github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-23 01:13:23 -04:00
Code Issues Projects Releases Packages Wiki Activity
kibana/config/serverless.yml
Elena Stoeva d603f410df
[8.x] [Advanced Settings] Move security settings validation config (#216440) (#217086) 
# Backport

This will backport the following commits from `main` to `8.x`:
- [[Advanced Settings] Move security settings validation config
(#216440)](https://github.com/elastic/kibana/pull/216440)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Elena
Stoeva","email":"59341489+ElenaStoeva@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-03-31T14:59:07Z","message":"[Advanced
Settings] Move security settings validation config (#216440)\n\n##
Summary\n\nIn https://github.com/elastic/kibana/pull/170234, we added
validation on\nthe security solution settings in serverless that is
enabled through
the\n`xpack.securitySolution.enableUiSettingsValidations` config
setting. In\nthis PR, we move this setting to
`config/serverless.security.yml` so\nthat it follows the sustainable
architecture
principles.","sha":"b1b8b190bda17b4d51e2db97814161d67cb44730","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Feature:Kibana
Management","Team:Kibana Management","release_note:skip","backport
missing","backport:prev-minor","v9.1.0","v8.19.0"],"title":"[Advanced
Settings] Move security settings validation
config","number":216440,"url":"https://github.com/elastic/kibana/pull/216440","mergeCommit":{"message":"[Advanced
Settings] Move security settings validation config (#216440)\n\n##
Summary\n\nIn https://github.com/elastic/kibana/pull/170234, we added
validation on\nthe security solution settings in serverless that is
enabled through
the\n`xpack.securitySolution.enableUiSettingsValidations` config
setting. In\nthis PR, we move this setting to
`config/serverless.security.yml` so\nthat it follows the sustainable
architecture
principles.","sha":"b1b8b190bda17b4d51e2db97814161d67cb44730"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/216440","number":216440,"mergeCommit":{"message":"[Advanced
Settings] Move security settings validation config (#216440)\n\n##
Summary\n\nIn https://github.com/elastic/kibana/pull/170234, we added
validation on\nthe security solution settings in serverless that is
enabled through
the\n`xpack.securitySolution.enableUiSettingsValidations` config
setting. In\nthis PR, we move this setting to
`config/serverless.security.yml` so\nthat it follows the sustainable
architecture
principles.","sha":"b1b8b190bda17b4d51e2db97814161d67cb44730"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->
2025-04-14 17:00:36 +02:00

240 lines
9.1 KiB
YAML
Raw Permalink Blame History

interactiveSetup.enabled: false
newsfeed.enabled: false
xpack.serverless.plugin.enabled: true
# Fleet settings
xpack.fleet.internal.fleetServerStandalone: true
xpack.fleet.internal.disableILMPolicies: true
xpack.fleet.internal.activeAgentsSoftLimit: 25000
xpack.fleet.internal.onlyAllowAgentUpgradeToKnownVersions: true
xpack.fleet.internal.retrySetupOnBoot: true
xpack.fleet.internal.useMeteringApi: true
xpack.searchSynonyms.enabled: false
xpack.searchQueryRules.enabled: false
## Fine-tune the feature privileges.
xpack.features.overrides:
dashboard:
privileges:
### Dashboard's `All` feature privilege should implicitly grant `All` access to Maps and Visualize features.
all.composedOf:
- feature: "maps"
privileges: [ "all" ]
- feature: "visualize"
privileges: [ "all" ]
