Merge branch 'master' into ingest/fix/ds-no-pkg

elastic · May 14, 2020 · 23f4de7 · 23f4de7
2 parents b253a73 + 5333a04
commit 23f4de7
Show file tree

Hide file tree

Showing 5 changed files with 68 additions and 53 deletions.
diff --git a/docs/user/security/api-keys/index.asciidoc b/docs/user/security/api-keys/index.asciidoc
@@ -3,18 +3,18 @@
 === API Keys
 
 
-API keys enable you to create secondary credentials so that you can send 
-requests on behalf of the user. Secondary credentials have 
-the same or lower access rights. 
+API keys enable you to create secondary credentials so that you can send
+requests on behalf of the user. Secondary credentials have
+the same or lower access rights.
 
 For example, if you extract data from an {es} cluster on a daily
-basis, you might create an API key tied to your credentials, 
-configure it with minimum access, 
+basis, you might create an API key tied to your credentials,
+configure it with minimum access,
 and then put the API credentials into a cron job.
-Or, you might create API keys to automate ingestion of new data from 
-remote sources, without a live user interaction. 
+Or, you might create API keys to automate ingestion of new data from
+remote sources, without a live user interaction.
 
-You can create API keys from the {kib} Console. To view and invalidate 
+You can create API keys from the {kib} Console. To view and invalidate
 API keys, use *Management > Security > API Keys*.
 
 [role="screenshot"]
@@ -24,63 +24,80 @@ image:user/security/api-keys/images/api-keys.png["API Keys UI"]
 [[api-keys-service]]
 === {es} API key service
 
-The {es} API key service is automatically enabled when you configure 
-{ref}/configuring-tls.html#tls-http[TLS on the HTTP interface]. 
+The {es} API key service is automatically enabled when you configure
+{ref}/configuring-tls.html#tls-http[TLS on the HTTP interface].
 This ensures that clients are unable to send API keys in clear-text.
 
-When HTTPS connections are not enabled between {kib} and {es}, 
+When HTTPS connections are not enabled between {kib} and {es},
 you cannot create or manage API keys, and you get an error message.
-For more information, see the 
-{ref}/security-api-create-api-key.html[{es} API key documentation], 
+For more information, see the
+{ref}/security-api-create-api-key.html[{es} API key documentation],
 or contact your system administrator.
 
 [float]
 [[api-keys-security-privileges]]
 === Security privileges
 
-You must have the `manage_security`, `manage_api_key`, or the `manage_own_api_key` 
-cluster privileges to use API keys in {kib}. You can manage roles in 
-*Management > Security > Roles*, or use the <<role-management-api, {kib} Role Management API>>. 
+You must have the `manage_security`, `manage_api_key`, or the `manage_own_api_key`
+cluster privileges to use API keys in {kib}. You can manage roles in
+*Management > Security > Roles*, or use the <<role-management-api, {kib} Role Management API>>.
 
 
 [float]
 [[create-api-key]]
 === Create an API key
-You can {ref}/security-api-create-api-key.html[create an API key] from 
-the Kibana Console. For example:
+You can {ref}/security-api-create-api-key.html[create an API key] from
+the {kib} Console. This example shows how to create an API key
+to authenticate to a <<api, Kibana API>>.
 
 [source,js]
 POST /_security/api_key
 {
- "name": "my_api_key",
- "expiration": "1d"
+ "name": "kibana_api_key",
 }
 
-This creates an API key with the name `my_api_key` that 
-expires after one day. API key names must be globally unique. 
-An expiration date is optional and follows {ref}/common-options.html#time-units[{es} time unit format]. 
+This creates an API key with the
+name `kibana_api_key`. API key
+names must be globally unique.
+An expiration date is optional and follows
+{ref}/common-options.html#time-units[{es} time unit format].
 When an expiration is not provided, the API key does not expire.
 
+The response should look something like this:
+
+[source,js]
+{
+ "id" : "XFcbCnIBnbwqt2o79G4q",
+ "name" : "kibana_api_key",
+ "api_key" : "FD6P5UA4QCWlZZQhYF3YGw"
+}
+
+Now, you can use the API key to request {kib} roles. You will need
+to base64-encode the `id` and `api_key` provided in the response
+and add it to your request as an authorization header. For example:
+
+[source,js]
+curl --location --request GET 'http://localhost:5601/api/security/role' \
+--header 'Content-Type: application/json;charset=UTF-8' \
+--header 'kbn-xsrf: true' \
+--header 'Authorization: ApiKey aVZlLUMzSUJuYndxdDJvN0k1bU46aGxlYUpNS2lTa2FKeVZua1FnY1VEdw==' \
+
 [float]
 [[view-api-keys]]
 === View and invalidate API keys
-The *API Keys* UI lists your API keys, including the name, date created, 
+The *API Keys* feature in Kibana lists your API keys, including the name, date created,
 and expiration date. If an API key expires, its status changes from `Active` to `Expired`.
 
