[DOCS] Add impact sections to security 8.0 breaking changes #56439

Merged
merged 4 commits into from
May 26, 2020
73 changes: 73 additions & 0 deletions docs/reference/migration/migrate_8_0/security.asciidoc
Expand Up @@ -12,6 +12,8 @@
*Details* +
The `xpack.security.authc.realms.{type}.{name}.order` setting is now required and must be
specified for each explicitly configured realm. Each value must be unique.

*Impact* +
The cluster will fail to start if the requirements are not met.

For example, the following configuration is invalid:
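
Review bot: The added *Impact* paragraph only states the consequence ("The cluster will fail to start if the requirements are not met") and does not say what the reader must do, unlike the later *Impact* blocks in this change, which lead with the action ("Discontinue use of ..."). Suggest leading with the action here as well, for example "Specify a unique `order` value for each explicitly configured realm. The cluster will fail to start if the requirements are not met."
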
Expand Down Expand Up @@ -40,6 +42,11 @@ xpack.security.authc.realms.kerberos.kerb1:
*Details* +
The `xpack.security.authc.accept_default_password` setting has not had any affect
since the 6.0 release of {es}. It has been removed and cannot be used.

*Impact* +
Discontinue use of the `xpack.security.authc.accept_default_password` setting.
Specifying this setting in `elasticsearch.yml` will result in an error on
startup.
====

[[roles-index-cache-removed]]
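
Review bot: In the context line directly above the added *Impact* block, "has not had any affect" should read "has not had any effect". Since this change already touches the section, it is worth fixing in the same commit.
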
Expand All @@ -51,6 +58,11 @@ The `xpack.security.authz.store.roles.index.cache.max_size` and
`xpack.security.authz.store.roles.index.cache.ttl` settings have
been removed. These settings have been redundant and deprecated
since the 5.2 release of {es}.

*Impact* +
Discontinue use of the `xpack.security.authz.store.roles.index.cache.max_size`
and `xpack.security.authz.store.roles.index.cache.ttl` settings. Specifying
these settings in `elasticsearch.yml` will result in an error on startup.
====

[[migrate-tool-removed]]
Expand All @@ -62,6 +74,10 @@ The `elasticsearch-migrate` tool provided a way to convert file
realm users and roles into the native realm. It has been deprecated
since 7.2.0. Users and roles should now be created in the native
realm directly.

*Impact* +
Discontinue use of the `elasticsearch-migrate` tool. Attempts to use the
`elasticsearch-migrate` tool will result in an error.
====

[[separating-node-and-client-traffic]]
Expand All @@ -72,6 +88,11 @@ realm directly.
The `transport.profiles.*.xpack.security.type` setting has been removed since
the Transport Client has been removed and therefore all client traffic now uses
the HTTP transport. Transport profiles using this setting should be removed.

*Impact* +
Discontinue use of the `transport.profiles.*.xpack.security.type` setting.
Specifying this setting in a transport profile in `elasticsearch.yml` will
result in an error on startup.
====

[discrete]
Expand All @@ -86,6 +107,21 @@ It is now an error to configure any SSL settings for
`xpack.security.transport.ssl` without also configuring
`xpack.security.transport.ssl.enabled`.

*Impact* +
If using other `xpack.security.transport.ssl` settings, you must explicitly
specify the `xpack.security.transport.ssl.enabled` setting.

If you do not want to enable SSL and are currently using other
`xpack.security.transport.ssl` settings, do one of the following:

* Explicitly specify `xpack.security.transport.ssl.enabled` as `false`
* Discontinue use of other `xpack.security.transport.ssl` settings

If you want to enable SSL, follow the instructions in
{ref}/configuring-tls.html#tls-transport[Encrypting communications between nodes
in a cluster]. As part of this configuration, explicitly specify
`xpack.security.transport.ssl.enabled` as `true`.

For example, the following configuration is invalid:
[source,yaml]
--------------------------------------------------
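
Review bot: The added *Impact* text lists the two ways to keep SSL disabled before the paragraph on enabling it, so the option that leaves communication between nodes unencrypted is the first thing a reader sees. Consider moving the "If you want to enable SSL, follow the instructions in ..." paragraph ahead of the "If you do not want to enable SSL" list, so the documented TLS setup is the leading path and `enabled: false` reads as the alternative.
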
Expand All @@ -111,6 +147,21 @@ It is now an error to configure any SSL settings for
`xpack.security.http.ssl` without also configuring
`xpack.security.http.ssl.enabled`.

*Impact* +
If using other `xpack.security.http.ssl` settings, you must explicitly
specify the `xpack.security.http.ssl.enabled` setting.

If you do not want to enable SSL and are currently using other
`xpack.security.http.ssl` settings, do one of the following:

* Explicitly specify `xpack.security.http.ssl.enabled` as `false`
* Discontinue use of other `xpack.security.http.ssl` settings

If you want to enable SSL, follow the instructions in
{ref}/configuring-tls.html#tls-http[Encrypting HTTP client communications]. As part
of this configuration, explicitly specify `xpack.security.http.ssl.enabled`
as `true`.

Contributor

The comment above for transport.ssl.enabled applies here too.

For example, the following configuration is invalid:
[source,yaml]
--------------------------------------------------
Expand Down Expand Up @@ -138,6 +189,13 @@ It is now an error to enable SSL for the transport interface without also config
a certificate and key through use of the `xpack.security.transport.ssl.keystore.path`
setting or the `xpack.security.transport.ssl.certificate` and
`xpack.security.transport.ssl.key` settings.

*Impact* +
If `xpack.security.transport.ssl.enabled` is set to `true`, provide a
certificate and key using the `xpack.security.transport.ssl.keystore.path`
setting or the `xpack.security.transport.ssl.certificate` and
`xpack.security.transport.ssl.key` settings. If a certificate and key is not
provided, {es} will return in an error on startup.
====

.A `xpack.security.http.ssl` certificate and key are now required to enable SSL for the HTTP server.
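
Review bot: The last sentence of the added *Impact* block, "If a certificate and key is not provided, {es} will return in an error on startup", has a verb slip ("return in an error") and a number mismatch ("is"). Suggest "If a certificate and key are not provided, {es} will return an error on startup."
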
Expand All @@ -148,6 +206,13 @@ It is now an error to enable SSL for the HTTP (Rest) server without also configu
a certificate and key through use of the `xpack.security.http.ssl.keystore.path`
setting or the `xpack.security.http.ssl.certificate` and
`xpack.security.http.ssl.key` settings.

*Impact* +
If `xpack.security.http.ssl.enabled` is set to `true`, provide a certificate and
key using the `xpack.security.http.ssl.keystore.path` setting or the
`xpack.security.http.ssl.certificate` and `xpack.security.http.ssl.key`
settings. If certificate and key is not provided, {es} will return in an error
on startup.
====

[discrete]
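
Review bot: "If certificate and key is not provided" in the HTTP *Impact* block drops the article that the transport section uses ("If a certificate and key ...") and carries the same "will return in an error" slip. Suggest "If a certificate and key are not provided, {es} will return an error on startup", with wording kept identical to the transport section so the two stay parallel.
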
Expand All @@ -163,6 +228,10 @@ The name of this user was confusing, and was often mistakenly used to login to {
This has been renamed to `kibana_system` in order to reduce confusion, and to better
align with other built-in system accounts.

*Impact* +
Replace any use of the `kibana` user with the `kibana_system` user. Specifying
the `kibana` user in `kibana.yml` will result in an error on startup.

If your `kibana.yml` used to contain:
[source,yaml]
--------------------------------------------------
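
Review bot: "will result in an error on startup" at the end of the added *Impact* block does not say which process fails. The earlier sections use the same phrase for settings in `elasticsearch.yml`, while this one concerns `kibana.yml`, so a reader can take it to mean {es} startup. Name Kibana explicitly in that sentence.
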
Expand All @@ -187,4 +256,8 @@ elasticsearch.username: kibana_system
Users who were previously assigned the `kibana_user` role should instead be assigned
the `kibana_admin` role. This role grants the same set of privileges as `kibana_user`, but has been
renamed to better reflect its intended use.

*Impact* +
Assign users with the `kibana_user` role to the `kibana_admin` role.
Discontinue use of the `kibana_user` role.
====
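
Review bot: "Assign users with the `kibana_user` role to the `kibana_admin` role" in the added *Impact* block inverts the relationship used in the *Details* text above it, where users are "assigned the `kibana_admin` role". Suggest "Assign the `kibana_admin` role to users who currently have the `kibana_user` role." The block also does not say what happens if `kibana_user` keeps being used, which every other *Impact* section in this change does state.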