[7.6] [Docs] - Deprecate kibana_user role (elastic#54606) (elastic#56545

)

* rename kibana_user => kibana_admin

* add migration note

* [DOCS] Fixes link for use in multiple books

* i18n fixes after merge from master

* fix i18n

* Apply suggestions from code review

Co-Authored-By: gchaps <33642766+gchaps@users.noreply.github.com>

* Apply suggestions from code review

Co-Authored-By: Brandon Kobel <brandon.kobel@gmail.com>

Co-authored-by: Lisa Cawley <lcawley@elastic.co>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Co-authored-by: Brandon Kobel <brandon.kobel@gmail.com>

Co-authored-by: Lisa Cawley <lcawley@elastic.co>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Co-authored-by: Brandon Kobel <brandon.kobel@gmail.com>

docs/management/watcher-ui/index.asciidoc

@@ -34,7 +34,7 @@ If the {es} {security-features} are enabled, you must have the
 {ref}/security-privileges.html[`manage_watcher` or `monitor_watcher`]
 cluster privileges to use Watcher in {kib}.
 
-Alternately, you can have the built-in `kibana_user` role
+Alternately, you can have the built-in `kibana_admin` role
 and either of these watcher roles:
 
 * `watcher_admin`. You can perform all Watcher actions, including create and edit watches.

docs/uptime-guide/security.asciidoc

@@ -42,15 +42,15 @@ PUT /_security/role/uptime
 === Assign the role to a user
 
 Next, you'll need to create a user with both the `uptime` role, and another role with sufficient {kibana-ref}/kibana-privileges.html[Kibana privileges],
-such as the `kibana_user` role.
+such as the `kibana_admin` role.
 You can do this with the following request:
 
 ["source","sh",subs="attributes,callouts"]
 ---------------------------------------------------------------
 PUT /_security/user/jacknich
 {
   "password" : "j@rV1s",
-  "roles" : [ "uptime", "kibana_user" ],
+  "roles" : [ "uptime", "kibana_admin" ],
   "full_name" : "Jack Nicholson",
   "email" : "jacknich@example.com",
   "metadata" : {

docs/user/monitoring/viewing-metrics.asciidoc

@@ -63,7 +63,7 @@ remote monitoring cluster, you must use credentials that are valid on both the
 
 --
 
-.. Create users that have the `monitoring_user` and `kibana_user` 
+.. Create users that have the `monitoring_user` and `kibana_admin` 
 {ref}/built-in-roles.html[built-in roles].
 
 . Open {kib} in your web browser. 

docs/user/security/authorization/index.asciidoc

@@ -2,12 +2,11 @@
 [[xpack-security-authorization]]
 
 === Granting access to {kib}
-The Elastic Stack comes with the `kibana_user` {ref}/built-in-roles.html[built-in role], which you can use to grant access to all Kibana features in all spaces. To grant users access to a subset of spaces or features, you can create a custom role that grants the desired Kibana privileges. 
+The Elastic Stack comes with the `kibana_admin` {ref}/built-in-roles.html[built-in role], which you can use to grant access to all Kibana features in all spaces. To grant users access to a subset of spaces or features, you can create a custom role that grants the desired Kibana privileges. 
 
-When you assign a user multiple roles, the user receives a union of the roles’ privileges. Therefore, assigning the `kibana_user` role in addition to a custom role that grants Kibana privileges is ineffective because `kibana_user` has access to all the features in all spaces.
+When you assign a user multiple roles, the user receives a union of the roles’ privileges. Therefore, assigning the `kibana_admin` role in addition to a custom role that grants Kibana privileges is ineffective because `kibana_admin` has access to all the features in all spaces.
 
-NOTE: When running multiple tenants of Kibana by changing the `kibana.index` in your `kibana.yml`, 
-you cannot use `kibana_user` or `kibana_dashboard_only_user` to grant access. You must create custom roles that authorize the user for that specific tenant. Although multi-tenant installations are supported, the recommended approach to securing access to Kibana segments is to grant users access to specific spaces.
+NOTE: When running multiple tenants of Kibana by changing the `kibana.index` in your `kibana.yml`, you cannot use `kibana_admin` to grant access. You must create custom roles that authorize the user for that specific tenant. Although multi-tenant installations are supported, the recommended approach to securing access to Kibana segments is to grant users access to specific spaces.
 
