Remove Enterprise Search Service Account (#124655)

* remove Enterprise Search service account + tests

* [CI] Auto commit changes from spotless

* remove all tests referencing ent-search

* [CI] Auto commit changes from spotless

* ensure yaml tests have correct length

* set proper length expected

* use index for slow log test that works

* skip account REST tests with invalid length

* skip Test service account tokens test too

* remove added space

* add changelog for PR

* update

---------

Co-authored-by: elasticsearchmachine <[email protected]>

Author: markjhoy

x-pack/plugin/build.gradle

@@ -116,6 +116,8 @@ tasks.named("yamlRestCompatTestTransform").configure({ task ->
   task.skipTest("esql/40_tsdb/from index pattern unsupported counter", "TODO: support for subset of metric fields")
   task.skipTest("esql/40_unsupported_types/unsupported", "TODO: support for subset of metric fields")
   task.skipTest("esql/40_unsupported_types/unsupported with sort", "TODO: support for subset of metric fields")
+  task.skipTest("service_accounts/10_basic/Test get service accounts", "Enterprise Search service account removed, invalidating the current tests")
+  task.skipTest("service_accounts/10_basic/Test service account tokens", "Enterprise Search service account removed, invalidating the current tests")
   task.skipTest("ml/3rd_party_deployment/Test clear deployment cache", "Deprecated route removed")
   task.skipTest("ml/3rd_party_deployment/Test start and stop deployment with cache", "Deprecated route removed")
   task.skipTest("ml/3rd_party_deployment/Test start and stop multiple deployments", "Deprecated route removed")

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/xcontent/XContentUtilsTests.java

@@ -63,7 +63,7 @@ public void testAddAuthorizationInfoWithApiKey() throws IOException {
     }
 
     public void testAddAuthorizationInfoWithServiceAccount() throws IOException {
-        String account = "elastic/" + randomFrom("kibana", "fleet-server", "enterprise-search-server");
+        String account = "elastic/" + randomFrom("kibana", "fleet-server");
         User user = new User(account);
         AuthenticationTestBuilder builder = AuthenticationTestHelper.builder().serviceAccount(user);
         Authentication authentication = builder.build();

x-pack/plugin/security/qa/security-basic/src/javaRestTest/java/org/elasticsearch/xpack/security/SecuritySlowLogIT.java

@@ -224,7 +224,7 @@ public void testSlowLogWithServiceAccount() throws Exception {
 
         Map<String, Object> expectedUser = Map.of(
             "user.name",
-            "elastic/enterprise-search-server",
+            "elastic/fleet-server",
             "user.realm",
             "_service_account",
             "auth.type",
@@ -311,7 +311,7 @@ private static List<TestIndexData> randomTestIndexData() throws IOException {
         List<TestIndexData> testData = new ArrayList<>();
         for (int i = 0; i < randomIntBetween(1, 10); i++) {
             TestIndexData randomTestData = new TestIndexData(
-                "search-" + randomAlphaOfLengthBetween(5, 10).toLowerCase() + "-" + i,
+                "agentless-" + randomAlphaOfLengthBetween(5, 10).toLowerCase() + "-" + i,
                 randomBoolean(),
                 randomBoolean(),
                 randomBoolean(),
@@ -380,10 +380,7 @@ private static Map<String, Object> createApiKey(String name, String authHeader)
     }
 
     private static Map<String, Object> createServiceAccountToken() throws IOException {
-        final Request createServiceTokenRequest = new Request(
-            "POST",
-            "/_security/service/elastic/enterprise-search-server/credential/token"
-        );
+        final Request createServiceTokenRequest = new Request("POST", "/_security/service/elastic/fleet-server/credential/token");
         final Response createServiceTokenResponse = adminClient().performRequest(createServiceTokenRequest);
         assertOK(createServiceTokenResponse);
 

x-pack/plugin/security/qa/service-account/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountIT.java

@@ -490,19 +490,6 @@ public void testGetServiceAccount() throws IOException {
             )
         );
 
-        final Request getServiceAccountRequestEnterpriseSearchService = new Request(
-            "GET",
-            "_security/service/elastic/enterprise-search-server"
-        );
-        final Response getServiceAccountResponseEnterpriseSearchService = client().performRequest(
-            getServiceAccountRequestEnterpriseSearchService
-        );
-        assertServiceAccountRoleDescriptor(
-            getServiceAccountResponseEnterpriseSearchService,
-            "elastic/enterprise-search-server",
-            ELASTIC_ENTERPRISE_SEARCH_SERVER_ROLE_DESCRIPTOR
-        );
-
         final String requestPath = "_security/service/" + randomFrom("foo", "elastic/foo", "foo/bar");
         final Request getServiceAccountRequest4 = new Request("GET", requestPath);
         final Response getServiceAccountResponse4 = client().performRequest(getServiceAccountRequest4);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java

