elastic · elasticsearch-bot · Jul 13, 2020 · Jul 8, 2020
diff --git a/x-pack/lib/helpers/elasticsearch_options.rb b/x-pack/lib/helpers/elasticsearch_options.rb
@@ -67,9 +67,12 @@ def es_options_from_settings(feature, settings)
         opts['ssl'] = true
       end
 
-      # the username setting has a default value and should not be included when using another authentication
+      # the username setting has a default value and should not be included when using another authentication such as cloud_auth or api_key.
+      # it should also not be included when no password is set.
       # it is safe to silently remove here since all authentication verifications have been validated at this point.
-      if settings.set?("#{prefix}#{feature}.elasticsearch.cloud_auth") || settings.set?("#{prefix}#{feature}.elasticsearch.api_key")
+      if settings.set?("#{prefix}#{feature}.elasticsearch.cloud_auth") ||
+         settings.set?("#{prefix}#{feature}.elasticsearch.api_key") ||
+         (!settings.set?("#{prefix}#{feature}.elasticsearch.password") && !settings.set?("#{prefix}#{feature}.elasticsearch.username"))
         opts.delete('user')
       end
 
@@ -201,15 +204,6 @@ def validate_authentication!(feature, settings, prefix)
       authentication_count += 1 if provided_password
       authentication_count += 1 if provided_api_key
 
-      if authentication_count == 0
-        # when no explicit authentication is set it is relying on default username
-        # but without and explicit password set
-        raise(ArgumentError,
-          "With the default #{prefix}#{feature}.elasticsearch.username, " +
-          "#{prefix}#{feature}.elasticsearch.password must be set"
-        )
-      end
-
       if authentication_count > 1
         raise(ArgumentError, "Multiple authentication options are specified, please only use one of #{prefix}#{feature}.elasticsearch.username/password, #{prefix}#{feature}.elasticsearch.cloud_auth or #{prefix}#{feature}.elasticsearch.api_key")
       end

diff --git a/x-pack/spec/config_management/elasticsearch_source_spec.rb b/x-pack/spec/config_management/elasticsearch_source_spec.rb
@@ -151,8 +151,12 @@
           }
         end
 
-        it "should raise an ArgumentError" do
-          expect { described_class.new(system_settings) }.to raise_error(ArgumentError)
+        it "will rely on username and password settings" do
+          # since cloud_id and cloud_auth are simply containers for host and username/password
+          # both could be set independently and if cloud_auth is not set then authn will be done
+          # using the provided username/password settings, which can be set or not if not auth is
+          # required.
+          expect { described_class.new(system_settings) }.to_not raise_error
         end
       end
     end

diff --git a/x-pack/spec/helpers/elasticsearch_options_spec.rb b/x-pack/spec/helpers/elasticsearch_options_spec.rb
@@ -107,10 +107,11 @@
         }
       end
 
-      it "fails without password" do
-        expect {
-          test_class.es_options_from_settings_or_modules('monitoring', system_settings)
-        }.to raise_error(ArgumentError, /password must be set/)
+      it "ignores the implicit default username when no password is set" do
+        # when no explicit password is set then the default/implicit username should be ignored
+        es_options = test_class.es_options_from_settings_or_modules('monitoring', system_settings)
+        expect(es_options).to_not include("user")
+        expect(es_options).to_not include("password")
       end
 
       context "with cloud_auth" do
@@ -296,13 +297,10 @@
       end
 
       context "when cloud_auth is not set" do
-
-        it "raises for invalid configuration" do
-          # if not other authn is provided it will assume basic auth using the default username
-          # but the password is missing.
-          expect {
-            test_class.es_options_from_settings_or_modules('monitoring', system_settings)
-          }.to raise_error(ArgumentError, /With the default.*?username,.*?password must be set/)
+        it "does not use authentication and ignores the default username" do
+          es_options = test_class.es_options_from_settings_or_modules('monitoring', system_settings)
+          expect(es_options).to include("cloud_id")
+          expect(es_options.keys).to_not include("hosts", "user", "password")
         end
 
         context 'username and password set' do