Skip to content

Commit

Permalink
Merge branch 'master' into bugfix/expression-service-render-swallows-…
Browse files Browse the repository at this point in the history
…errors
  • Loading branch information
elasticmachine authored Nov 27, 2019
2 parents 4b730df + 2d696eb commit b37a36f
Show file tree
Hide file tree
Showing 470 changed files with 9,053 additions and 6,683 deletions.
2 changes: 1 addition & 1 deletion .eslintignore
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ bower_components
/plugins
/built_assets
/html_docs
/src/plugins/data/common/es_query/kuery/ast/_generated_/**
/src/fixtures/vislib/mock_data
/src/legacy/ui/public/angular-bootstrap
/src/legacy/ui/public/flot-charts
Expand All @@ -19,7 +20,6 @@ bower_components
/src/core/lib/kbn_internal_native_observable
/packages/*/target
/packages/eslint-config-kibana
/packages/kbn-es-query/src/kuery/ast/kuery.js
/packages/kbn-pm/dist
/packages/kbn-plugin-generator/sao_template/template
/packages/kbn-ui-framework/dist
Expand Down
1 change: 1 addition & 0 deletions .github/CODEOWNERS
Validating CODEOWNERS rules …
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,7 @@
/src/dev/i18n @elastic/kibana-stack-services
/packages/kbn-analytics/ @elastic/kibana-stack-services
/src/legacy/core_plugins/ui_metric/ @elastic/kibana-stack-services
/src/plugins/usage_collection/ @elastic/kibana-stack-services
/x-pack/legacy/plugins/telemetry @elastic/kibana-stack-services
/x-pack/legacy/plugins/alerting @elastic/kibana-stack-services
/x-pack/legacy/plugins/actions @elastic/kibana-stack-services
Expand Down
1 change: 0 additions & 1 deletion .i18nrc.json
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,6 @@
"interpreter": "src/legacy/core_plugins/interpreter",
"kbn": "src/legacy/core_plugins/kibana",
"kbnDocViews": "src/legacy/core_plugins/kbn_doc_views",
"kbnESQuery": "packages/kbn-es-query",
"kbnVislibVisTypes": "src/legacy/core_plugins/kbn_vislib_vis_types",
"kibana_react": "src/legacy/core_plugins/kibana_react",
"kibana-react": "src/plugins/kibana_react",
Expand Down
4 changes: 3 additions & 1 deletion docs/api/role-management/put.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,9 @@ To use the create or update role API, you must have the `manage_security` cluste
(Optional, object) In the `metadata` object, keys that begin with `_` are reserved for system usage.

`elasticsearch`::
(Optional, object) {es} cluster and index privileges. Valid keys include `cluster`, `indices`, and `run_as`. For more information, see {xpack-ref}/defining-roles.html[Defining Roles].
(Optional, object) {es} cluster and index privileges. Valid keys include
`cluster`, `indices`, and `run_as`. For more information, see
{ref}/defining-roles.html[Defining roles].

`kibana`::
(list) Objects that specify the <<kibana-privileges, Kibana privileges>> for the role:
Expand Down
9 changes: 8 additions & 1 deletion docs/developer/security/rbac.asciidoc
Original file line number Diff line number Diff line change
@@ -1,7 +1,14 @@
[[development-security-rbac]]
=== Role-based access control

Role-based access control (RBAC) in {kib} relies upon the {xpack-ref}/security-privileges.html#application-privileges[application privileges] that Elasticsearch exposes. This allows {kib} to define the privileges that {kib} wishes to grant to users, assign them to the relevant users using roles, and then authorize the user to perform a specific action. This is handled within a secured instance of the `SavedObjectsClient` and available transparently to consumers when using `request.getSavedObjectsClient()` or `savedObjects.getScopedSavedObjectsClient()`.
Role-based access control (RBAC) in {kib} relies upon the
{ref}/security-privileges.html#application-privileges[application privileges]
that Elasticsearch exposes. This allows {kib} to define the privileges that
{kib} wishes to grant to users, assign them to the relevant users using roles,
and then authorize the user to perform a specific action. This is handled within
a secured instance of the `SavedObjectsClient` and available transparently to
consumers when using `request.getSavedObjectsClient()` or
`savedObjects.getScopedSavedObjectsClient()`.

[[development-rbac-privileges]]
==== {kib} Privileges
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,5 +9,5 @@ Search for objects
<b>Signature:</b>

```typescript
find: <T extends SavedObjectAttributes>(options: Pick<SavedObjectFindOptionsServer, "search" | "filter" | "type" | "searchFields" | "defaultSearchOperator" | "hasReference" | "sortField" | "page" | "perPage" | "fields">) => Promise<SavedObjectsFindResponsePublic<T>>;
find: <T extends SavedObjectAttributes>(options: Pick<SavedObjectFindOptionsServer, "search" | "filter" | "type" | "fields" | "searchFields" | "defaultSearchOperator" | "hasReference" | "sortField" | "page" | "perPage">) => Promise<SavedObjectsFindResponsePublic<T>>;
```
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ export declare class SavedObjectsClient
| [bulkGet](./kibana-plugin-public.savedobjectsclient.bulkget.md) | | <code>(objects?: {</code><br/><code> id: string;</code><br/><code> type: string;</code><br/><code> }[]) =&gt; Promise&lt;SavedObjectsBatchResponse&lt;SavedObjectAttributes&gt;&gt;</code> | Returns an array of objects by id |
| [create](./kibana-plugin-public.savedobjectsclient.create.md) | | <code>&lt;T extends SavedObjectAttributes&gt;(type: string, attributes: T, options?: SavedObjectsCreateOptions) =&gt; Promise&lt;SimpleSavedObject&lt;T&gt;&gt;</code> | Persists an object |
| [delete](./kibana-plugin-public.savedobjectsclient.delete.md) | | <code>(type: string, id: string) =&gt; Promise&lt;{}&gt;</code> | Deletes an object |
| [find](./kibana-plugin-public.savedobjectsclient.find.md) | | <code>&lt;T extends SavedObjectAttributes&gt;(options: Pick&lt;SavedObjectFindOptionsServer, &quot;search&quot; &#124; &quot;filter&quot; &#124; &quot;type&quot; &#124; &quot;searchFields&quot; &#124; &quot;defaultSearchOperator&quot; &#124; &quot;hasReference&quot; &#124; &quot;sortField&quot; &#124; &quot;page&quot; &#124; &quot;perPage&quot; &#124; &quot;fields&quot;&gt;) =&gt; Promise&lt;SavedObjectsFindResponsePublic&lt;T&gt;&gt;</code> | Search for objects |
| [find](./kibana-plugin-public.savedobjectsclient.find.md) | | <code>&lt;T extends SavedObjectAttributes&gt;(options: Pick&lt;SavedObjectFindOptionsServer, &quot;search&quot; &#124; &quot;filter&quot; &#124; &quot;type&quot; &#124; &quot;fields&quot; &#124; &quot;searchFields&quot; &#124; &quot;defaultSearchOperator&quot; &#124; &quot;hasReference&quot; &#124; &quot;sortField&quot; &#124; &quot;page&quot; &#124; &quot;perPage&quot;&gt;) =&gt; Promise&lt;SavedObjectsFindResponsePublic&lt;T&gt;&gt;</code> | Search for objects |
| [get](./kibana-plugin-public.savedobjectsclient.get.md) | | <code>&lt;T extends SavedObjectAttributes&gt;(type: string, id: string) =&gt; Promise&lt;SimpleSavedObject&lt;T&gt;&gt;</code> | Fetches a single object |

## Methods
Expand Down
2 changes: 1 addition & 1 deletion docs/getting-started/tutorial-full-experience.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ and whether it's _tokenized_, or broken up into separate words.

NOTE: If security is enabled, you must have the `all` Kibana privilege to run this tutorial.
You must also have the `create`, `manage` `read`, `write,` and `delete`
index privileges. See {xpack-ref}/security-privileges.html[Security Privileges]
index privileges. See {ref}/security-privileges.html[Security privileges]
for more information.

In Kibana *Dev Tools > Console*, set up a mapping for the Shakespeare data set:
Expand Down
4 changes: 2 additions & 2 deletions docs/getting-started/tutorial-sample-data.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,8 @@ with Kibana sample data and learn to:


NOTE: If security is enabled, you must have `read`, `write`, and `manage` privileges
on the `kibana_sample_data_*` indices. See {xpack-ref}/security-privileges.html[Security Privileges]
for more information.
on the `kibana_sample_data_*` indices. See
{ref}/security-privileges.html[Security privileges] for more information.


[float]
Expand Down
2 changes: 1 addition & 1 deletion docs/management/managing-indices.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ If security is enabled,
you must have the `monitor` cluster privilege and the `view_index_metadata`
and `manage` index privileges to view the data.
For index templates, you must have the `manage_index_templates` cluster privilege.
See {xpack-ref}/security-privileges.html[Security Privileges] for more
See {ref}/security-privileges.html[Security privileges] for more
information.

Before using this feature, you should be familiar with index management
Expand Down
12 changes: 9 additions & 3 deletions docs/settings/security-settings.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -49,10 +49,16 @@ is set to `true` if `server.ssl.certificate` and `server.ssl.key` are set. Set
this to `true` if SSL is configured outside of {kib} (for example, you are
routing requests through a load balancer or proxy).

