2019-03-29 15:04:49 +08:00
|
|
|
[float]
|
|
|
|
|
[[breaking_80_security_changes]]
|
|
|
|
|
=== Security changes
|
|
|
|
|
|
2019-04-09 09:20:59 +08:00
|
|
|
//NOTE: The notable-breaking-changes tagged regions are re-used in the
|
|
|
|
|
//Installation and Upgrade Guide
|
|
|
|
|
|
|
|
|
|
//tag::notable-breaking-changes[]
|
2020-05-08 22:21:33 +08:00
|
|
|
.The realm `order` setting is now required.
|
|
|
|
|
[%collapsible]
|
|
|
|
|
====
|
|
|
|
|
*Details* +
|
2020-01-28 14:59:54 +08:00
|
|
|
The `xpack.security.authc.realms.{type}.{name}.order` setting is now required and must be
|
|
|
|
|
specified for each explicitly configured realm. Each value must be unique.
|
|
|
|
|
The cluster will fail to start if the requirements are not met.
|
|
|
|
|
|
|
|
|
|
For example, the following configuration is invalid:
|
|
|
|
|
[source,yaml]
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
xpack.security.authc.realms.kerberos.kerb1:
|
|
|
|
|
keytab.path: es.keytab
|
|
|
|
|
remove_realm_name: false
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
|
|
|
|
|
And must be configured as:
|
|
|
|
|
[source,yaml]
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
xpack.security.authc.realms.kerberos.kerb1:
|
|
|
|
|
order: 0
|
|
|
|
|
keytab.path: es.keytab
|
|
|
|
|
remove_realm_name: false
|
|
|
|
|
--------------------------------------------------
|
2020-05-08 22:21:33 +08:00
|
|
|
====
|
2019-04-09 09:20:59 +08:00
|
|
|
// end::notable-breaking-changes[]
|
|
|
|
|
|
2019-04-30 22:19:09 +08:00
|
|
|
[[accept-default-password-removed]]
|
2020-05-08 22:21:33 +08:00
|
|
|
.The `accept_default_password` setting has been removed.
|
|
|
|
|
[%collapsible]
|
|
|
|
|
====
|
|
|
|
|
*Details* +
|
2019-03-29 15:04:49 +08:00
|
|
|
The `xpack.security.authc.accept_default_password` setting has not had any affect
|
|
|
|
|
since the 6.0 release of {es}. It has been removed and cannot be used.
|
2020-05-08 22:21:33 +08:00
|
|
|
====
|
2019-03-29 15:04:49 +08:00
|
|
|
|
2019-04-30 22:19:09 +08:00
|
|
|
[[roles-index-cache-removed]]
|
2020-05-08 22:21:33 +08:00
|
|
|
.The `roles.index.cache.*` settings have been removed.
|
|
|
|
|
[%collapsible]
|
|
|
|
|
====
|
|
|
|
|
*Details* +
|
2019-03-29 15:04:49 +08:00
|
|
|
The `xpack.security.authz.store.roles.index.cache.max_size` and
|
|
|
|
|
`xpack.security.authz.store.roles.index.cache.ttl` settings have
|
|
|
|
|
been removed. These settings have been redundant and deprecated
|
|
|
|
|
since the 5.2 release of {es}.
|
2020-05-08 22:21:33 +08:00
|
|
|
====
|
2019-03-29 15:04:49 +08:00
|
|
|
|
2019-05-18 02:49:05 +08:00
|
|
|
[[migrate-tool-removed]]
|
2020-05-08 22:21:33 +08:00
|
|
|
.The `elasticsearch-migrate` tool has been removed.
|
|
|
|
|
[%collapsible]
|
|
|
|
|
====
|
|
|
|
|
*Details* +
|
2019-05-18 02:49:05 +08:00
|
|
|
The `elasticsearch-migrate` tool provided a way to convert file
|
|
|
|
|
realm users and roles into the native realm. It has been deprecated
|
|
|
|
|
since 7.2.0. Users and roles should now be created in the native
|
|
|
|
|
realm directly.