 [role="xpack"]
 [[kibana-role-management]]

docs/user/security/reporting.asciidoc

@@ -85,14 +85,14 @@ elasticsearch.username: 'custom_kibana_system'
 [[reporting-roles-user-api]]
 ==== With the user API
 This example uses the {ref}/security-api-put-user.html[user API] to create a user who has the
-`reporting_user` role and the `kibana_user` role:
+`reporting_user` role and the `kibana_admin` role:
 
 [source, sh]
 ---------------------------------------------------------------
 POST /_security/user/reporter
 {
   "password" : "x-pack-test-password",
-  "roles" : ["kibana_user", "reporting_user"],
+  "roles" : ["kibana_admin", "reporting_user"],
   "full_name" : "Reporting User"
 }
 ---------------------------------------------------------------
@@ -106,11 +106,11 @@ roles on a per user basis, or assign roles to groups of users. By default, role
 mappings are configured in
 {ref}/mapping-roles.html[`config/shield/role_mapping.yml`].
 For example, the following snippet assigns the user named Bill Murray the
-`kibana_user` and `reporting_user` roles:
+`kibana_admin` and `reporting_user` roles:
 
 [source,yaml]
 --------------------------------------------------------------------------------
-kibana_user:
+kibana_admin:
   - "cn=Bill Murray,dc=example,dc=com"
 reporting_user:
   - "cn=Bill Murray,dc=example,dc=com"

docs/user/security/securing-kibana.asciidoc

@@ -104,15 +104,15 @@ You can manage privileges on the *Management / Security / Roles* page in {kib}.
 If you're using the native realm with Basic Authentication, you can assign roles
 using the *Management / Security / Users* page in {kib} or the
 {ref}/security-api.html#security-user-apis[user management APIs]. For example, 
-the following creates a user named `jacknich` and assigns it the `kibana_user` 
+the following creates a user named `jacknich` and assigns it the `kibana_admin` 
 role:
 
 [source,js]
 --------------------------------------------------------------------------------
 POST /_security/user/jacknich
 {
   "password" : "t0pS3cr3t",
-  "roles" : [ "kibana_user" ]
+  "roles" : [ "kibana_admin" ]
 }
 --------------------------------------------------------------------------------
 // CONSOLE

x-pack/legacy/plugins/monitoring/public/views/access_denied/index.html

@@ -15,9 +15,9 @@
         class="kuiInfoPanelBody__message"
         i18n-id="xpack.monitoring.accessDenied.notAuthorizedDescription"
         i18n-default-message="You are not authorized to access Monitoring. To use Monitoring, you
-        need the privileges granted by both the `{kibanaUser}` and
+        need the privileges granted by both the `{kibanaAdmin}` and
         `{monitoringUser}` roles."
-        i18n-values="{ kibanaUser: 'kibana_user', monitoringUser: 'monitoring_user' }"
+        i18n-values="{ kibanaAdmin: 'kibana_admin', monitoringUser: 'monitoring_user' }"
       ></div>
 
       <div

x-pack/legacy/plugins/security/public/views/management/edit_role/components/privileges/kibana/space_aware_privilege_section/space_aware_privilege_section.tsx

@@ -96,13 +96,13 @@ class SpaceAwarePrivilegeSectionUI extends Component<Props, State> {
             <FormattedMessage
               id="xpack.security.management.editRole.spaceAwarePrivilegeForm.ensureAccountHasAllPrivilegesGrantedDescription"
               defaultMessage="Please ensure your account has all privileges granted by the
-              {kibanaUser} role, and try again."
+              {kibanaAdmin} role, and try again."
               values={{
-                kibanaUser: (
+                kibanaAdmin: (
                   <strong>
                     <FormattedMessage
-                      id="xpack.security.management.editRole.spaceAwarePrivilegeForm.kibanaUserTitle"
-                      defaultMessage="kibana_user"
+                      id="xpack.security.management.editRole.spaceAwarePrivilegeForm.kibanaAdminTitle"
+                      defaultMessage="kibana_admin"
                     />
                   </strong>
                 ),

x-pack/legacy/plugins/siem/server/utils/beat_schema/8.0.0/filebeat.ts

@@ -3132,7 +3132,7 @@ export const filebeatSchema: Schema = [
               {
                 name: 'user.roles',
                 description: 'Roles to which the principal belongs',
-                example: ['kibana_user', 'beats_admin'],
+                example: ['kibana_admin', 'beats_admin'],
                 type: 'keyword',
               },
               {

