Enable bearer scheme by default to support service token authorization

[joshdover]

Summary

Related to #112648, required to allow Fleet Server to use its service account token for authorization against Fleet APIs in Kibana.

• Updates the default for xpack.security.authc.http.schemes to include the bearer scheme
• Adds functional tests for HTTP Bearer authorization (supports API calls, but not login or logout)
• Updated documentation to reflect the changes

I wasn't sure if this change should have a release note or not, @elastic/kibana-security please let me know if I should add one.

Checklist

Delete any items that are not applicable to this PR.

• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[joshdover]

@elastic/kibana-security Any concerns with this change? Also, do you have any recommendations on where to add some functional test coverage for this?

[jportner]

@elastic/kibana-security Any concerns with this change? Also, do you have any recommendations on where to add some functional test coverage for this?

Just to be clear, this is related to the Fleet server changing to use a service account, yes?

We most recently changed how schemes are configured in 7.7 via #58126.

I'm not sure it makes sense for the bearer scheme to be automatically enabled for all providers. It does conflict with our docs on HTTP authentication. But I'm also not sure how else we could best bsupport Fleet functionality out of the box.

@azasypkin I hate to suggest this, but would it make sense to introduce a Kibana-specific scheme to support service accounts? Or maybe there's another option that I'm missing. I'll defer to you.

[azasypkin]

@azasypkin I hate to suggest this, but would it make sense to introduce a Kibana-specific scheme to support service accounts? Or maybe there's another option that I'm missing. I'll defer to you.

If it's to support service accounts then I think it'd fine to include bearer to the default list of supported HTTP schemes so that API requests to both Kibana and ES use the same scheme. It's already implicitly enabled in many cases anyway because of default autoSchemesEnabled: true flag. But as you mentioned, we'll need to a) update our docs, and b) update kibana.yml template in Cloud to include bearer if needed (Cloud overrides default value for xpack.security.authc.http.schemes to include basic)

Also, do you have any recommendations on where to add some functional test coverage for this?

It'd be great if you can add a couple of tests for this to x-pack/test/security_api_integration (e.g. create http_auth.config.ts with default xpack.security.authc config). We have several similar tests here.

[joshdover]

Just to be clear, this is related to the Fleet server changing to use a service account, yes?

Yep this is to support #112648

But as you mentioned, we'll need to a) update our docs, and b) update kibana.yml template in Cloud to include bearer if needed (Cloud overrides default value for xpack.security.authc.http.schemes to include basic)

Makes sense. I'll update this PR with the additional testing and update the relevant docs. I'll also open a PR for updating the Cloud stack pack for 7.x and 8.0.

Thanks for the guidance here, everyone.

[azasypkin]

ACK: will review today

[azasypkin]

Looks good to me, just a couple of nits and one suggestion.

[azasypkin]

LGTM! Please don't forget to update Cloud kibana.yml template.

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 1f55572
• Storybooks Preview
• Documentation Changes

Metrics [docs]

✅ unchanged

History

• 💚 Build #159418 succeeded 127d060
• 💚 Build #157945 succeeded ec6a2e3
• 💔 Build #157938 failed 9d29ef5
• 💚 Build #154527 succeeded 43dbd25b22236a32dc7a7ec0bc86306f693463c9

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @joshdover

[kibanamachine]

💔 Backport failed

Status	Branch	Result
❌	7.x	Commit could not be cherrypicked due to conflicts

To backport manually run:
node scripts/backport --pr 112654

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create backports run node scripts/backport --pr 112654 or prevent reminders by adding the backport:skip label.

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create backports run node scripts/backport --pr 112654 or prevent reminders by adding the backport:skip label.

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create backports run node scripts/backport --pr 112654 or prevent reminders by adding the backport:skip label.

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create backports run node scripts/backport --pr 112654 or prevent reminders by adding the backport:skip label.

[kibanamachine]

Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync.