Commit Graph

206 Commits

Author SHA1 Message Date
David Kilfoyle 40e9f3097c
[DOCS] Add TSDS docs, take two (#87703)
* Revert "Revert "[DOCS] Add TSDS docs (#86905)" (#87702)"

This reverts commit 0c86d7b9b2.

* First fix to tests

* Add data_stream object to index template

* small rewording

* Add enable data stream object in gradle example setup

* Add bullet about data stream must be enabled in template
2022-06-16 12:44:10 -04:00
David Kilfoyle 0c86d7b9b2
Revert "[DOCS] Add TSDS docs (#86905)" (#87702)
Reverts elastic/elasticsearch#86905
2022-06-15 13:32:12 -04:00
David Kilfoyle d57f4ac2c6
[DOCS] Add TSDS docs (#86905)
* [DOCS] Add TSDB docs

* Update docs/build.gradle

Co-authored-by: Adam Locke <adam.locke@elastic.co>

* Address Nik's comments, part 1

* Address Nik's comments, part deux

* Reword write index

* Add feature flags

* Wrap one more section in feature flag

* Small fixes

* set index.routing_path to optional

* Update storage reduction value

* Update create index template code example

Co-authored-by: James Rodewig <40268737+jrodewig@users.noreply.github.com>
Co-authored-by: Adam Locke <adam.locke@elastic.co>
2022-06-15 12:22:07 -04:00
Przemysław Witek 8656a29675
[Transform] Implement per-transform num_failure_retries setting. (#87361) 2022-06-09 15:22:06 +02:00
Yang Wang f5ceed19fc
User Profile - remove feature flag (#87383)
The feature flag is no longer necessary in the 8.4 release cycle. The
feature itself is still in beta.
2022-06-08 10:18:18 -04:00
Adam Locke 03f75416b5
[DOCS] JWT doc enhancements (#86411)
* [DOCS] Add examples for run-as privileges

* Add JWT run_as and realm examples

* Adding examples for run_as, moving that section, and other 🔥 edits

* Add section headers 🖍️

* Incorporate Justin's suggestions from code review

Co-authored-by: Justin Cranford <89857999+justincr-elastic@users.noreply.github.com>

* Edits and clarifications based on reviewer feedback.

* Clarify run_as privilege in roles

* Fix typo

* Add redirect to fix cross-book linking

* Expand the run_as examples

* Update request

* Remove NOTCONSOLE from curl commands

* Update run_as example and expand section on unsupported realms

* Split note for unsupported realms

* Remove note that OAuth2 tokens aren't supported and clarify run_as from unsupported realms

* Apply Justin's suggestions from code review

Co-authored-by: Justin Cranford <89857999+justincr-elastic@users.noreply.github.com>

* Update support for different authentication mechanisms

* Apply suggestions from code review

Co-authored-by: Justin Cranford <89857999+justincr-elastic@users.noreply.github.com>

* Add note from review, cleanup, and typo fixes

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Justin Cranford <89857999+justincr-elastic@users.noreply.github.com>
2022-06-03 18:12:36 -04:00
Justin Cranford 7b75311382
List rp.signature_algorithm supported values in docs (#87365) 2022-06-03 13:56:00 -04:00
Adam Locke acc22de4fd
[DOCS] Document when security auto configuration is skipped (#86575)
* [DOCS] Document when security auto configuration is skipped

* Add xpack autoconfiguration parameter and links

* Fix typo and add related link 🔗

* Incorporate review feedback

* Remove keystore section and instead integrate into previous section
2022-05-17 08:27:48 -04:00
Justin Cranford fc5f27cc0d
Add missing defaults for three OIDC settings (#86746) 2022-05-16 10:58:47 -04:00
Tim Vernum 6e32fed6e5
[DOCS] Fix name of OIDC JWT sig algorithm setting (#86561)
The `client_auth_jwt_signature_algorithm` was incorrectly documented.
2022-05-12 12:09:01 -04:00
Joe Gallo 6aaf0972a3
Make the ILM and SLM history_index_enabled settings dynamic (#86493) 2022-05-06 13:07:54 -04:00
Tim Vernum 4d7a516dac
Correct docs on DLS bitset cache default values (#86282)
In #50535 (ES v7.6) the default values for the
`DocumentSubsetBitsetCache` settings were changed. However, the docs
were not updated at that time, and still reflect the old values for
these settings.
2022-05-01 22:40:03 -04:00
Justin Cranford d4c1c2efbd
Add missing settings hmac_jwkset and hmac_key for JWT realm to security-settings.asciidoc (#86085) 2022-04-28 16:09:53 -04:00
Justin Cranford 94b45585a1
[DOCS] Add documentation for JWT realm (#85189) 2022-04-21 11:23:12 -04:00
Yang Wang 7dee198ac7
User Profile: Initial beta overview documentations (#83766)
Add initial feature overview documentation pages for User Profile and
Security Domain.

Co-authored-by: Adam Locke <adam.locke@elastic.co>
Co-authored-by: Tim Vernum <tim@adjective.org>
Co-authored-by: Albert Zaharovits <albert.zaharovits@gmail.com>
2022-04-15 00:38:41 +10:00
Justin Cranford 070dec4603
Add JWT cache to JWT realm. (#84842) 2022-03-21 13:55:32 -04:00
Lee Hinman ef01949562
Add list of allowed domains for Watcher email action (#84894)
This adds the `xpack.notification.email.account.domain_allowlist` dynamic cluster setting that
allows an administrator to specify a list of domains to which emails are allowed to be sent. The
default value for this setting is `["*"]` which means all domains are allowed. It supports
rudimentary globbing (`*`) in the domain name, so `*.company.com` will work as a valid option.

Resolves https://github.com/elastic/elasticsearch/issues/84739
2022-03-16 08:03:58 -06:00
Justin Cranford d103af2d06
Add JWT realm support for JWT validation (#83155) 2022-02-21 01:54:39 -05:00
Nicole Albee 5b6164f8fd
[Docs] Watcher clarification on CSV formulas warning. (#83088)
* Update docs for Watcher notification settings to include default xpack.notification.reporting.warning.kbn-csv-contains-formulas.text value and link to the Kibana documentation.

* Apply suggestions from code review

Co-authored-by: Adam Locke <adam.locke@elastic.co>

* Apply suggestions from code review

Co-authored-by: Adam Locke <adam.locke@elastic.co>

Co-authored-by: Adam Locke <adam.locke@elastic.co>
2022-01-27 09:23:12 -05:00
Lisa Cawley 6faff3e453
[DOCS] Updates xpack.security.enabled description (#82692) 2022-01-17 14:58:54 -08:00
Justin Cranford e467424043
Add JwtRealmSettings (#81680)
Add JwtRealmSettings

Include unit tests and realm security settings documentation. Covers all settings except client authentication mTLS option, and HTTP proxy option.

Refactor Open ID Connect realm to reuse ClaimSetting.java and ClaimParser.java for JWT realm.
2021-12-21 16:28:33 -05:00
James Rodewig 4d19702221
[DOCS] Update xrefs for snapshot restore docs (#81023)
Changes:

* Removes a leading slash from the restore snapshot API's prerequisites.
* Updates several xrefs that point to redirected pages.
2021-11-29 11:52:02 -05:00
James Rodewig 659e0d3fd3
[DOCS] Overhaul snapshot and restore docs (#79081)
Makes several changes to consolidate snapshot and backup-related docs.

Highlights:

* Adds info about supported ESS snapshot repository types
* Adds docs for Kibana's Snapshot and Restore feature
* Combines tutorial pages related to taking and managing snapshots
* Consolidates explanations of the snapshot process
* Incorporates SLM into the snapshot tutorial
* Removes duplicate "back up a cluster" pages
2021-11-15 12:45:07 -05:00
David Roberts a61088063e
[ML] use_auto_machine_memory_percent now defaults max_model_memory_limit (#80532)
If the xpack.ml.use_auto_machine_memory_percent setting is true,
and xpack.ml.max_model_memory_limit is not set then
xpack.ml.max_model_memory_limit is now considered to be set to
the largest size that could be assigned in the cluster.

