Skip to content

Commit

Permalink
Merge remote-tracking branch 'upstream/master' into update-mig-doc-ap…
Browse files Browse the repository at this point in the history
…p-updater
  • Loading branch information
pgayvallet committed Jan 17, 2020
2 parents def5229 + 92b5f78 commit b2e69f0
Show file tree
Hide file tree
Showing 391 changed files with 9,202 additions and 6,284 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [DeprecationSettings](./kibana-plugin-server.deprecationsettings.md) &gt; [docLinksKey](./kibana-plugin-server.deprecationsettings.doclinkskey.md)

## DeprecationSettings.docLinksKey property

Key to documentation links

<b>Signature:</b>

```typescript
docLinksKey: string;
```
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [DeprecationSettings](./kibana-plugin-server.deprecationsettings.md)

## DeprecationSettings interface

UiSettings deprecation field options.

<b>Signature:</b>

```typescript
export interface DeprecationSettings
```

## Properties

| Property | Type | Description |
| --- | --- | --- |
| [docLinksKey](./kibana-plugin-server.deprecationsettings.doclinkskey.md) | <code>string</code> | Key to documentation links |
| [message](./kibana-plugin-server.deprecationsettings.message.md) | <code>string</code> | Deprecation message |

Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [DeprecationSettings](./kibana-plugin-server.deprecationsettings.md) &gt; [message](./kibana-plugin-server.deprecationsettings.message.md)

## DeprecationSettings.message property

Deprecation message

<b>Signature:</b>

```typescript
message: string;
```
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [ImageValidation](./kibana-plugin-server.imagevalidation.md) &gt; [maxSize](./kibana-plugin-server.imagevalidation.maxsize.md)

## ImageValidation.maxSize property

<b>Signature:</b>

```typescript
maxSize: {
length: number;
description: string;
};
```
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [ImageValidation](./kibana-plugin-server.imagevalidation.md)

## ImageValidation interface

<b>Signature:</b>

```typescript
export interface ImageValidation
```

## Properties

| Property | Type | Description |
| --- | --- | --- |
| [maxSize](./kibana-plugin-server.imagevalidation.maxsize.md) | <code>{</code><br/><code> length: number;</code><br/><code> description: string;</code><br/><code> }</code> | |

Original file line number Diff line number Diff line change
Expand Up @@ -9,14 +9,14 @@ Generate a `KibanaResponse` which renders an HTML page bootstrapped with the `co
<b>Signature:</b>

```typescript
render(options?: IRenderOptions): Promise<string>;
render(options?: Pick<IRenderOptions, 'includeUserSettings'>): Promise<string>;
```

## Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| options | <code>IRenderOptions</code> | |
| options | <code>Pick&lt;IRenderOptions, 'includeUserSettings'&gt;</code> | |

<b>Returns:</b>

Expand Down
3 changes: 3 additions & 0 deletions docs/development/core/server/kibana-plugin-server.md
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
| [DeprecationAPIClientParams](./kibana-plugin-server.deprecationapiclientparams.md) | |
| [DeprecationAPIResponse](./kibana-plugin-server.deprecationapiresponse.md) | |
| [DeprecationInfo](./kibana-plugin-server.deprecationinfo.md) | |
| [DeprecationSettings](./kibana-plugin-server.deprecationsettings.md) | UiSettings deprecation field options. |
| [DiscoveredPlugin](./kibana-plugin-server.discoveredplugin.md) | Small container object used to expose information about discovered plugins that may or may not have been started. |
| [ElasticsearchError](./kibana-plugin-server.elasticsearcherror.md) | |
| [ElasticsearchServiceSetup](./kibana-plugin-server.elasticsearchservicesetup.md) | |
Expand All @@ -69,6 +70,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
| [ICspConfig](./kibana-plugin-server.icspconfig.md) | CSP configuration for use in Kibana. |
| [IKibanaResponse](./kibana-plugin-server.ikibanaresponse.md) | A response data object, expected to returned as a result of [RequestHandler](./kibana-plugin-server.requesthandler.md) execution |
| [IKibanaSocket](./kibana-plugin-server.ikibanasocket.md) | A tiny abstraction for TCP socket. |
| [ImageValidation](./kibana-plugin-server.imagevalidation.md) | |
| [IndexSettingsDeprecationInfo](./kibana-plugin-server.indexsettingsdeprecationinfo.md) | |
| [IRenderOptions](./kibana-plugin-server.irenderoptions.md) | |
| [IRouter](./kibana-plugin-server.irouter.md) | Registers route handlers for specified resource path and method. See [RouteConfig](./kibana-plugin-server.routeconfig.md) and [RequestHandler](./kibana-plugin-server.requesthandler.md) for more information about arguments to route registrations. |
Expand Down Expand Up @@ -140,6 +142,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
| [SessionStorage](./kibana-plugin-server.sessionstorage.md) | Provides an interface to store and retrieve data across requests. |
| [SessionStorageCookieOptions](./kibana-plugin-server.sessionstoragecookieoptions.md) | Configuration used to create HTTP session storage based on top of cookie mechanism. |
| [SessionStorageFactory](./kibana-plugin-server.sessionstoragefactory.md) | SessionStorage factory to bind one to an incoming request |
| [StringValidation](./kibana-plugin-server.stringvalidation.md) | |
| [UiSettingsParams](./kibana-plugin-server.uisettingsparams.md) | UiSettings parameters defined by the plugins. |
| [UiSettingsServiceSetup](./kibana-plugin-server.uisettingsservicesetup.md) | |
| [UiSettingsServiceStart](./kibana-plugin-server.uisettingsservicestart.md) | |
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [StringValidation](./kibana-plugin-server.stringvalidation.md)

