.security-profile-8] 2025-12-30 15:41:36 UTC | info [o.e.c.r.a.AllocationService] [scout] current.health="GREEN" message="Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.security-profile-8][0]]])." previous.health="YELLOW" reason="shards started [[.security-profile-8][0]]" 2025-12-30 15:41:37 UTC | proc [kibana] [2025-12-30T15:41:37.010+00:00][INFO ][plugins.security.authentication] Login attempt with "saml" provider succeeded (requires redirect: true). {"service":{"node":{"roles":["background_tasks","ui"]}}} 2025-12-30 15:41:37 UTC | info starting [playwright] > /<redacted>kibana/node_modules/.bin/playwright test --config=x-pack/platform/plugins/private/discover_enhanced/test/scout/ui/parallel.playwright.config.ts --grep=@ess --project=local ``` (cherry picked from commit f109902)
diff --git a/src/platform/packages/shared/kbn-scout/src/playwright/runner/run_tests.ts b/src/platform/packages/shared/kbn-scout/src/playwright/runner/run_tests.ts
@@ -16,7 +16,11 @@ import type { ToolingLog } from '@kbn/tooling-log';
 import { pickLevelFromFlags } from '@kbn/tooling-log';
 import { resolve } from 'path';
 import { silence } from '../../common';
-import { runElasticsearch, runKibanaServer } from '../../servers';
+import {
+  preCreateSecurityIndexesViaSamlAuth,
+  runElasticsearch,
+  runKibanaServer,
+} from '../../servers';
 import { getConfigRootDir, loadServersConfig } from '../../servers/configs';
 import { getExtraKbnOpts } from '../../servers/run_kibana_server';
 import type { ScoutPlaywrightProjects } from '../types';
@@ -125,6 +129,9 @@ async function runLocalServersAndTests(
     // wait for 5 seconds
     await silence(log, 5000);
 
+    // Pre-create Elasticsearch Security indexes after server startup
+    await preCreateSecurityIndexesViaSamlAuth(config, log);
+
     await runPlaywrightTest(procs, cmd, cmdArgs, env);
   } finally {
     try {
diff --git a/src/platform/packages/shared/kbn-scout/src/playwright/test/ui/parallel_run_fixtures.ts b/src/platform/packages/shared/kbn-scout/src/playwright/test/ui/parallel_run_fixtures.ts
@@ -17,7 +17,6 @@ import {
 } from '../../fixtures/scope/worker';
 import type {
   ApiServicesFixture,
-  CoreWorkerFixtures,
   EsClient,
   KbnClient,
   KibanaUrl,
@@ -61,34 +60,9 @@ export interface ScoutParallelWorkerFixtures {
   apiServices: ApiServicesFixture;
 }
 
-/**
- * Pre-creates Elasticsearch Security indexes (.security-tokens, .security-profile)
- * during global setup to prevent race conditions when parallel tests perform their first SAML authentication.
- */
-const preCreateSecurityIndexesFixture = coreWorkerFixtures.extend<
-  {},
-  { samlAuth: CoreWorkerFixtures['samlAuth']; preCreateSecurityIndexes: void }
->({
-  preCreateSecurityIndexes: [
-    async (
-      {
-        samlAuth,
-        log,
-      }: { samlAuth: CoreWorkerFixtures['samlAuth']; log: CoreWorkerFixtures['log'] },
-      use: (arg: void) => Promise<void>
-    ) => {
-      log.debug('Running SAML authentication to pre-create Elasticsearch .security indexes');
-      await samlAuth.session.getInteractiveUserSessionCookieWithRoleScope('admin');
-      await use();
-    },
-    { scope: 'worker', auto: true },
-  ],
-});
-
 export const globalSetupFixtures = mergeTests(
   coreWorkerFixtures,
   esArchiverFixture,
   synthtraceFixture,
-  apiServicesFixture,
-  preCreateSecurityIndexesFixture
+  apiServicesFixture
 );
diff --git a/src/platform/packages/shared/kbn-scout/src/servers/index.ts b/src/platform/packages/shared/kbn-scout/src/servers/index.ts
@@ -11,5 +11,6 @@ export { parseServerFlags, SERVER_FLAG_OPTIONS } from './flags';
 export { startServers } from './start_servers';
 export { runKibanaServer } from './run_kibana_server';
 export { runElasticsearch } from './run_elasticsearch';
+export { preCreateSecurityIndexesViaSamlAuth } from './pre_create_security_indexes';
 
 export type { StartServerOptions } from './flags';
diff --git a/src/platform/packages/shared/kbn-scout/src/servers/pre_create_security_indexes.ts b/src/platform/packages/shared/kbn-scout/src/servers/pre_create_security_indexes.ts
@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import type { ToolingLog } from '@kbn/tooling-log';
+import { createSamlSessionManager, ScoutLogger } from '../common';
+import type { Config } from './configs';
+
+/**
+ * Pre-creates Elasticsearch Security indexes (.security-tokens, .security-profile)
+ * by performing SAML authentication. This prevents race conditions when parallel tests
+ * perform their first SAML authentication, as the security indexes will already exist.
+ *
+ * @param config - The server configuration containing Scout test config
+ * @param log - Logger instance for logging operations
+ */
+export async function preCreateSecurityIndexesViaSamlAuth(
+  config: Config,
+  log: ToolingLog
+): Promise<void> {
+  const session = createSamlSessionManager(
+    config.getScoutTestConfig(),
+    new ScoutLogger('pre-create-security-indexes', 'info')
+  );
+  await session.getInteractiveUserSessionCookieWithRoleScope('admin');
+  log.debug('Successfully pre-created Elasticsearch Security indexes');
+}
diff --git a/src/platform/packages/shared/kbn-scout/src/servers/start_servers.ts b/src/platform/packages/shared/kbn-scout/src/servers/start_servers.ts
@@ -15,6 +15,7 @@ import { silence } from '../common';
 import { getPlaywrightGrepTag } from '../playwright/utils';
 import { getConfigRootDir, loadServersConfig } from './configs';
 import type { StartServerOptions } from './flags';
+import { preCreateSecurityIndexesViaSamlAuth } from './pre_create_security_indexes';
 import { runElasticsearch } from './run_elasticsearch';
 import { getExtraKbnOpts, runKibanaServer } from './run_kibana_server';
 
@@ -53,6 +54,9 @@ export async function startServers(log: ToolingLog, options: StartServerOptions)
     // success message so that it doesn't get buried
     await silence(log, 5000);
 
+    // Pre-create Elasticsearch Security indexes after server startup
+    await preCreateSecurityIndexesViaSamlAuth(config, log);
+
     log.success(
       '\n\n' +
         dedent`