-If you have `manage_security` or `manage_api_key` permissions, 
-you can view the API keys of all users, and see which API key was 
+If you have `manage_security` or `manage_api_key` permissions,
+you can view the API keys of all users, and see which API key was
 created by which user in which realm.
 If you have only the `manage_own_api_key` permission, you see only a list of your own keys.
 
-You can invalidate API keys individually or in bulk. 
+You can invalidate API keys individually or in bulk.
 Invalidated keys are deleted in batch after seven days.
 
 [role="screenshot"]
 image:user/security/api-keys/images/api-key-invalidate.png["API Keys invalidate"]
 
-You cannot modify an API key. If you need additional privileges, 
+You cannot modify an API key. If you need additional privileges,
 you must create a new key with the desired configuration and invalidate the old key.
-
-
-
-
diff --git a/packages/kbn-es/src/utils/native_realm.js b/packages/kbn-es/src/utils/native_realm.js
@@ -76,10 +76,6 @@ exports.NativeRealm = class NativeRealm {
  }
 
  const reservedUsers = await this.getReservedUsers();
- if (!reservedUsers || reservedUsers.length < 1) {
- throw new Error('no reserved users found, unable to set native realm passwords');
- }
-
  await Promise.all(
  reservedUsers.map(async user => {
  await this.setPassword(user, options[`password.${user}`]);
@@ -88,16 +84,18 @@ exports.NativeRealm = class NativeRealm {
  }
 
  async getReservedUsers() {
- const users = await this._autoRetry(async () => {
- return await this._client.security.getUser();
- });
+ return await this._autoRetry(async () => {
+ const resp = await this._client.security.getUser();
+ const usernames = Object.keys(resp.body).filter(
+ user => resp.body[user].metadata._reserved === true
+ );
 
- return Object.keys(users.body).reduce((acc, user) => {
- if (users.body[user].metadata._reserved === true) {
- acc.push(user);
+ if (!usernames?.length) {
+ throw new Error('no reserved users found, unable to set native realm passwords');
  }
- return acc;
- }, []);
+
+ return usernames;
+ });
  }
 
  async isSecurityEnabled() {
@@ -125,10 +123,9 @@ exports.NativeRealm = class NativeRealm {
  throw error;
  }
 
- this._log.warning(
- 'assuming [elastic] user not available yet, waiting 1.5 seconds and trying again'
- );
- await new Promise(resolve => setTimeout(resolve, 1500));
+ const sec = 1.5 * attempt;
+ this._log.warning(`assuming ES isn't initialized completely, trying again in ${sec} seconds`);
+ await new Promise(resolve => setTimeout(resolve, sec * 1000));
  return await this._autoRetry(fn, attempt + 1);
  }
  }

diff --git a/test/functional/apps/visualize/_tsvb_chart.ts b/test/functional/apps/visualize/_tsvb_chart.ts
@@ -28,7 +28,8 @@ export default function({ getService, getPageObjects }: FtrProviderContext) {
  const security = getService('security');
  const PageObjects = getPageObjects(['visualize', 'visualBuilder', 'timePicker', 'visChart']);
 
- describe('visual builder', function describeIndexTests() {
+ // FLAKY: https://github.com/elastic/kibana/issues/43150
+ describe.skip('visual builder', function describeIndexTests() {
  this.tags('includeFirefox');
  beforeEach(async () => {
  await security.testUser.setRoles(['kibana_admin', 'test_logstash_reader']);

diff --git a/x-pack/test/functional/apps/dashboard/_async_dashboard.ts b/x-pack/test/functional/apps/dashboard/_async_dashboard.ts
@@ -26,8 +26,7 @@ export default function({ getService, getPageObjects }: FtrProviderContext) {
  'timePicker',
  ]);
 
- // FLAKY: https://github.com/elastic/kibana/issues/65949
- describe.skip('sample data dashboard', function describeIndexTests() {
+ describe('sample data dashboard', function describeIndexTests() {
  before(async () => {
  await PageObjects.common.sleep(5000);
  await PageObjects.common.navigateToUrl('home', '/tutorial_directory/sampleData', {

diff --git a/x-pack/test/functional_endpoint/apps/endpoint/policy_list.ts b/x-pack/test/functional_endpoint/apps/endpoint/policy_list.ts
@@ -12,7 +12,8 @@ export default function({ getPageObjects, getService }: FtrProviderContext) {
  const testSubjects = getService('testSubjects');
  const policyTestResources = getService('policyTestResources');
 
- describe('When on the Endpoint Policy List', function() {
+ // FLAKY: https://github.com/elastic/kibana/issues/66579
+ describe.skip('When on the Endpoint Policy List', function() {
  this.tags(['ciGroup7']);
  before(async () => {
  await pageObjects.common.navigateToUrlWithBrowserHistory('endpoint', '/policy');
@@ -46,7 +47,7 @@ export default function({ getPageObjects, getService }: FtrProviderContext) {
  expect(noItemsFoundMessage).to.equal('No items found');
  });
 
- describe('and policies exists', () => {
+ xdescribe('and policies exists', () => {
  let policyInfo: PolicyTestResourceInfo;
 
  before(async () => {