Interactive setup mode server-side functionality

[azasypkin]

Summary

In the scope of this issue we're going to implement server-side functionality that's absolutely necessary for the initial phase of the interactive setup mode provided by the userSetup plugin:

• ✔️ @azasypkin Add userSetup plugin skeleton. (Add userSetup plugin skeleton. #101610)
• ✔️ @thomheymann / @azasypkin - Functionality to detect if "interactive setup mode" should be enabled [2W] (Introduce Enroll API endpoint. #108835)
• ✔️ @azasypkin - Functionality to interact with Elasticsearch Enrollment APIs (Introduce Enroll API endpoint. #108835)
• ✔️ @thomheymann / @azasypkin - Functionality to write elasticsearch.* configuration to the disk [1W] (Introduce Enroll API endpoint. #108835)
• ✔️ @azasypkin Functionality to validate server certificate fingerprint (Cumulative set of the preboot stage adjustments #108514)
• ✔️ @thomheymann - Validate and parse enrollment token (Interactive setup mode #106881)
• ✔️ @thomheymann - Secure interactive setup mode with verification code (Add verification code protection #110856)
• ✔️ @thomheymann - Redirect user to default Kibana location once it's up and running(Add verification code protection #110856)
• ✔️ @azasypkin Make sure interactive setup mode is properly triggered when Kibana is run in Docker (Make interactive setup work properly in Docker container. #110629, see this)
• ➡️ @azasypkin Functional and API integration tests (will be handled in the scope of Add functional and API integration tests for the Interactive Setup mode #111336)
• ✔️ @azasypkin Make sure we don't activate interactive setup in k8s/ECK
  By default ECK sets up TLS for both Elasticsearch and Kibana. TLS can be disabled, but Security is assumed to be enabled all the time. However, ECK Kibana can be configured to connect to external Elasticsearch , and if the ES happens to be http://localhost:9200 that Kibana cannot connect to we'll activate interactive setup.
• ✔️ @azasypkin Make sure Kibana installed with OS-specific packages (DEB/RPM) can write to configuration file. The kibana group has permissions to write to kibana.yml:
  

  kibana/src/dev/build/tasks/os_packages/package_scripts/post_install.sh

  Lines 11 to 29 in 4a54188

  	set_chmod() {
  	chmod -f 660 ${KBN_PATH_CONF}/kibana.yml || true
  	chmod -f 2750 <%= dataDir %> || true
  	chmod -f 2750 ${KBN_PATH_CONF} || true
  	chmod -f 2750 <%= logDir %> || true
  	}
  	set_chown() {
  	chown <%= user %>:<%= group %> <%= logDir %>
  	chown <%= user %>:<%= group %> <%= pidDir %>
  	chown -R <%= user %>:<%= group %> <%= dataDir %>
  	chown -R root:<%= group %> ${KBN_PATH_CONF}
  	}
  	setup() {
  	[ ! -d "<%= logDir %>" ] && mkdir "<%= logDir %>"
  	set_chmod
  	set_chown
  	}

  )
  

  kibana/src/dev/build/tasks/os_packages/docker_generator/templates/ironbank/Dockerfile

  Lines 58 to 73 in 4a54188

  	COPY --chown=1000:0 config/kibana.yml /usr/share/kibana/config/kibana.yml
  	# Add the launcher/wrapper script. It knows how to interpret environment
  	# variables and translate them to Kibana CLI options.
  	COPY --chown=1000:0 scripts/kibana-docker /usr/local/bin/
  	# Remove the suid bit everywhere to mitigate "Stack Clash"
  	RUN find / -xdev -perm -4000 -exec chmod u-s {} +
  	# Provide a non-root user to run the process.
  	RUN groupadd --gid 1000 kibana && \
  	useradd --uid 1000 --gid 1000 -G 0 \
  	--home-dir /usr/share/kibana --no-create-home \
  	kibana
  	USER kibana

  
  

  kibana/src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile

  Lines 95 to 113 in 4a54188

  	# Set some Kibana configuration defaults.
  	COPY --chown=1000:0 config/kibana.yml /usr/share/kibana/config/kibana.yml
  	# Add the launcher/wrapper script. It knows how to interpret environment
  	# variables and translate them to Kibana CLI options.
  	COPY --chown=1000:0 bin/kibana-docker /usr/local/bin/
  	# Ensure gid 0 write permissions for OpenShift.
  	RUN chmod g+ws /usr/share/kibana && \
  	find /usr/share/kibana -gid 0 -and -not -perm /g+w -exec chmod g+w {} \;
  	# Remove the suid bit everywhere to mitigate "Stack Clash"
  	RUN find / -xdev -perm -4000 -exec chmod u-s {} +
  	# Provide a non-root user to run the process.
  	RUN groupadd --gid 1000 kibana && \
  	useradd --uid 1000 --gid 1000 -G 0 \
  	--home-dir /usr/share/kibana --no-create-home \
  	kibana

• ➡️ Telemetry to record user behavior and common sources of errors (will be handled in the scope of Add telemetry for the interactive setup #111341)
• ➡️ Find a way to expose ES config schema to preboot plugins (will be handled in the scope of Interactive setup should validate configuration entries using original schema objects #111340)
• ➡️ Support keystore for credentials? (will be handled in the scope of Store kibana system user credentials in the keystore #111337)

Related: #89287, #102538

Blocked by: #103636, https://github.com/elastic/clients-team/issues/423, #102121

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[azasypkin]

Closing this issue as the major tasks are complete now, the remaining tasks will be handled separately: https://github.com/elastic/kibana/issues?q=is%3Aopen+is%3Aissue+label%3A%22Feature%3ASecurity%2FInteractive+Setup%22