This commit adds support to reload the JWT shared secret.
Notably this commit also includes support for a rotatable secret which includes
support for a configurable grace period where the elder value (after rotation)
is still accessible. This allows a time bound leniency where both values are
valid at the same time to help mitigate tightly coupled systems rotations.
The rotatable secret currently only supports checking if it is set or it matches
an external secret. However, future updates will accept a function that
can be be used as input to a 3rd party system that can try the current secret
but automatically fall back to the prior secret if that fails during the grace period.
The implementation of rotatable secret uses a StampedLock with optimistic
reads to help ensure minimal performance impact for the reading and expiry
of the secret.
This makes the data stream lifecycle generally available. This will allow
data streams to take advantage of a native simplified and resilient
lifecycle implementation.
This commit corrects the following issues with JWT and OIDC `jwkset_path` documentation:
* only https is supported for the JWT realm (OIDC support both https and http)
* JWT realm does not use a file watcher to reload the file every 5 seconds
* simplify "path" to "file name" ..technically it is resolved path, but 99% of the time it will be just
a file name in the config directory and "path" is ambiguous
* remove special mention of using the absolute path in cloud. .. this is an unnecessary implementation
detail and the only setting (of many) that calls out the cloud config directly by absolute path
* ensure the 2 different JWT documentations are the same
* make mention of when the JWT file will be reloaded (it is not backed by the file watcher, only OIDC is)
* [DOCS] Describe how to use Elastic Agent to monitor Elasticsearch
* Temporarily fix doc build
* Add question about showing Elastic Agent metrics in the monitoring UI
* Apply changes from review
* Activate link to Kibana docs
* Fix broken link
* Update docs/reference/monitoring/indices.asciidoc
This commit changes the SAML realm to use placeholder metadata (UnresolvedEntity) when the real metadata cannot be loaded over HTTPS - unless metadata.http.fail_on_error is set to true.
All future use of the realm will fail until the metadata is available, but this change allows the node to bootstrap successfully.
This PR is another round of documentation update for the JWT realm with the goal to achieve better clarity, differentiating more between the two token types and encourage readers to choose between them carefully.
Relates: #92409
This PR adds a user action to the SLM health indicator which checks each SLM policy's invocations
since last success field and reports degraded health (YELLOW) in the event that any policy is at or
above the failure threshold (default is 5 failures in a row).
This PR adds a new setting to enable tcp keepalive probes for the
connections used by the oidc back-channel communication. It defaults to
true as tcp keepalive is generally useful for ES.
Relates: #87773
In some environment, the back-channel connection can be dropped
without sending a TCP RST to ES. When that happens, reusing the same
connection results into timeout error.
This PR adds a new http.connection_pool_ttl setting to control how long
a connection in the OIDC back-channel pool can be idle before it is
closed. This allows ES to more actively close idle connections to avoid
the timeout issue.
The new setting has a 3min default which means idle connections are
closed every 3 min if server response does not specify a shorter keep-alive.
Resolves: #75515
* Revert "Revert "[DOCS] Add TSDS docs (#86905)" (#87702)"
This reverts commit 0c86d7b9b2.
* First fix to tests
* Add data_stream object to index template
* small rewording
* Add enable data stream object in gradle example setup
* Add bullet about data stream must be enabled in template
* [DOCS] Add TSDB docs
* Update docs/build.gradle
Co-authored-by: Adam Locke <adam.locke@elastic.co>
* Address Nik's comments, part 1
* Address Nik's comments, part deux
* Reword write index
* Add feature flags
* Wrap one more section in feature flag
* Small fixes
* set index.routing_path to optional
* Update storage reduction value
* Update create index template code example
Co-authored-by: James Rodewig <40268737+jrodewig@users.noreply.github.com>
Co-authored-by: Adam Locke <adam.locke@elastic.co>
* [DOCS] Document when security auto configuration is skipped
* Add xpack autoconfiguration parameter and links
* Fix typo and add related link 🔗
* Incorporate review feedback
* Remove keystore section and instead integrate into previous section
In #50535 (ES v7.6) the default values for the
`DocumentSubsetBitsetCache` settings were changed. However, the docs
were not updated at that time, and still reflect the old values for
these settings
Add initial feature overview documentation pages for User Profile and
Security Domain.
Co-authored-by: Adam Locke <adam.locke@elastic.co>
Co-authored-by: Tim Vernum <tim@adjective.org>
Co-authored-by: Albert Zaharovits <albert.zaharovits@gmail.com>
This adds the `xpack.notification.email.account.domain_allowlist` dynamic cluster setting that
allows an administrator to specify a list of domains to which emails are allowed to be sent. The
default value for this setting is `["*"]` which means all domains are allowed. It supports
rudimentary globbing (`*`) in the domain name, so `*.company.com` will work as a valid option.
Resolves https://github.com/elastic/elasticsearch/issues/84739
* Update docs for Watcher notification settings to include default xpack.notification.reporting.warning.kbn-csv-contains-formulas.text value and link to the Kibana documentation.
* Apply suggestions from code review
Co-authored-by: Adam Locke <adam.locke@elastic.co>
* Apply suggestions from code review
Co-authored-by: Adam Locke <adam.locke@elastic.co>
Co-authored-by: Adam Locke <adam.locke@elastic.co>
Andrei Dan
Jake Landis
Yang Wang
Keith Massey
Mary Gouseti
Matt Culbreth
Pablo Alcantar Morales
debadair
István Zoltán Szabó
DeDe Morton
Tim Vernum
Abdon Pijpelink
Anthony McGlone
Paramdeep Singh
Joe Gallo
James Baiera
Yang Wang
David Kilfoyle
Przemysław Witek
Adam Locke
Justin Cranford
Lee Hinman
Nicole Albee
Lisa Cawley