User Profile - remove feature flag (#87383)

The feature flag is no longer necessary in the 8.4 release cycle. The
feature itself is still in beta.

docs/reference/settings/security-settings.asciidoc

@@ -207,7 +207,6 @@ The hashing algorithm that is used for the
 in-memory cached API key credentials. For possible values, see <<cache-hash-algo>>.
 Defaults to `ssha256`.
 
-ifeval::["{release-state}"!="released"]
 [discrete]
 [[security-domain-settings]]
 ==== Security domain settings
@@ -229,7 +228,6 @@ xpack:
 <1> Specifies the name of the security domain
 <2> Specifies the realms that belong to the domain
 // end::security-domain-settings-description-tag[]
-endif::[]
 
 [discrete]
 [[realm-settings]]

rest-api-spec/src/main/resources/rest-api-spec/api/security.activate_user_profile.json

@@ -5,8 +5,7 @@
       "description":"Creates or updates the user profile on behalf of another user."
     },
     "stability":"experimental",
-    "visibility":"feature_flag",
-    "feature_flag": "es.user_profile_feature_flag_enabled",
+    "visibility":"private",
     "headers":{
       "accept": [ "application/json"],
       "content_type": ["application/json"]

rest-api-spec/src/main/resources/rest-api-spec/api/security.disable_user_profile.json

@@ -5,8 +5,7 @@
       "description":"Disables a user profile so it's not visible in user profile searches."
     },
     "stability":"experimental",
-    "visibility":"feature_flag",
-    "feature_flag": "es.user_profile_feature_flag_enabled",
+    "visibility":"private",
     "headers":{
       "accept": [ "application/json"]
     },

rest-api-spec/src/main/resources/rest-api-spec/api/security.enable_user_profile.json

@@ -5,8 +5,7 @@
       "description":"Enables a user profile so it's visible in user profile searches."
     },
     "stability":"experimental",
-    "visibility":"feature_flag",
-    "feature_flag": "es.user_profile_feature_flag_enabled",
+    "visibility":"private",
     "headers":{
       "accept": [ "application/json"]
     },

rest-api-spec/src/main/resources/rest-api-spec/api/security.get_user_profile.json

@@ -5,8 +5,7 @@
       "description":"Retrieves user profile for the given unique ID."
     },
     "stability":"experimental",
-    "visibility":"feature_flag",
-    "feature_flag": "es.user_profile_feature_flag_enabled",
+    "visibility":"private",
     "headers":{
       "accept": [ "application/json"]
     },

rest-api-spec/src/main/resources/rest-api-spec/api/security.has_privileges_user_profile.json

@@ -5,8 +5,7 @@
       "description":"Determines whether the users associated with the specified profile IDs have all the requested privileges."
     },
     "stability":"experimental",
-    "visibility":"feature_flag",
-    "feature_flag": "es.user_profile_feature_flag_enabled",
+    "visibility":"private",
     "headers":{
       "accept": [ "application/json"],
       "content_type": ["application/json"]

rest-api-spec/src/main/resources/rest-api-spec/api/security.suggest_user_profiles.json

@@ -5,8 +5,7 @@
       "description":"Get suggestions for user profiles that match specified search criteria."
     },
     "stability":"experimental",
-    "visibility":"feature_flag",
-    "feature_flag": "es.user_profile_feature_flag_enabled",
+    "visibility":"private",
     "headers":{
       "accept": [ "application/json"],
       "content_type": ["application/json"]

rest-api-spec/src/main/resources/rest-api-spec/api/security.update_user_profile_data.json

@@ -5,8 +5,7 @@
       "description":"Update application specific data for the user profile of the given unique ID."
     },
     "stability":"experimental",
-    "visibility":"feature_flag",
-    "feature_flag": "es.user_profile_feature_flag_enabled",
+    "visibility":"private",
     "headers":{
       "accept": [ "application/json"],
       "content_type": ["application/json"]

x-pack/docs/build.gradle

@@ -64,8 +64,6 @@ testClusters.matching { it.name == "yamlRestTest" }.configureEach {
   setting 'xpack.security.authc.realms.saml.saml1.attributes.principal', 'uid'
   setting 'xpack.security.authc.realms.saml.saml1.attributes.name', 'urn:oid:2.5.4.3'
 
-  requiresFeature 'es.user_profile_feature_flag_enabled', Version.fromString("8.1.0")
-
   user username: 'test_admin'
 }
 

x-pack/docs/en/rest-api/security.asciidoc

@@ -132,7 +132,6 @@ communicate with a secured {es} cluster.
 * <<security-api-node-enrollment, Enroll a new node>>
 * <<security-api-kibana-enrollment, Enroll a new {kib} instance>>
 
