[DOCS] Add impact sections to security 8.0 breaking changes (#56439)

Co-authored-by: Tim Vernum <[email protected]>
elastic · May 26, 2020 · b79629d · b79629d
1 parent b4b31ef
commit b79629d
Showing 1 changed file with 73 additions and 0 deletions.
diff --git a/docs/reference/migration/migrate_8_0/security.asciidoc b/docs/reference/migration/migrate_8_0/security.asciidoc
@@ -12,6 +12,8 @@
 *Details* +
 The `xpack.security.authc.realms.{type}.{name}.order` setting is now required and must be
 specified for each explicitly configured realm. Each value must be unique.
+
+*Impact* +
 The cluster will fail to start if the requirements are not met.
 
 For example, the following configuration is invalid:
@@ -40,6 +42,11 @@ xpack.security.authc.realms.kerberos.kerb1:
 *Details* +
 The `xpack.security.authc.accept_default_password` setting has not had any affect
 since the 6.0 release of {es}. It has been removed and cannot be used.
+
+*Impact* +
+Discontinue use of the `xpack.security.authc.accept_default_password` setting.
+Specifying this setting in `elasticsearch.yml` will result in an error on
+startup.
 ====
 
 [[roles-index-cache-removed]]
@@ -51,6 +58,11 @@ The `xpack.security.authz.store.roles.index.cache.max_size` and
 `xpack.security.authz.store.roles.index.cache.ttl` settings have
 been removed. These settings have been redundant and deprecated
 since the 5.2 release of {es}.
+
+*Impact* +
+Discontinue use of the `xpack.security.authz.store.roles.index.cache.max_size`
+and `xpack.security.authz.store.roles.index.cache.ttl` settings. Specifying
+these settings in `elasticsearch.yml` will result in an error on startup.
 ====
 
 [[migrate-tool-removed]]
@@ -62,6 +74,10 @@ The `elasticsearch-migrate` tool provided a way to convert file
 realm users and roles into the native realm. It has been deprecated
 since 7.2.0. Users and roles should now be created in the native
 realm directly.
+
+*Impact* +
+Discontinue use of the `elasticsearch-migrate` tool. Attempts to use the
+`elasticsearch-migrate` tool will result in an error.
 ====
 
 [[separating-node-and-client-traffic]]
@@ -72,6 +88,11 @@ realm directly.
 The `transport.profiles.*.xpack.security.type` setting has been removed since
 the Transport Client has been removed and therefore all client traffic now uses
 the HTTP transport. Transport profiles using this setting should be removed.
+
+*Impact* +
+Discontinue use of the `transport.profiles.*.xpack.security.type` setting.
+Specifying this setting in a transport profile in `elasticsearch.yml` will
+result in an error on startup.
 ====
 
 [discrete]
@@ -86,6 +107,21 @@ It is now an error to configure any SSL settings for
 `xpack.security.transport.ssl` without also configuring
 `xpack.security.transport.ssl.enabled`.
 
+*Impact* +
+If using other `xpack.security.transport.ssl` settings, you must explicitly
+specify the `xpack.security.transport.ssl.enabled` setting.
+
+If you do not want to enable SSL and are currently using other
+`xpack.security.transport.ssl` settings, do one of the following:
+
+* Explicitly specify `xpack.security.transport.ssl.enabled` as `false`
+* Discontinue use of other `xpack.security.transport.ssl` settings
+
+If you want to enable SSL, follow the instructions in
+{ref}/configuring-tls.html#tls-transport[Encrypting communications between nodes
+in a cluster]. As part of this configuration, explicitly specify
+`xpack.security.transport.ssl.enabled` as `true`.
+
 For example, the following configuration is invalid:
 [source,yaml]
 --------------------------------------------------
@@ -111,6 +147,21 @@ It is now an error to configure any SSL settings for
 `xpack.security.http.ssl` without also configuring
 `xpack.security.http.ssl.enabled`.
 
+*Impact* +
+If using other `xpack.security.http.ssl` settings, you must explicitly
+specify the `xpack.security.http.ssl.enabled` setting.
+
+If you do not want to enable SSL and are currently using other
+`xpack.security.http.ssl` settings, do one of the following:
+
+* Explicitly specify `xpack.security.http.ssl.enabled` as `false`
+* Discontinue use of other `xpack.security.http.ssl` settings
+
+If you want to enable SSL, follow the instructions in
+{ref}/configuring-tls.html#tls-http[Encrypting HTTP client communications]. As part
+of this configuration, explicitly specify `xpack.security.http.ssl.enabled`
+as `true`.
+
 For example, the following configuration is invalid:
 [source,yaml]
 --------------------------------------------------
@@ -138,6 +189,13 @@ It is now an error to enable SSL for the transport interface without also config
 a certificate and key through use of the `xpack.security.transport.ssl.keystore.path`
 setting or the `xpack.security.transport.ssl.certificate` and
 `xpack.security.transport.ssl.key` settings.
+
+*Impact* +
+If `xpack.security.transport.ssl.enabled` is set to `true`, provide a
+certificate and key using the `xpack.security.transport.ssl.keystore.path`
+setting or the `xpack.security.transport.ssl.certificate` and
+`xpack.security.transport.ssl.key` settings. If a certificate and key is not
+provided, {es} will return in an error on startup.
 ====
 
 .A `xpack.security.http.ssl` certificate and key are now required to enable SSL for the HTTP server.
@@ -148,6 +206,13 @@ It is now an error to enable SSL for the HTTP (Rest) server without also configu
 a certificate and key through use of the `xpack.security.http.ssl.keystore.path`
 setting or the `xpack.security.http.ssl.certificate` and
 `xpack.security.http.ssl.key` settings.
+
+*Impact* +
+If `xpack.security.http.ssl.enabled` is set to `true`, provide a certificate and
+key using the `xpack.security.http.ssl.keystore.path` setting or the
+`xpack.security.http.ssl.certificate` and `xpack.security.http.ssl.key`
+settings. If certificate and key is not provided, {es} will return in an error
+on startup.
 ====
 
 [discrete]
@@ -163,6 +228,10 @@ The name of this user was confusing, and was often mistakenly used to login to {
 This has been renamed to `kibana_system` in order to reduce confusion, and to better
 align with other built-in system accounts.
 
+*Impact* +
+Replace any use of the `kibana` user with the `kibana_system` user. Specifying
+the `kibana` user in `kibana.yml` will result in an error on startup.
+
 If your `kibana.yml` used to contain:
 [source,yaml]
 --------------------------------------------------
@@ -187,4 +256,8 @@ elasticsearch.username: kibana_system
 Users who were previously assigned the `kibana_user` role should instead be assigned
 the `kibana_admin` role. This role grants the same set of privileges as `kibana_user`, but has been
 renamed to better reflect its intended use.
+
+*Impact* +
+Assign users with the `kibana_user` role to the `kibana_admin` role.
+Discontinue use of the `kibana_user` role.
 ====