Deprecate kibana user in favor of kibana_system user

[legrego]

This updates the User Grid page and Edit User page to warn about deprecated users. Support for deprecated users was added to Elasticsearch in elastic/elasticsearch#54967, and is used to denote that the kibana user is deprecated in favor of the kibana_system user.

Companion PRs:
elastic/stack-docs#991
elastic/elasticsearch#54967

Resolves #25879

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[jportner]

EDIT: tested locally and works great! A few nits aside from the changes you directly made... (using permalinks to the current HEAD in master so they render properly in my comment)

---

1. In #48247 we deprecated using the elastic user in config in favor of using the kibana user. I'm thinking we should probably change that to deprecate it in favor of kibana_system too. This is in a few files...

kibana/src/core/server/elasticsearch/elasticsearch_config.ts

Lines 132 to 136 in 129cf4f

	if (es.username === 'elastic') {
	log(
	`Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana" user instead.`
	);
	}

kibana/x-pack/plugins/monitoring/server/config.ts

Lines 119 to 124 in 129cf4f

	if (rawConfig === 'elastic') {
	return (
	'value of "elastic" is forbidden. This is a superuser account that can obfuscate ' +
	'privilege-related issues. You should use the "kibana" user instead.'
	);
	}

kibana/x-pack/plugins/monitoring/server/deprecations.ts

Lines 60 to 64 in 129cf4f

	if (es.username === 'elastic') {
	logger(
	`Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana" user instead.`
	);
	}

---

2. Should we update this functional test assertion for the kibana_system user instead?

kibana/x-pack/test/functional/apps/security/users.js

Lines 28 to 29 in 129cf4f

	expect(users.kibana.roles).to.eql(['kibana_system']);
	expect(users.kibana.reserved).to.be(true);

---

3. This is really nitpicky, but do we want to change the wording from "kibana user" to "Kibana user" to differentiate the intent from the username itself? Or split this into two messages for the kibana and kibana_system users? 😛 I don't feel super strongly about it, just wanted to point it out in case you missed it.

kibana/x-pack/plugins/security/public/management/users/edit_user/edit_user_page.tsx

Line 257 in 129cf4f

defaultMessage="After you change the password for the kibana user, you must update the {kibana}

---

4. I found a few more references to the deprecated kibana user:

kibana/x-pack/README.md

Line 15 in 129cf4f

By default, this will also set the password for native realm accounts to the password provided (`changeme` by default). This includes that of the `kibana` user which `elasticsearch.username` defaults to in development. If you wish to specific a password for a given native realm account, you can do that like so: `--password.kibana=notsecure`

kibana/docs/user/security/securing-kibana.asciidoc

Line 41 in 129cf4f

The password for the built-in `kibana` user is typically set as part of the

kibana/x-pack/legacy/plugins/monitoring/README.md

Line 77 in 129cf4f

username: "kibana"

kibana/packages/kbn-es/src/utils/native_realm.test.js

Lines 191 to 209 in 129cf4f

	kibana: {
	metadata: {
	_reserved: true,
	},
	},
	non_native: {
	metadata: {
	_reserved: false,
	},
	},
	logstash_system: {
	metadata: {
	_reserved: true,
	},
	},
	},
	}));
	expect(await nativeRealm.getReservedUsers()).toEqual(['kibana', 'logstash_system']);

There were a couple more in code comments, but those don't matter as much IMO.

[jportner]

😄

[jportner]

Perhaps this should change so it will be consistent with the reason?

Suggested change

	defaultMessage: `The {username} user is deprecated. {reason}`,
	defaultMessage: `The [{username}] user is deprecated. {reason}`,

[legrego]

The current text is consistent with the deprecation message we display for roles today. Gail had actually requested that we remove the brackets from the reason when we did the role deprecations, but then that change would have been inconsistent with the rest of the messages in ES. Overall, I'm 🤷‍♂️ about it, I could go either way.

Given my beautiful backstory, which would you prefer? I'll defer to you 😄

[pgayvallet]

LGTM for config/kibana.yml changes

[legrego]

@jportner thanks for the review! I'm not sure how my search missed those other references, so good looking out 🥇

[jportner]

Sorry, I could have been clearer in my last comment, a couple more suggestions!

[tylersmalley]

Operations changes to kbn-es LGTM

[legrego]

@elasticmachine merge upstream

[legrego]

@elasticmachine merge upstream

[legrego]

@jportner ready for another look whenever you get a chance

[jportner]

LGTM

[legrego]

@elasticmachine merge upstream

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: a180339

History

• 💔 Build #45464 failed 4055603
• 💚 Build #45033 succeeded 2957424
• 💛 Build #44782 was flaky dd5c950
• 💔 Build #44777 failed 33a7f52
• 💔 Build #44742 failed d424da4

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream