root
/
elasticsearch
mirror of https://github.com/elastic/elasticsearch.git
1
0
Fork 0
Code Issues Actions 1 Packages Projects Releases Wiki Activity
elasticsearch/docs/reference/migration/migrate_8_0/security.asciidoc

285 lines
10 KiB
Plaintext
Raw Normal View History

[DOCS] Swap `[float]` for `[discrete]` (#60124) Changes instances of `[float]` in our docs for `[discrete]`. Asciidoctor prefers the `[discrete]` tag for floating headings: https://asciidoctor.org/docs/asciidoc-asciidoctor-diffs/#blocks
2020-07-23 23:48:22 +08:00
[discrete]
Remove obsolete security settings (#40496) Removes the deprecated accept_default_password setting. This setting become redundant when default passwords were removed from 6.0, but the setting was kept for BWC. Removes native role store cache settings. These have been unused since 5.2 but were kept for BWC.
2019-03-29 15:04:49 +08:00
[[breaking_80_security_changes]]
=== Security changes
[DOCS] Add notable-breaking-changes tags (#40990)
2019-04-09 09:20:59 +08:00
//NOTE: The notable-breaking-changes tagged regions are re-used in the
//Installation and Upgrade Guide
//tag::notable-breaking-changes[]
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
.The realm `order` setting is now required.
[%collapsible]
====
*Details* +
Make order setting required for Realm config (#51195) The order config must be explicitly specified for each realm. It must also be unique for each realm. This is a breaking change and will begin to take effect in 8.0 Resolves: #37614
2020-01-28 14:59:54 +08:00
The `xpack.security.authc.realms.{type}.{name}.order` setting is now required and must be
specified for each explicitly configured realm. Each value must be unique.
[DOCS] Add impact sections to security 8.0 breaking changes (#56439) Co-authored-by: Tim Vernum <tim@adjective.org>
2020-05-26 21:20:06 +08:00
*Impact* +
Make order setting required for Realm config (#51195) The order config must be explicitly specified for each realm. It must also be unique for each realm. This is a breaking change and will begin to take effect in 8.0 Resolves: #37614
2020-01-28 14:59:54 +08:00
The cluster will fail to start if the requirements are not met.
For example, the following configuration is invalid:
[source,yaml]
--------------------------------------------------
xpack.security.authc.realms.kerberos.kerb1:
keytab.path: es.keytab
remove_realm_name: false
--------------------------------------------------
And must be configured as:
[source,yaml]
--------------------------------------------------
xpack.security.authc.realms.kerberos.kerb1:
order: 0
keytab.path: es.keytab
remove_realm_name: false
--------------------------------------------------
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
====
Compress audit logs (#64472) audit logs should be compressed when rolling over due to size based triggering policy breaching 1GB. Files are not being deleted. closes #63843
2020-12-03 00:36:31 +08:00
[[audit-logs-are-rolled-over-and-archived-by-size]]
.Audit logs are rolled-over and archived by size.
[%collapsible]
====
*Details* +
In addition to the existing daily rollover, the security audit logs are
now rolled-over by disk size limit as well. Moreover, the rolled-over logs
are also gzip compressed.
*Impact* +
The names of rolled over audit logfiles (but not the name of the current log)
have changed.
If you've setup automated tools to consume these files, you must configure them
to use the new names and to possibly account for gzip archives instead of plaintext.
The Docker build of Elasticsearch is not affected since it logs on stdout where
rollover is not performed.
====
[DOCS] Add notable-breaking-changes tags (#40990)
2019-04-09 09:20:59 +08:00
// end::notable-breaking-changes[]
[DOCS] Add anchors for Asciidoctor migration (#41648)
2019-04-30 22:19:09 +08:00
[[accept-default-password-removed]]
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
.The `accept_default_password` setting has been removed.
[%collapsible]
====
*Details* +
Remove obsolete security settings (#40496) Removes the deprecated accept_default_password setting. This setting become redundant when default passwords were removed from 6.0, but the setting was kept for BWC. Removes native role store cache settings. These have been unused since 5.2 but were kept for BWC.
2019-03-29 15:04:49 +08:00
The `xpack.security.authc.accept_default_password` setting has not had any affect
since the 6.0 release of {es}. It has been removed and cannot be used.
[DOCS] Add impact sections to security 8.0 breaking changes (#56439) Co-authored-by: Tim Vernum <tim@adjective.org>
2020-05-26 21:20:06 +08:00
*Impact* +
Discontinue use of the `xpack.security.authc.accept_default_password` setting.
Specifying this setting in `elasticsearch.yml` will result in an error on
startup.
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
====
Remove obsolete security settings (#40496) Removes the deprecated accept_default_password setting. This setting become redundant when default passwords were removed from 6.0, but the setting was kept for BWC. Removes native role store cache settings. These have been unused since 5.2 but were kept for BWC.
2019-03-29 15:04:49 +08:00
[DOCS] Add anchors for Asciidoctor migration (#41648)
2019-04-30 22:19:09 +08:00
[[roles-index-cache-removed]]
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
.The `roles.index.cache.*` settings have been removed.
[%collapsible]
====
*Details* +
Remove obsolete security settings (#40496) Removes the deprecated accept_default_password setting. This setting become redundant when default passwords were removed from 6.0, but the setting was kept for BWC. Removes native role store cache settings. These have been unused since 5.2 but were kept for BWC.
2019-03-29 15:04:49 +08:00
The `xpack.security.authz.store.roles.index.cache.max_size` and
`xpack.security.authz.store.roles.index.cache.ttl` settings have
been removed. These settings have been redundant and deprecated
since the 5.2 release of {es}.
[DOCS] Add impact sections to security 8.0 breaking changes (#56439) Co-authored-by: Tim Vernum <tim@adjective.org>
2020-05-26 21:20:06 +08:00
*Impact* +
Discontinue use of the `xpack.security.authz.store.roles.index.cache.max_size`
and `xpack.security.authz.store.roles.index.cache.ttl` settings. Specifying
these settings in `elasticsearch.yml` will result in an error on startup.
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
====
Remove obsolete security settings (#40496) Removes the deprecated accept_default_password setting. This setting become redundant when default passwords were removed from 6.0, but the setting was kept for BWC. Removes native role store cache settings. These have been unused since 5.2 but were kept for BWC.
2019-03-29 15:04:49 +08:00
Remove the migrate tool (#42174) This commit removes the deprecated migrate tool which was used to migrate users from the file realm to native realm when the native realm was first created.
2019-05-18 02:49:05 +08:00
[[migrate-tool-removed]]
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
.The `elasticsearch-migrate` tool has been removed.
[%collapsible]
====
*Details* +
Remove the migrate tool (#42174) This commit removes the deprecated migrate tool which was used to migrate users from the file realm to native realm when the native realm was first created.
2019-05-18 02:49:05 +08:00
The `elasticsearch-migrate` tool provided a way to convert file
realm users and roles into the native realm. It has been deprecated
since 7.2.0. Users and roles should now be created in the native
realm directly.
[DOCS] Add impact sections to security 8.0 breaking changes (#56439) Co-authored-by: Tim Vernum <tim@adjective.org>
2020-05-26 21:20:06 +08:00
*Impact* +
Discontinue use of the `elasticsearch-migrate` tool. Attempts to use the
`elasticsearch-migrate` tool will result in an error.
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
====
Remove the client transport profile filter (#43236) Now that the transport client has been removed, the client transport profile filter can be removed from security. This filter prevented node actions from being executed using a transport client.
2019-07-03 17:32:24 +08:00
[[separating-node-and-client-traffic]]
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
.The `transport.profiles.*.xpack.security.type` setting has been removed.
[%collapsible]
====
*Details* +
Remove the client transport profile filter (#43236) Now that the transport client has been removed, the client transport profile filter can be removed from security. This filter prevented node actions from being executed using a transport client.
2019-07-03 17:32:24 +08:00
The `transport.profiles.*.xpack.security.type` setting has been removed since
the Transport Client has been removed and therefore all client traffic now uses
the HTTP transport. Transport profiles using this setting should be removed.
[DOCS] Add impact sections to security 8.0 breaking changes (#56439) Co-authored-by: Tim Vernum <tim@adjective.org>
2020-05-26 21:20:06 +08:00
*Impact* +
Discontinue use of the `transport.profiles.*.xpack.security.type` setting.
Specifying this setting in a transport profile in `elasticsearch.yml` will
result in an error on startup.
