Merge remote-tracking branch 'upstream/master' into kbn-56409-not-fou…

…nd-await-mount

.github/workflows/pr-project-assigner.yml

@@ -8,7 +8,7 @@ jobs:
     name: Assign a PR to project based on label
     steps:
       - name: Assign to project
-        uses: elastic/github-actions/project-assigner@v1.0.0
+        uses: elastic/github-actions/project-assigner@v1.0.1
         id: project_assigner
         with:
           issue-mappings: |

.github/workflows/project-assigner.yml

@@ -8,7 +8,7 @@ jobs:
     name: Assign issue or PR to project based on label
     steps:
       - name: Assign to project
-        uses: elastic/github-actions/project-assigner@v1.0.0
+        uses: elastic/github-actions/project-assigner@v1.0.1
         id: project_assigner
         with:
           issue-mappings: '[{"label": "Team:AppArch", "projectName": "kibana-app-arch", "columnId": 6173895}, {"label": "Feature:Lens", "projectName": "Lens", "columnId": 6219363}, {"label": "Team:Canvas", "projectName": "canvas", "columnId": 6187593}]'

docs/management/watcher-ui/index.asciidoc

@@ -34,7 +34,7 @@ If the {es} {security-features} are enabled, you must have the
 {ref}/security-privileges.html[`manage_watcher` or `monitor_watcher`]
 cluster privileges to use Watcher in {kib}.
 
-Alternately, you can have the built-in `kibana_user` role
+Alternately, you can have the built-in `kibana_admin` role
 and either of these watcher roles:
 
 * `watcher_admin`. You can perform all Watcher actions, including create and edit watches.

docs/migration/migrate_8_0.asciidoc

@@ -80,6 +80,21 @@ specified explicitly.
 
 *Impact:* Any workflow that involved manually clearing generated bundles will have to be updated with the new path.
 
+[float]
+[[breaking_80_user_role_changes]]
+=== User role changes
+
+[float]
+==== `kibana_user` role has been removed and `kibana_admin` has been added.
+
+*Details:* The `kibana_user` role has been removed and `kibana_admin` has been added to better
+reflect its intended use. This role continues to grant all access to every
+{kib} feature. If you wish to restrict access to specific features, create
+custom roles with {kibana-ref}/kibana-privileges.html[{kib} privileges].
+
+*Impact:* Any users currently assigned the `kibana_user` role will need to
+instead be assigned the `kibana_admin` role to maintain their current
+access level.
 
 [float]
 [[breaking_80_reporting_changes]]

docs/plugins/known-plugins.asciidoc

@@ -20,6 +20,7 @@ This list of plugins is not guaranteed to work on your version of Kibana. Instea
 * https://github.com/johtani/analyze-api-ui-plugin[Analyze UI] (johtani) - UI for elasticsearch _analyze API
 * https://github.com/TrumanDu/cleaner[Cleaner] (TrumanDu)- Setting index ttl.
 * https://github.com/bitsensor/elastalert-kibana-plugin[ElastAlert Kibana Plugin] (BitSensor) - UI to create, test and edit ElastAlert rules
+* https://github.com/query-ai/queryai-kibana-plugin[AI Analyst] (Query.AI) - App providing: NLP queries, automation, ML visualizations and insights
 
 [float]
 === Timelion Extensions

docs/uptime-guide/security.asciidoc

@@ -42,15 +42,15 @@ PUT /_security/role/uptime
 === Assign the role to a user
 
 Next, you'll need to create a user with both the `uptime` role, and another role with sufficient {kibana-ref}/kibana-privileges.html[Kibana privileges],
-such as the `kibana_user` role.
+such as the `kibana_admin` role.
 You can do this with the following request:
 
 ["source","sh",subs="attributes,callouts"]
 ---------------------------------------------------------------
 PUT /_security/user/jacknich
 {
   "password" : "j@rV1s",
-  "roles" : [ "uptime", "kibana_user" ],
+  "roles" : [ "uptime", "kibana_admin" ],
   "full_name" : "Jack Nicholson",
   "email" : "jacknich@example.com",
   "metadata" : {

docs/user/monitoring/viewing-metrics.asciidoc

@@ -63,7 +63,7 @@ remote monitoring cluster, you must use credentials that are valid on both the
 
 --
 
-.. Create users that have the `monitoring_user` and `kibana_user` 
+.. Create users that have the `monitoring_user` and `kibana_admin` 
 {ref}/built-in-roles.html[built-in roles].
 
