From b79629d08cda56cca8ffa057bbd4ada6e30aa217 Mon Sep 17 00:00:00 2001 From: James Rodewig Date: Tue, 26 May 2020 09:20:06 -0400 Subject: [PATCH] [DOCS] Add impact sections to security 8.0 breaking changes (#56439) Co-authored-by: Tim Vernum --- .../migration/migrate_8_0/security.asciidoc | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) diff --git a/docs/reference/migration/migrate_8_0/security.asciidoc b/docs/reference/migration/migrate_8_0/security.asciidoc index da7d5e5d1d4e8..5d09c5b9568b8 100644 --- a/docs/reference/migration/migrate_8_0/security.asciidoc +++ b/docs/reference/migration/migrate_8_0/security.asciidoc @@ -12,6 +12,8 @@ *Details* + The `xpack.security.authc.realms.{type}.{name}.order` setting is now required and must be specified for each explicitly configured realm. Each value must be unique. + +*Impact* + The cluster will fail to start if the requirements are not met. For example, the following configuration is invalid: @@ -40,6 +42,11 @@ xpack.security.authc.realms.kerberos.kerb1: *Details* + The `xpack.security.authc.accept_default_password` setting has not had any affect since the 6.0 release of {es}. It has been removed and cannot be used. + +*Impact* + +Discontinue use of the `xpack.security.authc.accept_default_password` setting. +Specifying this setting in `elasticsearch.yml` will result in an error on +startup. ==== [[roles-index-cache-removed]] @@ -51,6 +58,11 @@ The `xpack.security.authz.store.roles.index.cache.max_size` and `xpack.security.authz.store.roles.index.cache.ttl` settings have been removed. These settings have been redundant and deprecated since the 5.2 release of {es}. + +*Impact* + +Discontinue use of the `xpack.security.authz.store.roles.index.cache.max_size` +and `xpack.security.authz.store.roles.index.cache.ttl` settings. Specifying +these settings in `elasticsearch.yml` will result in an error on startup. ==== [[migrate-tool-removed]] 
@@ -62,6 +74,10 @@ The `elasticsearch-migrate` tool provided a way to convert file realm users and roles into the native realm. It has been deprecated since 7.2.0. Users and roles should now be created in the native realm directly. + +*Impact* + +Discontinue use of the `elasticsearch-migrate` tool. Attempts to use the +`elasticsearch-migrate` tool will result in an error. ==== [[separating-node-and-client-traffic]] @@ -72,6 +88,11 @@ realm directly. The `transport.profiles.*.xpack.security.type` setting has been removed since the Transport Client has been removed and therefore all client traffic now uses the HTTP transport. Transport profiles using this setting should be removed. + +*Impact* + +Discontinue use of the `transport.profiles.*.xpack.security.type` setting. +Specifying this setting in a transport profile in `elasticsearch.yml` will +result in an error on startup. ==== [discrete] @@ -86,6 +107,21 @@ It is now an error to configure any SSL settings for `xpack.security.transport.ssl` without also configuring `xpack.security.transport.ssl.enabled`. +*Impact* + +If using other `xpack.security.transport.ssl` settings, you must explicitly +specify the `xpack.security.transport.ssl.enabled` setting. + +If you do not want to enable SSL and are currently using other +`xpack.security.transport.ssl` settings, do one of the following: + +* Explicitly specify `xpack.security.transport.ssl.enabled` as `false` +* Discontinue use of other `xpack.security.transport.ssl` settings + +If you want to enable SSL, follow the instructions in +{ref}/configuring-tls.html#tls-transport[Encrypting communications between nodes +in a cluster]. As part of this configuration, explicitly specify +`xpack.security.transport.ssl.enabled` as `true`. + For example, the following configuration is invalid: [source,yaml] -------------------------------------------------- 
@@ -111,6 +147,21 @@ It is now an error to configure any SSL settings for `xpack.security.http.ssl` without also configuring `xpack.security.http.ssl.enabled`. +*Impact* + +If using other `xpack.security.http.ssl` settings, you must explicitly +specify the `xpack.security.http.ssl.enabled` setting. + +If you do not want to enable SSL and are currently using other +`xpack.security.http.ssl` settings, do one of the following: + +* Explicitly specify `xpack.security.http.ssl.enabled` as `false` +* Discontinue use of other `xpack.security.http.ssl` settings + +If you want to enable SSL, follow the instructions in +{ref}/configuring-tls.html#tls-http[Encrypting HTTP client communications]. As part +of this configuration, explicitly specify `xpack.security.http.ssl.enabled` +as `true`. + For example, the following configuration is invalid: [source,yaml] -------------------------------------------------- @@ -138,6 +189,13 @@ It is now an error to enable SSL for the transport interface without also config a certificate and key through use of the `xpack.security.transport.ssl.keystore.path` setting or the `xpack.security.transport.ssl.certificate` and `xpack.security.transport.ssl.key` settings. + +*Impact* + +If `xpack.security.transport.ssl.enabled` is set to `true`, provide a +certificate and key using the `xpack.security.transport.ssl.keystore.path` +setting or the `xpack.security.transport.ssl.certificate` and +`xpack.security.transport.ssl.key` settings. If a certificate and key is not +provided, {es} will return in an error on startup. ==== .A `xpack.security.http.ssl` certificate and key are now required to enable SSL for the HTTP server. 
@@ -148,6 +206,13 @@ It is now an error to enable SSL for the HTTP (Rest) server without also configu a certificate and key through use of the `xpack.security.http.ssl.keystore.path` setting or the `xpack.security.http.ssl.certificate` and `xpack.security.http.ssl.key` settings. + +*Impact* + +If `xpack.security.http.ssl.enabled` is set to `true`, provide a certificate and +key using the `xpack.security.http.ssl.keystore.path` setting or the +`xpack.security.http.ssl.certificate` and `xpack.security.http.ssl.key` +settings. If certificate and key is not provided, {es} will return in an error +on startup. ==== [discrete] @@ -163,6 +228,10 @@ The name of this user was confusing, and was often mistakenly used to login to { This has been renamed to `kibana_system` in order to reduce confusion, and to better align with other built-in system accounts. +*Impact* + +Replace any use of the `kibana` user with the `kibana_system` user. Specifying +the `kibana` user in `kibana.yml` will result in an error on startup. + If your `kibana.yml` used to contain: [source,yaml] -------------------------------------------------- @@ -187,4 +256,8 @@ elasticsearch.username: kibana_system Users who were previously assigned the `kibana_user` role should instead be assigned the `kibana_admin` role. This role grants the same set of privileges as `kibana_user`, but has been renamed to better reflect its intended use. + +*Impact* + +Assign users with the `kibana_user` role to the `kibana_admin` role. +Discontinue use of the `kibana_user` role. ====
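Review bot: in the `@@ -40,6 +42,11 @@` hunk, the unchanged context line "has not had any affect since the 6.0 release of {es}" carries a pre-existing typo ("affect" should be "effect"); since this change is already touching the section, fix it here so the Details paragraph reads correctly next to the new Impact text.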
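Review bot: in the `@@ -86,6 +107,21 @@` hunk, the new `*Impact*` block is inserted between the Details sentence and its trailing "For example, the following configuration is invalid:" line, so the invalid-config example now follows "explicitly specify `xpack.security.transport.ssl.enabled` as `true`" and reads as if it illustrated that instruction rather than the Details it belongs to; move the example (and its `[source,yaml]` block) up so it directly follows the Details paragraph, and place `*Impact*` after it. The `@@ -111,6 +147,21 @@` hunk has the same structure and needs the same reordering.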
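Review bot: in the `@@ -138,6 +189,13 @@` hunk, the last added sentence has a grammar and wording problem: "If a certificate and key is not provided, {es} will return in an error on startup." Suggest "If a certificate and key are not provided, {es} will fail to start." This also matches the phrasing already used in the `@@ -12,6 +12,8 @@` hunk ("The cluster will fail to start if the requirements are not met").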
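Review bot: in the `@@ -148,6 +206,13 @@` hunk, the closing sentence "If certificate and key is not provided, {es} will return in an error on startup." is missing an article and uses the same "return in an error" wording as the transport hunk; suggest "If a certificate and key are not provided, {es} will fail to start." so the HTTP and transport sections use identical wording for the identical failure.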
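Review bot: in the `@@ -163,6 +228,10 @@` hunk, the added line "Specifying the `kibana` user in `kibana.yml` will result in an error on startup." should say which component errors; `kibana.yml` is read by Kibana, not by {es}, and the Details only state that the user was renamed to `kibana_system`, so the observable failure may be Kibana failing to authenticate against {es} rather than a configuration error at startup. Confirm the actual behaviour and state it explicitly, for example "Kibana will fail to start because the `kibana` user no longer exists", so readers know what symptom to look for when migrating.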