[Security Solution] adds users + roles for security serverless projec…

…ts to kibana (#168420) ## Summary * Allows local testing of serverless security roles * Fixes roles set in roles.yml file used in yarn es serverless. * Adds users + roles for security serverless projects to be used directly --------- Co-authored-by: Kibana Machine <[email protected]> (cherry picked from commit 1fb81fb)
elastic · Oct 25, 2023 · 77a8f08 · 77a8f08
1 parent 4612938
commit 77a8f08
Show file tree

Hide file tree

Showing 5 changed files with 213 additions and 387 deletions.
diff --git a/packages/kbn-es/src/serverless_resources/README.md b/packages/kbn-es/src/serverless_resources/README.md
@@ -1,4 +1,5 @@
 # Elasticsearch Serverless Resources
+
 The resources in this directory are used for seeding Elasticsearch Serverless images with users, roles and tokens for SSL and authentication. Serverless requires file realm authentication, so we will bind mount them into the containers at `/usr/share/elasticsearch/config/`.
 
 ## Users
@@ -14,22 +15,23 @@ password: changeme
 
 ### Adding users
 
-1. Add the `user:encrypted_password` to `users` file. The encrypted password for `elastic_serverless` is `changeme` if you want to reuse the value.
-1. Set the new user's roles in `users_roles` file.
+1. Add the user:encrypted_password to `users` file. The encrypted password for `elastic_serverless` is `changeme` if you want to reuse the value.
+1. Set the new user's roles in `users_roles` file in the format of `role:username`
 1. Add the username to `operator_users.yml` in the array for file realm users.
 
-
 ## Service Account and Tokens
 
 This section for Service Accounts was originally from the [ES Serverless repository](https://github.com/elastic/elasticsearch-serverless/blob/main/serverless-build-tools/src/main/resources/README.service_tokens.md).
 
 The "service_tokens" file contains this line:
+
 ```
 elastic/kibana/kibana-dev:$2a$10$mY2RuGROhk56vLNh.Mgwue98BnkdQPlTR.yGh38ao5jhPJobvuBCq
 elastic/fleet-server/fleet-server-dev:$2a$10$tgMX7U09G/EVTP8F/O4zHewhA3DXdv7iM5F2vny9TC6zw77RrutyG
 ```
 
 That line defines a single service token
+
 - For the `elastic/kibana` service account
 - The token is named `kibana-dev`
 - The token's secret is hashed using bcrypt (`$2a$`) using `10` rounds
@@ -43,19 +45,18 @@ That produces an encoded token of: `AAEAAWVsYXN0aWMva2liYW5hL2tpYmFuYS1kZXY6VVVV
 Yes, the secret was specially chosen to produce an encoded value that can be more easily recognised in development.
 
 If a node is configured to use this `service_tokens` file, then you can authenticate to it with
+
 ```
 curl -H "Authorization: Bearer AAEAAWVsYXN0aWMva2liYW5hL2tpYmFuYS1kZXY6VVVVVVVVTEstKiBaNA" http://localhost:9200/_security/_authenticate
 ```
 
 The name of the token (`kibana-dev`) is important because the `operator_users.yml` file designates that token as an operator and allows us to seed a serverless cluster with this token.
 
-
 ## Overriding resources
 
 The files found in this directory can be overwritten with customized versions by using the `--resources` option of the `yarn es serverless` command.
 Assuming a customized `users` and `users_roles` are located in `/tmp/my_es/` directory and executing the below command from the root of Kibana, here is an example:
 
 ```shell
-yarn es serverless --resources=/tmp/my_es/users --resources=/tmp/my_es/users_roles 
+yarn es serverless --resources=/tmp/my_es/users --resources=/tmp/my_es/users_roles
 ```
-
diff --git a/packages/kbn-es/src/serverless_resources/operator_users.yml b/packages/kbn-es/src/serverless_resources/operator_users.yml
@@ -1,14 +1,28 @@
 operator:
-  - usernames: ["elastic_serverless", "system_indices_superuser", "soc_manager"]
-    realm_type: "file"
-    auth_type: "realm"
-  - usernames: [ "elastic/kibana" ]
-    realm_type: "_service_account"
-    auth_type: "token"
-    token_source: "file"
-    token_names: [ "kibana-dev" ]
-  - usernames: [ "elastic/fleet-server" ]
-    realm_type: "_service_account"
-    auth_type: "token"
-    token_source: "file"
-    token_names: [ "fleet-server-dev" ]
+  - usernames:
+      [
+        'elastic_serverless',
+        'system_indices_superuser',
+        't1_analyst',
+        't2_analyst',
+        't3_analyst',
+        'threat_intelligence_analyst',
+        'rule_author',
+        'soc_manager',
+        'detections_admin',
+        'platform_engineer',
+        'endpoint_operations_analyst',
+        'endpoint_policy_manager',
+      ]
+    realm_type: 'file'
+    auth_type: 'realm'
+  - usernames: ['elastic/kibana']
+    realm_type: '_service_account'
+    auth_type: 'token'
+    token_source: 'file'
+    token_names: ['kibana-dev']
+  - usernames: ['elastic/fleet-server']
+    realm_type: '_service_account'
+    auth_type: 'token'
+    token_source: 'file'
+    token_names: ['fleet-server-dev']