[scout] extend login functionality with Kibana built-in roles #271992

Draft
dmlemeshko wants to merge 3 commits into elastic:main from dmlemeshko:scout/extend-login-with-built-in-role

Conversation

@dmlemeshko
Contributor

Summary

Many FTR tests rely on Kibana built-in roles, and it makes sense to add support for them to Scout. This should simplify the FTR -> Scout migration:

UI tests auth flow:

browserAuth.loginWithBuiltinRole('kibana_admin')
  │
  └─ samlAuth.setBuiltinRole('kibana_admin')   ← new helper on SamlAuth (PR)
       │
       ├─ esClient.security.getRole({ name: 'kibana_admin' })
       │    └─ response:
       │       {
       │         kibana_admin: {
       │           cluster: [],
       │           indices: [],
       │           applications: [{ application: 'kibana-.kibana', privileges: ['all'], resources: ['*'] }],
       │           run_as: [],
       │           metadata: { _reserved: true },         ← strip
       │           transient_metadata: { enabled: true }  ← strip
       │         }
       │       }
       │
       ├─ extract ElasticsearchRoleDescriptor:
       │    { cluster, indices, applications, run_as }
       │
       └─ setCustomRole(descriptor)   ← no changes
            ├─ hash check (share session/key across tests in same worker)
            ├─ createElasticsearchCustomRole(esClient, 'custom_role_worker_1', descriptor)
            │    └─ PUT /_security/role/custom_role_worker_1  { ...kibana_admin descriptor }
            └─ customRoleHash = hash(descriptor)

  └─ loginAs(samlAuth.customRoleName)   ← no changes
       └─ [local or cloud, exact same path as loginWithCustomRole]

API tests auth flow:

requestAuth.getApiKeyForBuiltinRole('kibana_admin')
  │
  └─ samlAuth.setBuiltinRole('kibana_admin')        ← SamlAuth (PR)
       │
       ├─ esClient.security.getRole({ name: 'kibana_admin' })
       │    └─ response:
       │       {
       │         kibana_admin: {
       │           cluster: [],
       │           indices: [],
       │           applications: [{ application: 'kibana-.kibana', privileges: ['all'], resources: ['*'] }],
       │           run_as: [],
       │           metadata: { _reserved: true },         ← strip
       │           transient_metadata: { enabled: true }  ← strip
       │         }
       │       }
       │
       └─ setCustomRole(descriptor)                  ←  unchanged
            ├─ hash-dedup check (reuses cached role within same worker)
            ├─ PUT /_security/role/custom_role_worker_1 { ...descriptor }
            └─ returns descriptor to caller            ← new: returned for reuse
  │
  └─ createApiKeyWithAdminCredentials(
         roleName  = 'custom_role_worker_1',
         descriptors = { custom_role_worker_1: descriptor }   ← no second ES fetch
     )
       │
       ├─ samlAuth.session.getApiCredentialsForRole('admin')  ← admin cookie header
       │
       └─ POST /internal/security/api_key
              body: {
                name: 'myTestApiKey-0-custom_role_worker_1-worker-1',
                role_descriptors: {
                  custom_role_worker_1: {
                    cluster: [],
                    indices: [],
                    applications: [{ application: 'kibana-.kibana', privileges: ['all'], resources: ['*'] }],
                    run_as: []
                  }
                }
              }
              └─ { id, name, api_key, encoded }
                   └─ { apiKey, apiKeyHeader: { Authorization: 'ApiKey <encoded>' } }
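The setBuiltinRole flow from the description, modelled as an added TypeScript example (not Scout's or Kibana's own code): it takes the getRole response shown above, drops `metadata` and `transient_metadata` so only the ElasticsearchRoleDescriptor fields are copied into the worker's custom role, computes the dedup hash, and builds the POST /internal/security/api_key body. The sample response is constructed from the diagram; the SHA-256 hash and the function names are assumptions, not the PR's implementation.

```typescript
import { createHash } from 'node:crypto';

// One entry of a GET /_security/role/<name> response (fields as in the PR description).
interface EsRoleResponse {
  cluster: string[];
  indices: unknown[];
  applications: Array<{ application: string; privileges: string[]; resources: string[] }>;
  run_as: string[];
  metadata?: Record<string, unknown>;
  transient_metadata?: Record<string, unknown>;
}

// Only these four fields are accepted by PUT /_security/role and POST /internal/security/api_key.
type ElasticsearchRoleDescriptor = Pick<EsRoleResponse, 'cluster' | 'indices' | 'applications' | 'run_as'>;

// Constructed sample: the getRole({ name: 'kibana_admin' }) response shown in the description.
const SAMPLE_GET_ROLE_RESPONSE: Record<string, EsRoleResponse> = {
  kibana_admin: {
    cluster: [],
    indices: [],
    applications: [{ application: 'kibana-.kibana', privileges: ['all'], resources: ['*'] }],
    run_as: [],
    metadata: { _reserved: true },
    transient_metadata: { enabled: true },
  },
};

// Extract the descriptor: explicitly pick the four fields, so `_reserved` (ES-managed) and
// `transient_metadata` never reach the custom role or the API key request.
function toRoleDescriptor(response: Record<string, EsRoleResponse>, roleName: string): ElasticsearchRoleDescriptor {
  const role = response[roleName];
  if (!role) throw new Error(`built-in role '${roleName}' not found in getRole response`);
  const { cluster, indices, applications, run_as } = role;
  return { cluster, indices, applications, run_as };
}

// Hash used for the per-worker dedup check: same descriptor => same hash => role slot reused.
// (Assumed: SHA-256 over the JSON form; key order is fixed by toRoleDescriptor.)
function descriptorHash(descriptor: ElasticsearchRoleDescriptor): string {
  return createHash('sha256').update(JSON.stringify(descriptor)).digest('hex');
}

// Body for POST /internal/security/api_key, scoped to the worker's custom role slot.
function apiKeyRequestBody(roleName: string, descriptor: ElasticsearchRoleDescriptor, workerIndex: number) {
  return {
    name: `myTestApiKey-0-${roleName}-worker-${workerIndex}`,
    role_descriptors: { [roleName]: descriptor },
  };
}
```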


@dmlemeshko dmlemeshko added release_note:skip Skip the PR/issue when compiling release notes backport:all-open Backport to all branches that could still receive a release labels May 29, 2026
@kibanamachine
Contributor

kibanamachine commented May 29, 2026

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #59 / integrations When in the Fleet application and on the Endpoint Integration details page should display the endpoint custom content
  • [job] [logs] Scout Lane #48 - serverless-observability_complete / default / local-serverless-observability_complete - SAML Auth fixture - getApiKeyForBuiltinRole should create an API key scoped to a built-in ES role
  • [job] [logs] Scout Lane #48 - serverless-observability_complete / default / local-serverless-observability_complete - SAML Auth fixture - setBuiltinRole should provision the custom role slot and return the descriptor
  • [job] [logs] Scout Lane #53 - serverless-observability_logs_essentials / default / local-serverless-observability_logs_essentials - SAML Auth fixture - getApiKeyForBuiltinRole should create an API key scoped to a built-in ES role
  • [job] [logs] Scout Lane #53 - serverless-observability_logs_essentials / default / local-serverless-observability_logs_essentials - SAML Auth fixture - setBuiltinRole should provision the custom role slot and return the descriptor
  • [job] [logs] Scout Lane #34 - serverless-search / default / local-serverless-search - SAML Auth fixture - getApiKeyForBuiltinRole should create an API key scoped to a built-in ES role
  • [job] [logs] Scout Lane #34 - serverless-search / default / local-serverless-search - SAML Auth fixture - setBuiltinRole should provision the custom role slot and return the descriptor
  • [job] [logs] Scout Lane #59 - serverless-security_complete / default / local-serverless-security_complete - SAML Auth fixture - getApiKeyForBuiltinRole should create an API key scoped to a built-in ES role
  • [job] [logs] Scout Lane #59 - serverless-security_complete / default / local-serverless-security_complete - SAML Auth fixture - setBuiltinRole should provision the custom role slot and return the descriptor
  • [job] [logs] FTR Configs #16 / Package policies Package Policy - conditions fans out integration-level condition to inputs in the full agent policy
  • [job] [logs] FTR Configs #202 / serverless observability UI - onboarding Onboarding Onboarding Firehose Quickstart Flow shows the existing data callout and detected AWS services when data was ingested previously

Metrics [docs]

✅ unchanged