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
====
Reject misconfigured/ambiguous SSL server config (#45892) This commit makes it an error to start a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration.
2019-11-08 00:51:48 +08:00
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
[discrete]
Reject misconfigured/ambiguous SSL server config (#45892) This commit makes it an error to start a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration.
2019-11-08 00:51:48 +08:00
[[ssl-validation-changes]]
==== SSL/TLS configuration validation
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
.The `xpack.security.transport.ssl.enabled` setting is now required to configure `xpack.security.transport.ssl` settings.
[%collapsible]
====
*Details* +
Reject misconfigured/ambiguous SSL server config (#45892) This commit makes it an error to start a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration.
2019-11-08 00:51:48 +08:00
It is now an error to configure any SSL settings for
`xpack.security.transport.ssl` without also configuring
`xpack.security.transport.ssl.enabled`.
[DOCS] Add impact sections to security 8.0 breaking changes (#56439) Co-authored-by: Tim Vernum <tim@adjective.org>
2020-05-26 21:20:06 +08:00
*Impact* +
If using other `xpack.security.transport.ssl` settings, you must explicitly
specify the `xpack.security.transport.ssl.enabled` setting.
If you do not want to enable SSL and are currently using other
`xpack.security.transport.ssl` settings, do one of the following:
* Explicitly specify `xpack.security.transport.ssl.enabled` as `false`
* Discontinue use of other `xpack.security.transport.ssl` settings
If you want to enable SSL, follow the instructions in
{ref}/configuring-tls.html#tls-transport[Encrypting communications between nodes
in a cluster]. As part of this configuration, explicitly specify
`xpack.security.transport.ssl.enabled` as `true`.
Reject misconfigured/ambiguous SSL server config (#45892) This commit makes it an error to start a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration.
2019-11-08 00:51:48 +08:00
For example, the following configuration is invalid:
[source,yaml]
--------------------------------------------------
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
--------------------------------------------------
And must be configured as:
[source,yaml]
--------------------------------------------------
xpack.security.transport.ssl.enabled: true <1>
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
--------------------------------------------------
<1> or `false`.
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
====
Reject misconfigured/ambiguous SSL server config (#45892) This commit makes it an error to start a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration.
2019-11-08 00:51:48 +08:00
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
.The `xpack.security.http.ssl.enabled` setting is now required to configure `xpack.security.http.ssl` settings.
[%collapsible]
====
*Details* +
Reject misconfigured/ambiguous SSL server config (#45892) This commit makes it an error to start a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration.
2019-11-08 00:51:48 +08:00
It is now an error to configure any SSL settings for
`xpack.security.http.ssl` without also configuring
`xpack.security.http.ssl.enabled`.
[DOCS] Add impact sections to security 8.0 breaking changes (#56439) Co-authored-by: Tim Vernum <tim@adjective.org>
2020-05-26 21:20:06 +08:00
*Impact* +
If using other `xpack.security.http.ssl` settings, you must explicitly
specify the `xpack.security.http.ssl.enabled` setting.
If you do not want to enable SSL and are currently using other
`xpack.security.http.ssl` settings, do one of the following:
* Explicitly specify `xpack.security.http.ssl.enabled` as `false`
* Discontinue use of other `xpack.security.http.ssl` settings
If you want to enable SSL, follow the instructions in
{ref}/configuring-tls.html#tls-http[Encrypting HTTP client communications]. As part
of this configuration, explicitly specify `xpack.security.http.ssl.enabled`
as `true`.
Reject misconfigured/ambiguous SSL server config (#45892) This commit makes it an error to start a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration.
2019-11-08 00:51:48 +08:00
For example, the following configuration is invalid:
[source,yaml]
--------------------------------------------------
Make order setting required for Realm config (#51195) The order config must be explicitly specified for each realm. It must also be unique for each realm. This is a breaking change and will begin to take effect in 8.0 Resolves: #37614
2020-01-28 14:59:54 +08:00
xpack.security.http.ssl.certificate: elasticsearch.crt
xpack.security.http.ssl.key: elasticsearch.key
Reject misconfigured/ambiguous SSL server config (#45892) This commit makes it an error to start a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration.