@@ -42,42 +42,6 @@ final class ElasticServiceAccounts {
         )
     );
 
-    private static final ServiceAccount ENTERPRISE_SEARCH_ACCOUNT = new ElasticServiceAccount(
-        "enterprise-search-server",
-        new RoleDescriptor(
-            NAMESPACE + "/enterprise-search-server",
-            new String[] { "manage", "manage_security", "read_connector_secrets", "write_connector_secrets" },
-            new RoleDescriptor.IndicesPrivileges[] {
-                RoleDescriptor.IndicesPrivileges.builder()
-                    .indices(
-                        "search-*",
-                        ".search-acl-filter-*",
-                        ".elastic-analytics-collections",
-                        ".ent-search-*",
-                        ".monitoring-ent-search-*",
-                        "metricbeat-ent-search-*",
-                        "enterprise-search-*",
-                        "logs-app_search.analytics-default",
-                        "logs-elastic_analytics.events-*",
-                        "logs-enterprise_search.api-default",
-                        "logs-enterprise_search.audit-default",
-                        "logs-app_search.search_relevance_suggestions-default",
-                        "logs-crawler-default",
-                        "logs-elastic_crawler-default",
-                        "logs-workplace_search.analytics-default",
-                        "logs-workplace_search.content_events-default",
-                        ".elastic-connectors*"
-                    )
-                    .privileges("manage", "read", "write")
-                    .build() },
-            null,
-            null,
-            null,
-            null,
-            null
-        )
-    );
-
     private static final ServiceAccount FLEET_ACCOUNT = new ElasticServiceAccount(
         "fleet-server",
         new RoleDescriptor(
@@ -210,7 +174,6 @@ final class ElasticServiceAccounts {
 
     static final Map<String, ServiceAccount> ACCOUNTS = Stream.of(
         AUTO_OPS_ACCOUNT,
-        ENTERPRISE_SEARCH_ACCOUNT,
         FLEET_ACCOUNT,
         FLEET_REMOTE_ACCOUNT,
         KIBANA_SYSTEM_ACCOUNT

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/service/TransportGetServiceAccountActionTests.java

@@ -46,16 +46,10 @@ public void testDoExecute() {
         final PlainActionFuture<GetServiceAccountResponse> future1 = new PlainActionFuture<>();
         transportGetServiceAccountAction.doExecute(mock(Task.class), request1, future1);
         final GetServiceAccountResponse getServiceAccountResponse1 = future1.actionGet();
-        assertThat(getServiceAccountResponse1.getServiceAccountInfos().length, equalTo(5));
+        assertThat(getServiceAccountResponse1.getServiceAccountInfos().length, equalTo(4));
         assertThat(
             Arrays.stream(getServiceAccountResponse1.getServiceAccountInfos()).map(ServiceAccountInfo::getPrincipal).toList(),
-            containsInAnyOrder(
-                "elastic/auto-ops",
-                "elastic/enterprise-search-server",
-                "elastic/fleet-server",
-                "elastic/fleet-server-remote",
-                "elastic/kibana"
-            )
+            containsInAnyOrder("elastic/auto-ops", "elastic/fleet-server", "elastic/fleet-server-remote", "elastic/kibana")
         );
 
         final GetServiceAccountRequest request2 = new GetServiceAccountRequest("elastic", "fleet-server");

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java

@@ -45,15 +45,12 @@
 import org.elasticsearch.transport.TransportRequest;
 import org.elasticsearch.xpack.core.ilm.action.GetLifecycleAction;
 import org.elasticsearch.xpack.core.ilm.action.ILMActions;
-import org.elasticsearch.xpack.core.monitoring.action.MonitoringBulkAction;
 import org.elasticsearch.xpack.core.security.action.apikey.CreateApiKeyAction;
 import org.elasticsearch.xpack.core.security.action.apikey.CreateApiKeyRequest;
 import org.elasticsearch.xpack.core.security.action.apikey.GetApiKeyAction;
 import org.elasticsearch.xpack.core.security.action.apikey.GetApiKeyRequest;
 import org.elasticsearch.xpack.core.security.action.apikey.InvalidateApiKeyAction;
 import org.elasticsearch.xpack.core.security.action.apikey.InvalidateApiKeyRequest;
-import org.elasticsearch.xpack.core.security.action.role.PutRoleAction;
-import org.elasticsearch.xpack.core.security.action.user.PutUserAction;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationTestHelper;
 import org.elasticsearch.xpack.core.security.authc.service.ServiceAccount;
@@ -394,93 +391,6 @@ public void testElasticServiceAccount() {
         );
     }
 
