This commit adds docs for monitor_stats and updates an example snippet to include both remote_indices and remote_cluster.
(cherry picked from commit b7167b73e3)
Documentation for the remote_cluster in the role was added
in #111682 and #108840, but a few places were missed.
This commit fill the gaps in the documentation.
In this PR we remove unused code including relating to the global data retention with APIs implementation:
- The transport action for updating, deleting and retrieving the global retention.
- The `DataStreamGlobalRetention` from the cluster state (this should be bwc safe because we never exposed the APIs to add a data stream lifecycle to the cluster state).
- Make unused privileges monitor and managing global retention a noop.
- Remove cluster state update tasks.
The kept `DataStreamGlobalRetentionResolver` considering it could hold and provide the global retention from the settings when we implement it. We just renamed it to DataStreamGlobalRetentionProvider for now to better match what it does.
The factory retention settings should still work after this change.
Currently, read_slm privilege grants access to get the ILM status,
and manage_slm grants access to start/stop ILM. This access will
be removed in the future, but needs to be deprecated before
removal. Add deprecation warning to the read_slm and manage_slm docs.
This commit introduces the documentation for remote_clusters which is used to help
express the monitor_enrich privilege needed to use the ENRICH keyword across clusters
when using the API key based CCS security model.
This commit also adds "remote_clusters" to the built in privs API to for easier consumption
in Kibana.
This commit adds documentation for the DLS/FLS restriction for RCS 2.0 API keys
where both access and replication are defined and access has DSL/FLS.
This commit also fixes a few misleading variable names.
related: #108600
In this PR we introduce the API that will expose the global retention configuration and will allow users to take advantage of it.
These APIs are protected by the dedicated introduced privileges:
`manage_data_stream_global_retention` or higher, which allows all operations on the global retention configuration
`monitor_data_stream_retention` or higher, which allows the retrieval of the global retention configuration.
This PR is the final PR that makes the global retention available for our users.
Defines new inference_user and inference_admin roles with the
related cluster privileges manage_inference and monitor_inference.
inference_user can list the models and preform inference,
inference_admin can do the same plus create and delete models
This commit updates the documentation for FIPS support.
In addition to the changes for 8.x it also provides more details for how to setup/configure FIPS mode.
This adds support for allowing JWT token sub claims with Lucene patterns and wildcards,
by introducing a new JWT realm setting allowed_subject_patterns that can be used
alongside the exist allowed_subjects realm setting.
Introduces support for JWTs to the grant API Key API.
Callers can now pass-in a JWT in the request, like:
POST /_security/api_key/grant
{
"grant_type": "access_token",
"access_token" : "some.signed.JWT",
"client_authentication": { // optional
"scheme": "SharedSecret",
"value": "ES-Client-Authentication header value after scheme"
}
}
The JWT will be authenticated by a backing JWT realm and
a new API Key will be returned for the authenticated user.
manage_enrich is a cluster privilege, not a built in role.
manage_enrich is already documented as a cluster privilege.
This commit remove manage_enrich from the role documentation.
This commit also makes mention of the monitor_enrich introduced in #99646.
related: #85877
**Problem:**
For historical reasons, source files for the Elasticsearch Guide's security, watcher, and Logstash API docs are housed in the `x-pack/docs` directory. This can confuse new contributors who expect Elasticsearch Guide docs to be located in `docs/reference`.
**Solution:**
- Move the security, watcher, and Logstash API doc source files to the `docs/reference` directory
- Update doc snippet tests to use security
Rel: https://github.com/elastic/platform-docs-team/issues/208
Now that the transport client has been removed, the client transport
profile filter can be removed from security. This filter prevented node
actions from being executed using a transport client.
Following the removal of the `unzip` package from the Elasticsearch
Docker image in #39040, update setup instructions for TLS in Docker.
Also avoid cross-platform ownership+permission issues by not relying
on local bind mounts for storing generated certs and don't require
`curl` locally installed.
Today's `docker-compose` docs are missing the `discovery.seed_nodes` config on
one of the nodes. With today's configuration the cluster can still form the
first time it is started, because `cluster.initial_master_nodes` requires both
nodes to bootstrap the cluster which ensures that each discover the other.
However if `es02` is elected master it will remove `es01` from the voting
configuration and then when restarted it will form a cluster on its own without
needing to do any discovery. Meanwhile `es01` doesn't know how to find `es02`
after a restart so will be unable to join this cluster.
This commit fixes this by adding the missing configuration.
Relates #41394, which fixes a different `docker-compose.yml` in the same way.
Renames the following settings to remove the mention of `zen` in their names:
- `discovery.zen.hosts_provider` -> `discovery.seed_providers`
- `discovery.zen.ping.unicast.concurrent_connects` -> `discovery.seed_resolver.max_concurrent_resolvers`
- `discovery.zen.ping.unicast.hosts.resolve_timeout` -> `discovery.seed_resolver.timeout`
- `discovery.zen.ping.unicast.hosts` -> `discovery.seed_addresses`
This commit removes the fallback for SSL settings. While this may be
seen as a non user friendly change, the intention behind this change
is to simplify the reasoning needed to understand what is actually
being used for a given SSL configuration. Each configuration now needs
to be explicitly specified as there is no global configuration or
fallback to some other configuration.
Closes#29797
This commit overhauls the documentation of discovery and cluster coordination,
removing mention of the Zen Discovery module and replacing it with docs for the
new cluster coordination mechanism introduced in 7.0.
Relates #32006