2019-11-08 00:51:48 +08:00
xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ]
--------------------------------------------------
And must be configured as either:
[source,yaml]
--------------------------------------------------
xpack.security.http.ssl.enabled: true <1>
Make order setting required for Realm config (#51195) The order config must be explicitly specified for each realm. It must also be unique for each realm. This is a breaking change and will begin to take effect in 8.0 Resolves: #37614
2020-01-28 14:59:54 +08:00
xpack.security.http.ssl.certificate: elasticsearch.crt
xpack.security.http.ssl.key: elasticsearch.key
Reject misconfigured/ambiguous SSL server config (#45892) This commit makes it an error to start a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration.
2019-11-08 00:51:48 +08:00
xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ]
--------------------------------------------------
<1> or `false`.
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
====
Reject misconfigured/ambiguous SSL server config (#45892) This commit makes it an error to start a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration.
2019-11-08 00:51:48 +08:00
Compress audit logs (#64472) audit logs should be compressed when rolling over due to size based triggering policy breaching 1GB. Files are not being deleted. closes #63843
2020-12-03 00:36:31 +08:00
.A `xpack.security.transport.ssl` certificate and key are now required to enable SSL for the transport interface.
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
[%collapsible]
====
*Details* +
Reject misconfigured/ambiguous SSL server config (#45892) This commit makes it an error to start a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration.
2019-11-08 00:51:48 +08:00
It is now an error to enable SSL for the transport interface without also configuring
a certificate and key through use of the `xpack.security.transport.ssl.keystore.path`
setting or the `xpack.security.transport.ssl.certificate` and
`xpack.security.transport.ssl.key` settings.
[DOCS] Add impact sections to security 8.0 breaking changes (#56439) Co-authored-by: Tim Vernum <tim@adjective.org>
2020-05-26 21:20:06 +08:00
*Impact* +
If `xpack.security.transport.ssl.enabled` is set to `true`, provide a
certificate and key using the `xpack.security.transport.ssl.keystore.path`
setting or the `xpack.security.transport.ssl.certificate` and
`xpack.security.transport.ssl.key` settings. If a certificate and key is not
provided, {es} will return in an error on startup.
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
====
Reject misconfigured/ambiguous SSL server config (#45892) This commit makes it an error to start a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration.
2019-11-08 00:51:48 +08:00
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
.A `xpack.security.http.ssl` certificate and key are now required to enable SSL for the HTTP server.
[%collapsible]
====
*Details* +
Reject misconfigured/ambiguous SSL server config (#45892) This commit makes it an error to start a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration.
2019-11-08 00:51:48 +08:00
It is now an error to enable SSL for the HTTP (Rest) server without also configuring
a certificate and key through use of the `xpack.security.http.ssl.keystore.path`
setting or the `xpack.security.http.ssl.certificate` and
`xpack.security.http.ssl.key` settings.
[DOCS] Add impact sections to security 8.0 breaking changes (#56439) Co-authored-by: Tim Vernum <tim@adjective.org>
2020-05-26 21:20:06 +08:00
*Impact* +
If `xpack.security.http.ssl.enabled` is set to `true`, provide a certificate and
key using the `xpack.security.http.ssl.keystore.path` setting or the
`xpack.security.http.ssl.certificate` and `xpack.security.http.ssl.key`
settings. If certificate and key is not provided, {es} will return in an error
on startup.
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
====
Deprecate the kibana reserved user; introduce kibana_system user (#54967) * deprecate the kibana reserved user; introduce kibana_system user * fix license and test errors * fix IdentityProviderAuthenticationIT tests * test deprecation logging * First pass at SetupPasswordTool updates * fix checkstyle * update docs * update number of expected users * update test to expect deprecation header Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-04-28 01:31:21 +08:00
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
[discrete]
Deprecate the kibana reserved user; introduce kibana_system user (#54967) * deprecate the kibana reserved user; introduce kibana_system user * fix license and test errors * fix IdentityProviderAuthenticationIT tests * test deprecation logging * First pass at SetupPasswordTool updates * fix checkstyle * update docs * update number of expected users * update test to expect deprecation header Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-04-28 01:31:21 +08:00
[[builtin-users-changes]]
==== Changes to built-in users
[DOCS] Clarify that passwords are not preserved for `kibana_system` user (#59449) Updates the 8.0 breaking changes to clarify that passwords for the removed `kibana` user are not preserved for the replacement `kibana_system` users. Closes #59353
2020-07-14 03:58:36 +08:00
.The `kibana` user has been replaced by `kibana_system`.