`xpack.security.sessionTimeout`::
`xpack.security.session.idleTimeout`::
Sets the session duration (in milliseconds). By default, sessions stay active
until the browser is closed. When this is set to an explicit timeout, closing the
browser still requires the user to log back in to {kib}.
until the browser is closed. When this is set to an explicit idle timeout, closing
the browser still requires the user to log back in to {kib}.

`xpack.security.session.lifespan`::
Sets the maximum duration (in milliseconds), also known as "absolute timeout". By
default, a session can be renewed indefinitely. When this value is set, a session
will end once its lifespan is exceeded, even if the user is not idle. NOTE: if
`idleTimeout` is not set, this setting will still cause sessions to expire.

`xpack.security.loginAssistanceMessage`::
Adds a message to the login screen. Useful for displaying information about maintenance windows, links to corporate sign up pages etc.
4 changes: 2 additions & 2 deletions docs/setup/install.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -54,8 +54,8 @@ Formulae are available from the Elastic Homebrew tap for installing {kib} on mac
<<brew>>

IMPORTANT: If your Elasticsearch installation is protected by
{xpack-ref}/elasticsearch-security.html[{security}] see
{kibana-ref}/using-kibana-with-security.html[Configuring Security in Kibana] for
{ref}/elasticsearch-security.html[{security}] see
{kibana-ref}/using-kibana-with-security.html[Configuring security in Kibana] for
additional setup instructions.

include::install/targz.asciidoc[]
Expand Down
32 changes: 17 additions & 15 deletions docs/user/security/authentication/index.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -14,16 +14,17 @@
- <<oidc>>

[[basic-authentication]]
==== Basic Authentication
==== Basic authentication

Basic authentication requires a username and password to successfully log in to {kib}. It is enabled by default and based on the Native security realm provided by {es}. The basic authentication provider uses a Kibana provided login form, and supports authentication using the `Authorization` request header's `Basic` scheme.

The session cookies that are issued by the basic authentication provider are stateless. Therefore, logging out of Kibana when using the basic authentication provider clears the session cookies from the browser but does not invalidate the session cookie for reuse.

For more information about basic authentication and built-in users, see {xpack-ref}/setting-up-authentication.html[Setting Up User Authentication].
For more information about basic authentication and built-in users, see
{ref}/setting-up-authentication.html[User authentication].

[[token-authentication]]
==== Token Authentication
==== Token authentication

Token authentication allows users to login using the same Kibana provided login form as basic authentication. The token authentication provider is built on {es}'s token APIs. The bearer tokens returned by {es}'s {ref}/security-api-get-token.html[get token API] can be used directly with Kibana using the `Authorization` request header with the `Bearer` scheme.

Expand All @@ -46,7 +47,7 @@ xpack.security.authc.providers: [token, basic]
--------------------------------------------------------------------------------

[[pki-authentication]]
==== Public Key Infrastructure (PKI) Authentication
==== Public key infrastructure (PKI) authentication

[IMPORTANT]
============================================================================
Expand Down Expand Up @@ -76,9 +77,9 @@ xpack.security.authc.providers: [pki, basic]
Note that with `server.ssl.clientAuthentication` set to `required`, users are asked to provide a valid client certificate, even if they want to authenticate with username and password. Depending on the security policies, it may or may not be desired. If not, `server.ssl.clientAuthentication` can be set to `optional`. In this case, {kib} still requests a client certificate, but the client won't be required to present one. The `optional` client authentication mode might also be needed in other cases, for example, when PKI authentication is used in conjunction with Reporting.

[[saml]]
==== SAML Single Sign-On
==== SAML single sign-on

SAML authentication allows users to log in to {kib} with an external Identity Provider, such as Okta or Auth0. Make sure that SAML is enabled and configured in {es} before setting it up in {kib}. See {xpack-ref}/saml-guide.html[Configuring SAML Single-Sign-On on the Elastic Stack].
SAML authentication allows users to log in to {kib} with an external Identity Provider, such as Okta or Auth0. Make sure that SAML is enabled and configured in {es} before setting it up in {kib}. See {ref}/saml-guide.html[Configuring SAML single sign-on on the Elastic Stack].

Set the configuration values in `kibana.yml` as follows:

Expand Down Expand Up @@ -106,7 +107,7 @@ server.xsrf.whitelist: [/api/security/saml/callback]
Users will be able to log in to {kib} via SAML Single Sign-On by navigating directly to the {kib} URL. Users who aren't authenticated are redirected to the Identity Provider for login. Most Identity Providers maintain a long-lived session—users who logged in to a different application using the same Identity Provider in the same browser are automatically authenticated. An exception is if {es} or the Identity Provider is configured to force user to re-authenticate. This login scenario is called _Service Provider initiated login_.

