👋🏼 howdy, team! When Kibana can't connect to Elasticsearch (past finding master /
network issue, just unhealthy cluster ballpark), its code logic cascades
into first tripping the warn/error log `license is not available`.
This is a red herring in that the license cannot be determined and the user
should investigate the network connection / Elasticsearch health rather
than investigating for lapsed licenses.
Adding this into the "Kibana not ready" docs since it raises at this
point in the flow, to hopefully allow users to search-find it in our
official docs rather than e.g. top Google results: [Elastic
Discuss](https://discuss.elastic.co/t/license-not-available/265931),
[external GitHub](https://github.com/spujadas/elk-docker/issues/349).
Closes #154252
## Summary
This PR implements a default [permissions policy
header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy)
for Kibana. It takes into consideration only the directives that are
_not_ still in development/pre-release. These directives are:
- camera
- display-capture
- fullscreen
- geolocation
- microphone
- web-share
All directives above are set to an empty or "none" allow list, with the
exception of `fullscreen`. The default permissions policy for Kibana
will be: `camera=(), display-capture=(), fullscreen=(self),
geolocation=(), microphone=(), web-share=()`.
The `display-capture` directive only affects access to the [Screen
capture
API](https://developer.mozilla.org/en-US/docs/Web/API/Screen_Capture_API),
whereas our reporting utilities rely on a headless Chrome feature.
FullStory also does not appear to rely on capturing the screen, but
rather on [capturing the DOM and
CSS](3600206230-Does-FullStory-work-with-my-complex-site-)
to reproduce the screen and user stories. We have confirmed with
FullStory support that they do not use the Screen capture API
(`getDisplayMedia()`).
The `fullscreen` directive affects access to the
[element.requestFullscreen
API](https://developer.mozilla.org/en-US/docs/Web/API/Element/requestFullscreen).
Our fullscreen view for Dashboards and visualizations appears to be
scoped to the Kibana application and not the browser or system, but
there is one use of `requestFullscreen` in the synthetics plugin's
`grid_group_item`, hence the default setting of 'self' here.
## Testing
Due to screen capture reports (PNG & PDF) and fullscreen modes working
with the configuration defined above, I wanted to double-check the
header was working, so I tested both camera and microphone access. I did
this by adding some code into our team's user management screen that
would attempt to access both the camera and microphone. I could confirm
that with the permissions policy header (as defined), no access prompts
would appear for either resource. When I removed the directives for the
camera and microphone from the permissions policy header, prompts
appeared in the browser (Chrome) to approve access to the camera and
microphone.
### Manual Test:
1. Start Elasticsearch and Kibana from this PR
2. Sign into Kibana and open your browser's dev tools
3. In the network tab, inspect one of the requests for localhost
4. In the Headers tab, verify the permissions-policy header is present
with the new default value defined above, `camera=(),
display-capture=(), fullscreen=(self), geolocation=(), microphone=(),
web-share=()`
5. Edit the kibana.yml file, add
`server.securityResponseHeaders.permissionsPolicy: camera=(self)`
6. Refresh Kibana in the browser, verify the permissions-policy header
is present with the value set in kibana.yml in step 5
7. Edit the kibana.yml file, add
`server.securityResponseHeaders.permissionsPolicy: null`
8. Refresh Kibana in the browser, verify the permissions-policy header
is no longer present
## Release Notes:
Security
Adds default Permissions-Policy header including all non-experimental
directives [#158514](https://github.com/elastic/kibana/pull/158514)
---------
Co-authored-by: James Rodewig <james.rodewig@elastic.co>
Not sure if the original text was intentional.
If APM needs to be more prominent here, you could say *Elastic
Observability and APM* , but it's misleading to say that you can use
Elastic APM for all of the use cases listed here.
Note that I didn't search the Kibana Guide for other instances of this
problem; I just noticed this while doing something else and wanted to
make sure it's fixed.
### Checklist
Delete any items that are not applicable to this PR.
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
## Summary
Updates `Troubleshoot Kibana UI error` with the following fixes:
- {kib} in error code should be Kibana
- code shouldn’t have “`” tick marks wrapping commands
- the bullet list under Step #5 didn’t format
This adds steps to the [Install Kibana with
Docker](https://www.elastic.co/guide/en/kibana/current/docker.html) page
for verifying the downloaded Docker images. I split apart the original
version which had all the commands in one block. Having them separate
allows us to add in the optional "verify images" step with a link to the
Elasticsearch docs for additional info.
Rel: https://github.com/elastic/dev/issues/2002
---------
Co-authored-by: Tiago Costa <tiago.costa@elastic.co>
## Summary
Relates to: #113217
- Add extra documentation to highlight behaviour of the kibana keystore
(for #113217)
- Fix/Tidy-up commands (`create`, `list`) where the extra unused
arguments were preventing the `options` from being passed to the
functions. Also remove unnecessary `async` keyword from the `remove`
command.
- Added new `show` command
```
Usage: bin/kibana-keystore show [options] <key>
Displays the value of a single setting in the keystore. Pass the -o (or --output) parameter to write the setting to a file.
Options:
-s, --silent prevent all logging
-o, --output <file> output value to a file
-h, --help output usage information
```
### Checklist
Delete any items that are not applicable to this PR.
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
### For maintainers
- [x] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---------
Co-authored-by: Kaarina Tungseth <kaarina.tungseth@elastic.co>
This PR adds the new configuration settings to the docs. The
configurations were added in this PR:
https://github.com/elastic/kibana/pull/154013
---------
Co-authored-by: lcawl <lcawley@elastic.co>
This change ensures that the `unsafe-eval` source expression isn't included in
the Kibana Content Security Policy (CSP) by default.
Users can set `csp.disableUnsafeEval: false` to reintroduce `unsafe-eval`.
However, since this config option is deprecated as of this commit, it's
recommended to instead set `csp.script_src: ['unsafe-eval']`.
Closes #150156
Part of #141780
## Release notes
Include Cross-Origin-Opener-Policy in default response headers
## Testing
Load Kibana; you should see Kibana respond with
`Cross-Origin-Opener-Policy: same-origin` header for page loads and API
requests.
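The header defaults described in the Permissions-Policy, CSP `unsafe-eval` and Cross-Origin-Opener-Policy changes above can be checked together against headers captured from the browser's Network tab. The following is an added example, not Kibana code: `parsePermissionsPolicy` and `auditKibanaHeaders` are hypothetical helpers, and the header values are constructed to match the defaults those PRs describe.

```javascript
// Added example, not Kibana code: audit captured Kibana response headers
// against the defaults described in the PRs above.
// Parse a Permissions-Policy value like `camera=(), fullscreen=(self)` into a
// map of directive -> allowlist tokens (empty array = no origin allowed).
// Unparenthesised forms such as `camera=*` are skipped, so they surface as failures.
function parsePermissionsPolicy(value) {
  const policy = {};
  for (const part of value.split(',')) {
    const m = part.trim().match(/^([a-z-]+)=\((.*)\)$/);
    if (!m) continue;
    const inner = m[2].trim();
    policy[m[1]] = inner === '' ? [] : inner.split(/\s+/);
  }
  return policy;
}
// Directives the default policy denies to every origin; fullscreen is the one
// exception and must be limited to `self`.
const DENIED = ['camera', 'display-capture', 'geolocation', 'microphone', 'web-share'];
// Returns findings (empty = headers match the defaults). Header names are
// expected lower-cased, as Node's http module returns them.
function auditKibanaHeaders(headers) {
  const findings = [];
  const pp = headers['permissions-policy'];
  if (pp === undefined) {
    findings.push('permissions-policy header missing');
  } else {
    const policy = parsePermissionsPolicy(pp);
    for (const d of DENIED) {
      if (!policy[d] || policy[d].length !== 0) findings.push(`${d} is not fully denied`);
    }
    const fs = policy.fullscreen;
    if (!fs || fs.join(' ') !== 'self') findings.push('fullscreen is not restricted to self');
  }
  const csp = headers['content-security-policy'] || '';
  if (/'unsafe-eval'/.test(csp)) findings.push("content-security-policy allows 'unsafe-eval'");
  if (headers['cross-origin-opener-policy'] !== 'same-origin') findings.push('cross-origin-opener-policy is not same-origin');
  return findings;
}
// Constructed sample headers matching the defaults described above.
const DEFAULT_HEADERS = {
  'permissions-policy': 'camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()',
  'content-security-policy': "script-src 'self'",
  'cross-origin-opener-policy': 'same-origin',
};
// Constructed weakened sample: camera opened to self (manual-test step 5), unsafe-eval re-enabled, no COOP header.
const WEAKENED_HEADERS = {
  'permissions-policy': 'camera=(self)',
  'content-security-policy': "script-src 'unsafe-eval' 'self'",
};
```

Feeding it the header object from a real response (for example `res.headers` from Node's `http.get`) reports every directive that drifted from the documented defaults.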
The current example contains invalid characters and does not work. Furthermore, it incorrectly points towards the Elasticsearch API instead of the Kibana API. Both are addressed in this change.
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Use brotli compression
* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'
* Add integration test for brotli support
* Use import instead of require()
* Suppress build error on importing brok
* [CI] Auto-commit changed files from 'node scripts/precommit_hook.js --ref HEAD~1..HEAD --fix'
* add brok as explicit package dep
* add `server.compression.brotli` config settings
* update documentation
* fix test utils
* fix more test configs
* add tests for endpoints too
* remove against endpoint for now
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: pgayvallet <pierre.gayvallet@elastic.co>
This removes indication that the `server.publicBaseUrl` setting is supported on Elasticsearch Service. While the setting is technically available in ESS it's not configurable and it's best not documented.
Adds a new experimental Kibana setting called `csp.disableUnsafeEval` which will default to `false`. When set to `true`, it will remove `unsafe-eval` from our CSP.
Also introduces a new module called `@kbn/handlebars` which is a replacement for the official `handlebars` module used in the frontend. This new module is necessary in order to avoid calling `eval`/`new Function` from within `handlebars` which is not allowed once `unsafe-eval` is removed from our CSP.
The `@kbn/handlebars` module is simply an extension of the main `handlebars` module which adds a new compile function called `compileAST` (as an alternative to the regular `compile` function). This new function will not use code-generation from strings to compile the template but will instead generate an AST and return a render function with the same API as the function returned by the regular `compile` function.
This is a slightly slower method, but since this is only meant to be used client-side, the slowdown should not be an issue.
The following limitations exist when using `@kbn/handlebars`:
The Inline partials handlebars template feature is not supported.
Only the following compile options will be supported:
- `knownHelpers`
- `knownHelpersOnly`
- `strict`
- `assumeObjects`
- `noEscape`
- `data`
Only the following runtime options will be supported:
- `helpers`
- `blockParams`
- `data`
Closes #36311
* Descriptive logs with docLinks for cluster shard limit exceeded
* Integration test for isClusterShardLimitExceeded
* Fix jest test snapshots
* Apply suggestions from code review
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
* PR feedback
* PR feedback
* Unit tests for isClusterShardLimitExceeded
* Use constants for repeated strings
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
* Add reproducing test case
* Fix and add integration test
* Transient settings should take preference
* Rename unsupported_cluster_routing_allocation error to incompatible_cluster_routing_allocation
* Retry INIT when action fails with [incompatible_cluster_routing_allocation]
* Apply suggestions from code review
Co-authored-by: Christiane (Tina) Heiligers <christiane.heiligers@elastic.co>
* Fix archive with trial licence and re-enable skipped test
* Integration test for incompatible cluster routing allocation
* Fix types after renaming UnsupportedClusterRoutingAllocation
* Attempt to fix open handle tests
Co-authored-by: Christiane (Tina) Heiligers <christiane.heiligers@elastic.co>
The `server.uuid` setting MUST be a valid UUIDv4.
Also, the setting was added in the middle of other SSL settings and it was misleading (due to a banner related to SSL settings).
* reapply docs and doclink changes
* Updates wait_for_index_yellow_status response type on response timeout, updates create_index action and model to account for the changes
* Refactors clone_index action to account for new return type of waitForIndexYellow, updates model
* Updates README
* Updates snapshot
* Updates docs
* Fix import violations
* imports
* Extends the retry log message with an actionable item linking to the docs on every retryable migration action
* Refactor retry_state and model to allow linking to specific subsections in the docs
* Updates resolving saved objects migration failures docs
* Calls waitForIndexStatusYellow directly in actions integration tests
* Deletes comment
* Update src/core/server/saved_objects/migrations/model/retry_state.test.ts
Co-authored-by: Rudolf Meijering <skaapgif@gmail.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Rudolf Meijering <skaapgif@gmail.com>