When running in FIPS mode (fips_mode.enabled: true), the default
password hasher is now "pbkdf2_stretch".
In non-FIPS mode the default is still "bcrypt".
In 7.x and earlier, the default hasher was always "bcrypt".
In 8.0-alpha1, the default hasher on FIPS was "pbkdf2".
Resolves: #66840
A tag is required to reuse Elasticsearch breaking changes in the Stack
Guide. To display properly, the breaking changes must use external
links rather than xrefs.
This PR correctly places those tags for reuse. It also replaces
several xrefs with external links for reuse.
Updates the 8.0 breaking changes to clarify that passwords for the removed
`kibana` user are not preserved for the replacement `kibana_system` users.
Closes #59353
* deprecate the kibana reserved user; introduce kibana_system user
* fix license and test errors
* fix IdentityProviderAuthenticationIT tests
* test deprecation logging
* First pass at SetupPasswordTool updates
* fix checkstyle
* update docs
* update number of expected users
* update test to expect deprecation header
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
The order config must be explicitly specified for each realm.
It must also be unique for each realm.
This is a breaking change and will begin to take effect in 8.0
Resolves: #37614
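
A pre-upgrade check for the realm `order` rule described in the commit message above, as an added example that is not code from the Elasticsearch project. It assumes settings are supplied as a flat key/value mapping using the `xpack.security.authc.realms.<type>.<name>.<setting>` key layout; the function name and the sample values are hypothetical.

```python
import re
from collections import defaultdict

# Assumed key layout: xpack.security.authc.realms.<type>.<name>.<setting>
REALM_KEY = re.compile(r"^xpack\.security\.authc\.realms\.([^.]+)\.([^.]+)\.(.+)$")

def check_realm_orders(settings):
    """Return a list of problems found in a flat {key: value} settings mapping."""
    realms = {}  # (type, name) -> configured order, or None if never set
    for key, value in settings.items():
        m = REALM_KEY.match(key)
        if not m:
            continue  # not a realm setting
        rtype, name, setting = m.groups()
        realms.setdefault((rtype, name), None)
        if setting == "order":
            realms[(rtype, name)] = value

    problems = []
    by_order = defaultdict(list)
    for (rtype, name), order in sorted(realms.items()):
        label = f"{rtype}.{name}"
        if order is None:
            # Rule 1: order must be explicitly specified for each realm.
            problems.append(f"{label}: order is not set")
            continue
        try:
            by_order[int(order)].append(label)
        except (TypeError, ValueError):
            problems.append(f"{label}: order {order!r} is not an integer")
    for order, labels in sorted(by_order.items()):
        if len(labels) > 1:
            # Rule 2: order must be unique for each realm.
            problems.append(f"order {order} is shared by: {', '.join(labels)}")
    return problems

# Constructed sample settings, not taken from any real cluster.
SAMPLE = {
    "xpack.security.authc.realms.native.native1.order": "0",
    "xpack.security.authc.realms.file.file1.order": 1,
    "xpack.security.authc.realms.ldap.corp_ldap.url": "ldaps://ldap.example.test:636",
    "xpack.security.authc.realms.ldap.corp_ldap.order": "1",
    "xpack.security.authc.realms.saml.sso.sp.entity_id": "https://kibana.example.test/",
    "xpack.security.http.ssl.enabled": "true",
}

if __name__ == "__main__":
    for problem in check_realm_orders(SAMPLE):
        print(problem)
```
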
This commit makes it an error to start a node where either of the
server contexts (xpack.security.transport.ssl and
xpack.security.http.ssl) meet either of these conditions:
1. The server lacks a certificate/key pair (i.e. neither
ssl.keystore.path nor ssl.certificate are configured)
2. The server has some ssl configuration, but ssl.enabled is not
specified. This new validation does not care whether ssl.enabled is
true or false (though other validation might), it simply makes it
an error to configure server SSL without being explicit about
whether to enable that configuration.
Now that the transport client has been removed, the client transport
profile filter can be removed from security. This filter prevented node
actions from being executed using a transport client.
This commit removes the deprecated migrate tool which was used to
migrate users from the file realm to native realm when the native realm
was first created.
Removes the deprecated accept_default_password setting.
This setting became redundant when default passwords were removed
from 6.0, but the setting was kept for BWC.
Removes native role store cache settings.
These have been unused since 5.2 but were kept for BWC.