This functionality will be crucial for Cloud once the Elasticsearch
startup code is setting the Elasticsearch JVM heap size. Then the
Cloud code will no longer be able to accurately set
xpack.ml.max_model_memory_limit, so will not set it at all.
Instead the Cloud code will just set
xpack.ml.use_auto_machine_memory_percent and the ML code will
calculate the appropriate maximum model_memory_limit that should
be permitted.
2021-11-10 08:38:02 +00:00
Lisa Cawley f9abc3aa13
[DOCS] Deprecate monitoring settings (#79977)
Co-authored-by: Adam Locke <adam.locke@elastic.co>
2021-11-01 11:56:48 -07:00
Adam Locke 2481b18329
[DOCS] Clarify HTTP and transport TLS settings (#79952)
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2021-10-27 16:46:58 -04:00
Adam Locke 2dfb5f957e
Update monitoring-settings.asciidoc (#78896) (#79169)
* Update monitoring-settings.asciidoc

* Update wording

Co-authored-by: Adam Locke <adam.locke@elastic.co>

Co-authored-by: Sandeep Kanabar <sandeepkanabar@gmail.com>
2021-10-14 13:10:12 -04:00
Tim Vernum ea0dc45146
Remove HTTPS check for API Keys & Service Accounts (#76801)
This commit removes the checks that prevented the use of API Keys and
Service Account (Service Tokens) on nodes without HTTPS
(xpack.security.http.ssl.enabled)

As a consequence of removing this check, the API Key service is now
automatically enabled, but can be explicitly disabled with

     xpack.security.authc.api_key.enabled: false
2021-09-22 07:32:03 +10:00
Adam Locke 08865e31b2
[DOCS] Fix formatting for Watcher settings (#76491)
Adds missing description list tagging for two Watcher settings.

Resolves #76484
2021-08-13 08:33:10 -04:00
Tim Vernum 01f20a3343
Default hasher to PBKDF2_STRETCH on FIPS mode (#76274)
When running in FIPS mode, (fips_mode.enabled: true), the default
password hasher is now "pbkdf2_stretch"

In non-FIPS mode the default is still "bcrypt"

In 7.x and earlier, the default hasher was always "bcrypt"
In 8.0-alpha1, the default hasher on FIPS was "pbkdf2"

Resolves: #66840
2021-08-13 12:18:44 +10:00
Andrei Dan 57b5a1b366
Docs: ILM document behaviour for changing lifecycle setting (#75790)
Add xref

Co-authored-by: James Rodewig <40268737+jrodewig@users.noreply.github.com>
2021-07-29 08:51:08 +01:00
Tim Vernum dbfd86a56c
Remove support for configurable PKCS#11 keystores (#75404)
In theory, Elasticsearch supported configuring a PKCS#11 keystore
anywhere where a keystore/truststore could be used. For example:

    xpack.security.http.ssl.keystore.type: pkcs11

However, this support was poorly tested and broken.
This commit removes PKCS#11 support from any configurable SSL context.

It does not affect the ability to use a PKCS#11 keystore as the JRE's
system default keystore/truststore.
2021-07-19 17:56:15 +10:00
Lisa Cawley 9ab6808206
[DOCS] Clean up xpack.ml.enabled details (#74573) 2021-06-30 09:34:46 -07:00
Tim Vernum 7ce9398fcf
[DOCS] Fix client_authentication setting default (#73743)
The value of `*.ssl.client_authentication` is `required` for
everything except `xpack.security.http.ssl.client_authentication`, for
which it is `none`.

The doc template for this setting was configured to have a default
value, and allow an override. However, the default was set to `none`
when it should have been `required`.

The override for `http` was correctly set to `none` (but that didn't
really do anything, since that was the same as the default).

This commit changes the default to `required`, which matches the code
(see `XPackSettings.CLIENT_AUTH_DEFAULT`), and leaves the override for
http as `none` (see `XPackSettings.HTTP_CLIENT_AUTH_DEFAULT`).
2021-06-04 14:22:47 +10:00
Tim Vernum d58fe5159c
[DOCS] Add notes on SSL version by JDK version (#73401)
Recent JDK releases have disabled TLS v1.0 and TLS v1.1 by default

See
 - https://java.com/en/jre-jdk-cryptoroadmap.html
 - https://bugs.openjdk.java.net/browse/JDK-8202343

This change adds documentation clarifying which TLS versions are
supported on which JDKs (in general terms, rather than specific builds)
and how to change the configuration if necessary.