[float]
===== SAML and Basic Authentication
===== SAML and basic authentication

SAML support in {kib} is designed to be the primary (or sole) authentication method for users of that {kib} instance. However, you can configure both SAML and Basic authentication for the same {kib} instance:

Expand Down Expand Up @@ -135,7 +136,7 @@ xpack.security.authc.saml.maxRedirectURLSize: 1kb
--------------------------------------------------------------------------------

[[oidc]]
==== OpenID Connect Single Sign-On
==== OpenID Connect single sign-on

Similar to SAML, authentication with OpenID Connect allows users to log in to {kib} using an OpenID Connect Provider such as Google, or Okta. OpenID Connect
should also be configured in {es}. For more details, see {ref}/oidc-guide.html[Configuring single sign-on to the {stack} using OpenID Connect].
Expand Down Expand Up @@ -166,7 +167,7 @@ server.xsrf.whitelist: [/api/security/v1/oidc]
--------------------------------------------------------------------------------

[float]
===== OpenID Connect and Basic Authentication
===== OpenID Connect and basic authentication

Similar to SAML, OpenID Connect support in {kib} is designed to be the primary (or sole) authentication method for users
of that {kib} instance. However, you can configure both OpenID Connect and Basic authentication for the same {kib} instance:
Expand All @@ -179,18 +180,19 @@ xpack.security.authc.providers: [oidc, basic]
Users will be able to access the login page and use Basic authentication by navigating to the `/login` URL.

[float]
==== Single Sign-On provider details
==== Single sign-on provider details

The following sections apply both to <<saml>> and <<oidc>>

[float]
===== Access and Refresh Tokens
===== Access and refresh tokens

Once the user logs in to {kib} Single Sign-On, either using SAML or OpenID Connect, {es} issues access and refresh tokens
that {kib} encrypts and stores them in its own session cookie. This way, the user isn't redirected to the Identity Provider
for every request that requires authentication. It also means that the {kib} session depends on the `xpack.security.sessionTimeout`
setting and the user is automatically logged out if the session expires. An access token that is stored in the session cookie
can expire, in which case {kib} will automatically renew it with a one-time-use refresh token and store it in the same cookie.
for every request that requires authentication. It also means that the {kib} session depends on the <<security-ui-settings,
`xpack.security.session.idleTimeout` and `xpack.security.session.lifespan`>> settings, and the user is automatically logged
out if the session expires. An access token that is stored in the session cookie can expire, in which case {kib} will
automatically renew it with a one-time-use refresh token and store it in the same cookie.

{kib} can only determine if an access token has expired if it receives a request that requires authentication. If both access
and refresh tokens have already expired (for example, after 24 hours of inactivity), {kib} initiates a new "handshake" and
Expand All @@ -201,7 +203,7 @@ If {kib} can't redirect the user to the external authentication provider (for ex
indicates that both access and refresh tokens are expired. Reloading the current {kib} page fixes the error.

[float]
===== Local and Global Logout
===== Local and global logout

During logout, both the {kib} session cookie and access/refresh token pair are invalidated. Even if the cookie has been
leaked, it can't be re-used after logout. This is known as "local" logout.
Expand Down
8 changes: 4 additions & 4 deletions docs/user/security/reporting.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ user actions in {kib}.
To use {reporting} with {security} enabled, you need to
<<using-kibana-with-security,set up {kib} to work with {security}>>.
If you are automatically generating reports with
{xpack-ref}/xpack-alerting.html[{watcher}], you also need to configure {watcher}
{ref}/xpack-alerting.html[{watcher}], you also need to configure {watcher}
to trust the {kib} server's certificate. For more information, see
<<securing-reporting>>.

Expand All @@ -35,7 +35,7 @@ POST /_security/user/reporter
* If you are using an LDAP or Active Directory realm, you can either assign
roles on a per user basis, or assign roles to groups of users. By default, role
mappings are configured in
{xpack-ref}/mapping-roles.html[`config/shield/role_mapping.yml`].
{ref}/mapping-roles.html[`config/shield/role_mapping.yml`].
For example, the following snippet assigns the user named Bill Murray the
`kibana_user` and `reporting_user` roles:
+
Expand All @@ -55,7 +55,7 @@ In a production environment, you should restrict access to
the {reporting} endpoints to authorized users. This requires that you:

. Enable {security} on your {es} cluster. For more information,
see {xpack-ref}/security-getting-started.html[Getting Started with Security].
see {ref}/security-getting-started.html[Getting Started with Security].
. Configure an SSL certificate for Kibana. For more information, see
<<using-kibana-with-security>>.
. Configure {watcher} to trust the Kibana server's certificate by adding it to
Expand Down Expand Up @@ -83,4 +83,4 @@ includes a watch that submits requests as the built-in `elastic` user:
<<automating-report-generation>>.

For more information about configuring watches, see
{xpack-ref}/how-watcher-works.html[How Watcher Works].
{ref}/how-watcher-works.html[How Watcher works].
Loading

0 comments on commit b37a36f

Please sign in to comment.