[Self-Managed]: Security is not enabled by default on setting up self-managed 8.2 Snapshot.

[amolnater-qasource]

Kibana version: 8.2 Snapshot Kibana self-managed environment

Host OS and Browser version: Windows, All

Build details:

VERSION: 8.2.0 self-managed
BUILD: 51770
COMMIT: 9bec00d6c37b8b258d10e6f1dea3299f67db7540
Artifact Link: https://snapshots.elastic.co/8.2.0-fdfc79e3/downloads/elasticsearch/elasticsearch-8.2.0-SNAPSHOT-windows-x86_64.zip

Preconditions:

1. 8.2 kibana self-managed environment should be available.

Steps to reproduce:

1. Run elasticsearch.bat.
2. Copy the self-generated configuration from command prompt.
3. Run kibana.bat and setup kibana using kibana enrollment token.
4. Navigate to Fleet tab.
5. Observe Fleet tab is no accessible and asks for below xpack to be added:

xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true

Expected Result:
Security should be enabled by default on setting up self-managed 8.2 Snapshot.

Screenshot:
kibana.bat error:

Fleet tab:

Note:
Even on adding the below xpack we are unable to access fleet tab:

xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true

We added this xpack and restarted elasticsearch, kibana.
However we are still not able to access Fleet tab.

Elasticsearch.yml:
elasticsearch.zip

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[amolnater-qasource]

@manishgupta-qasource Please review.

[manishgupta-qasource]

Reviewed & assigned to @jkakavas

[joshdover]

Let's investigate this from the Fleet side first and see if there's an issue with our security check screen.

[juliaElastic]

@amolnater-qasource is this happening in only Windows or other platforms too like Mac?

This is an existing testcase that was working on earlier versions, right?

EDIT: can't reproduce this on Mac BC1 build.

[jkakavas]

The elasticsearch part of the configuration looks fine and this is further reinforced by the fact that kibana can enroll successfully.

@manishgupta-qasource for future reference, please tag @elastic/es-security instead of me in these kind of issues when input from Elasticsearch security is needed !

[nchaulet]

Looks like we introduced a regression when merging #129131 we show the requirement page if no encryption key is set.
This should be fixed by #129593

In the mean time testing can be unlocked by setting xpack.encryptedSavedObjects.encryptionKey in kibana config file

[juliaElastic]

This error message was misleading because it was caused by a completely different "missing requirement" than ES security.
We could improve the logic to only show the ES security callout if "security_required" or "api_keys" requirement is missing.
Related code: https://github.com/elastic/kibana/blob/main/x-pack/plugins/fleet/public/applications/fleet/sections/agents/index.tsx#L76
https://github.com/elastic/kibana/blob/main/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_requirements_page/es_requirements_page.tsx

Alternatively the ES security callout might be removed, as security is enabled by default from 8.0 (it may be possible to disable though)

[amolnater-qasource]

Hi Team
We have revalidated this issue on latest 8.2 BC-4 self-managed environment.

• We are now successfully able to setup self-managed environment without adding any additional xpack.
• We are not getting any errors under Fleet tab.

Build details:
BUILD: 52005
COMMIT: 9a5003d
Artifact Link: https://staging.elastic.co/8.2.0-3b2b9b86/summary-8.2.0.html

Screenshot:

Hence marking this as QA:Validated.
Thanks

[amolnater-qasource]

Bug Conversion

• Testcase already exists for this scenario under Fleet test suite at link:
  • C164232

Thanks