-ifeval::["{release-state}"!="released"]
 [discrete]
 [[security-user-profile-apis]]
 === User Profile
@@ -146,7 +145,6 @@ Use the following APIs to retrieve and manage user profiles.
 * <<security-api-disable-user-profile, Disable user profile>>
 * <<security-api-suggest-user-profile, Suggest user profile>>
 * <<security-api-has-privileges-user-profile, Has Privileges user profile>>
-endif::[]
 
 include::security/authenticate.asciidoc[]
 include::security/change-password.asciidoc[]
@@ -197,7 +195,6 @@ include::security/saml-invalidate-api.asciidoc[]
 include::security/saml-complete-logout-api.asciidoc[]
 include::security/saml-sp-metadata.asciidoc[]
 include::security/ssl.asciidoc[]
-ifeval::["{release-state}"!="released"]
 include::security/activate-user-profile.asciidoc[]
 include::security/disable-user-profile.asciidoc[]
 include::security/enable-user-profile.asciidoc[]
@@ -205,4 +202,3 @@ include::security/get-user-profile.asciidoc[]
 include::security/suggest-user-profile.asciidoc[]
 include::security/update-user-profile-data.asciidoc[]
 include::security/has-privileges-user-profile.asciidoc[]
-endif::[]

x-pack/docs/en/security/authentication/overview.asciidoc

@@ -36,14 +36,10 @@ include::built-in-users.asciidoc[][]
 include::service-accounts.asciidoc[]
 include::internal-users.asciidoc[]
 include::token-authentication-services.asciidoc[]
-ifeval::["{release-state}"!="released"]
 include::user-profile.asciidoc[]
-endif::[]
 include::realms.asciidoc[]
 include::realm-chains.asciidoc[]
-ifeval::["{release-state}"!="released"]
 include::security-domain.asciidoc[]
-endif::[]
 include::active-directory-realm.asciidoc[]
 include::file-realm.asciidoc[]
 include::ldap-realm.asciidoc[]

x-pack/plugin/build.gradle

@@ -186,7 +186,6 @@ testClusters.configureEach {
   extraConfigFile serviceTokens.name, serviceTokens
 
   requiresFeature 'es.index_mode_feature_flag_registered', Version.fromString("8.0.0")
-  requiresFeature 'es.user_profile_feature_flag_enabled', Version.fromString("8.1.0")
 }
 
 tasks.register('enforceApiSpecsConvention').configure {

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java

@@ -8,7 +8,6 @@
 package org.elasticsearch.xpack.core;
 
 import org.apache.logging.log4j.LogManager;
-import org.elasticsearch.Build;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.common.settings.Settings;
@@ -39,9 +38,6 @@ import static org.elasticsearch.xpack.core.security.authc.RealmSettings.DOMAIN_U
  */
 public class XPackSettings {
 
-    public static final boolean USER_PROFILE_FEATURE_FLAG_ENABLED = Build.CURRENT.isSnapshot()
-        || "true".equals(System.getProperty("es.user_profile_feature_flag_enabled"));
-
     private static final boolean IS_DARWIN_AARCH64;
     static {
         final String name = System.getProperty("os.name");
@@ -269,11 +265,9 @@ public class XPackSettings {
         settings.add(PASSWORD_HASHING_ALGORITHM);
         settings.add(ENROLLMENT_ENABLED);
         settings.add(SECURITY_AUTOCONFIGURATION_ENABLED);
-        if (USER_PROFILE_FEATURE_FLAG_ENABLED) {
-            settings.add(DOMAIN_TO_REALM_ASSOC_SETTING);
-            settings.add(DOMAIN_UID_LITERAL_USERNAME_SETTING);
-            settings.add(DOMAIN_UID_SUFFIX_SETTING);
-        }
+        settings.add(DOMAIN_TO_REALM_ASSOC_SETTING);
+        settings.add(DOMAIN_UID_LITERAL_USERNAME_SETTING);
+        settings.add(DOMAIN_UID_SUFFIX_SETTING);
         return Collections.unmodifiableList(settings);
     }
 

x-pack/plugin/security/build.gradle

@@ -427,7 +427,6 @@ tasks.named("internalClusterTest").configure {
    * to keep direct memory usage under control.
    */
   systemProperty 'es.transport.buffer.size', '256k'
-  systemProperty 'es.user_profile_feature_flag_enabled', 'true'
 }
 
 addQaCheckDependencies()

x-pack/plugin/security/qa/operator-privileges-tests/build.gradle

@@ -38,7 +38,6 @@ testClusters.configureEach {
   setting 'xpack.security.operator_privileges.enabled', "true"
   setting 'path.repo', repoDir.absolutePath
 