## StringValidation interface

<b>Signature:</b>

```typescript
export interface StringValidation
```

## Properties

| Property | Type | Description |
| --- | --- | --- |
| [message](./kibana-plugin-server.stringvalidation.message.md) | <code>string</code> | |
| [regexString](./kibana-plugin-server.stringvalidation.regexstring.md) | <code>string</code> | |

Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [StringValidation](./kibana-plugin-server.stringvalidation.md) &gt; [message](./kibana-plugin-server.stringvalidation.message.md)

## StringValidation.message property

<b>Signature:</b>

```typescript
message: string;
```
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [StringValidation](./kibana-plugin-server.stringvalidation.md) &gt; [regexString](./kibana-plugin-server.stringvalidation.regexstring.md)

## StringValidation.regexString property

<b>Signature:</b>

```typescript
regexString: string;
```
6 changes: 3 additions & 3 deletions docs/maps/maps-aggregations.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -24,13 +24,13 @@ The *Grid aggregation* source uses {ref}/search-aggregations-bucket-geotilegrid-

You can symbolize grid aggregation metrics as:

*Points*:: Creates a <<vector-layer, vector layer>> with a point for each gridded cell.
The point location is the weighted centroid for all geo-points in the gridded cell.

*Grid rectangles*:: Creates a <<vector-layer, vector layer>> with a bounding box polygon for each gridded cell.

*Heat map*:: Creates a <<heatmap-layer, heat map layer>> that clusters the weighted centroids for each gridded cell.

*Clusters*:: Creates a <<vector-layer, vector layer>> with a cluster symbol for each gridded cell.
The cluster location is the weighted centroid for all geo-points in the gridded cell.


[role="xpack"]
[[maps-top-hits-aggregation]]
Expand Down
2 changes: 1 addition & 1 deletion docs/maps/maps-getting-started.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -157,7 +157,7 @@ image::maps/images/grid_metrics_both.png[]
. In the map legend, click *Add layer*.
. Click the *Grid aggregation* data source.
. Set *Index pattern* to *kibana_sample_data_logs*.
. Set *Show as* to *points*.
. Set *Show as* to *clusters*.
. Click the *Add layer* button.
. Set *Name* to `Total Requests and Bytes`.
. Set *Visibility* to the range [0, 9].
Expand Down
2 changes: 1 addition & 1 deletion docs/maps/vector-layer.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ NOTE: Document results are limited to the `index.max_result_window` index settin
Use <<maps-aggregations, aggregations>> to plot large data sets.

*Grid aggregation*:: Geospatial data grouped in grids with metrics for each gridded cell.
Set *Show as* to *grid rectangles* or *points*.
Set *Show as* to *grid rectangles* or *clusters*.
The index must contain at least one field mapped as {ref}/geo-point.html[geo_point].

*EMS Boundaries*:: Administrative boundaries from https://www.elastic.co/elastic-maps-service[Elastic Maps Service].
Expand Down
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Original file line number Diff line number Diff line change
@@ -0,0 +1,120 @@
[role="xpack"]
[[elasticsearch-mutual-tls]]
=== Mutual TLS authentication between {kib} and {es}
++++
<titleabbrev>Mutual TLS with {es}</titleabbrev>
++++

In a standard Transport Layer Security (TLS/SSL) configuration, the server presents a signed certificate to authenticate itself to the
client. In a mutual TLS configuration, the client also presents a signed certificate to authenticate itself to the server.

When {security} is enabled on your cluster, each request that {kib} makes to {es} must be authenticated. Most requests made through {kib} to
{es} are authenticated by using the credentials of the logged-in user. There are, however, a few internal requests that the {kib} server
needs to make to the {es} cluster. For this reason, you must configure credentials for the {kib} server to use for those requests.

If {kib} has `elasticsearch.username` and `elasticsearch.password` configured, it will attempt to use these to authenticate to {es} via the
{ref}/native-realm.html[Native realm]. However, {kib} also supports mutual TLS authentication with {es} via a {ref}/pki-realm.html[Public
Key Infrastructure (PKI) realm]. To do so, {es} needs to verify the signature on the {kib} client certificate, and it also needs to map the
certificate's distinguished name (DN) to the appropriate `kibana_system` role.

