Enroll Kibana API uses Service Accounts

client/rest-high-level/qa/ssl-enabled/src/javaRestTest/java/org/elasticsearch/client/EnrollmentIT.java

@@ -76,7 +76,6 @@ public void testEnrollKibana() throws Exception {
         assertThat(kibanaResponse, notNullValue());
         assertThat(kibanaResponse.getHttpCa()
             , endsWith("brcNC5xq6YE7C4/06nH7F6le4kE4Uo6c9fpkl4ehOxQxndNLn462tFF+8VBA8IftJ1PPWzqGxLsCTzM6p6w8sa+XhgNYglLfkRjirc="));
-        assertNotNull(kibanaResponse.getPassword());
-        assertThat(kibanaResponse.getPassword().toString().length(), equalTo(14));
+        assertNotNull(kibanaResponse.getToken());
     }
 }

client/rest-high-level/src/main/java/org/elasticsearch/client/security/KibanaEnrollmentResponse.java

@@ -18,21 +18,21 @@
 
 public final class KibanaEnrollmentResponse {
 
-    private SecureString password;
+    private SecureString token;
     private String httpCa;
 
-    public KibanaEnrollmentResponse(SecureString password, String httpCa) {
-        this.password = password;
+    public KibanaEnrollmentResponse(SecureString token, String httpCa) {
+        this.token = token;
         this.httpCa = httpCa;
     }
 
-    public SecureString getPassword() { return password; }
+    public SecureString getToken() { return token; }
 
     public String getHttpCa() {
         return httpCa;
     }
 
-    private static final ParseField PASSWORD = new ParseField("password");
+    private static final ParseField TOKEN = new ParseField("token");
     private static final ParseField HTTP_CA = new ParseField("http_ca");
 
     @SuppressWarnings("unchecked")
@@ -42,7 +42,7 @@ public String getHttpCa() {
             a -> new KibanaEnrollmentResponse(new SecureString(((String) a[0]).toCharArray()), (String) a[1]));
 
     static {
-        PARSER.declareString(ConstructingObjectParser.constructorArg(), PASSWORD);
+        PARSER.declareString(ConstructingObjectParser.constructorArg(), TOKEN);
         PARSER.declareString(ConstructingObjectParser.constructorArg(), HTTP_CA);
     }
 
@@ -54,10 +54,10 @@ public static KibanaEnrollmentResponse fromXContent(XContentParser parser) throw
         if (this == o) return true;
         if (o == null || getClass() != o.getClass()) return false;
         KibanaEnrollmentResponse that = (KibanaEnrollmentResponse) o;
-        return password.equals(that.password) && httpCa.equals(that.httpCa);
+        return token.equals(that.token) && httpCa.equals(that.httpCa);
     }
 
     @Override public int hashCode() {
-        return Objects.hash(password, httpCa);
+        return Objects.hash(token, httpCa);
     }
 }

client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java

@@ -2875,7 +2875,7 @@ public void onFailure(Exception e) {
         }
     }
 
-    @AwaitsFix(bugUrl = "Determine behavior for keystores with multiple keys")
+    @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/75097")
     public void testNodeEnrollment() throws Exception {
         RestHighLevelClient client = highLevelClient();
 
@@ -2918,7 +2918,7 @@ public void onFailure(Exception e) {
         }
     }
 
-    @AwaitsFix(bugUrl = "Determine behavior for keystores with multiple keys")
+    @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/75097")
     public void testKibanaEnrollment() throws Exception {
         RestHighLevelClient client = highLevelClient();
 
@@ -2928,10 +2928,10 @@ public void testKibanaEnrollment() throws Exception {
             // end::kibana-enrollment-execute
 
             // tag::kibana-enrollment-response
-            SecureString password = response.getPassword(); // <1>
+            SecureString token = response.getToken(); // <1>
             String httoCa = response.getHttpCa(); // <2>
             // end::kibana-enrollment-response
-            assertThat(password.length(), equalTo(14));
+            assertNotNull(token);
         }
 
         {

client/rest-high-level/src/test/java/org/elasticsearch/client/security/KibanaErnollmentResponseTests.java

@@ -24,42 +24,42 @@
 public class KibanaErnollmentResponseTests extends ESTestCase {
 
     public void testFromXContent() throws IOException {
-        final String password = randomAlphaOfLength(14);
+        final String token = randomAlphaOfLengthBetween(30, 40);
         final String httpCa = randomAlphaOfLength(50);
         final List<String> nodesAddresses = randomList(2, 10, () -> buildNewFakeTransportAddress().toString());
 
         final XContentType xContentType = randomFrom(XContentType.values());
         final XContentBuilder builder = XContentFactory.contentBuilder(xContentType);
-        builder.startObject().field("password", password).field("http_ca", httpCa).field("nodes_addresses", nodesAddresses).endObject();
+        builder.startObject().field("token", token).field("http_ca", httpCa).field("nodes_addresses", nodesAddresses).endObject();
         BytesReference xContent = BytesReference.bytes(builder);
 
         final KibanaEnrollmentResponse response = KibanaEnrollmentResponse.fromXContent(createParser(xContentType.xContent(), xContent));
-        assertThat(response.getPassword(), equalTo(password));
+        assertThat(response.getToken(), equalTo(token));
         assertThat(response.getHttpCa(), equalTo(httpCa));
     }
 
     public void testEqualsHashCode() {
-        final SecureString password = new SecureString(randomAlphaOfLength(14).toCharArray());
+        final SecureString password = new SecureString(randomAlphaOfLengthBetween(30, 40).toCharArray());
         final String httpCa = randomAlphaOfLength(50);
         KibanaEnrollmentResponse kibanaEnrollmentResponse = new KibanaEnrollmentResponse(password, httpCa);
 
