* Update certs for PKI tests and re-enable tests (#97766)
The certs for the PKI tests expired and the test was muted.
This commit follows the instructions in the read to update the certs and unmutes the test.
The certs will now expire 20 years from now.
fixes: #97756
* precommit
File based service tokens were added to support orchestration
requirements in environments such as ECE and ECK. Outside of these
environments we recommend that API based tokens are used instead.
Resolves: #83491
* [DOCS] clarify v7 file realm configuration
* Update x-pack/docs/en/security/authentication/configuring-file-realm.asciidoc
Co-authored-by: Yang Wang <ywangd@gmail.com>
The built-in `editor` role allows "all" access to all Kibana
features, but only read access to data indices. This doesn't
work well for functionality that spans Kibana and Elasticsearch
and allows the user to choose their own results index, like
ML data frame analytics.
This change adjusts the notes on the `editor` role to make clear
that in this case an additional role must be granted to give the
necessary access on the data index that the results will be
written to.
Logstash Central Management allows key/value map for pipeline
settings, but the Elasticsearch API does not perform validation
of the provided settings. Here, we remove from our examples
settings that have no semantic meaning to Logstash, and replace
them with a meaningful key/value pair.
Add a note to help avoid the confusion stemming from the fact that the watcher attributes
still have names which seem to match the PagerDuty Events API v1 despite the fact that we are
actually now using v2 of that API.
Delete outdated screenshots
Co-authored-by: Iraklis Psaroudakis <kingherc@gmail.com>
Co-authored-by: Tom Sparrow <793763+sparrowt@users.noreply.github.com>
Our docs currently recommend PBKDF2 as a cache hasher in FIPS mode.
However, the performance overhead of PBKDF2 is prohibitive; ssha256
is a more appropriate choice for in-memory credential hashing. This PR
updates the docs to reflect this. See #86740 for more context.
This commit changes audit logging of `connection_denied`
and `connection_granted` events in order to include a port number.
Closes elastic/elasticsearch#86694
(cherry picked from commit 954d288f45)
# Conflicts:
# x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrail.java
# x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java
Updates the intro to the "Encrypt HTTP client communications for Kibana" so it aligns with the order of the following subsections.
Co-authored-by: James Rodewig <40268737+jrodewig@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
In the SAML configuration for Elasticsearch the settings for `attributes.principal` and `.groups` are listed in the detail as `attribute.`, missing `s`
Since #74210, ES is emitting trace.id into its logs, but it did not emit it into audit logs.
This commit adds trace.id into audit logging.
backport #82849
In the index permission block of a role descriptor, the "field_security"
field is an object with this format:

    "field_security": {
      "grant" : [ "field-1", "field-2", "more-fields-*" ],
      "except" : [ "more-field-secret-*" ]
    }

The docs incorrectly stated that "field_security" was a list, and if you
provided a list the parser would fail with a message that incorrectly
stated that START_ARRAY was an acceptable token. These have both been
fixed. While reviewing the test cases for RoleDescriptor, I also
introduced more randomisation to increase the overall coverage of
features and scenarios.
Backport of: #81283
If you dynamically add an `_index` value, the `index` parameter is not required for the Watcher index action.
Co-authored-by: James Rodewig <40268737+jrodewig@users.noreply.github.com>
# Conflicts:
# x-pack/docs/en/watcher/actions/index.asciidoc
Co-authored-by: Daisuke Harada <1519063+dharada@users.noreply.github.com>
This PR adds the proper permissions for fleet server to create and write
documents to the .logs-endpoint.action.responses-* index. The Security
Endpoint, run by the Agent, streams action responses to this index which is
used by the Security app to determine if actions are complete, etc.
This was initially missed during testing because of using locally running fleet
servers that were given superuser permissions, hence bypassing the fleet server
user.
This PR adds the index to fleet server so that the Endpoint gets the key that
it needs to write to the index properly.
For more information, see this ticket: elastic/kibana#116715
Co-authored-by: Kevin Logan <56395104+kevinlog@users.noreply.github.com>
Changes:
* Removes several `[testenv="gold+"]` attributes from the docs. `gold+` is not a valid [subscription level](https://www.elastic.co/subscriptions) or testenv value.
* Moves two `[testenv="basic"]` attributes to the file header. This makes the `testenv` placement consistent and fixes the yml file generated from `docs/reference/snapshot-restore/register-repository.asciidoc`.
Co-authored-by: James Rodewig <40268737+jrodewig@users.noreply.github.com>
Co-authored-by: edh-oss <42759970+edh-oss@users.noreply.github.com>
This PR deprecates all monitoring settings as well as adds deprecation info entries for each setting.
Collecting and shipping monitoring data using the Monitoring plugin will be deprecated in 7.16 and will be removed at some point in the 8.x line after sufficient wait time. The recommended approach for collecting and shipping monitoring data going forward is to use Metricbeat. The recommended approach for alerting is Kibana alerting.
Backport of #79499
To avoid confusion I have added `(Optional)` to the item `Configure bind user` which is optional with Active Directory.
Co-authored-by: Edu González de la Herrán <25320357+eedugon@users.noreply.github.com>
This PR changes uses of transient cluster settings to
persistent cluster settings.
The PR also deprecates the transient settings usage.
Relates to #49540
Orchestrated environments should not allow users to override
`cluster.routing.allocation.disk.threshold_enabled`, so making this
operator only.
Closes #77846
Co-authored-by: David Turner <david.turner@elastic.co>
* Update SSL Certs
The [example below](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-ssl.html#security-api-ssl-example) shows `has_private_key` can also be `false` (as expected for a bool field data type).
* Update wording
Co-authored-by: Adam Locke <adam.locke@elastic.co>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
In https://github.com/elastic/kibana/pull/113783, we renamed Kibana's **Ingest Pipelines** feature to **Ingest Pipelines**. This updates screenshots and references for the feature. It also replaces a few remaining `ingest node pipeline` references.
# Conflicts:
# docs/reference/index-modules.asciidoc