x-pack/legacy/plugins/transform/common/constants.ts

@@ -39,11 +39,11 @@ export const API_BASE_PATH = '/api/transform/';
 // - dest index: index, create_index (can be applied to a pattern e.g. df-*)
 //
 // In the UI additional privileges are required:
-// - kibana_user (builtin)
+// - kibana_admin (builtin)
 // - dest index: monitor (applied to df-*)
 // - cluster: monitor
 //
-// Note that users with kibana_user can see all Kibana index patterns and saved searches
+// Note that users with kibana_admin can see all Kibana index patterns and saved searches
 // in the source selection modal when creating a transform, but the wizard will trigger
 // error callouts when there are no sufficient privileges to read the actual source indices.
 

x-pack/plugins/translations/translations/ja-JP.json

@@ -10215,7 +10215,7 @@
     "xpack.ml.validateJob.validateJobButtonLabel": "ジョブを検証",
     "xpack.monitoring.accessDenied.backToKibanaButtonLabel": "Kibana に戻る",
     "xpack.monitoring.accessDenied.clusterNotConfiguredDescription": "専用の監視クラスターへのアクセスを試みている場合、監視クラスターで構成されていないユーザーとしてログインしていることが原因である可能性があります。",
-    "xpack.monitoring.accessDenied.notAuthorizedDescription": "監視アクセスが許可されていません。監視を利用するには、「{kibanaUser}」と「{monitoringUser}」の両方のロールからの権限が必要です。",
+    "xpack.monitoring.accessDenied.notAuthorizedDescription": "監視アクセスが許可されていません。監視を利用するには、「{kibanaAdmin}」と「{monitoringUser}」の両方のロールからの権限が必要です。",
     "xpack.monitoring.accessDeniedTitle": "アクセス拒否",
     "xpack.monitoring.ajaxErrorHandler.httpErrorMessage": "HTTP {errStatus}",
     "xpack.monitoring.ajaxErrorHandler.requestErrorNotificationTitle": "監視リクエストエラー",
@@ -12013,11 +12013,11 @@
     "xpack.security.management.editRole.spaceAwarePrivilegeDisplay.spaceBasePrivilegeSource": "スペースベース権限",
     "xpack.security.management.editRole.spaceAwarePrivilegeDisplay.spaceFeaturePrivilegeSource": "スペース機能権限",
     "xpack.security.management.editRole.spaceAwarePrivilegeDisplay.unknownPrivilegeSource": "**不明**",
-    "xpack.security.management.editRole.spaceAwarePrivilegeForm.ensureAccountHasAllPrivilegesGrantedDescription": "{kibanaUser} ロールによりアカウントにすべての権限が提供されていることを確認し、再試行してください。",
+    "xpack.security.management.editRole.spaceAwarePrivilegeForm.ensureAccountHasAllPrivilegesGrantedDescription": "{kibanaAdmin} ロールによりアカウントにすべての権限が提供されていることを確認し、再試行してください。",
     "xpack.security.management.editRole.spaceAwarePrivilegeForm.globalSpacesName": "* グローバル (すべてのスペース)",
     "xpack.security.management.editRole.spaceAwarePrivilegeForm.howToViewAllAvailableSpacesDescription": "利用可能なすべてのスペースを表示する権限がありません。",
     "xpack.security.management.editRole.spaceAwarePrivilegeForm.insufficientPrivilegesDescription": "権限が不十分です",
-    "xpack.security.management.editRole.spaceAwarePrivilegeForm.kibanaUserTitle": "kibana_user",
+    "xpack.security.management.editRole.spaceAwarePrivilegeForm.kibanaAdminTitle": "kibana_admin",
     "xpack.security.management.editRole.spacePrivilegeForm.allPrivilegeDetails": "選択されたスペースの全機能への完全アクセスを許可します。",
     "xpack.security.management.editRole.spacePrivilegeForm.allPrivilegeDisplay": "すべて",
     "xpack.security.management.editRole.spacePrivilegeForm.allPrivilegeDropdownDisplay": "すべて",

