How to enable kibana_system user for kibana application

Hi Team,

We have one EFK stack running on version 7.4.X with X-Pack security enabled, and we defined the elastic user for the Kibana application; everything works so far. Now we are trying to use version 7.9 of EFK with the same configuration in one of the POC env and noticed a few warning messages in the Kibana pod. It says to use the kibana_system user instead of the elastic user for the Kibana application. My question is, do I have to explicitly define the kibana_system user in the kibana.yaml file? If yes, how would I set the password for the kibana_system user? Earlier, I created a secret for the elastic user and defined a password for it. Do I have to follow the same steps for the kibana_system user to set a new password?

kubectl --kubeconfig /root/k8s_iac/kubeconfig  create secret generic elastic-credentials  --from-literal=password=XXXXXX --from-literal=username=elastic 

Here are the error messages found in kibana pod.

{"type":"log","@timestamp":"2021-02-08T13:17:11Z","tags":["warning","config","deprecation"],"pid":6,"message":"Setting [elasticsearch.username] to \"elastic\" is deprecated. You should use the \"kibana_system\" user instead."}
{"type":"log","@timestamp":"2021-02-08T13:17:11Z","tags":["warning","config","deprecation"],"pid":6,"message":"Config key [monitoring.cluster_alerts.email_notifications.email_address] will be required for email notifications to work in 8.0.\""}
{"type":"log","@timestamp":"2021-02-08T13:17:11Z","tags":["warning","config","deprecation"],"pid":6,"message":"Setting [monitoring.username] to \"elastic\" is deprecated. You should use the \"kibana_system\" user instead."}
{"type":"log","@timestamp":"2021-02-08T13:17:12Z","tags":["warning","plugins","reporting","config"],"pid":6,"message":"Generating a random key for xpack.reporting.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.reporting.encryptionKey in kibana.yml"}
{"type":"log","@timestamp":"2021-02-08T13:17:12Z","tags":["warning","plugins","encryptedSavedObjects","config"],"pid":6,"message":"Generating a random key for xpack.encryptedSavedObjects.encryptionKey. To be able to decrypt encrypted saved objects attributes after restart, please set xpack.encryptedSavedObjects.encryptionKey in kibana.yml"}
{"type":"log","@timestamp":"2021-02-08T13:17:12Z","tags":["warning","plugins","ingestManager"],"pid":6,"message":"Fleet APIs are disabled due to the Encrypted Saved Objects plugin using an ephemeral encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in kibana.yml."}
{"type":"log","@timestamp":"2021-02-08T13:17:12Z","tags":["warning","plugins","actions","actions"],"pid":6,"message":"APIs are disabled due to the Encrypted Saved Objects plugin using an ephemeral encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in kibana.yml."}
{"type":"log","@timestamp":"2021-02-08T13:17:12Z","tags":["warning","plugins","alerts","plugins","alerting"],"pid":6,"message":"APIs are disabled due to the Encrypted Saved Objects plugin using an ephemeral encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in kibana.yml."}
{"type":"log","@timestamp":"2021-02-08T13:17:12Z","tags":["info","plugins","monitoring","monitoring"],"pid":6,"message":"config sourced from: production cluster"}
{"type":"log","@timestamp":"2021-02-08T13:17:13Z","tags":["info","savedobjects-service"],"pid":6,"message":"Waiting until all Elasticsearch nodes are compatible with Kibana before starting saved objects migrations..."}
{"type":"log","@timestamp":"2021-02-08T13:17:13Z","tags":["warning","plugins","reporting","config"],"pid":6,"message":"Chromium sandbox provides an additional layer of protection, but is not supported for Linux Centos 7.8.2003 OS. Automatically setting 'xpack.reporting.capture.browser.chromium.disableSandbox: true'."}
{"type":"log","@timestamp":"2021-02-08T13:17:13Z","tags":["info","savedobjects-service"],"pid":6,"message":"Starting saved objects migrations"}

Please help me out with how to set up Kibana to use the kibana_system user.

Hi @kasim123,

Please follow this guide: Add the built-in user to Kibana | Elasticsearch Reference [7.11] | Elastic

@dosant thanks for the reply. When I use the elasticsearch-setup-passwords command to set the password for kibana_system, it changes the password for the elastic user as well, something like what is shown below. Can I set the password for only the kibana_system user instead of all users?

bash-4.4$ ./elasticsearch-setup-passwords auto
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y


Changed password for user apm_system
PASSWORD apm_system = KMPYqXNUsOT4vldW528T

Changed password for user kibana_system
PASSWORD kibana_system = FpOa6OdF1xfyVvywPlA3

Changed password for user kibana
PASSWORD kibana = FpOa6OdF1xfyVvywPlA3

Changed password for user logstash_system
PASSWORD logstash_system = I30jrjmlg93xmoFXKBbD

Changed password for user beats_system
PASSWORD beats_system = zVK99Atv1O6YTK11FFGU

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = Z5Y3M1oMpacRSBYIpx0N

Changed password for user elastic
PASSWORD elastic = lNEy28mCbXg2P4eHwJ1M

That’s not possible. The tool always configures passwords for all users. Can I ask why you don’t want the other users’ passwords being set?

I can go with another user, since the log messages of the Kibana pod say to use kibana_system instead of the elastic user. How would I create a new user?

You can create your own user and give it the kibana_system role. But it's recommended to use the built-in user.
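
The last reply's option (a separate user that holds only the kibana_system role), sketched as an added example that is not part of the thread or of Elastic's documentation. The user name kibana_svc, the secret name kibana-credentials and the ES_URL and ELASTIC_PASSWORD environment variables are assumptions; the call used is the Elasticsearch create-user API.

```shell
#!/bin/sh
# Added example: a dedicated Kibana service user holding only the kibana_system role.
# Assumed names (not from the thread): kibana_svc, kibana-credentials, ES_URL, ELASTIC_PASSWORD.

# 24 random alphanumerics, so no shell-quoting or JSON-escaping issues downstream.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# Request body for POST /_security/user/<name>; the only role granted is kibana_system.
user_payload() {
  case "$1" in
    *[!A-Za-z0-9]*) echo "password must be alphanumeric" >&2; return 1 ;;
  esac
  # Elasticsearch rejects passwords shorter than 6 characters.
  [ "${#1}" -ge 6 ] || { echo "password too short" >&2; return 1; }
  printf '{"password":"%s","roles":["kibana_system"]}' "$1"
}

# Runs in a subshell so the EXIT trap always removes the temporary files.
provision() (
  set -eu
  user="kibana_svc"; secret="kibana-credentials"
  pw="$(gen_password)"
  dir="$(mktemp -d)"                      # mktemp -d creates the directory with mode 0700
  trap 'rm -rf "$dir"' EXIT
  user_payload "$pw" >"$dir/payload.json"
  printf '%s' "$pw" >"$dir/password"      # no trailing newline in the secret value

  # elastic is used once, as administrator; its password goes in on stdin (-K -), not in argv.
  # Assumes ELASTIC_PASSWORD contains no double quote or backslash.
  curl --fail --silent --show-error -K - \
       -X POST "${ES_URL}/_security/user/${user}" \
       -H 'Content-Type: application/json' \
       --data-binary "@${dir}/payload.json" <<EOF
user = "elastic:${ELASTIC_PASSWORD}"
EOF

  # Same key layout as the elastic-credentials secret in the question.
  kubectl create secret generic "$secret" \
    --from-literal=username="$user" \
    --from-file=password="$dir/password"
)

# Acts only when a cluster endpoint is supplied; otherwise the functions are just defined.
if [ -n "${ES_URL:-}" ]; then provision; fi
```

Kibana's elasticsearch.username and elasticsearch.password settings then take their values from this secret in place of the elastic superuser, which is what the deprecation warnings ask for.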