From e0c2e8b87ad7d811c4d63e598b429548e598e7dc Mon Sep 17 00:00:00 2001 From: Thomas Watson Date: Thu, 9 Sep 2021 09:56:29 +0200 Subject: [PATCH 1/6] Remove xpack.security.enabled config option from Kibana To enable or disable the security plugin, set this option in Elasticsearch instead. --- docs/settings/security-settings.asciidoc | 14 --------- .../resources/base/bin/kibana-docker | 1 - test/functional/config.js | 1 - x-pack/plugins/security/server/config.ts | 1 - .../server/config_deprecations.test.ts | 30 ------------------- .../security/server/config_deprecations.ts | 24 --------------- .../reporting_without_security.config.ts | 2 +- .../reporting_without_security.config.ts | 5 +--- 8 files changed, 2 insertions(+), 76 deletions(-) diff --git a/docs/settings/security-settings.asciidoc b/docs/settings/security-settings.asciidoc index c291b65c3c35b..7737745c7cfa8 100644 --- a/docs/settings/security-settings.asciidoc +++ b/docs/settings/security-settings.asciidoc @@ -12,20 +12,6 @@ You do not need to configure any additional settings to use the [[general-security-settings]] ==== General security settings -[cols="2*<"] -|=== -| `xpack.security.enabled` - | deprecated:[7.16.0,"In 8.0 and later, this setting will no longer be supported."] - By default, {kib} automatically detects whether to enable the - {security-features} based on the license and whether {es} {security-features} - are enabled. + - + - Do not set this to `false`; it disables the login form, user and role management - screens, and authorization using <>. To disable - {security-features} entirely, see - {ref}/security-settings.html[{es} security settings]. -|=== - [float] [[authentication-security-settings]] ==== Authentication security settings diff --git a/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker b/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker index 235a5fbe1a1a3..3a38789fbcac6 100755 
--- a/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker +++ b/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker @@ -343,7 +343,6 @@ kibana_vars=( xpack.security.authc.saml.realm xpack.security.authc.selector.enabled xpack.security.cookieName - xpack.security.enabled xpack.security.encryptionKey xpack.security.loginAssistanceMessage xpack.security.loginHelp diff --git a/test/functional/config.js b/test/functional/config.js index e0195c4dadc8d..5b0b79e84e8df 100644 --- a/test/functional/config.js +++ b/test/functional/config.js @@ -45,7 +45,6 @@ export default async function ({ readConfigFile }) { '--savedObjects.maxImportPayloadBytes=10485760', // to be re-enabled once kibana/issues/102552 is completed - '--xpack.security.enabled=false', '--xpack.reporting.enabled=false', ], }, diff --git a/x-pack/plugins/security/server/config.ts b/x-pack/plugins/security/server/config.ts index 23a1fd2efa382..a9e22448e1725 100644 --- a/x-pack/plugins/security/server/config.ts +++ b/x-pack/plugins/security/server/config.ts @@ -198,7 +198,6 @@ const providersConfigSchema = schema.object( ); export const ConfigSchema = schema.object({ - enabled: schema.boolean({ defaultValue: true }), loginAssistanceMessage: schema.string({ defaultValue: '' }), showInsecureClusterWarning: schema.boolean({ defaultValue: true }), loginHelp: schema.maybe(schema.string()), diff --git a/x-pack/plugins/security/server/config_deprecations.test.ts b/x-pack/plugins/security/server/config_deprecations.test.ts index a629b6d73a682..3c674de97ad8e 100644 --- a/x-pack/plugins/security/server/config_deprecations.test.ts +++ b/x-pack/plugins/security/server/config_deprecations.test.ts 
@@ -357,34 +357,4 @@ describe('Config Deprecations', () => { ] `); }); - - it('warns when the security plugin is disabled', () => { - const config = { - xpack: { - security: { - enabled: false, - }, - }, - }; - const { messages, migrated } = applyConfigDeprecations(cloneDeep(config)); - expect(migrated).toEqual(config); - expect(messages).toMatchInlineSnapshot(` - Array [ - "Disabling the security plugin \\"xpack.security.enabled\\" will only be supported by disable security in Elasticsearch.", - ] - `); - }); - - it('does not warn when the security plugin is enabled', () => { - const config = { - xpack: { - security: { - enabled: true, - }, - }, - }; - const { messages, migrated } = applyConfigDeprecations(cloneDeep(config)); - expect(migrated).toEqual(config); - expect(messages).toHaveLength(0); - }); }); diff --git a/x-pack/plugins/security/server/config_deprecations.ts b/x-pack/plugins/security/server/config_deprecations.ts index 0c76840819b3d..055818a159a79 100644 --- a/x-pack/plugins/security/server/config_deprecations.ts +++ b/x-pack/plugins/security/server/config_deprecations.ts 
@@ -157,28 +157,4 @@ export const securityConfigDeprecationProvider: ConfigDeprecationProvider = ({ }); } }, - (settings, fromPath, addDeprecation) => { - if (settings?.xpack?.security?.enabled === false) { - addDeprecation({ - configPath: 'xpack.security.enabled', - title: i18n.translate('xpack.security.deprecations.enabledTitle', { - defaultMessage: 'Disabling the security plugin "xpack.security.enabled" is deprecated', - }), - message: i18n.translate('xpack.security.deprecations.enabledMessage', { - defaultMessage: - 'Disabling the security plugin "xpack.security.enabled" will only be supported by disable security in Elasticsearch.', - }), - correctiveActions: { - manualSteps: [ - i18n.translate('xpack.security.deprecations.enabled.manualStepOneMessage', { - defaultMessage: `Remove "xpack.security.enabled" from your Kibana configuration.`, - }), - i18n.translate('xpack.security.deprecations.enabled.manualStepTwoMessage', { - defaultMessage: `To turn off security features, disable them in Elasticsearch instead.`, - }), - ], - }, - }); - } - }, ]; diff --git a/x-pack/test/reporting_api_integration/reporting_without_security.config.ts b/x-pack/test/reporting_api_integration/reporting_without_security.config.ts index dfd79916b5ce0..0779b3b871e36 100644 --- a/x-pack/test/reporting_api_integration/reporting_without_security.config.ts +++ b/x-pack/test/reporting_api_integration/reporting_without_security.config.ts @@ -24,7 +24,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { }, kbnTestServer: { ...apiConfig.get('kbnTestServer'), - serverArgs: [...apiConfig.get('kbnTestServer.serverArgs'), `--xpack.security.enabled=false`], + serverArgs: [...apiConfig.get('kbnTestServer.serverArgs')], }, }; } diff --git a/x-pack/test/reporting_functional/reporting_without_security.config.ts b/x-pack/test/reporting_functional/reporting_without_security.config.ts index 0269f57bf08cb..7ca7f89a0b709 100644 
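Review bot: With `--xpack.security.enabled=false` dropped from `serverArgs` in reporting_api_integration/reporting_without_security.config.ts, nothing visible in this hunk still turns security off for a config whose name promises it. Whether the suite runs unauthenticated now depends on Elasticsearch-side settings that the hunk does not show. If those do not disable security, the tests would run with the security plugin active and silently stop covering the no-security path. A comment on the `serverArgs` line stating where security is disabled, or an assertion in the suite that the security plugin is inactive, would make that dependency explicit. The same applies to the reporting_functional config changed later in this patch, and the exported config function starts outside the hunk.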
--- a/x-pack/test/reporting_functional/reporting_without_security.config.ts +++ b/x-pack/test/reporting_functional/reporting_without_security.config.ts @@ -17,10 +17,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { testFiles: [resolve(__dirname, './reporting_without_security')], kbnTestServer: { ...reportingConfig.get('kbnTestServer'), - serverArgs: [ - ...reportingConfig.get('kbnTestServer.serverArgs'), - `--xpack.security.enabled=false`, - ], + serverArgs: [...reportingConfig.get('kbnTestServer.serverArgs')], }, esTestCluster: { ...reportingConfig.get('esTestCluster'), From ac485f772c176225c0750b5899b44a3d8a0a228b Mon Sep 17 00:00:00 2001 From: Thomas Watson Date: Thu, 9 Sep 2021 12:58:29 +0200 Subject: [PATCH 2/6] Update snapshots to not include the enabled config option --- x-pack/plugins/security/server/config.test.ts | 3 --- 1 file changed, 3 deletions(-) diff --git a/x-pack/plugins/security/server/config.test.ts b/x-pack/plugins/security/server/config.test.ts index 4034a7a79e6dd..ababf435af3c9 100644 --- a/x-pack/plugins/security/server/config.test.ts +++ b/x-pack/plugins/security/server/config.test.ts @@ -56,7 +56,6 @@ describe('config schema', () => { "selector": Object {}, }, "cookieName": "sid", - "enabled": true, "encryptionKey": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "loginAssistanceMessage": "", "public": Object {}, @@ -110,7 +109,6 @@ describe('config schema', () => { "selector": Object {}, }, "cookieName": "sid", - "enabled": true, "encryptionKey": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "loginAssistanceMessage": "", "public": Object {}, @@ -164,7 +162,6 @@ describe('config schema', () => { "selector": Object {}, }, "cookieName": "sid", - "enabled": true, "loginAssistanceMessage": "", "public": Object {}, "secureCookies": false, From cb739c7232572de7db6a58b24f2b284286176266 Mon Sep 17 00:00:00 2001 
From: Thomas Watson Date: Thu, 9 Sep 2021 13:15:46 +0200 Subject: [PATCH 3/6] Don't accidentally try to set xpack.security.enabled in Kibana config --- x-pack/test/alerting_api_integration/common/config.ts | 4 +++- x-pack/test/case_api_integration/common/config.ts | 4 +++- x-pack/test/lists_api_integration/common/config.ts | 4 +++- x-pack/test/rule_registry/common/config.ts | 4 +++- x-pack/test/saved_object_api_integration/common/config.ts | 4 +++- x-pack/test/spaces_api_integration/common/config.ts | 4 +++- x-pack/test/timeline/common/config.ts | 4 +++- x-pack/test/ui_capabilities/common/config.ts | 4 +++- 8 files changed, 24 insertions(+), 8 deletions(-) diff --git a/x-pack/test/alerting_api_integration/common/config.ts b/x-pack/test/alerting_api_integration/common/config.ts index 3fe5ecb6076e2..7bcec7b11c10e 100644 --- a/x-pack/test/alerting_api_integration/common/config.ts +++ b/x-pack/test/alerting_api_integration/common/config.ts @@ -242,7 +242,9 @@ export function createTestConfig(name: string, options: CreateTestConfigOptions) }, }, })}`, - ...disabledPlugins.map((key) => `--xpack.${key}.enabled=false`), + ...disabledPlugins + .filter((k) => k !== 'security') + .map((key) => `--xpack.${key}.enabled=false`), ...plugins.map( (pluginDir) => `--plugin-path=${path.resolve(__dirname, 'fixtures', 'plugins', pluginDir)}` diff --git a/x-pack/test/case_api_integration/common/config.ts b/x-pack/test/case_api_integration/common/config.ts index 2658472a7b84d..284b4360dacf8 100644 --- a/x-pack/test/case_api_integration/common/config.ts +++ b/x-pack/test/case_api_integration/common/config.ts 
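Review bot: The `.filter((k) => k !== 'security')` added before the `.map` silently discards a caller's request to disable security, so a config that lists `security` in `disabledPlugins` now starts Kibana with no sign that the entry was ignored. Whether security is actually off for such a run then depends on the Elasticsearch arguments, which this hunk does not show. A comment such as `// 'security' can no longer be disabled through Kibana config; its state follows Elasticsearch` would explain the filter. The same three lines are repeated in the case_api_integration, lists_api_integration, rule_registry, saved_object_api_integration, spaces_api_integration, timeline and ui_capabilities configs, so a shared helper would keep them from drifting apart. `createTestConfig` starts and ends outside the hunk.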
@@ -118,7 +118,9 @@ export function createTestConfig(name: string, options: CreateTestConfigOptions) `--xpack.actions.allowedHosts=${JSON.stringify(['localhost', 'some.non.existent.com'])}`, `--xpack.actions.enabledActionTypes=${JSON.stringify(enabledActionTypes)}`, '--xpack.eventLog.logEntries=true', - ...disabledPlugins.map((key) => `--xpack.${key}.enabled=false`), + ...disabledPlugins + .filter((k) => k !== 'security') + .map((key) => `--xpack.${key}.enabled=false`), // Actions simulators plugin. Needed for testing push to external services. ...alertingPlugins.map( (pluginDir) => diff --git a/x-pack/test/lists_api_integration/common/config.ts b/x-pack/test/lists_api_integration/common/config.ts index 4983f00cce044..214f03b632658 100644 --- a/x-pack/test/lists_api_integration/common/config.ts +++ b/x-pack/test/lists_api_integration/common/config.ts @@ -51,7 +51,9 @@ export function createTestConfig(name: string, options: CreateTestConfigOptions) ...xPackApiIntegrationTestsConfig.get('kbnTestServer'), serverArgs: [ ...xPackApiIntegrationTestsConfig.get('kbnTestServer.serverArgs'), - ...disabledPlugins.map((key) => `--xpack.${key}.enabled=false`), + ...disabledPlugins + .filter((k) => k !== 'security') + .map((key) => `--xpack.${key}.enabled=false`), `--plugin-path=${path.join(__dirname, 'fixtures', 'plugins', 'alerts')}`, `--plugin-path=${path.join(__dirname, 'fixtures', 'plugins', 'actions')}`, `--plugin-path=${path.join(__dirname, 'fixtures', 'plugins', 'task_manager')}`, diff --git a/x-pack/test/rule_registry/common/config.ts b/x-pack/test/rule_registry/common/config.ts index 9cce58c30f6e9..6b920a6f5dbf2 100644 --- a/x-pack/test/rule_registry/common/config.ts +++ b/x-pack/test/rule_registry/common/config.ts 
@@ -79,7 +79,9 @@ export function createTestConfig(name: string, options: CreateTestConfigOptions) `--xpack.actions.allowedHosts=${JSON.stringify(['localhost', 'some.non.existent.com'])}`, `--xpack.actions.enabledActionTypes=${JSON.stringify(enabledActionTypes)}`, '--xpack.eventLog.logEntries=true', - ...disabledPlugins.map((key) => `--xpack.${key}.enabled=false`), + ...disabledPlugins + .filter((k) => k !== 'security') + .map((key) => `--xpack.${key}.enabled=false`), // TO DO: Remove feature flags once we're good to go '--xpack.securitySolution.enableExperimental=["ruleRegistryEnabled"]', '--xpack.ruleRegistry.write.enabled=true', diff --git a/x-pack/test/saved_object_api_integration/common/config.ts b/x-pack/test/saved_object_api_integration/common/config.ts index 9b9e46efa6d5d..8ca74c7fcea49 100644 --- a/x-pack/test/saved_object_api_integration/common/config.ts +++ b/x-pack/test/saved_object_api_integration/common/config.ts @@ -54,7 +54,9 @@ export function createTestConfig(name: string, options: CreateTestConfigOptions) ...config.xpack.api.get('kbnTestServer.serverArgs'), '--server.xsrf.disableProtection=true', `--plugin-path=${path.join(__dirname, 'fixtures', 'saved_object_test_plugin')}`, - ...disabledPlugins.map((key) => `--xpack.${key}.enabled=false`), + ...disabledPlugins + .filter((k) => k !== 'security') + .map((key) => `--xpack.${key}.enabled=false`), ], }, }; diff --git a/x-pack/test/spaces_api_integration/common/config.ts b/x-pack/test/spaces_api_integration/common/config.ts index 7cceb945790d5..5d135cd05605c 100644 --- a/x-pack/test/spaces_api_integration/common/config.ts +++ b/x-pack/test/spaces_api_integration/common/config.ts 
@@ -61,7 +61,9 @@ export function createTestConfig(name: string, options: CreateTestConfigOptions) '--status.allowAnonymous=false', '--server.xsrf.disableProtection=true', `--plugin-path=${path.join(__dirname, 'fixtures', 'spaces_test_plugin')}`, - ...disabledPlugins.map((key) => `--xpack.${key}.enabled=false`), + ...disabledPlugins + .filter((k) => k !== 'security') + .map((key) => `--xpack.${key}.enabled=false`), ], }, }; diff --git a/x-pack/test/timeline/common/config.ts b/x-pack/test/timeline/common/config.ts index fa8ddb2ad10a7..211f380b133a5 100644 --- a/x-pack/test/timeline/common/config.ts +++ b/x-pack/test/timeline/common/config.ts @@ -79,7 +79,9 @@ export function createTestConfig(name: string, options: CreateTestConfigOptions) `--xpack.actions.allowedHosts=${JSON.stringify(['localhost', 'some.non.existent.com'])}`, `--xpack.actions.enabledActionTypes=${JSON.stringify(enabledActionTypes)}`, '--xpack.eventLog.logEntries=true', - ...disabledPlugins.map((key) => `--xpack.${key}.enabled=false`), + ...disabledPlugins + .filter((k) => k !== 'security') + .map((key) => `--xpack.${key}.enabled=false`), // TO DO: Remove feature flags once we're good to go '--xpack.securitySolution.enableExperimental=["ruleRegistryEnabled"]', '--xpack.ruleRegistry.write.enabled=true', diff --git a/x-pack/test/ui_capabilities/common/config.ts b/x-pack/test/ui_capabilities/common/config.ts index 1f695e562da05..f676a5eeccee1 100644 --- a/x-pack/test/ui_capabilities/common/config.ts +++ b/x-pack/test/ui_capabilities/common/config.ts 
@@ -42,7 +42,9 @@ export function createTestConfig(name: string, options: CreateTestConfigOptions) ...xPackFunctionalTestsConfig.get('kbnTestServer'), serverArgs: [ ...xPackFunctionalTestsConfig.get('kbnTestServer.serverArgs'), - ...disabledPlugins.map((key) => `--xpack.${key}.enabled=false`), + ...disabledPlugins + .filter((k) => k !== 'security') + .map((key) => `--xpack.${key}.enabled=false`), `--plugin-path=${path.join(__dirname, 'fixtures', 'plugins', 'foo_plugin')}`, ], }, From 4c4d474c76017c20b7932d3a213358cabcefbcef Mon Sep 17 00:00:00 2001 From: Thomas Watson Date: Wed, 20 Oct 2021 15:33:12 +0200 Subject: [PATCH 4/6] Inherit xpack.security.enabled from Elasticsearch in tests --- test/common/services/security/test_user.ts | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/test/common/services/security/test_user.ts b/test/common/services/security/test_user.ts index 695294f08b02d..1161e7b493f41 100644 --- a/test/common/services/security/test_user.ts +++ b/test/common/services/security/test_user.ts @@ -71,13 +71,12 @@ export class TestUser extends FtrService { export async function createTestUserService(ctx: FtrProviderContext, role: Role, user: User) { const log = ctx.getService('log'); const config = ctx.getService('config'); - const kibanaServer = ctx.getService('kibanaServer'); - const enabledPlugins = config.get('security.disableTestUser') - ? [] - : await kibanaServer.plugins.getEnabledIds(); - - const enabled = enabledPlugins.includes('security') && !config.get('security.disableTestUser'); + const enabled = + !config + .get('esTestCluster.serverArgs') + .some((arg: string) => arg === 'xpack.security.enabled=false') && + !config.get('security.disableTestUser'); if (enabled) { log.debug('===============creating roles and users==============='); From 8c3f9e27cf7323ea11e242eeaf3cb1390b9eff9b Mon Sep 17 00:00:00 2001 
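Review bot: In test/common/services/security/test_user.ts the new `enabled` value is inferred from an exact string match, `arg === 'xpack.security.enabled=false'`, against `esTestCluster.serverArgs`, where the removed code asked the running Kibana which plugins were enabled. Any other spelling of the argument, or security being off for another reason, leaves `enabled` true, and the service then tries to create roles and users on a cluster without security. The `.some` call also has no fallback; if the config schema does not default `esTestCluster.serverArgs` (not visible here) it throws, which `const esArgs: string[] = config.get('esTestCluster.serverArgs') ?? [];` would avoid. A comment stating that the Elasticsearch arguments are now the source of truth for the security state would help the next reader. `createTestUserService` continues outside the hunk.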
From: Thomas Watson Date: Thu, 21 Oct 2021 16:26:40 +0200 Subject: [PATCH 5/6] Fix ui_capabilities test error --- .../spaces_only/tests/catalogue.ts | 15 +++++++++++++-- .../spaces_only/tests/nav_links.ts | 15 +++++++++++++-- 2 files changed, 26 insertions(+), 4 deletions(-) diff --git a/x-pack/test/ui_capabilities/spaces_only/tests/catalogue.ts b/x-pack/test/ui_capabilities/spaces_only/tests/catalogue.ts index b50f11553747c..e694b5be6e024 100644 --- a/x-pack/test/ui_capabilities/spaces_only/tests/catalogue.ts +++ b/x-pack/test/ui_capabilities/spaces_only/tests/catalogue.ts @@ -24,6 +24,13 @@ export default function catalogueTests({ getService }: FtrProviderContext) { 'watcher', ]; + const uiCapabilitiesExceptions = [ + // enterprise_search plugin is loaded but disabled because security isn't enabled in ES. That means the following 3 capabilities are disabled + 'enterpriseSearch', + 'appSearch', + 'workplaceSearch', + ]; + describe('catalogue', () => { SpaceScenarios.forEach((scenario) => { it(`${scenario.name}`, async () => { @@ -33,7 +40,10 @@ export default function catalogueTests({ getService }: FtrProviderContext) { expect(uiCapabilities.success).to.be(true); expect(uiCapabilities.value).to.have.property('catalogue'); // everything is enabled - const expected = mapValues(uiCapabilities.value!.catalogue, () => true); + const expected = mapValues( + uiCapabilities.value!.catalogue, + (enabled, catalogueId) => !uiCapabilitiesExceptions.includes(catalogueId) + ); expect(uiCapabilities.value!.catalogue).to.eql(expected); break; } @@ -55,7 +65,8 @@ export default function catalogueTests({ getService }: FtrProviderContext) { // only foo is disabled const expected = mapValues( uiCapabilities.value!.catalogue, - (value, catalogueId) => catalogueId !== 'foo' + (enabled, catalogueId) => + !uiCapabilitiesExceptions.includes(catalogueId) && catalogueId !== 'foo' ); expect(uiCapabilities.value!.catalogue).to.eql(expected); break; 
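Review bot: The `// everything is enabled` and `// only foo is disabled` comments above the two `mapValues` calls in catalogue.ts no longer describe the expectation, which now also expects `enterpriseSearch`, `appSearch` and `workplaceSearch` to be false. They could read `// everything is enabled except uiCapabilitiesExceptions` and `// foo and uiCapabilitiesExceptions are disabled`. The `enabled` callback argument is unused in both calls and could be named `_enabled`. The `uiCapabilitiesExceptions` array is declared a second time in nav_links.ts with the same comment, so a shared constant would keep the two lists in step.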
diff --git a/x-pack/test/ui_capabilities/spaces_only/tests/nav_links.ts b/x-pack/test/ui_capabilities/spaces_only/tests/nav_links.ts index 17c01888a7024..4ef919ebb46aa 100644 --- a/x-pack/test/ui_capabilities/spaces_only/tests/nav_links.ts +++ b/x-pack/test/ui_capabilities/spaces_only/tests/nav_links.ts @@ -16,6 +16,13 @@ export default function navLinksTests({ getService }: FtrProviderContext) { const uiCapabilitiesService: UICapabilitiesService = getService('uiCapabilities'); const featuresService: FeaturesService = getService('features'); + const uiCapabilitiesExceptions = [ + // enterprise_search plugin is loaded but disabled because security isn't enabled in ES. That means the following 3 capabilities are disabled + 'enterpriseSearch', + 'appSearch', + 'workplaceSearch', + ]; + describe('navLinks', () => { let navLinksBuilder: NavLinksBuilder; before(async () => { @@ -30,7 +37,9 @@ export default function navLinksTests({ getService }: FtrProviderContext) { case 'everything_space': expect(uiCapabilities.success).to.be(true); expect(uiCapabilities.value).to.have.property('navLinks'); - expect(uiCapabilities.value!.navLinks).to.eql(navLinksBuilder.all()); + expect(uiCapabilities.value!.navLinks).to.eql( + navLinksBuilder.except(...uiCapabilitiesExceptions) + ); break; case 'nothing_space': expect(uiCapabilities.success).to.be(true); @@ -40,7 +49,9 @@ export default function navLinksTests({ getService }: FtrProviderContext) { case 'foo_disabled_space': expect(uiCapabilities.success).to.be(true); expect(uiCapabilities.value).to.have.property('navLinks'); - expect(uiCapabilities.value!.navLinks).to.eql(navLinksBuilder.except('foo')); + expect(uiCapabilities.value!.navLinks).to.eql( + navLinksBuilder.except('foo', ...uiCapabilitiesExceptions) + ); break; default: throw new UnreachableError(scenario); From e8ace455e7eff0cc534e5c9d0f381cd317d6bc72 Mon Sep 17 00:00:00 2001 
From: Thomas Watson Date: Thu, 21 Oct 2021 20:09:32 +0200 Subject: [PATCH 6/6] Bump expected number of integrations in fleet test The 21 new integrations are all enterprise_search integrations which wasn't included before because the security plugin was disabled (a dependency of enterprise_search). --- test/api_integration/apis/custom_integration/integrations.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/api_integration/apis/custom_integration/integrations.ts b/test/api_integration/apis/custom_integration/integrations.ts index e4797b334a866..0784a86e4b546 100644 --- a/test/api_integration/apis/custom_integration/integrations.ts +++ b/test/api_integration/apis/custom_integration/integrations.ts @@ -22,7 +22,7 @@ export default function ({ getService }: FtrProviderContext) { expect(resp.body).to.be.an('array'); - expect(resp.body.length).to.be(12); + expect(resp.body.length).to.be(33); // Test for sample data card expect(resp.body.findIndex((c: { id: string }) => c.id === 'sample_data_all')).to.be.above(