elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

run all CI tests with security enabled and minimal privileged roles #26937

Open LeeDr opened 5 years ago

LeeDr commented 5 years ago

Describe the feature: We should run all CI tests with security enabled and with a user who has the minimal documented privileges to allow them to be successful.

Describe a specific use case for the feature: For example, Management Index Pattern tests should be run with a user with the kibana_user role and a role that gives them only read, and view_index_metadata privileges on logstash-*.

The x-pack tests already do run with security enabled but they currently all run as the elastic superuser.

The OSS tests currently run against an OSS Kibana/Elasticsearch server pair. I guess we should keep that but then also run them against a default distribution Kibana/Elasticsearch server pair.

Of course Kibana should be configured to use the kibana_server role user also and not the elastic superuser.

@dmlemeshko had what I think is a great idea for this. Instead of creating multiple users and logging out and back in as a different user between tests, just log in as one dynamic user and change the roles between tests using the Elasticsearch js client. I think the way we navigate with the timestamp in the url, and the refresh, that the changed role would take effect without a new login.

For some features like visualize, this could just be done once in the before method in the index.js.
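The "one dynamic user" approach from the comment above, as an added example that is not code from the Kibana repo or from the issue: the test user is created once with `kibana_user`, and between tests only its companion role is rewritten so the Elasticsearch-side privileges change without another Kibana login. The user and role names, the password, and the client object are assumptions; the calls follow the 7.x `@elastic/elasticsearch` `security.putRole({ name, body })` / `security.putUser({ name, body })` shape and the client is injected so the code runs offline.

```javascript
// Added example (not Kibana's own test code). Names below are hypothetical.
const TEST_USER = 'ci_dynamic_user';    // assumed user name for the CI login
const DYNAMIC_ROLE = 'ci_dynamic_role'; // assumed role that is rewritten per test

// Role body for the Management Index Pattern case in the issue:
// read + view_index_metadata on logstash-* only, and no cluster privileges.
function indexReadRole(patterns, privileges = ['read', 'view_index_metadata']) {
  return {
    cluster: [],
    indices: [{ names: patterns, privileges }],
  };
}

// Guard against a test quietly re-introducing superuser-like power:
// reject broad cluster privileges, the "*" index pattern and index "all".
function assertMinimal(roleBody) {
  for (const p of roleBody.cluster) {
    if (p === 'all' || p === 'manage_security') {
      throw new Error(`cluster privilege "${p}" is not minimal`);
    }
  }
  for (const entry of roleBody.indices) {
    if (entry.names.includes('*')) throw new Error('index pattern "*" is not minimal');
    if (entry.privileges.includes('all')) throw new Error('index privilege "all" is not minimal');
  }
  return roleBody;
}

// Create the user once (for example in the suite's before()). kibana_user gives
// the Kibana-level access; DYNAMIC_ROLE carries the per-test index privileges.
async function createDynamicUser(client, password) {
  await client.security.putUser({
    name: TEST_USER,
    body: { password, roles: ['kibana_user', DYNAMIC_ROLE] },
  });
  return TEST_USER;
}

// Between tests, overwrite DYNAMIC_ROLE in place instead of logging in again.
// Returns the role definition that was sent, for logging or assertions.
async function switchPrivileges(client, roleBody) {
  assertMinimal(roleBody);
  await client.security.putRole({ name: DYNAMIC_ROLE, body: roleBody });
  return { role: DYNAMIC_ROLE, ...roleBody };
}

module.exports = { indexReadRole, assertMinimal, createDynamicUser, switchPrivileges };
```

Whether a rewritten role is picked up without a fresh login is the open question the comment raises; a test that checks the new privileges right after `switchPrivileges` is the way to confirm it in CI.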

elasticmachine commented 5 years ago

Pinging @elastic/kibana-qa

LeeDr commented 4 years ago

Notes from meeting with @spalger @dmlemeshko @wayneseymour:

LeeDr commented 4 years ago

UPDATE: After spending some time thinking about the cost to implement this across all tests, and weighing that against another option which is to just use one non-superuser for all OSS tests and a different non-superuser for all x-pack tests (each with the union of privileges needed by those tests), it seems much much much easier to just use a "power" user (or "kibana_user") and still get a significant reduction in risk compared to running all tests as a superuser.

One of the paths to look at is packages\kbn-test\src\functional_tests\lib\auth.js and another place to look is packages\kbn-test\src\kbn\users.js

wayneseymour commented 4 years ago

sounds like the KISS principle to me. Simple is clean.

LeeDr commented 4 years ago

https://github.com/elastic/kibana/pull/52431 addresses much of this issue.