|
2020-05-08 22:21:33 +08:00
|
|
|
====
|
2019-07-03 17:32:24 +08:00
|
|
|
|
|
|
|
|
[[separating-node-and-client-traffic]]
|
2020-05-08 22:21:33 +08:00
|
|
|
.The `transport.profiles.*.xpack.security.type` setting has been removed.
|
|
|
|
|
[%collapsible]
|
|
|
|
|
====
|
|
|
|
|
*Details* +
|
2019-07-03 17:32:24 +08:00
|
|
|
The `transport.profiles.*.xpack.security.type` setting has been removed since
|
|
|
|
|
the Transport Client has been removed and therefore all client traffic now uses
|
|
|
|
|
the HTTP transport. Transport profiles using this setting should be removed.
|
2020-05-08 22:21:33 +08:00
|
|
|
====
|
2019-11-08 00:51:48 +08:00
|
|
|
|
2020-05-08 22:21:33 +08:00
|
|
|
[discrete]
|
2019-11-08 00:51:48 +08:00
|
|
|
[[ssl-validation-changes]]
|
|
|
|
|
==== SSL/TLS configuration validation
|
|
|
|
|
|
2020-05-08 22:21:33 +08:00
|
|
|
.The `xpack.security.transport.ssl.enabled` setting is now required to configure `xpack.security.transport.ssl` settings.
|
|
|
|
|
[%collapsible]
|
|
|
|
|
====
|
|
|
|
|
*Details* +
|
2019-11-08 00:51:48 +08:00
|
|
|
It is now an error to configure any SSL settings for
|
|
|
|
|
`xpack.security.transport.ssl` without also configuring
|
|
|
|
|
`xpack.security.transport.ssl.enabled`.
|
|
|
|
|
|
|
|
|
|
For example, the following configuration is invalid:
|
|
|
|
|
[source,yaml]
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
|
|
|
|
|
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
|
|
|
|
|
And must be configured as:
|
|
|
|
|
[source,yaml]
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
xpack.security.transport.ssl.enabled: true <1>
|
|
|
|
|
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
|
|
|
|
|
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
<1> or `false`.
|
2020-05-08 22:21:33 +08:00
|
|
|
====
|
2019-11-08 00:51:48 +08:00
|
|
|
|
2020-05-08 22:21:33 +08:00
|
|
|
.The `xpack.security.http.ssl.enabled` setting is now required to configure `xpack.security.http.ssl` settings.
|
|
|
|
|
[%collapsible]
|
|
|
|
|
====
|
|
|
|
|
*Details* +
|
2019-11-08 00:51:48 +08:00
|
|
|
It is now an error to configure any SSL settings for
|
|
|
|
|
`xpack.security.http.ssl` without also configuring
|
|
|
|
|
`xpack.security.http.ssl.enabled`.
|
|
|
|
|
|
|
|
|
|
For example, the following configuration is invalid:
|
|
|
|
|
[source,yaml]
|
|
|
|
|
--------------------------------------------------
|
2020-01-28 14:59:54 +08:00
|
|
|
xpack.security.http.ssl.certificate: elasticsearch.crt
|
|
|
|
|
xpack.security.http.ssl.key: elasticsearch.key
|
2019-11-08 00:51:48 +08:00
|
|
|
xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ]
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
|
|
|
|
|
And must be configured as either:
|
|
|
|
|
[source,yaml]
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
xpack.security.http.ssl.enabled: true <1>
|
2020-01-28 14:59:54 +08:00
|
|
|
xpack.security.http.ssl.certificate: elasticsearch.crt
|
|
|
|
|
xpack.security.http.ssl.key: elasticsearch.key
|
2019-11-08 00:51:48 +08:00
|
|
|
xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ]
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
<1> or `false`.
