|
@@ -12,6 +12,8 @@
|
|
|
*Details* +
|
|
|
The `xpack.security.authc.realms.{type}.{name}.order` setting is now required and must be
|
|
|
specified for each explicitly configured realm. Each value must be unique.
|
|
|
+
|
|
|
+*Impact* +
|
|
|
The cluster will fail to start if the requirements are not met.
|
|
|
|
|
|
For example, the following configuration is invalid:
|
|
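Review bot: The new *Impact* block for the realm `order` setting states only the consequence ("The cluster will fail to start if the requirements are not met.") and gives no action, whereas the other Impact blocks added in this patch open with an instruction. Consider leading with the instruction (specify a unique `xpack.security.authc.realms.{type}.{name}.order` value for every explicitly configured realm) and keeping the failure-to-start sentence after it.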
@@ -40,6 +42,11 @@ xpack.security.authc.realms.kerberos.kerb1:
|
|
|
*Details* +
|
|
|
The `xpack.security.authc.accept_default_password` setting has not had any affect
|
|
|
since the 6.0 release of {es}. It has been removed and cannot be used.
|
|
|
+
|
|
|
+*Impact* +
|
|
|
+Discontinue use of the `xpack.security.authc.accept_default_password` setting.
|
|
|
+Specifying this setting in `elasticsearch.yml` will result in an error on
|
|
|
+startup.
|
|
|
====
|
|
|
|
|
|
[[roles-index-cache-removed]]
|
|
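Review bot: The context line directly above the new Impact block reads "has not had any affect"; this should be "effect". Since the patch already reworks this entry, fix the typo in the same change.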
@@ -51,6 +58,11 @@ The `xpack.security.authz.store.roles.index.cache.max_size` and
|
|
|
`xpack.security.authz.store.roles.index.cache.ttl` settings have
|
|
|
been removed. These settings have been redundant and deprecated
|
|
|
since the 5.2 release of {es}.
|
|
|
+
|
|
|
+*Impact* +
|
|
|
+Discontinue use of the `xpack.security.authz.store.roles.index.cache.max_size`
|
|
|
+and `xpack.security.authz.store.roles.index.cache.ttl` settings. Specifying
|
|
|
+these settings in `elasticsearch.yml` will result in an error on startup.
|
|
|
====
|
|
|
|
|
|
[[migrate-tool-removed]]
|
|
@@ -62,6 +74,10 @@ The `elasticsearch-migrate` tool provided a way to convert file
|
|
|
realm users and roles into the native realm. It has been deprecated
|
|
|
since 7.2.0. Users and roles should now be created in the native
|
|
|
realm directly.
|
|
|
+
|
|
|
+*Impact* +
|
|
|
+Discontinue use of the `elasticsearch-migrate` tool. Attempts to use the
|
|
|
+`elasticsearch-migrate` tool will result in an error.
|
|
|
====
|
|
|
|
|
|
[[separating-node-and-client-traffic]]
|
|
@@ -72,6 +88,11 @@ realm directly.
|
|
|
The `transport.profiles.*.xpack.security.type` setting has been removed since
|
|
|
the Transport Client has been removed and therefore all client traffic now uses
|
|
|
the HTTP transport. Transport profiles using this setting should be removed.
|
|
|
+
|
|
|
+*Impact* +
|
|
|
+Discontinue use of the `transport.profiles.*.xpack.security.type` setting.
|
|
|
+Specifying this setting in a transport profile in `elasticsearch.yml` will
|
|
|
+result in an error on startup.
|
|
|
====
|
|
|
|
|
|
[discrete]
|
|
@@ -86,6 +107,21 @@ It is now an error to configure any SSL settings for
|
|
|
`xpack.security.transport.ssl` without also configuring
|
|
|
`xpack.security.transport.ssl.enabled`.
|
|
|
|
|
|
+*Impact* +
|
|
|
+If using other `xpack.security.transport.ssl` settings, you must explicitly
|
|
|
+specify the `xpack.security.transport.ssl.enabled` setting.
|
|
|
+
|
|
|
+If you do not want to enable SSL and are currently using other
|
|
|
+`xpack.security.transport.ssl` settings, do one of the following:
|
|
|
+
|
|
|
+* Explicitly specify `xpack.security.transport.ssl.enabled` as `false`
|
|
|
+* Discontinue use of other `xpack.security.transport.ssl` settings
|
|
|
+
|
|
|
+If you want to enable SSL, follow the instructions in
|
|
|
+{ref}/configuring-tls.html#tls-transport[Encrypting communications between nodes
|
|
|
+in a cluster]. As part of this configuration, explicitly specify
|
|
|
+`xpack.security.transport.ssl.enabled` as `true`.
|
|
|
+
|
|
|
For example, the following configuration is invalid:
|
|
|
[source,yaml]
|
|
|
--------------------------------------------------
|
|
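Review bot: The Impact block added for `xpack.security.transport.ssl` never says what happens when `xpack.security.transport.ssl.enabled` is left unset. The other Impact blocks in this patch end with "will result in an error on startup", while here only the context line says "It is now an error". Add the same startup-error sentence so the consequence is stated inside the Impact block. Also consider placing the "If you want to enable SSL" paragraph before the opt-out bullets, so that setting `enabled` to `false` does not read as the primary remedy for node-to-node traffic.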
@@ -111,6 +147,21 @@ It is now an error to configure any SSL settings for
|
|
|
`xpack.security.http.ssl` without also configuring
|
|
|
`xpack.security.http.ssl.enabled`.
|
|
|
|
|
|
+*Impact* +
|
|
|
+If using other `xpack.security.http.ssl` settings, you must explicitly
|
|
|
+specify the `xpack.security.http.ssl.enabled` setting.
|
|
|
+
|
|
|
+If you do not want to enable SSL and are currently using other
|
|
|
+`xpack.security.http.ssl` settings, do one of the following:
|
|
|
+
|
|
|
+* Explicitly specify `xpack.security.http.ssl.enabled` as `false`
|
|
|
+* Discontinue use of other `xpack.security.http.ssl` settings
|
|
|
+
|
|
|
+If you want to enable SSL, follow the instructions in
|
|
|
+{ref}/configuring-tls.html#tls-http[Encrypting HTTP client communications]. As part
|
|
|
+of this configuration, explicitly specify `xpack.security.http.ssl.enabled`
|
|
|
+as `true`.
|
|
|
+
|
|
|
For example, the following configuration is invalid:
|
|
|
[source,yaml]
|
|
|
--------------------------------------------------
|
|
@@ -138,6 +189,13 @@ It is now an error to enable SSL for the transport interface without also config
|
|
|
a certificate and key through use of the `xpack.security.transport.ssl.keystore.path`
|
|
|
setting or the `xpack.security.transport.ssl.certificate` and
|
|
|
`xpack.security.transport.ssl.key` settings.
|
|
|
+
|
|
|
+*Impact* +
|
|
|
+If `xpack.security.transport.ssl.enabled` is set to `true`, provide a
|
|
|
+certificate and key using the `xpack.security.transport.ssl.keystore.path`
|
|
|
+setting or the `xpack.security.transport.ssl.certificate` and
|
|
|
+`xpack.security.transport.ssl.key` settings. If a certificate and key is not
|
|
|
+provided, {es} will return in an error on startup.
|
|
|
====
|
|
|
|
|
|
.A `xpack.security.http.ssl` certificate and key are now required to enable SSL for the HTTP server.
|
|
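Review bot: The last added sentence has two wording errors: "If a certificate and key is not provided, {es} will return in an error on startup." Use "are not provided", and replace "will return in an error" with "will return an error" or, to match the other Impact blocks in this patch, "will result in an error".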
@@ -148,6 +206,13 @@ It is now an error to enable SSL for the HTTP (Rest) server without also configu
|
|
|
a certificate and key through use of the `xpack.security.http.ssl.keystore.path`
|
|
|
setting or the `xpack.security.http.ssl.certificate` and
|
|
|
`xpack.security.http.ssl.key` settings.
|
|
|
+
|
|
|
+*Impact* +
|
|
|
+If `xpack.security.http.ssl.enabled` is set to `true`, provide a certificate and
|
|
|
+key using the `xpack.security.http.ssl.keystore.path` setting or the
|
|
|
+`xpack.security.http.ssl.certificate` and `xpack.security.http.ssl.key`
|
|
|
+settings. If certificate and key is not provided, {es} will return in an error
|
|
|
+on startup.
|
|
|
====
|
|
|
|
|
|
[discrete]
|
|
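Review bot: The closing sentence of this Impact block drifts from its transport counterpart: "If certificate and key is not provided" drops the article "a", and it carries the same "will return in an error" wording. Use one identical sentence for both the transport and HTTP entries, for example "If a certificate and key are not provided, {es} will return an error on startup."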
@@ -163,6 +228,10 @@ The name of this user was confusing, and was often mistakenly used to login to {
|
|
|
This has been renamed to `kibana_system` in order to reduce confusion, and to better
|
|
|
align with other built-in system accounts.
|
|
|
|
|
|
+*Impact* +
|
|
|
+Replace any use of the `kibana` user with the `kibana_system` user. Specifying
|
|
|
+the `kibana` user in `kibana.yml` will result in an error on startup.
|
|
|
+
|
|
|
If your `kibana.yml` used to contain:
|
|
|
[source,yaml]
|
|
|
--------------------------------------------------
|
|
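Review bot: The added sentence "Specifying the `kibana` user in `kibana.yml` will result in an error on startup." does not say which product fails to start. The setting lives in `kibana.yml`, but the other Impact blocks in this patch describe {es} startup errors, so name the product explicitly here.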
@@ -187,4 +256,8 @@ elasticsearch.username: kibana_system
|
|
|
Users who were previously assigned the `kibana_user` role should instead be assigned
|
|
|
the `kibana_admin` role. This role grants the same set of privileges as `kibana_user`, but has been
|
|
|
renamed to better reflect its intended use.
|
|
|
+
|
|
|
+*Impact* +
|
|
|
+Assign users with the `kibana_user` role to the `kibana_admin` role.
|
|
|
+Discontinue use of the `kibana_user` role.
|
|
|
====
|
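Review bot: The Impact block for `kibana_user` gives the action but no consequence, unlike the other entries in this patch. "Discontinue use of the `kibana_user` role." does not tell the reader what happens to users who still hold that role after upgrade. State whether the role is removed or only deprecated, so administrators know whether those users lose access.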