-  requiresFeature 'es.user_profile_feature_flag_enabled', Version.fromString("8.1.0")
   requiresFeature 'es.index_mode_feature_flag_registered', Version.fromString("8.3.0")
 
   user username: "test_admin", password: 'x-pack-test-password', role: "superuser"

x-pack/plugin/security/qa/profile/build.gradle

@@ -40,8 +40,6 @@ testClusters.matching { it.name == 'javaRestTest' }.configureEach {
   // Ensure new cache setting is recognised
   setting 'xpack.security.authz.store.roles.has_privileges.cache.max_size', '100'
 
-  requiresFeature 'es.user_profile_feature_flag_enabled', Version.fromString("8.1.0")
-
   user username: "test_admin", password: 'x-pack-test-password'
   user username: "rac_user", password: 'x-pack-test-password', role: "rac_user_role"
 }

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/profile/AbstractProfileIntegTestCase.java

@@ -9,7 +9,6 @@ package org.elasticsearch.xpack.security.profile;
 
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.core.SuppressForbidden;
 import org.elasticsearch.test.SecurityIntegTestCase;
 import org.elasticsearch.xpack.core.security.action.profile.ActivateProfileAction;
 import org.elasticsearch.xpack.core.security.action.profile.ActivateProfileRequest;
@@ -24,10 +23,7 @@ import org.elasticsearch.xpack.core.security.action.token.CreateTokenResponse;
 import org.elasticsearch.xpack.core.security.action.user.PutUserAction;
 import org.elasticsearch.xpack.core.security.action.user.PutUserRequest;
 import org.junit.Before;
-import org.junit.BeforeClass;
 
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.Set;
 
 import static org.elasticsearch.test.SecuritySettingsSource.TEST_PASSWORD_HASHED;
@@ -45,13 +41,6 @@ public abstract class AbstractProfileIntegTestCase extends SecurityIntegTestCase
     protected static final String NATIVE_RAC_ROLE = "native_rac_role";
     protected static final SecureString NATIVE_RAC_USER_PASSWORD = new SecureString("native_rac_user_password".toCharArray());
 
-    // Needed for testing in IDE
-    @SuppressForbidden(reason = "sets the feature flag")
-    @BeforeClass
-    public static void enableFeature() {
-        AccessController.doPrivileged((PrivilegedAction<String>) () -> System.setProperty("es.user_profile_feature_flag_enabled", "true"));
-    }
-
     @Override
     protected Settings nodeSettings(int nodeOrdinal, Settings otherSettings) {
         final Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal, otherSettings));

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -1182,7 +1182,7 @@ public class Security extends Plugin
             return Arrays.asList(usageAction, infoAction);
         }
 
-        final List<ActionHandler<? extends ActionRequest, ? extends ActionResponse>> actionHandlers = Arrays.asList(
+        return Arrays.asList(
             new ActionHandler<>(ClearRealmCacheAction.INSTANCE, TransportClearRealmCacheAction.class),
             new ActionHandler<>(ClearRolesCacheAction.INSTANCE, TransportClearRolesCacheAction.class),
             new ActionHandler<>(ClearPrivilegesCacheAction.INSTANCE, TransportClearPrivilegesCacheAction.class),
@@ -1231,25 +1231,15 @@ public class Security extends Plugin
             new ActionHandler<>(GetServiceAccountAction.INSTANCE, TransportGetServiceAccountAction.class),
             new ActionHandler<>(KibanaEnrollmentAction.INSTANCE, TransportKibanaEnrollmentAction.class),
             new ActionHandler<>(NodeEnrollmentAction.INSTANCE, TransportNodeEnrollmentAction.class),
+            new ActionHandler<>(ProfileHasPrivilegesAction.INSTANCE, TransportProfileHasPrivilegesAction.class),
+            new ActionHandler<>(GetProfileAction.INSTANCE, TransportGetProfileAction.class),
+            new ActionHandler<>(ActivateProfileAction.INSTANCE, TransportActivateProfileAction.class),
+            new ActionHandler<>(UpdateProfileDataAction.INSTANCE, TransportUpdateProfileDataAction.class),
+            new ActionHandler<>(SuggestProfilesAction.INSTANCE, TransportSuggestProfilesAction.class),
+            new ActionHandler<>(SetProfileEnabledAction.INSTANCE, TransportSetProfileEnabledAction.class),
             usageAction,
             infoAction
         );
-
-        if (XPackSettings.USER_PROFILE_FEATURE_FLAG_ENABLED) {
-            return Stream.concat(
-                actionHandlers.stream(),
-                Stream.of(
-                    new ActionHandler<>(ProfileHasPrivilegesAction.INSTANCE, TransportProfileHasPrivilegesAction.class),
-                    new ActionHandler<>(GetProfileAction.INSTANCE, TransportGetProfileAction.class),
-                    new ActionHandler<>(ActivateProfileAction.INSTANCE, TransportActivateProfileAction.class),
-                    new ActionHandler<>(UpdateProfileDataAction.INSTANCE, TransportUpdateProfileDataAction.class),
-                    new ActionHandler<>(SuggestProfilesAction.INSTANCE, TransportSuggestProfilesAction.class),
-                    new ActionHandler<>(SetProfileEnabledAction.INSTANCE, TransportSetProfileEnabledAction.class)
-                )
-            ).toList();
-        } else {
-            return actionHandlers;
-        }
     }
 