|
2020-05-08 22:21:33 +08:00
|
|
|
====
|
2019-11-08 00:51:48 +08:00
|
|
|
|
2020-05-08 22:21:33 +08:00
|
|
|
.A `xpack.security.transport.ssl` certificate and key are now required to enable SSL for the transport interface.
|
|
|
|
|
[%collapsible]
|
|
|
|
|
====
|
|
|
|
|
*Details* +
|
2019-11-08 00:51:48 +08:00
|
|
|
It is now an error to enable SSL for the transport interface without also configuring
|
|
|
|
|
a certificate and key through use of the `xpack.security.transport.ssl.keystore.path`
|
|
|
|
|
setting or the `xpack.security.transport.ssl.certificate` and
|
|
|
|
|
`xpack.security.transport.ssl.key` settings.
|
2020-05-08 22:21:33 +08:00
|
|
|
====
|
2019-11-08 00:51:48 +08:00
|
|
|
|
2020-05-08 22:21:33 +08:00
|
|
|
.A `xpack.security.http.ssl` certificate and key are now required to enable SSL for the HTTP server.
|
|
|
|
|
[%collapsible]
|
|
|
|
|
====
|
|
|
|
|
*Details* +
|
2019-11-08 00:51:48 +08:00
|
|
|
It is now an error to enable SSL for the HTTP (Rest) server without also configuring
|
|
|
|
|
a certificate and key through use of the `xpack.security.http.ssl.keystore.path`
|
|
|
|
|
setting or the `xpack.security.http.ssl.certificate` and
|
|
|
|
|
`xpack.security.http.ssl.key` settings.
|
2020-05-08 22:21:33 +08:00
|
|
|
====
|
2020-04-28 01:31:21 +08:00
|
|
|
|
2020-05-08 22:21:33 +08:00
|
|
|
[discrete]
|
2020-04-28 01:31:21 +08:00
|
|
|
[[builtin-users-changes]]
|
|
|
|
|
==== Changes to built-in users
|
|
|
|
|
|
2020-05-08 22:21:33 +08:00
|
|
|
.The `kibana` user has been renamed `kibana_system`.
|
|
|
|
|
[%collapsible]
|
|
|
|
|
====
|
|
|
|
|
*Details* +
|
2020-04-28 01:31:21 +08:00
|
|
|
The `kibana` user was historically used to authenticate {kib} to {es}.
|
|
|
|
|
The name of this user was confusing, and was often mistakenly used to login to {kib}.
|
|
|
|
|
This has been renamed to `kibana_system` in order to reduce confusion, and to better
|
|
|
|
|
align with other built-in system accounts.
|
|
|
|
|
|
|
|
|
|
If your `kibana.yml` used to contain:
|
|
|
|
|
[source,yaml]
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
elasticsearch.username: kibana
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
|
|
|
|
|
then you should update to use the new `kibana_system` user instead:
|
|
|
|
|
[source,yaml]
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
elasticsearch.username: kibana_system
|
|
|
|
|
--------------------------------------------------
|
2020-05-08 22:21:33 +08:00
|
|
|
====
|
2020-04-28 01:31:21 +08:00
|
|
|
|
2020-05-08 22:21:33 +08:00
|
|
|
[discrete]
|
2020-04-28 01:31:21 +08:00
|
|
|
[[builtin-roles-changes]]
|
|
|
|
|
==== Changes to built-in roles
|
|
|
|
|
|
2020-05-08 22:21:33 +08:00
|
|
|
.The `kibana_user` role has been renamed to `kibana_admin`.
|
|
|
|
|
[%collapsible]
|
|
|
|
|
====
|
|
|
|
|
*Details* +
|
2020-04-28 01:31:21 +08:00
|
|
|
Users who were previously assigned the `kibana_user` role should instead be assigned
|
|
|
|
|
the `kibana_admin` role. This role grants the same set of privileges as `kibana_user`, but has been
|
|
|
|
|
renamed to better reflect its intended use.
|
2020-05-08 22:21:33 +08:00
|
|
|
====
|