-    public void testElasticEnterpriseSearchServerAccount() {
-        final Role role = Role.buildFromRoleDescriptor(
-            ElasticServiceAccounts.ACCOUNTS.get("elastic/enterprise-search-server").roleDescriptor(),
-            new FieldPermissionsCache(Settings.EMPTY),
-            RESTRICTED_INDICES
-        );
-
-        final Authentication authentication = AuthenticationTestHelper.builder().serviceAccount().build();
-        final TransportRequest request = mock(TransportRequest.class);
-
-        // manage
-        assertThat(role.cluster().check(ClusterUpdateSettingsAction.NAME, request, authentication), is(true));
-
-        // manage_security
-        assertThat(
-            role.cluster()
-                .check(CreateApiKeyAction.NAME, new CreateApiKeyRequest(randomAlphaOfLengthBetween(3, 8), null, null), authentication),
-            is(true)
-        );
-        assertThat(
-            role.cluster().check(GetApiKeyAction.NAME, GetApiKeyRequest.builder().ownedByAuthenticatedUser().build(), authentication),
-            is(true)
-        );
-        assertThat(role.cluster().check(InvalidateApiKeyAction.NAME, InvalidateApiKeyRequest.forOwnedApiKeys(), authentication), is(true));
-
-        assertThat(role.cluster().check(PutUserAction.NAME, request, authentication), is(true));
-        assertThat(role.cluster().check(PutRoleAction.NAME, request, authentication), is(true));
-
-        // manage_index_templates
-        assertThat(role.cluster().check(TransportPutIndexTemplateAction.TYPE.name(), request, authentication), is(true));
-        assertThat(role.cluster().check(GetIndexTemplatesAction.NAME, request, authentication), is(true));
-        assertThat(role.cluster().check(TransportDeleteIndexTemplateAction.TYPE.name(), request, authentication), is(true));
-
-        // monitoring
-        assertThat(role.cluster().check(MonitoringBulkAction.NAME, request, authentication), is(true));
-        assertThat(role.cluster().check(TransportClusterHealthAction.NAME, request, authentication), is(true));
-
-        // manage_ilm
-        assertThat(role.cluster().check(GetLifecycleAction.NAME, request, authentication), is(true));
-        assertThat(role.cluster().check(ILMActions.PUT.name(), request, authentication), is(true));
-
-        // Connector secrets. Enterprise Search has read and write access.
-        assertThat(role.cluster().check("cluster:admin/xpack/connector/secret/delete", request, authentication), is(true));
-        assertThat(role.cluster().check("cluster:admin/xpack/connector/secret/get", request, authentication), is(true));
-        assertThat(role.cluster().check("cluster:admin/xpack/connector/secret/post", request, authentication), is(true));
-        assertThat(role.cluster().check("cluster:admin/xpack/connector/secret/put", request, authentication), is(true));
-
-        List.of(
-            "search-" + randomAlphaOfLengthBetween(1, 20),
-            ".search-acl-filter-" + randomAlphaOfLengthBetween(1, 20),
-            ".elastic-analytics-collections",
-            ".ent-search-" + randomAlphaOfLengthBetween(1, 20),
-            ".monitoring-ent-search-" + randomAlphaOfLengthBetween(1, 20),
-            "metricbeat-ent-search-" + randomAlphaOfLengthBetween(1, 20),
-            "enterprise-search-" + randomAlphaOfLengthBetween(1, 20),
-            "logs-app_search.analytics-default",
-            "logs-elastic_analytics.events-" + randomAlphaOfLengthBetween(1, 20),
-            "logs-enterprise_search.api-default",
-            "logs-enterprise_search.audit-default",
-            "logs-app_search.search_relevance_suggestions-default",
-            "logs-crawler-default",
-            "logs-workplace_search.analytics-default",
-            "logs-workplace_search.content_events-default",
-            ".elastic-connectors*",
-            "logs-elastic_crawler-default"
-        ).forEach(index -> {
-            final IndexAbstraction enterpriseSearchIndex = mockIndexAbstraction(index);
-            assertThat(role.indices().allowedIndicesMatcher(AutoCreateAction.NAME).test(enterpriseSearchIndex), is(true));
-            assertThat(role.indices().allowedIndicesMatcher(TransportCreateIndexAction.TYPE.name()).test(enterpriseSearchIndex), is(true));
-            assertThat(role.indices().allowedIndicesMatcher(TransportDeleteAction.NAME).test(enterpriseSearchIndex), is(true));
-            assertThat(role.indices().allowedIndicesMatcher(TransportDeleteIndexAction.TYPE.name()).test(enterpriseSearchIndex), is(true));
-            assertThat(role.indices().allowedIndicesMatcher(TransportIndexAction.NAME).test(enterpriseSearchIndex), is(true));
-            assertThat(role.indices().allowedIndicesMatcher(TransportBulkAction.NAME).test(enterpriseSearchIndex), is(true));
-            assertThat(role.indices().allowedIndicesMatcher(TransportGetAction.TYPE.name()).test(enterpriseSearchIndex), is(true));
-            assertThat(role.indices().allowedIndicesMatcher(TransportMultiGetAction.NAME).test(enterpriseSearchIndex), is(true));
-            assertThat(role.indices().allowedIndicesMatcher(TransportSearchAction.TYPE.name()).test(enterpriseSearchIndex), is(true));
-            assertThat(role.indices().allowedIndicesMatcher(TransportMultiSearchAction.TYPE.name()).test(enterpriseSearchIndex), is(true));
-            assertThat(role.indices().allowedIndicesMatcher(IndicesStatsAction.NAME).test(enterpriseSearchIndex), is(true));
-            assertThat(
-                role.indices().allowedIndicesMatcher(TransportUpdateSettingsAction.TYPE.name()).test(enterpriseSearchIndex),
-                is(true)
-            );
-            assertThat(role.indices().allowedIndicesMatcher(RefreshAction.NAME).test(enterpriseSearchIndex), is(true));
-            assertThat(role.indices().allowedIndicesMatcher("indices:foo").test(enterpriseSearchIndex), is(false));
-        });
-    }
-
     private IndexAbstraction mockIndexAbstraction(String name) {
         IndexAbstraction mock = mock(IndexAbstraction.class);
         when(mock.getName()).thenReturn(name);