     @Override
@@ -1273,7 +1263,7 @@ public class Security extends Plugin
         if (enabled == false) {
             return emptyList();
         }
-        final List<RestHandler> restHandlers = Arrays.asList(
+        return Arrays.asList(
             new RestAuthenticateAction(settings, securityContext.get(), getLicenseState()),
             new RestClearRealmCacheAction(settings, getLicenseState()),
             new RestClearRolesCacheAction(settings, getLicenseState()),
@@ -1320,25 +1310,15 @@ public class Security extends Plugin
             new RestGetServiceAccountCredentialsAction(settings, getLicenseState()),
             new RestGetServiceAccountAction(settings, getLicenseState()),
             new RestKibanaEnrollAction(settings, getLicenseState()),
-            new RestNodeEnrollmentAction(settings, getLicenseState())
+            new RestNodeEnrollmentAction(settings, getLicenseState()),
+            new RestProfileHasPrivilegesAction(settings, securityContext.get(), getLicenseState()),
+            new RestGetProfileAction(settings, getLicenseState()),
+            new RestActivateProfileAction(settings, getLicenseState()),
+            new RestUpdateProfileDataAction(settings, getLicenseState()),
+            new RestSuggestProfilesAction(settings, getLicenseState()),
+            new RestEnableProfileAction(settings, getLicenseState()),
+            new RestDisableProfileAction(settings, getLicenseState())
         );
-
-        if (XPackSettings.USER_PROFILE_FEATURE_FLAG_ENABLED) {
-            return Stream.concat(
-                restHandlers.stream(),
-                Stream.of(
-                    new RestProfileHasPrivilegesAction(settings, securityContext.get(), getLicenseState()),
-                    new RestGetProfileAction(settings, getLicenseState()),
-                    new RestActivateProfileAction(settings, getLicenseState()),
-                    new RestUpdateProfileDataAction(settings, getLicenseState()),
-                    new RestSuggestProfilesAction(settings, getLicenseState()),
-                    new RestEnableProfileAction(settings, getLicenseState()),
-                    new RestDisableProfileAction(settings, getLicenseState())
-                )
-            ).toList();
-        } else {
-            return restHandlers;
-        }
     }
 
     @Override

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecuritySystemIndices.java

@@ -17,7 +17,6 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.indices.ExecutorNames;
 import org.elasticsearch.indices.SystemIndexDescriptor;
 import org.elasticsearch.xcontent.XContentBuilder;
-import org.elasticsearch.xpack.core.XPackSettings;
 
 import java.io.IOException;
 import java.io.UncheckedIOException;
@@ -69,11 +68,7 @@ public class SecuritySystemIndices {
     }
 
     public Collection<SystemIndexDescriptor> getSystemIndexDescriptors() {
-        if (XPackSettings.USER_PROFILE_FEATURE_FLAG_ENABLED) {
-            return List.of(mainDescriptor, tokenDescriptor, profileDescriptor);
-        } else {
-            return List.of(mainDescriptor, tokenDescriptor);
-        }
+        return List.of(mainDescriptor, tokenDescriptor, profileDescriptor);
     }
 
     public void init(Client client, ClusterService clusterService) {

x-pack/qa/rolling-upgrade/build.gradle

@@ -88,8 +88,6 @@ BuildParams.bwcVersions.withWireCompatible { bwcVersion, baseName ->
     keystore 'xpack.watcher.encryption_key', file("${project.projectDir}/src/test/resources/system_key")
     setting 'xpack.watcher.encrypt_sensitive_data', 'true'
 
-    requiresFeature 'es.user_profile_feature_flag_enabled', Version.fromString("8.1.0")
-
     // Old versions of the code contain an invalid assertion that trips
     // during tests.  Versions 5.6.9 and 6.2.4 have been fixed by removing
     // the assertion, but this is impossible for released versions.