Allow elastic/fleet-server to call appropriate Fleet APIs #113932

Merged
merged 4 commits into from
Oct 19, 2021

Conversation

@joshdover joshdover commented Oct 5, 2021

Summary

Fixes #112647

First commit is ready for review from @elastic/kibana-security

Allows the elastic/fleet-server user to call the required Fleet APIs to trigger the full setup process. This will be removed as part of #111858.

Fleet reviewers: you may skip the first commit if you'd like. It's a required change in the security plugin that has already been approved.

How to test this

The appropriate support for this is available across all components now, and this is the last piece. You can now test this end-to-end by:

  1. Starting the latest Elasticsearch 8.0 snapshot
  2. Starting Kibana (with this branch or with a snapshot once merged)
  3. Creating a service account token for elastic/fleet-server
    POST http://localhost:9200/_security/service/elastic/fleet-server/credential/token
    Authorization: Basic elastic:changeme
  4. Starting Fleet Server using the service account token value:
    docker run \
        -e KIBANA_HOST=http://<YOUR PRIVATE IP>:5601 \
        -e KIBANA_FLEET_SERVICE_TOKEN=<service token value from step 3> \
        -e ELASTICSEARCH_HOST=http://<YOUR PRIVATE IP>:9200 \
        -e KIBANA_FLEET_SETUP=1 \
        -e FLEET_SERVER_ENABLE=1 \
        -e FLEET_SERVER_INSECURE_HTTP=1 \
        -p 8220:8220 \
        docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT

Checklist

Delete any items that are not applicable to this PR.

For maintainers
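
Steps 3 and 4 of the test procedure above, scripted as an added example (not part of the PR or the Kibana code base): it extracts the token value from the create-token response and passes it to the container through a 0600 `--env-file` instead of `-e` on the command line. The function names, `SAMPLE_RESPONSE` and its token value are constructed for illustration; the `token.value` response shape is that of Elasticsearch's create service account token API.

```shell
#!/bin/sh
# Added example: helper names and the sample response are constructed.

# Constructed sample of the step 3 response body (not a real token).
SAMPLE_RESPONSE='{
  "created": true,
  "token": { "name": "token_constructed", "value": "CONSTRUCTED_TOKEN_VALUE" }
}'

# Read a create-token response on stdin and print token.value.
# Prints nothing when the body has no "value" field (e.g. a 401 error body).
extract_token_value() {
    tr -d '\n' | sed -n 's/.*"value"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Write the container environment from step 4 to a file readable only by
# the current user. Arguments: <env file path> <token value> <host IP>
write_fleet_env() {
    rm -f "$1"          # drop any older file that may have looser permissions
    ( umask 077
      cat > "$1" <<EOF
KIBANA_HOST=http://$3:5601
KIBANA_FLEET_SERVICE_TOKEN=$2
ELASTICSEARCH_HOST=http://$3:9200
KIBANA_FLEET_SETUP=1
FLEET_SERVER_ENABLE=1
FLEET_SERVER_INSECURE_HTTP=1
EOF
    )
}

# Live run of steps 3 and 4. Arguments: <env file path> <host IP>
start_fleet_server() {
    token=$(curl -s -X POST -u elastic:changeme \
        "http://localhost:9200/_security/service/elastic/fleet-server/credential/token" \
        | extract_token_value)
    # Stop before starting the container if Elasticsearch returned no token.
    [ -n "$token" ] || { echo "no token value in response" >&2; return 1; }
    write_fleet_env "$1" "$token" "$2"
    docker run --env-file "$1" -p 8220:8220 \
        docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT
}
```

Nothing runs until `start_fleet_server <env file> <host IP>` is called; the two helpers work offline against the constructed sample.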

@joshdover joshdover changed the title from "Use kibana_system user for Fleet setup and package operations" to "Allow elastic/fleet-server to call appropriate Fleet APIs" Oct 5, 2021
@joshdover joshdover force-pushed the fix-112647 branch 4 times, most recently from f759be3 to 1a562cd Compare October 13, 2021 11:11
@joshdover
Contributor Author

@elasticmachine merge upstream

@kibanamachine
Contributor

merge conflict between base and head

@joshdover joshdover force-pushed the fix-112647 branch 6 times, most recently from 6aef69d to bf4139c Compare October 15, 2021 12:47
@joshdover joshdover requested a review from a team October 15, 2021 13:16
@joshdover
Contributor Author

@elastic/kibana-security Would you mind reviewing the first commit? I'm still working on the rest but the first commit shall remain unchanged. Previously discussed here: #112647 (comment)

Contributor

@jportner jportner left a comment

@elastic/kibana-security Would you mind reviewing the first commit? I'm still working on the rest but the first commit shall remain unchanged. Previously discussed here: #112647 (comment)

clap

@joshdover joshdover added release_note:skip Skip the PR/issue when compiling release notes Team:Fleet Team label for Observability Data Collection Fleet team v7.16.0 v8.0.0 labels Oct 18, 2021
@joshdover joshdover marked this pull request as ready for review October 18, 2021 11:44
@joshdover joshdover requested a review from a team as a code owner October 18, 2021 11:44
@elasticmachine
Contributor

Pinging @elastic/fleet (Team:Fleet)

@elastic elastic deleted a comment from kibanamachine Oct 18, 2021
@joshdover joshdover added the auto-backport Deprecated - use backport:version if exact versions are needed label Oct 18, 2021
@nchaulet nchaulet self-requested a review October 18, 2021 16:47
Member

@kpollich kpollich left a comment

Ran through the testing instructions and all looks good with the code for me. 🚀

@kibanamachine
Contributor

💛 Build succeeded, but was flaky


Test Failures

Kibana Pipeline / general / X-Pack API Integration Tests.x-pack/test/api_integration/apis/ml/jobs/categorization_field_examples·ts.apis Machine Learning jobs Categorization example endpoint - invalid, too many tokens.

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has not failed recently on tracked branches

Stack Trace

Error: expected 'partially_valid' to sort of equal 'invalid'
    at Assertion.assert (/dev/shm/workspace/parallel/19/kibana/node_modules/@kbn/expect/expect.js:100:11)
    at Assertion.eql (/dev/shm/workspace/parallel/19/kibana/node_modules/@kbn/expect/expect.js:244:8)
    at Context.<anonymous> (test/api_integration/apis/ml/jobs/categorization_field_examples.ts:302:44)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at Object.apply (/dev/shm/workspace/parallel/19/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16) {
  actual: 'partially_valid',
  expected: 'invalid',
  showDiff: true
}

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@kibanamachine
Contributor

💚 Backport successful

Status Branch Result
7.x

This backport PR will be merged automatically after passing CI.

Labels
auto-backport Deprecated - use backport:version if exact versions are needed release_note:skip Skip the PR/issue when compiling release notes Team:Fleet Team label for Observability Data Collection Fleet team v7.16.0 v8.0.0
Development

Successfully merging this pull request may close these issues.

[Fleet] Add reserved privilege for Fleet setup
6 participants