Co-authored-by: Adam Locke <adam.locke@elastic.co>
2021-06-02 17:33:33 +10:00
David Turner 3e0959f308
Fix Watcher HTTP connection config for longevity (#72736)
Watcher uses a connection pool for outgoing HTTP traffic, which means
that some HTTP connections may live for a long time, possibly in an idle
state. Such connections may be silently torn down by a remote device, so
that when we re-use them we encounter a `Connection reset` or similar
error.

This commit introduces a setting allowing users to set a finite expiry
time on these connections, and also enables TCP keepalives on them by
default so that a remote teardown will be actively detected sooner.

Closes #52997
2021-05-06 08:28:39 +01:00
Benjamin Trent 2ce4d175f0
[ML] increase the default value of xpack.ml.max_open_jobs from 20 to 512 for autoscaling improvements (#72487)
This commit increases the xpack.ml.max_open_jobs from 20 to 512. Additionally, it ignores nodes that cannot provide an accurate view into their native memory.

If a node does not have a view into its native memory, we ignore it for assignment.

This effectively fixes a bug with autoscaling. Autoscaling relies on jobs with adequate memory to assign jobs to nodes. If that is hampered by the xpack.ml.max_open_jobs, scaling decisions are hampered.
2021-04-30 07:55:57 -04:00
István Zoltán Szabó 11c22ce23a
[DOCS] Adds backticks to xpack.ml.use_auto_machine_memory_percent. (#71814) 2021-04-19 11:12:27 +02:00
James Rodewig 693807a6d3
[DOCS] Fix double spaces (#71082) 2021-03-31 09:57:47 -04:00
Jake Landis c0f731f590
[master] docs: Add reference to reporting warning customization (#70515) (#70684)
Co-authored-by: Jake Landis <jake.landis@elastic.co>

Co-authored-by: Marcos Antonio de Almeida Ramos <almeidamarcos.a@gmail.com>
2021-03-23 08:05:36 -05:00
Andrei Dan 9831084067
ILM: Make all the shrink action steps retryable (#70107)
This aims at making the shrink action retryable. Every step is
retryable, but in order to provide an experience where ILM tries
to achieve a successful shrink even when the target node goes
missing permanently or the shrunk index cannot recover, this also
introduces a retryable shrink cycle within the shrink action.

The shrink action will generate a unique index name that'll be the
shrunk index name. The generated index name is stored in the lifecycle
state.

If the shrink action ends up waiting for the source shards to
colocate or for the shrunk index to recover for more than the configured
`LIFECYCLE_STEP_WAIT_TIME_THRESHOLD` setting, it will move back
to clean up the attempted (and failed) shrunk index and will retry
generating a new index name and attempting to shrink the source
to the newly generated index name.
2021-03-18 16:05:15 +00:00
Ioannis Kakavas 2b48bd789a
Add doc reference for client_auth_method (#70124)
Support for additional Client authentication methods was added in
the OIDC realm in #58708. This change adds the `rp.client_auth_method`
and `rp.client_auth_signature_algorithm` settings in the realm settings 
reference doc.
2021-03-10 12:34:01 +02:00
Ioannis Kakavas 060b3aadd6
Remove references to type parameter for realms (#70011)
Type configuration parameter was removed in 7.0. This change cleans
up some sentences where references to it had remained even after
we removed the parameter itself.
2021-03-10 12:01:20 +02:00
Lisa Cawley 2caba7b11f
[DOCS] Edits machine learning settings (#69947)
Co-authored-by: David Roberts <dave.roberts@elastic.co>
2021-03-09 10:59:12 -08:00
Lisa Cawley 8c0439f803
[DOCS] Add operator privileges to ML settings (#69766) 2021-03-03 08:20:39 -08:00
Lisa Cawley 4c39136837
[DOCS] Fix link in machine learning nightly maintenance setting (#69760) 2021-03-01 17:14:21 -08:00
Lyudmila Fokina ee66d6f11f
Support audit ignore policy by actions (#67477)
* Support audit ignore policy by index privileges

Adding new audit ignore policy - privileges
For example, following policy will filter out all events, which actions
minimal required privilege is either "read" or "delete":

xpack.security.audit.logfile.events.ignore_filters:
  example:
    privileges: ["read", "delete"]

Resolve: #60877
Related: #10836
Related: #37148

* Support audit ignore policy by index privileges

Adding new audit ignore policy - privileges
For example, following policy will filter out all events, which actions
required privilege is either "read" or "delete":

xpack.security.audit.logfile.events.ignore_filters:
  example:
    privileges: ["read", "delete"]

Resolve: #60877
Related: #10836
Related: #37148

* To avoid ambiguity (as cluster and index policies may have the same
name) changing implementation to have to separate policies for
`index_privileges` and `cluster_privileges`.
If both are set for the same policy, throw the IllegalArgumentException.

