Merge branch 'master' into rules-branch

.backportrc.json

@@ -1,5 +1,5 @@
 {
  "upstream": "elastic/kibana",
- "branches": [{ "name": "7.x", "checked": true }, "7.5", "7.4", "7.3", "7.2", "7.1", "7.0", "6.8", "6.7", "6.6", "6.5", "6.4", "6.3", "6.2", "6.1", "6.0", "5.6"],
+ "branches": [{ "name": "7.x", "checked": true }, "7.6", "7.5", "7.4", "7.3", "7.2", "7.1", "7.0", "6.8", "6.7", "6.6", "6.5", "6.4", "6.3", "6.2", "6.1", "6.0", "5.6"],
  "labels": ["backport"]
 }

.eslintignore

@@ -9,7 +9,7 @@ bower_components
 /built_assets
 /html_docs
 /src/plugins/data/common/es_query/kuery/ast/_generated_/**
-/src/fixtures/vislib/mock_data
+src/legacy/core_plugins/vis_type_vislib/public/vislib/__tests__/lib/fixtures/mock_data
 /src/legacy/ui/public/angular-bootstrap
 /src/legacy/ui/public/flot-charts
 /test/fixtures/scenarios

.eslintrc.js

@@ -77,7 +77,7 @@ module.exports = {
  },
  },
  {
- files: ['src/legacy/core_plugins/kbn_vislib_vis_types/**/*.{js,ts,tsx}'],
+ files: ['src/legacy/core_plugins/vis_type_vislib/**/*.{js,ts,tsx}'],
  rules: {
  'react-hooks/exhaustive-deps': 'off',
  },

.github/CODEOWNERS

@@ -117,21 +117,21 @@
 /x-pack/test/api_integration/apis/security/ @elastic/kibana-security
 
 # Kibana Localization
-/src/dev/i18n @elastic/kibana-localization
+/src/dev/i18n/ @elastic/kibana-localization
 
 # Pulse
 /packages/kbn-analytics/ @elastic/pulse
 /src/legacy/core_plugins/ui_metric/ @elastic/pulse
 /src/plugins/usage_collection/ @elastic/pulse
-/x-pack/legacy/plugins/telemetry @elastic/pulse
+/x-pack/legacy/plugins/telemetry/ @elastic/pulse
 
 # Kibana Alerting Services
-/x-pack/legacy/plugins/alerting @elastic/kibana-alerting-services
-/x-pack/legacy/plugins/actions @elastic/kibana-alerting-services
-/x-pack/legacy/plugins/task_manager @elastic/kibana-alerting-services
-/x-pack/test/alerting_api_integration @elastic/kibana-alerting-services
-/x-pack/test/plugin_api_integration/plugins/task_manager @elastic/kibana-alerting-services
-/x-pack/test/plugin_api_integration/test_suites/task_manager @elastic/kibana-alerting-services
+/x-pack/legacy/plugins/alerting/ @elastic/kibana-alerting-services
+/x-pack/legacy/plugins/actions/ @elastic/kibana-alerting-services
+/x-pack/plugins/task_manager/ @elastic/kibana-alerting-services
+/x-pack/test/alerting_api_integration/ @elastic/kibana-alerting-services
+/x-pack/test/plugin_api_integration/plugins/task_manager/ @elastic/kibana-alerting-services
+/x-pack/test/plugin_api_integration/test_suites/task_manager/ @elastic/kibana-alerting-services
 /x-pack/legacy/plugins/triggers_actions_ui/ @elastic/kibana-alerting-services
 /x-pack/test/functional_with_es_ssl/apps/triggers_actions_ui/ @elastic/kibana-alerting-services
 /x-pack/test/functional_with_es_ssl/fixtures/plugins/alerts/ @elastic/kibana-alerting-services

.i18nrc.json

@@ -21,7 +21,7 @@
  "interpreter": "src/legacy/core_plugins/interpreter",
  "kbn": "src/legacy/core_plugins/kibana",
  "kbnDocViews": "src/legacy/core_plugins/kbn_doc_views",
- "kbnVislibVisTypes": "src/legacy/core_plugins/kbn_vislib_vis_types",
+ "kbnVislibVisTypes": "src/legacy/core_plugins/vis_type_vislib",
  "management": ["src/legacy/core_plugins/management", "src/plugins/management"],
  "kibana_react": "src/legacy/core_plugins/kibana_react",
  "kibana-react": "src/plugins/kibana_react",