### Dashboard's `Read` feature privilege should implicitly grant `Read` access to Maps and Visualize features.
### Additionally, it should implicitly grant privilege to create short URLs in Visualize app.
read.composedOf:
- feature: "maps"
privileges: [ "read" ]
- feature: "visualize"
privileges: [ "read" ]
### All Dashboard sub-feature privileges should be hidden: reporting capabilities will be granted via dedicated
### Reporting feature and short URL sub-feature privilege should be granted for both `All` and `Read`.
subFeatures.privileges:
download_csv_report.disabled: true
generate_report.disabled: true
store_search_session.disabled: true
url_create:
disabled: true
includeIn: "read"
discover:
### All Discover sub-feature privileges should be hidden: reporting capabilities will be granted via dedicated
### Reporting feature and short URL sub-feature privilege should be granted for both `All` and `Read`.
subFeatures.privileges:
generate_report.disabled: true
store_search_session.disabled: true
url_create:
disabled: true
includeIn: "read"
### Shared images feature is hidden in Role management since it's not needed.
filesSharedImage.hidden: true
### Maps feature is hidden in Role management since it's automatically granted by Dashboard feature.
maps.hidden: true
### Reporting feature is supposed to give access to reporting capabilities across different features.
reporting:
privileges:
all.composedOf:
- feature: "dashboard"
privileges: [ "download_csv_report" ]
- feature: "discover"
privileges: [ "generate_report" ]
### Visualize feature is hidden in Role management since it's automatically granted by Dashboard feature.
visualize:
hidden: true
### The short URL sub-feature privilege should be always granted.
subFeatures.privileges.url_create.includeIn: "read"
# Cloud links
xpack.cloud.base_url: 'https://cloud.elastic.co'
# Disable preboot phase for serverless
core.lifecycle.disablePreboot: true
# Enable ZDT migration algorithm
migrations.algorithm: zdt
# Enable elasticsearch response size circuit breaker
elasticsearch.maxResponseSize: "100mb"
# Limit batch size to reduce possibility of failures.
# A longer migration time is acceptable due to the ZDT algorithm.
migrations.batchSize: 250
migrations.zdt:
metaPickupSyncDelaySec: 5
# Ess plugins
xpack.securitySolutionEss.enabled: false
# Management team plugins
xpack.upgrade_assistant.enabled: false
xpack.rollup.enabled: false
xpack.watcher.enabled: false
xpack.ccr.enabled: false
xpack.ilm.enabled: false
xpack.remote_clusters.enabled: false
xpack.snapshot_restore.enabled: false
xpack.license_management.enabled: false
# Management team UI configurations
# Disable index actions from the Index Management UI
xpack.index_management.enableIndexActions: false
# Disable legacy index templates from Index Management UI
xpack.index_management.enableLegacyTemplates: false
# Disable index stats information from Index Management UI
xpack.index_management.enableIndexStats: false
# Enable size and doc count information via metering API from Index Management UI
xpack.index_management.enableSizeAndDocCount: true
# Disable data stream stats information from Index Management UI
xpack.index_management.enableDataStreamStats: false
# Only limited index settings can be edited
xpack.index_management.editableIndexSettings: limited
# Disable _source field in the Mappings editor's advanced options form from Index Management UI
xpack.index_management.enableMappingsSourceFieldSection: false
# Disable toggle for enabling data retention in DSL form from Index Management UI
xpack.index_management.enableTogglingDataRetention: false
# Disable project level rentention checks in DSL form from Index Management UI
xpack.index_management.enableProjectLevelRetentionChecks: false
# Disable Manage Processors UI in Ingest Pipelines
xpack.ingest_pipelines.enableManageProcessors: false
# Keep deeplinks visible so that they are shown in the sidenav
dev_tools.deeplinks.navLinkStatus: visible
management.deeplinks.navLinkStatus: visible
# Onboarding team UI configurations
xpack.cloud_integrations.data_migration.enabled: false
guided_onboarding.enabled: false