 . Open {kib} in your web browser. 

docs/user/security/authorization/index.asciidoc

@@ -2,11 +2,11 @@
 [[xpack-security-authorization]]
 
 === Granting access to {kib}
-The Elastic Stack comes with the `kibana_user` {ref}/built-in-roles.html[built-in role], which you can use to grant access to all Kibana features in all spaces. To grant users access to a subset of spaces or features, you can create a custom role that grants the desired Kibana privileges. 
+The Elastic Stack comes with the `kibana_admin` {ref}/built-in-roles.html[built-in role], which you can use to grant access to all Kibana features in all spaces. To grant users access to a subset of spaces or features, you can create a custom role that grants the desired Kibana privileges. 
 
-When you assign a user multiple roles, the user receives a union of the roles’ privileges. Therefore, assigning the `kibana_user` role in addition to a custom role that grants Kibana privileges is ineffective because `kibana_user` has access to all the features in all spaces.
+When you assign a user multiple roles, the user receives a union of the roles’ privileges. Therefore, assigning the `kibana_admin` role in addition to a custom role that grants Kibana privileges is ineffective because `kibana_admin` has access to all the features in all spaces.
 
-NOTE: When running multiple tenants of Kibana by changing the `kibana.index` in your `kibana.yml`, you cannot use `kibana_user` to grant access. You must create custom roles that authorize the user for that specific tenant. Although multi-tenant installations are supported, the recommended approach to securing access to Kibana segments is to grant users access to specific spaces.
+NOTE: When running multiple tenants of Kibana by changing the `kibana.index` in your `kibana.yml`, you cannot use `kibana_admin` to grant access. You must create custom roles that authorize the user for that specific tenant. Although multi-tenant installations are supported, the recommended approach to securing access to Kibana segments is to grant users access to specific spaces.
 
 [role="xpack"]
 === {kib} role management

docs/user/security/reporting.asciidoc

@@ -85,14 +85,14 @@ elasticsearch.username: 'custom_kibana_system'
 [[reporting-roles-user-api]]
 ==== With the user API
 This example uses the {ref}/security-api-put-user.html[user API] to create a user who has the
-`reporting_user` role and the `kibana_user` role:
+`reporting_user` role and the `kibana_admin` role:
 
 [source, sh]
 ---------------------------------------------------------------
 POST /_security/user/reporter
 {
   "password" : "x-pack-test-password",
-  "roles" : ["kibana_user", "reporting_user"],
+  "roles" : ["kibana_admin", "reporting_user"],
   "full_name" : "Reporting User"
 }
 ---------------------------------------------------------------
@@ -106,11 +106,11 @@ roles on a per user basis, or assign roles to groups of users. By default, role
 mappings are configured in
 {ref}/mapping-roles.html[`config/shield/role_mapping.yml`].
 For example, the following snippet assigns the user named Bill Murray the
-`kibana_user` and `reporting_user` roles:
+`kibana_admin` and `reporting_user` roles:
 
 [source,yaml]
 --------------------------------------------------------------------------------
-kibana_user:
+kibana_admin:
   - "cn=Bill Murray,dc=example,dc=com"
 reporting_user:
   - "cn=Bill Murray,dc=example,dc=com"

docs/user/security/securing-kibana.asciidoc

@@ -104,15 +104,15 @@ You can manage privileges on the *Management / Security / Roles* page in {kib}.
 If you're using the native realm with Basic Authentication, you can assign roles
 using the *Management / Security / Users* page in {kib} or the
 {ref}/security-api.html#security-user-apis[user management APIs]. For example, 
-the following creates a user named `jacknich` and assigns it the `kibana_user` 
+the following creates a user named `jacknich` and assigns it the `kibana_admin` 
 role:
 
 [source,js]
 --------------------------------------------------------------------------------
 POST /_security/user/jacknich
 {
   "password" : "t0pS3cr3t",
-  "roles" : [ "kibana_user" ]
+  "roles" : [ "kibana_admin" ]
 }
 --------------------------------------------------------------------------------
 // CONSOLE

docs/user/visualize.asciidoc

@@ -75,6 +75,53 @@ modifications to the saved search are automatically reflected in the
 visualization. To disable automatic updates, you can disconnect a visualization
 from the saved search.
 