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
[%collapsible]
====
*Details* +
Deprecate the kibana reserved user; introduce kibana_system user (#54967) * deprecate the kibana reserved user; introduce kibana_system user * fix license and test errors * fix IdentityProviderAuthenticationIT tests * test deprecation logging * First pass at SetupPasswordTool updates * fix checkstyle * update docs * update number of expected users * update test to expect deprecation header Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-04-28 01:31:21 +08:00
The `kibana` user was historically used to authenticate {kib} to {es}.
The name of this user was confusing, and was often mistakenly used to login to {kib}.
This has been renamed to `kibana_system` in order to reduce confusion, and to better
align with other built-in system accounts.
[DOCS] Add impact sections to security 8.0 breaking changes (#56439) Co-authored-by: Tim Vernum <tim@adjective.org>
2020-05-26 21:20:06 +08:00
*Impact* +
Replace any use of the `kibana` user with the `kibana_system` user. Specifying
the `kibana` user in `kibana.yml` will result in an error on startup.
Deprecate the kibana reserved user; introduce kibana_system user (#54967) * deprecate the kibana reserved user; introduce kibana_system user * fix license and test errors * fix IdentityProviderAuthenticationIT tests * test deprecation logging * First pass at SetupPasswordTool updates * fix checkstyle * update docs * update number of expected users * update test to expect deprecation header Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-04-28 01:31:21 +08:00
If your `kibana.yml` used to contain:
[source,yaml]
--------------------------------------------------
elasticsearch.username: kibana
--------------------------------------------------
then you should update to use the new `kibana_system` user instead:
[source,yaml]
--------------------------------------------------
elasticsearch.username: kibana_system
--------------------------------------------------
[DOCS] Clarify that passwords are not preserved for `kibana_system` user (#59449) Updates the 8.0 breaking changes to clarify that passwords for the removed `kibana` user are not preserved for the replacement `kibana_system` users. Closes #59353
2020-07-14 03:58:36 +08:00
IMPORTANT: The new `kibana_system` user does not preserve the previous `kibana`
user password. You must explicitly set a password for the `kibana_system` user.
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
====
Deprecate the kibana reserved user; introduce kibana_system user (#54967) * deprecate the kibana reserved user; introduce kibana_system user * fix license and test errors * fix IdentityProviderAuthenticationIT tests * test deprecation logging * First pass at SetupPasswordTool updates * fix checkstyle * update docs * update number of expected users * update test to expect deprecation header Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-04-28 01:31:21 +08:00
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
[discrete]
Deprecate the kibana reserved user; introduce kibana_system user (#54967) * deprecate the kibana reserved user; introduce kibana_system user * fix license and test errors * fix IdentityProviderAuthenticationIT tests * test deprecation logging * First pass at SetupPasswordTool updates * fix checkstyle * update docs * update number of expected users * update test to expect deprecation header Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-04-28 01:31:21 +08:00
[[builtin-roles-changes]]
==== Changes to built-in roles
[DOCS] Minor reword in 8.0 breaking changes
2020-05-11 23:43:59 +08:00
.The `kibana_user` role has been renamed `kibana_admin`.
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
[%collapsible]
====
*Details* +
Deprecate the kibana reserved user; introduce kibana_system user (#54967) * deprecate the kibana reserved user; introduce kibana_system user * fix license and test errors * fix IdentityProviderAuthenticationIT tests * test deprecation logging * First pass at SetupPasswordTool updates * fix checkstyle * update docs * update number of expected users * update test to expect deprecation header Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-04-28 01:31:21 +08:00
Users who were previously assigned the `kibana_user` role should instead be assigned
the `kibana_admin` role. This role grants the same set of privileges as `kibana_user`, but has been
renamed to better reflect its intended use.
[DOCS] Add impact sections to security 8.0 breaking changes (#56439) Co-authored-by: Tim Vernum <tim@adjective.org>
2020-05-26 21:20:06 +08:00
*Impact* +
Assign users with the `kibana_user` role to the `kibana_admin` role.
Discontinue use of the `kibana_user` role.
[DOCS] Collapse remaining 8.0 breaking changes (#56418)
2020-05-08 22:21:33 +08:00
====