# Other disabled plugins
xpack.canvas.enabled: false
data.search.sessions.enabled: false
advanced_settings.globalSettingsEnabled: false
# Disable the browser-side functionality that depends on SecurityCheckupGetStateRoutes
xpack.security.showInsecureClusterWarning: false
# Disable UI of security management plugins
xpack.security.ui.userManagementEnabled: false
xpack.security.ui.roleMappingManagementEnabled: false
# Enforce restring access to internal APIs see https://github.com/elastic/kibana/issues/151940
server.restrictInternalApis: true
# Telemetry enabled by default and not disableable via UI
telemetry.optIn: true
telemetry.allowChangingOptInStatus: false
# Harden security response headers, see https://github.com/elastic/kibana/issues/150884
# The browser should remember that a site, including subdomains, is only to be accessed using HTTPS for 1 year
# Can override this setting in kibana.dev.yml, e.g. server.securityResponseHeaders.strictTransportSecurity: null
server.securityResponseHeaders.strictTransportSecurity: max-age=31536000; includeSubDomains
# Disable embedding for serverless MVP
server.securityResponseHeaders.disableEmbedding: true
# default to newest routes
server.versioned.versionResolution: newest
# do not enforce client version check
server.versioned.strictClientVersionCheck: false
# Enforce single "default" space and disable feature visibility controls
xpack.spaces.maxSpaces: 1
xpack.spaces.allowFeatureVisibility: false
xpack.spaces.allowSolutionVisibility: false
# Only display console autocomplete suggestions for ES endpoints that are available in serverless
console.autocompleteDefinitions.endpointsAvailability: serverless
# Do not check the ES version when running on Serverless
elasticsearch.ignoreVersionMismatch: true
# Limit maxSockets to 800 as we do in ESS, which improves reliability under high loads.
elasticsearch.maxSockets: 800
# Visualizations editors readonly settings
vis_type_gauge.readOnly: true
vis_type_heatmap.readOnly: true
vis_type_metric.readOnly: true
vis_type_pie.readOnly: true
vis_type_table.readOnly: true
vis_type_tagcloud.readOnly: true
vis_type_timelion.readOnly: true
vis_type_timeseries.readOnly: true
vis_type_vislib.readOnly: true
vis_type_xy.readOnly: true
input_control_vis.readOnly: true
xpack.graph.enabled: false
# Disable cases in stack management
xpack.cases.stack.enabled: false
# Alerting and action circuit breakers
xpack.alerting.rules.run.actions.max: 3000
xpack.alerting.rules.run.timeout: 1m
xpack.alerting.rules.run.ruleTypeOverrides:
- id: siem.indicatorRule
timeout: 10m
- id: siem.eqlRule
timeout: 5m
xpack.alerting.rules.minimumScheduleInterval.enforce: true
xpack.alerting.rules.maxScheduledPerMinute: 400
xpack.actions.run.maxAttempts: 10
xpack.actions.queued.max: 10000
uiSettings:
overrides:
# Disables ESQL in advanced settings (hides it from the UI)
enableESQL: true
bfetch:disable: true
# Disables `Defer loading panels below "the fold"`
labs:dashboard:deferBelowFold: false
# Task Manager
xpack.task_manager.allow_reading_invalid_state: false
xpack.task_manager.request_timeouts.update_by_query: 60000
xpack.task_manager.metrics_reset_interval: 120000
# Reporting feature
xpack.screenshotting.enabled: false
xpack.reporting.queue.pollInterval: 3m
xpack.reporting.roles.enabled: false
xpack.reporting.statefulSettings.enabled: false
xpack.reporting.csv.maxConcurrentShardRequests: 0
# Disabled Observability plugins
xpack.ux.enabled: false
xpack.legacy_uptime.enabled: false
monitoring.enabled: false
monitoring.ui.enabled: false
## Enable uiSettings validations
data.enableUiSettingsValidations: true
discover.enableUiSettingsValidations: true
## Data Usage in stack management
xpack.dataUsage.enabled: true
# This feature is disabled in Serverless until fully tested within a Serverless environment
xpack.dataUsage.enableExperimental: ['dataUsageDisabled']
# This feature is disabled in Serverless until Inference Endpoint become enabled within a Serverless environment
xpack.stack_connectors.enableExperimental: ['inferenceConnectorOff']
Reference in a new issue View git blame Copy permalink