+[float]
+[[vis-inspector]]
+== Inspect visualizations
+
+Many visualizations allow you to inspect the query and data behind the visualization.
+
+. In the {kib} toolbar, click *Inspect*.
+. To download the data, click *Download CSV*, then choose one of the following options:
+* *Formatted CSV* - Downloads the data in table format.
+* *Raw CSV* - Downloads the data as provided.
+. To view the requests for collecting data, select *Requests* from the *View*
+dropdown.
+
+[float]
+[[save-visualize]]
+== Save visualizations
+To use your visualizations in <<dashboard, dashboards>>, you must save them.
+
+. In the {kib} toolbar, click *Save*.
+. Enter the visualization *Title* and optional *Description*, then *Save* the visualization.
+
+To access the saved visualization, go to *Management > {kib} > Saved Objects*.
+
+[float]
+[[save-visualization-read-only-access]]
+==== Read only access
+When you have insufficient privileges to save visualizations, the following indicator is
+displayed and the *Save* button is not visible.
+
+For more information, refer to <<xpack-security-authorization>>.
+
+[role="screenshot"]
+image::visualize/images/read-only-badge.png[Example of Visualize's read only access indicator in Kibana's header]
+
+[float]
+[[visualize-share-options]]
+== Share visualizations
+
+When you've finished your visualization, you can share it outside of {kib}.
+
+From the *Share* menu, you can:
+
+* Embed the code in a web page. Users must have {kib} access
+to view an embedded visualization.
+* Share a direct link to a {kib} visualization.
+* Generate a PDF report.
+* Generate a PNG report.
 
 --
 include::{kib-repo-dir}/visualize/visualize_rollup_data.asciidoc[]
@@ -95,7 +142,3 @@ include::{kib-repo-dir}/visualize/heatmap.asciidoc[]
 include::{kib-repo-dir}/visualize/for-dashboard.asciidoc[]
 
 include::{kib-repo-dir}/visualize/vega.asciidoc[]
-
-include::{kib-repo-dir}/visualize/saving.asciidoc[]
-
-include::{kib-repo-dir}/visualize/inspector.asciidoc[]

package.json

@@ -454,7 +454,7 @@
     "murmurhash3js": "3.0.1",
     "mutation-observer": "^1.0.3",
     "nock": "10.0.6",
-    "node-sass": "^4.9.4",
+    "node-sass": "^4.13.1",
     "normalize-path": "^3.0.0",
     "nyc": "^14.1.1",
     "pixelmatch": "^5.1.0",

packages/kbn-plugin-helpers/package.json

@@ -24,7 +24,7 @@
     "gulp-zip": "5.0.1",
     "inquirer": "^1.2.2",
     "minimatch": "^3.0.4",
-    "node-sass": "^4.9.4",
+    "node-sass": "^4.13.1",
     "through2": "^2.0.3",
     "through2-map": "^3.0.0",
     "vinyl-fs": "^3.0.3"

packages/kbn-ui-framework/package.json

@@ -53,7 +53,7 @@
     "jquery": "^3.4.1",
     "keymirror": "0.1.1",
     "moment": "^2.24.0",
-    "node-sass": "^4.9.4",
+    "node-sass": "^4.13.1",
     "postcss": "^7.0.5",
     "postcss-loader": "^3.0.0",
     "raw-loader": "^3.1.0",