x-pack/plugins/translations/translations/zh-CN.json

@@ -10216,7 +10216,7 @@
     "xpack.ml.validateJob.validateJobButtonLabel": "验证作业",
     "xpack.monitoring.accessDenied.backToKibanaButtonLabel": "返回 Kibana",
     "xpack.monitoring.accessDenied.clusterNotConfiguredDescription": "如果您尝试访问专用监测集群，则这可能是因为该监测集群上未配置您登录时所用的用户帐户。",
-    "xpack.monitoring.accessDenied.notAuthorizedDescription": "您无权访问 Monitoring。要使用 Monitoring，您同时需要 `{kibanaUser}` 和 `{monitoringUser}` 角色授予的权限。",
+    "xpack.monitoring.accessDenied.notAuthorizedDescription": "您无权访问 Monitoring。要使用 Monitoring，您同时需要 `{kibanaAdmin}` 和 `{monitoringUser}` 角色授予的权限。",
     "xpack.monitoring.accessDeniedTitle": "访问被拒绝",
     "xpack.monitoring.ajaxErrorHandler.httpErrorMessage": "HTTP {errStatus}",
     "xpack.monitoring.ajaxErrorHandler.requestErrorNotificationTitle": "Monitoring 请求错误",
@@ -12014,11 +12014,11 @@
     "xpack.security.management.editRole.spaceAwarePrivilegeDisplay.spaceBasePrivilegeSource": "工作区基本权限",
     "xpack.security.management.editRole.spaceAwarePrivilegeDisplay.spaceFeaturePrivilegeSource": "全局功能权限",
     "xpack.security.management.editRole.spaceAwarePrivilegeDisplay.unknownPrivilegeSource": "**未知**",
-    "xpack.security.management.editRole.spaceAwarePrivilegeForm.ensureAccountHasAllPrivilegesGrantedDescription": "请确保您的帐户具有 {kibanaUser} 角色授予的所有权限，然后重试。",
+    "xpack.security.management.editRole.spaceAwarePrivilegeForm.ensureAccountHasAllPrivilegesGrantedDescription": "请确保您的帐户具有 {kibanaAdmin} 角色授予的所有权限，然后重试。",
     "xpack.security.management.editRole.spaceAwarePrivilegeForm.globalSpacesName": "* 全局（所有工作区）",
     "xpack.security.management.editRole.spaceAwarePrivilegeForm.howToViewAllAvailableSpacesDescription": "您无权查看所有可用工作区。",
     "xpack.security.management.editRole.spaceAwarePrivilegeForm.insufficientPrivilegesDescription": "权限不足",
-    "xpack.security.management.editRole.spaceAwarePrivilegeForm.kibanaUserTitle": "kibana_user",
+    "xpack.security.management.editRole.spaceAwarePrivilegeForm.kibanaAdminTitle": "kibana_admin",
     "xpack.security.management.editRole.spacePrivilegeForm.allPrivilegeDetails": "授予对选定工作区所有功能的完全访问权限。",
     "xpack.security.management.editRole.spacePrivilegeForm.allPrivilegeDisplay": "全部",
     "xpack.security.management.editRole.spacePrivilegeForm.allPrivilegeDropdownDisplay": "全部",

x-pack/test/api_integration/apis/console/feature_controls.ts

@@ -43,6 +43,29 @@ export default function securityTests({ getService }: FtrProviderContext) {
       }
     });
 
+    it('can be accessed by kibana_admin role', async () => {
+      const username = 'kibana_admin';
+      const roleName = 'kibana_admin';
+      try {
+        const password = `${username}-password`;
+
+        await security.user.create(username, {
+          password,
+          roles: [roleName],
+          full_name: 'a kibana admin',
+        });
+
+        await supertest
+          .post(`/api/console/proxy?method=GET&path=${encodeURIComponent('/_cat')}`)
+          .auth(username, password)
+          .set('kbn-xsrf', 'xxx')
+          .send()
+          .expect(200);
+      } finally {
+        await security.user.delete(username);
+      }
+    });
+
     it('can be accessed by global all role', async () => {
       const username = 'global_all';
       const roleName = 'global_all';

x-pack/test/api_integration/apis/monitoring/setup/collection/security.js

@@ -44,7 +44,7 @@ export default function({ getService }) {
       await security.user.create(username, {
         password: password,
         full_name: 'Limited User',
-        roles: ['kibana_user', 'monitoring_user'],
+        roles: ['kibana_admin', 'monitoring_user'],
       });
 
       const { body } = await supertestWithoutAuth

x-pack/test/api_integration/apis/short_urls/feature_controls.ts

@@ -12,8 +12,8 @@ export default function featureControlsTests({ getService }: FtrProviderContext)
   const security = getService('security');
 