         EqualsHashCodeTestUtils.checkEqualsAndHashCode(kibanaEnrollmentResponse,
-            (original) -> new KibanaEnrollmentResponse(original.getPassword(), original.getHttpCa()));
+            (original) -> new KibanaEnrollmentResponse(original.getToken(), original.getHttpCa()));
 
         EqualsHashCodeTestUtils.checkEqualsAndHashCode(kibanaEnrollmentResponse,
-            (original) -> new KibanaEnrollmentResponse(original.getPassword(), original.getHttpCa()),
+            (original) -> new KibanaEnrollmentResponse(original.getToken(), original.getHttpCa()),
             KibanaErnollmentResponseTests::mutateTestItem);
     }
 
     private static KibanaEnrollmentResponse mutateTestItem(KibanaEnrollmentResponse original) {
         switch (randomIntBetween(0, 1)) {
             case 0:
-                return new KibanaEnrollmentResponse(new SecureString(randomAlphaOfLength(14).toCharArray()),
+                return new KibanaEnrollmentResponse(new SecureString(randomAlphaOfLengthBetween(30, 40).toCharArray()),
                     original.getHttpCa());
             case 1:
-                return new KibanaEnrollmentResponse(original.getPassword(), randomAlphaOfLength(51));
+                return new KibanaEnrollmentResponse(original.getToken(), randomAlphaOfLength(51));
             default:
-                return new KibanaEnrollmentResponse(original.getPassword(),
+                return new KibanaEnrollmentResponse(original.getToken(),
                     original.getHttpCa());
         }
     }

docs/java-rest/high-level/security/enroll_kibana.asciidoc

@@ -21,7 +21,7 @@ executed operation as follows:
 --------------------------------------------------
 include-tagged::{doc-tests-file}[{api-kibana-response]
 --------------------------------------------------
-<1> The password for the `kibana_system` user
+<1> A token that can be used as a bearer token for the `kibana-system` service account.
 <2> The CA certificate that has signed the certificate that the cluster uses for TLS on the HTTP layer,
 as a Base64 encoded string of the ASN.1 DER encoding of the certificate.
 

x-pack/docs/en/rest-api/security/enroll-kibana.asciidoc

@@ -35,10 +35,10 @@ The API returns the following response:
 [source,console_result]
 ----
 {
-  "password" : "longsecurepassword", <1>
+  "token" : "AAEAAWVsYXN0aWM...vZmxlZXQtc2VydmVyL3Rva2VuMTo3TFdaSDZ", <1>
   "http_ca" : "MIIJlAIBAzCCCVoGCSqGSIb3....vsDfsA3UZBAjEPfhubpQysAICCAA=", <2>
 }
 ----
-<1> The password for the `kibana_system` user.
+<1> A token that can be used as a bearer token for the `kibana-system` service account.
 <2> The CA certificate used to sign the node certificates that {es} uses for TLS on the HTTP layer.
 The certificate is returned as a Base64 encoded string of the ASN.1 DER encoding of the certificate.

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/enrollment/KibanaEnrollmentResponse.java

@@ -22,7 +22,7 @@
 
 public final class KibanaEnrollmentResponse extends ActionResponse implements ToXContentObject {
 
-    private static final ParseField PASSWORD = new ParseField("password");
+    private static final ParseField TOKEN = new ParseField("token");
     private static final ParseField HTTP_CA = new ParseField("http_ca");
 
     @SuppressWarnings("unchecked")
@@ -32,39 +32,39 @@ public final class KibanaEnrollmentResponse extends ActionResponse implements To
             a -> new KibanaEnrollmentResponse(new SecureString(((String) a[0]).toCharArray()), (String) a[1]));
 
     static {
-        PARSER.declareString(ConstructingObjectParser.constructorArg(), PASSWORD);
+        PARSER.declareString(ConstructingObjectParser.constructorArg(), TOKEN);
         PARSER.declareString(ConstructingObjectParser.constructorArg(), HTTP_CA);
     }
 
-    private final SecureString password;
+    private final SecureString token;
     private final String httpCa;
 
     public KibanaEnrollmentResponse(StreamInput in) throws IOException {
         super(in);
-        password = in.readSecureString();
+        token = in.readSecureString();
         httpCa = in.readString();
     }
 
-    public KibanaEnrollmentResponse(SecureString password, String httpCa) {
-        this.password = password;
+    public KibanaEnrollmentResponse(SecureString token, String httpCa) {
+        this.token = token;
         this.httpCa = httpCa;
     }
 
-    public SecureString getPassword() { return password; }
+    public SecureString getToken() { return token; }
     public String getHttpCa() {
         return httpCa;
     }
 
     @Override public XContentBuilder toXContent(
         XContentBuilder builder, Params params) throws IOException {
         builder.startObject();
-        builder.field(PASSWORD.getPreferredName(), password.toString());
+        builder.field(TOKEN.getPreferredName(), token.toString());
         builder.field(HTTP_CA.getPreferredName(), httpCa);
         return builder.endObject();
     }
 
     @Override public void writeTo(StreamOutput out) throws IOException {
-        out.writeSecureString(password);
+        out.writeSecureString(token);
         out.writeString(httpCa);
     }
 
@@ -76,10 +76,10 @@ public static KibanaEnrollmentResponse fromXContent(XContentParser parser) {
         if (this == o) return true;
         if (o == null || getClass() != o.getClass()) return false;
         KibanaEnrollmentResponse response = (KibanaEnrollmentResponse) o;
-        return password.equals(response.password) && httpCa.equals(response.httpCa);
+        return token.equals(response.token) && httpCa.equals(response.httpCa);
     }
 
     @Override public int hashCode() {
-        return Objects.hash(password, httpCa);
+        return Objects.hash(token, httpCa);
     }
 }