* To avoid ambiguity (as cluster and index policies may have the same
name) changing implementation to have to separate policies for
`index_privileges` and `cluster_privileges`.
If both are set for the same policy, throw the IllegalArgumentException.

* Fixing Api key related privilege check which expects request and
authentication by introducing overloaded
version of findPrivilegesThatGrant
just checking if privileges which can grant the action regardless of the
 request and authentication context.

* Fixing a test; adding a caching mechanism to avoid calling
findPrivilegesThatGrant each
 time.

* Support audit ignore policy by index privileges

Addressing review feedback

* Support audit ignore policy by index privileges

Addressing review comments + changing approach:
- use permission check instead of simple "checkIfGrants"
- adding more testing

* Support audit ignore policy by index privileges

Addressing review comments + changing approach:
- use permission check instead of simple "checkIfGrants"
- adding more testing

* Support audit ignore policy by index privileges

Addressing review comments + changing approach:
- use permission check instead of simple "checkIfGrants"
- adding more testing

* Support audit ignore policy by index privileges

Addressing review comments + changing approach:
- use permission check instead of simple "checkIfGrants"
- adding more testing

* Revert "Support audit ignore policy by index privileges"

This reverts commit 152821e7

* Revert "Support audit ignore policy by index privileges"

This reverts commit 79649e9a

* Revert "Support audit ignore policy by index privileges"

This reverts commit 96d22a42

* Revert "Support audit ignore policy by index privileges"

This reverts commit 67574b2f

* Revert "Support audit ignore policy by index privileges"

This reverts commit 35573c8b

* Revert "Fixing a test; adding a caching mechanism to avoid calling findPrivilegesThatGrant each  time."

This reverts commit 7faa52f3

* Revert "Fixing Api key related privilege check which expects request and authentication by introducing overloaded version of findPrivilegesThatGrant just checking if privileges which can grant the action regardless of the  request and authentication context."

This reverts commit 72b9aefe

* Revert "To avoid ambiguity (as cluster and index policies may have the same name) changing implementation to have to separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException."

This reverts commit 7dd8fe7d

* Revert "To avoid ambiguity (as cluster and index policies may have the same name) changing implementation to have to separate policies for `index_privileges` and `cluster_privileges`. If both are set for the same policy, throw the IllegalArgumentException."

This reverts commit cb5bc09c

* Revert "Support audit ignore policy by index privileges"

This reverts commit a918da10

* Support audit ignore policy by actions

Getting back to action filtering

* Support audit ignore policy by actions

Cleaning up some tests

* Support audit ignore policy by actions

Cleaning up some tests

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2021-03-01 18:44:57 +01:00
Lisa Cawley 4d1abd1494
[DOCS] Clarifies default ML and transform node settings (#67671) 2021-01-19 14:19:37 -08:00
Albert Zaharovits e05d83f7a8
DOC Audit security config change (#66839)
Audit log doc changes about:
* the new security_config_change event type (main scope of this PR)
* remove mentions of the 6.5 audit format changes (the JSON format)
* mention the new archiving and rotation by size (in v8 only)
* mention the request.id event attribute used to correlate audit events
* mention that audit is only available on certain subscription levels
* add an exhaustive audit event example list (because schema became too complex to explain in words 😢 given the new security_config_change events)
* move the ignore policies are explained on a separate page (it was collocated with the logfile output since we had multiple outputs and the policies were specific to the logfile only).

Co-authored-by: Lisa Cawley lcawley@elastic.co

Relates #62916
Closes #29912
2021-01-16 19:09:03 +02:00
Przemko Robakowski 6dfdacdc8f
Remove watcher history clean up from monitoring (#67154)
Monitoring should not clean up watcher history - indices are managed by ILM policy now.
It was deprecated in 7.x, removing it now in 8
2021-01-11 21:35:29 +01:00