   describe('feature controls', () => {
-    const kibanaUsername = 'kibana_user';
-    const kibanaUserRoleName = 'kibana_user';
+    const kibanaUsername = 'kibana_admin';
+    const kibanaUserRoleName = 'kibana_admin';
 
     const kibanaUserPassword = `${kibanaUsername}-password`;
 

x-pack/test/functional/apps/dashboard_mode/dashboard_view_mode.js

@@ -91,7 +91,7 @@ export default function({ getService, getPageObjects }) {
         await testSubjects.setValue('userFormFullNameInput', 'mixeduser');
         await testSubjects.setValue('userFormEmailInput', 'example@example.com');
         await PageObjects.security.assignRoleToUser('kibana_dashboard_only_user');
-        await PageObjects.security.assignRoleToUser('kibana_user');
+        await PageObjects.security.assignRoleToUser('kibana_admin');
         await PageObjects.security.assignRoleToUser('logstash-data');
 
         await PageObjects.security.clickSaveEditUser();

x-pack/test/functional/apps/security/doc_level_security_roles.js

@@ -58,11 +58,11 @@ export default function({ getService, getPageObjects }) {
         fullname: 'dls EAST',
         email: 'dlstest@elastic.com',
         save: true,
-        roles: ['kibana_user', 'myroleEast'],
+        roles: ['kibana_admin', 'myroleEast'],
       });
       const users = indexBy(await PageObjects.security.getElasticsearchUsers(), 'username');
       log.debug('actualUsers = %j', users);
-      expect(users.userEast.roles).to.eql(['kibana_user', 'myroleEast']);
+      expect(users.userEast.roles).to.eql(['kibana_admin', 'myroleEast']);
       expect(users.userEast.reserved).to.be(false);
     });
 

x-pack/test/functional/apps/security/field_level_security.js

@@ -79,11 +79,11 @@ export default function({ getService, getPageObjects }) {
         fullname: 'customer one',
         email: 'flstest@elastic.com',
         save: true,
-        roles: ['kibana_user', 'a_viewssnrole'],
+        roles: ['kibana_admin', 'a_viewssnrole'],
       });
       const users = indexBy(await PageObjects.security.getElasticsearchUsers(), 'username');
       log.debug('actualUsers = %j', users);
-      expect(users.customer1.roles).to.eql(['kibana_user', 'a_viewssnrole']);
+      expect(users.customer1.roles).to.eql(['kibana_admin', 'a_viewssnrole']);
     });
 
     it('should add new user customer2 ', async function() {
@@ -95,11 +95,11 @@ export default function({ getService, getPageObjects }) {
         fullname: 'customer two',
         email: 'flstest@elastic.com',
         save: true,
-        roles: ['kibana_user', 'a_view_no_ssn_role'],
+        roles: ['kibana_admin', 'a_view_no_ssn_role'],
       });
       const users = indexBy(await PageObjects.security.getElasticsearchUsers(), 'username');
       log.debug('actualUsers = %j', users);
-      expect(users.customer2.roles).to.eql(['kibana_user', 'a_view_no_ssn_role']);
+      expect(users.customer2.roles).to.eql(['kibana_admin', 'a_view_no_ssn_role']);
     });
 
     it('user customer1 should see ssn', async function() {

x-pack/test/functional/apps/security/secure_roles_perm.js

@@ -61,13 +61,13 @@ export default function({ getService, getPageObjects }) {
         fullname: 'RashmiFirst RashmiLast',
         email: 'rashmi@myEmail.com',
         save: true,
-        roles: ['logstash_reader', 'kibana_user'],
+        roles: ['logstash_reader', 'kibana_admin'],
       });
       log.debug('After Add user: , userObj.userName');
       const users = indexBy(await PageObjects.security.getElasticsearchUsers(), 'username');
       log.debug('actualUsers = %j', users);
       log.debug('roles: ', users.Rashmi.roles);
-      expect(users.Rashmi.roles).to.eql(['logstash_reader', 'kibana_user']);
+      expect(users.Rashmi.roles).to.eql(['logstash_reader', 'kibana_admin']);
       expect(users.Rashmi.fullname).to.eql('RashmiFirst RashmiLast');
       expect(users.Rashmi.reserved).to.be(false);
       await PageObjects.security.forceLogout();