[Meta] FTR configurable test users for xpack

[rashmivkulkarni]

fixes: #26937
Reference for OSS tests: #52431
Objective :
We should run all CI tests with security enabled and with a user who has the minimal documented privileges to allow them to be successful.

Describe a specific use case for the feature:
The x-pack tests already do run with security enabled but the test_user has the superuser role.

This issue tries to eliminate the usage of superuser role in the tests and instead use the right set of roles and privileges required to run the tests.

Here I have listed the xpack apps which currently run as superuser. Each of the tests in these apps need to be run as a test_user with the right set of roles and privileges.
These tests exclude feature controls tests

As an example xpack tests under api_keys, and dashboard_view_mode.js have been modified to run as a test_user with the right set of roles and privileges.

Please Note: This requires contribution from all teams.

---

---

• advanced settings ( feature controls)
  • Feature Controls #31652
• api_keys configurable test users for xpack -homepage tests. #60808
• apm
  • Feature Controls #31652
• canvas using test_user with minimum privileges for canvas functional ui tests #75917
• cross-cluster-replication Cross cluster search functional test with minimun privileges assigned to the test_user #70007
• dashboard
  • [wip ] Drilldown functional ui test - using test user with custom privileges #76055 dashboard drilldown- WIP)
  • test for dashboard drilldown #78377 (dashboad_to_dashboard_drilldown)
  • FTR configurable test users #52431 ( dashboard- OSS)
• data_views
  • security
    • Feature Controls #31652
• dev_tools
  • search profiler Search profiler functional test -- using "test_user" with limited role. #69841
• discover
  • async_scripted_field using test_user with minimum privileges for discover_async_scripted_fields test #71988
• graph
  • Feature Controls #31652
• grok_debugger
  • Rewrite Grok Debugger Tests to use Standard Functional Test Runner  #108301
• home
  • The home tests in x-pack are configured for test_user.
    • Improve home screen for limited-access users #77665
• index-lifecycle-management
  • Migrated ILM Tests to Use test_user #121262
• index management
  • Migrate Index Management Functional Tests To Use Test User #113078
• infra
  • Feature Controls #31652
• ingest pipelines
  • Migrated Ingest Node Pipeline Functional Tests to use test_user #102409
• lens
  • using test_user with minimum privileges for lens functional ui tests #76673
• license_management
  • [Search Sessions] Enable Search Sessions #91097
• logstash
  • [functional/security/test-user] use options object #126652
• maps
  • Adding test user to maps functional tests - PR 1 #70649
  • Test user assignment to maps tests - 2 #75890
  • Adding test user to auto fit to bounds test  #75914
  • Adding test user to maps es_pew_pew_source #75920
  • Test user assignment to embeddable maps tests  #84383
• ml
  • Feature Controls #31652
• monitoring
  • Feature Controls #31652
• remote_clusters
  • Remote cluster - Functional UI test to change the superuser to a test_user with limited role #77212
• reporting_management
  • [Reporting/Tests] Use reporting default settings in test server config #111626
• rollup_job
  • Use test_user with minimum privileges for functional ui tests under rollup_job folder #84970 (sub-meta)
    • rollup_job.js - Changed rollup tests to use test user rather than elastic super user. #79567
• saved object management
  • Feature Controls #31652
• security
• snapshot_restore ( regular tests)
  • Migrated Snapshot and Restore tests to use test user #126011
• spaces ( feature controls+ regular tests)
  • Feature Controls Spaces - Hiding management link #38472
• status_page ( regular tests)
  • Has no login specific functionality
• transform ( feature controls+ regular tests)
• upgrade_assistant ( feature controls+ regular tests)
  • changes for upgrade assistant functional test to incorporate test user #70071
• uptime ( feature controls only)
  • Feature Controls #31652
• visualize ( FTR configurable test users for functional tests under Visualize app #79354 ( sub-meta)
• watcher
  • Watcher -functional xpack test using test_user with specific permissions.  #89068

---

cc @elastic/kibana-qa

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[elasticmachine]

Pinging @elastic/kibana-qa (Team:QA)

[legrego]

Thanks for this @Rasroh! #52431 was a great step forward in making sure we're running with the minimal set of documented Elasticsearch Privileges, but we should also keep Kibana Privileges in mind when designing these tests going forward.

#52431 specifies a set of roles with specific cluster/index privileges, but from what I can tell, each test still runs with the kibana_admin/kibana_user role applied. This means that all tests will be run with full read/write access to Kibana, which goes against the stated objective above of

We should run all CI tests with security enabled and with a user who has the minimal documented privileges to allow them to be successful.

For example, to test that the dashboard application works correctly for read/write access, you would want a user with a role similar to the following:

{
  "name": "test_dashboard_user_role",
  "elasticsearch": {
    "cluster": []
    "indices": [{
      "names": ["kibana-sample-data-*"],
      "privileges" ["read", "view_index_metadata"]
    }],
    "run_as": []
  },
  "kibana": [{
    "spaces": ["*"],
    "feature": {
      "dashboard": ["all"]
    }
  }]
}

[rashmivkulkarni]

Good suggestion, Larry- As we do new tests, we shall make it more granular like the example shared above. For the older tests, it needs to be dealt as a separate PR.

[cuff-links]

All of the existing items have been completed. If there's any follow-up work, please open a new meta issue.