.sass-lint.yml

@@ -2,7 +2,7 @@ files:
  include:
  - 'src/legacy/core_plugins/metrics/**/*.s+(a|c)ss'
  - 'src/legacy/core_plugins/timelion/**/*.s+(a|c)ss'
- - 'src/legacy/ui/public/vislib/**/*.s+(a|c)ss'
+ - 'src/legacy/core_plugins/vis_type_vislib/**/*.s+(a|c)ss'
  - 'x-pack/legacy/plugins/rollup/**/*.s+(a|c)ss'
  - 'x-pack/legacy/plugins/security/**/*.s+(a|c)ss'
  - 'x-pack/legacy/plugins/canvas/**/*.s+(a|c)ss'

docs/maps/maps-getting-started.asciidoc

@@ -68,30 +68,35 @@ and lighter shades symbolize countries with less traffic.
 . Click the *EMS Boundaries* data source.
 . From the *Layer* dropdown menu, select *World Countries*.
 . Click the *Add layer* button.
-. Set *Layer name* to `Total Requests by Country`.
-. Set *Layer transparency* to 0.5.
+. Set *Name* to `Total Requests by Country`.
+. Set *Opacity* to 50%.
+. Click *Add* under *Tooltip fields*.
+. In the popover, select *ISO 3166-1 alpha-2 code* and *name* and click *Add*.
 
 ===== Join the vector layer with the sample web log index
 
 You now have a vector layer containing the world countries.
 To symbolize countries by web traffic, you'll need to augment the world country features with the count of Elasticsearch weblog documents originating from each country.
-To do this, you'll create a <<terms-join, terms join>> to link the vector source *World Countries* to
+To do this, you'll create a <<terms-join, term join>> to link the vector source *World Countries* to
 the {es} index `kibana_sample_data_logs` on the shared key iso2 = geo.src.
 
 . Click plus image:maps/images/gs_plus_icon.png[] to the right of *Term Joins* label.
 . Click *Join --select--*
 . Set *Left field* to *ISO 3166-1 alpha-2 code*.
 . Set *Right source* to *kibana_sample_data_logs*.
 . Set *Right field* to *geo.src*.
+. Click *and use metric count*.
+. Set *Custom label* to *web logs count*.
 
 ===== Set the layer style
 
 All of the world countries are still a single color because the layer is using <<maps-vector-style-static, static styling>>.
 To shade the world countries based on which country is sending the most requests, you'll need to use <<maps-vector-style-data-driven, data driven styling>>.
 
-. Click image:maps/images/gs_link_icon.png[] to the right of *Fill color*.
+. Under *Fill color*, change the selected value from *Solid* to *By value*.
+. In the field select input, select *web logs count*.
 . Select the grey color ramp.
-. In the field select input, select *count of kibana_sample_data_logs:geo.src*.
+. Under *Border color*, change the selected color to *white*.
 . Click *Save & close*.
 +
 Your map now looks like this:
@@ -119,9 +124,11 @@ The layer is only visible when users zoom in the map past zoom level 9.
 . Click the *Documents* data source.
 . Set *Index pattern* to *kibana_sample_data_logs*.
 . Click the *Add layer* button.
-. Set *Layer name* to `Actual Requests`.
-. Set *Zoom range for layer visibility* to the range [9, 24].
-. Set *Layer transparency* to 1.
+. Set *Name* to `Actual Requests`.
+. Set *Visibilty* to the range [9, 24].
+. Set *Opacity* to 100%.
+. Click *Add* under *Tooltip fields*.
+. In the popover, select *clientip*, *timestamp*, *host*, *request*, *response*, *machine.os*, *agent*, and *bytes* and click *Add*.
 . Set *Fill color* to *#2200ff*.
 . Click *Save & close*.
 +
@@ -152,28 +159,28 @@ image::maps/images/grid_metrics_both.png[]
 . Set *Index pattern* to *kibana_sample_data_logs*.
 . Set *Show as* to *points*.
 . Click the *Add layer* button.
-. Set *Layer name* to `Total Requests and Bytes`.
-. Set *Zoom range for layer visibility* to the range [0, 9].
-. Set *Layer transparency* to 1.
+. Set *Name* to `Total Requests and Bytes`.
+. Set *Visibility* to the range [0, 9].
+. Set *Opacity* to 100%.
 