src/core/server/elasticsearch/elasticsearch_config.ts

@@ -103,7 +103,19 @@ const configSchema = schema.object({
   ),
   apiVersion: schema.string({ defaultValue: DEFAULT_API_VERSION }),
   healthCheck: schema.object({ delay: schema.duration({ defaultValue: 2500 }) }),
-  ignoreVersionMismatch: schema.boolean({ defaultValue: false }),
+  ignoreVersionMismatch: schema.conditional(
+    schema.contextRef('dev'),
+    false,
+    schema.boolean({
+      validate: rawValue => {
+        if (rawValue === true) {
+          return '"ignoreVersionMismatch" can only be set to true in development mode';
+        }
+      },
+      defaultValue: false,
+    }),
+    schema.boolean({ defaultValue: false })
+  ),
 });
 
 const deprecations: ConfigDeprecationProvider = () => [

src/core/server/elasticsearch/elasticsearch_service.mock.ts

@@ -23,6 +23,7 @@ import { IScopedClusterClient } from './scoped_cluster_client';
 import { ElasticsearchConfig } from './elasticsearch_config';
 import { ElasticsearchService } from './elasticsearch_service';
 import { InternalElasticsearchServiceSetup, ElasticsearchServiceSetup } from './types';
+import { NodesVersionCompatibility } from './version_check/ensure_es_version';
 
 const createScopedClusterClientMock = (): jest.Mocked<IScopedClusterClient> => ({
   callAsInternalUser: jest.fn(),
@@ -71,6 +72,12 @@ type MockedInternalElasticSearchServiceSetup = jest.Mocked<
 const createInternalSetupContractMock = () => {
   const setupContract: MockedInternalElasticSearchServiceSetup = {
     ...createSetupContractMock(),
+    esNodesCompatibility$: new BehaviorSubject<NodesVersionCompatibility>({
+      isCompatible: true,
+      incompatibleNodes: [],
+      warningNodes: [],
+      kibanaVersion: '8.0.0',
+    }),
     legacy: {
       config$: new BehaviorSubject({} as ElasticsearchConfig),
     },

src/core/server/elasticsearch/elasticsearch_service.test.ts

@@ -31,6 +31,7 @@ import { httpServiceMock } from '../http/http_service.mock';
 import { ElasticsearchConfig } from './elasticsearch_config';
 import { ElasticsearchService } from './elasticsearch_service';
 import { elasticsearchServiceMock } from './elasticsearch_service.mock';
+import { duration } from 'moment';
 
 let elasticsearchService: ElasticsearchService;
 const configService = configServiceMock.create();
@@ -41,7 +42,7 @@ configService.atPath.mockReturnValue(
   new BehaviorSubject({
     hosts: ['http://1.2.3.4'],
     healthCheck: {
-      delay: 2000,
+      delay: duration(2000),
     },
     ssl: {
       verificationMode: 'none',
@@ -125,7 +126,7 @@ describe('#setup', () => {
       const config = MockClusterClient.mock.calls[0][0];
       expect(config).toMatchInlineSnapshot(`
 Object {
-  "healthCheckDelay": 2000,
+  "healthCheckDelay": "PT2S",
   "hosts": Array [
     "http://8.8.8.8",
   ],
@@ -150,7 +151,7 @@ Object {
       const config = MockClusterClient.mock.calls[0][0];
       expect(config).toMatchInlineSnapshot(`
 Object {
-  "healthCheckDelay": 2000,
+  "healthCheckDelay": "PT2S",
   "hosts": Array [
     "http://1.2.3.4",
   ],
@@ -174,7 +175,7 @@ Object {
         new BehaviorSubject({
           hosts: ['http://1.2.3.4', 'http://9.8.7.6'],
           healthCheck: {
-            delay: 2000,
+            delay: duration(2000),
           },
           ssl: {
             verificationMode: 'none',
@@ -196,7 +197,7 @@ Object {
       const config = MockClusterClient.mock.calls[0][0];
       expect(config).toMatchInlineSnapshot(`
         Object {
-          "healthCheckDelay": 2000,
+          "healthCheckDelay": "PT2S",
           "hosts": Array [
             "http://8.8.8.8",
           ],