Skip to content

[Security] Moved reset_creds call to reset_internal_creds#176410

Merged
dkirchan merged 8 commits intomainfrom
reset-creds-update
Feb 13, 2024
Merged

[Security] Moved reset_creds call to reset_internal_creds#176410
dkirchan merged 8 commits intomainfrom
reset-creds-update

Conversation

@dkirchan
Copy link
Contributor

@dkirchan dkirchan commented Feb 7, 2024
edited
Loading

Summary

Actions needed following the email that was sent about the breaking change :

API: rather than returning credentials for a privileged "elastic" user, we'll return credentials for a much-less privileged "admin" user. Note this is the user that can be manipulated by customers. This new user won't be an "operator" user anymore: any test that relies on this user being able to do things such as retrieving the cluster health, role mappings, node stats, etc. would therefore break.

A second set of credentials can be retrieved for a privileged "testing-internal" user through a dedicated API endpoint.
To retrieve credentials for that user, please update your automation with a small change:

  1. rather than calling the _reset-credentials endpoint, please call the[_reset-internal-credentials
  2. remove any hard-coded reference of the "elastic" user: the new username is returned in the API response

@ghost
Copy link

ghost commented Feb 7, 2024

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

  • /oblt-deploy : Deploy a Kibana instance using the Observability test environments.
  • /oblt-deploy-serverless : Deploy a serverless Kibana instance using the Observability test environments.
  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@dkirchan dkirchan marked this pull request as ready for review February 9, 2024 14:51
@dkirchan dkirchan self-assigned this Feb 9, 2024
@dkirchan dkirchan added release_note:skip Skip the PR/issue when compiling release notes backport:skip This PR does not require backporting Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Feb 9, 2024
@elasticmachine
Copy link
Contributor

elasticmachine commented Feb 9, 2024

Pinging @elastic/security-solution (Team: SecuritySolution)

@dkirchan dkirchan requested a review from a team as a code owner February 9, 2024 14:55
MadameSheema
MadameSheema approved these changes Feb 9, 2024
View reviewed changes
Copy link
Contributor

@MadameSheema MadameSheema left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!!! Thanks!! :)

maximpn
maximpn approved these changes Feb 10, 2024
View reviewed changes
Copy link
Contributor

@maximpn maximpn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dkirchan thank you for updating the user related logic promptly 👍

@kibana-ci
Copy link

kibana-ci commented Feb 13, 2024

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #44 / Screenshots - serverless observability UI response ops docs observability connectors server log connector "before each" hook for "server log connector screenshots"
  • [job] [logs] FTR Configs #61 / X-Pack Accessibility Tests - Group 2 transform Accessibility for user with full Transform access with data loaded "after all" hook for "runs the latest transform and displays management page"

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @dkirchan

@dkirchan dkirchan merged commit 28d46a8 into main Feb 13, 2024
@dkirchan dkirchan deleted the reset-creds-update branch February 13, 2024 15:35
CoenWarmer pushed a commit to CoenWarmer/kibana that referenced this pull request Feb 15, 2024
@dkirchan @MadameSheema @CoenWarmer
[Security] Moved reset_creds call to reset_internal_creds (elastic#17…
41ce478 
…6410)

## Summary

Actions needed following the email that was sent about the breaking
change :

> API: rather than returning credentials for a privileged "elastic"
user, [we'll return](https://elasticco.atlassian.net/browse/CP-5477)
credentials for a much-less privileged "admin" user. Note this is the
user that can be manipulated by customers. This new user won't be an
"operator" user anymore: any test that relies on this user being able to
do things such as retrieving the cluster health, role mappings, node
stats, etc. would therefore break.

> A second set of credentials can be retrieved for a privileged
"testing-internal" user through a dedicated API endpoint.
To retrieve credentials for that user, please update your automation
with a small change:
> 1. rather than calling the _reset-credentials endpoint, please call
the[_reset-internal-credentials
> 2. remove any hard-coded reference of the "elastic" user: the new
username is returned in the API response

---------

Co-authored-by: Gloria Hornero <gloria.hornero@elastic.co>
fkanout pushed a commit to fkanout/kibana that referenced this pull request Mar 4, 2024
@dkirchan @MadameSheema @fkanout
[Security] Moved reset_creds call to reset_internal_creds (elastic#17…
beaa289 
…6410)

## Summary

Actions needed following the email that was sent about the breaking
change :

> API: rather than returning credentials for a privileged "elastic"
user, [we'll return](https://elasticco.atlassian.net/browse/CP-5477)
credentials for a much-less privileged "admin" user. Note this is the
user that can be manipulated by customers. This new user won't be an
"operator" user anymore: any test that relies on this user being able to
do things such as retrieving the cluster health, role mappings, node
stats, etc. would therefore break.

> A second set of credentials can be retrieved for a privileged
"testing-internal" user through a dedicated API endpoint.
To retrieve credentials for that user, please update your automation
with a small change:
> 1. rather than calling the _reset-credentials endpoint, please call
the[_reset-internal-credentials
> 2. remove any hard-coded reference of the "elastic" user: the new
username is returned in the API response

---------

Co-authored-by: Gloria Hornero <gloria.hornero@elastic.co>
@mgiota mgiota mentioned this pull request May 27, 2024
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jbudz jbudz jbudz approved these changes

@maximpn maximpn maximpn approved these changes

@MadameSheema MadameSheema MadameSheema approved these changes

@semd semd semd approved these changes

@patrykkopycinski patrykkopycinski Awaiting requested review from patrykkopycinski

@oatkiller oatkiller Awaiting requested review from oatkiller

@banderror banderror Awaiting requested review from banderror

Assignees

@dkirchan dkirchan

Labels

backport:skip This PR does not require backporting release_note:skip Skip the PR/issue when compiling release notes Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.13.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@dkirchan @elasticmachine @kibana-ci @jbudz @maximpn @MadameSheema @semd @kibanamachine