NOTE: Using a PKI realm is a gold feature. For a comparison of the Elastic license levels, see https://www.elastic.co/subscriptions[the
subscription page].

To configure {kib} and {es} to use mutual TLS authentication:

. <<using-kibana-with-security,Set up {kib} to work with {security}>> with a username and password.

. <<configuring-tls-kib-es,Set up TLS encryption between {kib} and {es}>>. At a minimum, this requires a server certificate for {es}.

. Create a client certificate and private key for {kib} to use when connecting to {es}.
+
--
NOTE: This is not the same as the <<configuring-tls-browser-kib,server certificate>> that {kib} will present to web browsers.

You may choose to generate a certificate and private key using {ref}/certutil.html[the {es} certutil tool]. At this point, you will have
already set up a certificate authority (CA) to sign the {es} server certificate. You may choose to use the same CA to sign the {kib} client
certificate. You would do this like so:

[source,sh]
--------------------------------------------------------------------------------
bin/elasticsearch-certutil cert -ca elastic-stack-ca.p12 -name kibana-client
--------------------------------------------------------------------------------

This will generate a certificate and private key in a PKCS #12 keystore named `kibana-client.p12`. The certificate has a Common Name (CN) of
"kibana-client".

You will also need to use the CA certificate when setting up the PKI realm in {es}. While you could use the CA keystore in the above example
for this purpose, it is bad practice to expose the CA's private key in such a manner. Instead, you can extract the CA certificate (without
its private key) like so:

[source,sh]
--------------------------------------------------------------------------------
openssl pkcs12 -in kibana-client.p12 -cacerts -nokeys -out ca.crt
--------------------------------------------------------------------------------
--

. Configure a PKI realm and a Native realm in your {es} cluster:
+
--
By default, {es} provides a Native realm. However, to support both a PKI realm (for {kib}) and a Native realm (for end users), you must
configure each realm in `elasticsearch.yml`:

[source,yaml]
--------------------------------------------------------------------------------
xpack.security.authc.realms.pki.realm1.order: 1
xpack.security.authc.realms.pki.realm1.certificate_authorities: "/path/to/ca.crt"
xpack.security.authc.realms.native.realm2.order: 2
--------------------------------------------------------------------------------

--

. Configure your {es} cluster to request client certificates:
+
--
By default, {es} will not request a client certificate when establishing a TLS connection. To change this, you must set up optional client
certificate authentication in `elasticsearch.yml`:

[source,yaml]
--------------------------------------------------------------------------------
xpack.security.http.ssl.client_authentication: "optional"
--------------------------------------------------------------------------------
--

. Restart your {es} cluster.

. Use {kib} to create a <<role-mappings,role mapping>> for your new client certificate:
+
--
This role mapping will assign the `kibana_system` role to any user that matches the included mapping rule, which is set to equal the client
certificate's DN attribute:

[role="screenshot"]
image:user/security/images/mutual-tls-role-mapping.png["Role mapping for the {kib} client certificate"]
--

. Configure {kib} to use the client certificate:
+
--
Assuming you used the {es} certutil tool to generate a certificate and private key in a PKCS #12 keystore, add the following values to
`kibana.yml`:

[source,yaml]
--------------------------------------------------------------------------------
elasticsearch.ssl.keystore.path: "/path/to/kibana-client.p12"
elasticsearch.ssl.keystore.password: "decryption password"
--------------------------------------------------------------------------------

The decryption password should match what you entered when prompted by the {es} certutil tool.

You must also remove the `elasticsearch.username` and `elasticsearch.password` values from the configuration file. Otherwise, {kib} will
attempt to use those to authenticate via the Native realm.

TIP: Alternatively, {kib} also supports using a client certificate and private key in PEM format with the `elasticsearch.ssl.certificate`
and `elasticsearch.ssl.key` settings. For more information, see <<settings,{kib} configuration settings>>.
--

. Restart {kib}.

NOTE: The steps above enable {kib} to authenticate to {es} using a certificate. However, end users will only be able to authenticate to
{kib} with a username and password. To allow end users to authenticate to {kib} using certificates, see <<pki-authentication,{kib} PKI
authentication>>.
3 changes: 3 additions & 0 deletions docs/user/security/securing-kibana.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,8 @@ xpack.security.session.lifespan: "8h"

. Optional: <<configuring-tls,Configure {kib} to encrypt communications>>.

. Optional: <<elasticsearch-mutual-tls,Configure {kib} to authenticate to {es} with a client certificate>>.

. Restart {kib}.

. [[kibana-roles]]Choose an authentication mechanism and grant users the privileges they need to
Expand Down Expand Up @@ -141,4 +143,5 @@ NOTE: This must be a user who has been assigned <<kibana-privileges, Kibana priv

include::authentication/index.asciidoc[]
include::securing-communications/index.asciidoc[]
include::securing-communications/elasticsearch-mutual-tls.asciidoc[]
include::audit-logging.asciidoc[]
Loading

0 comments on commit b2e69f0

Please sign in to comment.