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ServiceAccountServiceTests.java

@@ -103,13 +103,7 @@ public void stopThreadPool() {
     public void testGetServiceAccountPrincipals() {
         assertThat(
             ServiceAccountService.getServiceAccountPrincipals(),
-            containsInAnyOrder(
-                "elastic/auto-ops",
-                "elastic/enterprise-search-server",
-                "elastic/fleet-server",
-                "elastic/fleet-server-remote",
-                "elastic/kibana"
-            )
+            containsInAnyOrder("elastic/auto-ops", "elastic/fleet-server", "elastic/fleet-server-remote", "elastic/kibana")
         );
     }
 

x-pack/plugin/src/yamlRestTest/resources/rest-api-spec/test/service_accounts/10_basic.yml

@@ -20,30 +20,21 @@ teardown:
         name: api-token-kibana
         ignore: 404
 
-  - do:
-      security.delete_service_token:
-        namespace: elastic
-        service: enterprise-search-server
-        name: api-token-enterprise-search-server
-        ignore: 404
-
 ---
 "Test get service accounts":
   - do:
       security.get_service_accounts: {}
-  - length: { '': 5 }
+  - length: { '': 4 }
   - is_true: "elastic/auto-ops"
-  - is_true: "elastic/enterprise-search-server"
   - is_true: "elastic/fleet-server"
   - is_true: "elastic/fleet-server-remote"
   - is_true: "elastic/kibana"
 
   - do:
       security.get_service_accounts:
         namespace: elastic
-  - length: { '': 5 }
+  - length: { '': 4 }
   - is_true: "elastic/auto-ops"
-  - is_true: "elastic/enterprise-search-server"
   - is_true: "elastic/fleet-server"
   - is_true: "elastic/fleet-server-remote"
   - is_true: "elastic/kibana"
@@ -79,16 +70,6 @@ teardown:
   - match: { "token.name": "api-token-kibana" }
   - set: { "token.value": service_token_kibana }
 
-  - do:
-      security.create_service_token:
-        namespace: elastic
-        service: enterprise-search-server
-        name: api-token-enterprise-search-server
-
-  - is_true: created
-  - match: { "token.name": "api-token-enterprise-search-server" }
-  - set: { "token.value": service_token_enterprise_search_server }
-
   - do:
       headers:
         Authorization: Bearer ${service_token_fleet}