 ===== Configure the aggregation metrics
 
-. Click plus image:maps/images/gs_plus_icon.png[] to the right of *Metrics* label.
+. Click *Add metric* under of *Metrics* label.
 . Select *Sum* in the aggregation select.
 . Select *bytes* in the field select.
 
 ===== Set the layer style
 
 . In *Layer style*, change *Symbol size*:
- .. Set *Min size* to 1.
+ .. Set *Min size* to 7.
  .. Set *Max size* to 25.
- .. In the field select, select *sum of bytes*.
+ .. Change the field select from *count* to *sum of bytes*.
 . Click *Save & close* button.
 +
 Your map now looks like this between zoom levels 0 and 9:
 +
 [role="screenshot"]
-image::maps/images/gs_add_es_layer.png[]
+image::maps/images/sample_data_web_logs.png[]
 
 [role="xpack"]
 [[maps-save]]

docs/user/security/securing-communications/elasticsearch-mutual-tls.asciidoc

@@ -0,0 +1,120 @@
+[role="xpack"]
+[[elasticsearch-mutual-tls]]
+=== Mutual TLS authentication between {kib} and {es}
+++++
+<titleabbrev>Mutual TLS with {es}</titleabbrev>
+++++
+
+In a standard Transport Layer Security (TLS/SSL) configuration, the server presents a signed certificate to authenticate itself to the
+client. In a mutual TLS configuration, the client also presents a signed certificate to authenticate itself to the server.
+
+When {security} is enabled on your cluster, each request that {kib} makes to {es} must be authenticated. Most requests made through {kib} to
+{es} are authenticated by using the credentials of the logged-in user. There are, however, a few internal requests that the {kib} server
+needs to make to the {es} cluster. For this reason, you must configure credentials for the {kib} server to use for those requests.
+
+If {kib} has `elasticsearch.username` and `elasticsearch.password` configured, it will attempt to use these to authenticate to {es} via the
+{ref}/native-realm.html[Native realm]. However, {kib} also supports mutual TLS authentication with {es} via a {ref}/pki-realm.html[Public
+Key Infrastructure (PKI) realm]. To do so, {es} needs to verify the signature on the {kib} client certificate, and it also needs to map the
+certificate's distinguished name (DN) to the appropriate `kibana_system` role.
+
+NOTE: Using a PKI realm is a gold feature. For a comparison of the Elastic license levels, see https://www.elastic.co/subscriptions[the
+subscription page].
+
+To configure {kib} and {es} to use mutual TLS authentication:
+
+. <<using-kibana-with-security,Set up {kib} to work with {security}>> with a username and password.
+
+. <<configuring-tls-kib-es,Set up TLS encryption between {kib} and {es}>>. At a minimum, this requires a server certificate for {es}.
+
+. Create a client certificate and private key for {kib} to use when connecting to {es}.
++ 
+--
+NOTE: This is not the same as the <<configuring-tls-browser-kib,server certificate>> that {kib} will present to web browsers.
+
+You may choose to generate a certificate and private key using {ref}/certutil.html[the {es} certutil tool]. At this point, you will have
+already set up a certificate authority (CA) to sign the {es} server certificate. You may choose to use the same CA to sign the {kib} client
+certificate. You would do this like so:
+
+[source,sh]
+--------------------------------------------------------------------------------
+bin/elasticsearch-certutil cert -ca elastic-stack-ca.p12 -name kibana-client
+--------------------------------------------------------------------------------
+
+This will generate a certificate and private key in a PKCS #12 keystore named `kibana-client.p12`. The certificate has a Common Name (CN) of
+"kibana-client".
+
+You will also need to use the CA certificate when setting up the PKI realm in {es}. While you could use the CA keystore in the above example
+for this purpose, it is bad practice to expose the CA's private key in such a manner. Instead, you can extract the CA certificate (without
+its private key) like so:
+
+[source,sh]
+--------------------------------------------------------------------------------
+openssl pkcs12 -in kibana-client.p12 -cacerts -nokeys -out ca.crt
+--------------------------------------------------------------------------------
+--
+
+. Configure a PKI realm and a Native realm in your {es} cluster:
++
+--
+By default, {es} provides a Native realm. However, to support both a PKI realm (for {kib}) and a Native realm (for end users), you must
+configure each realm in `elasticsearch.yml`:
+
+[source,yaml]
+--------------------------------------------------------------------------------
+xpack.security.authc.realms.pki.realm1.order: 1
+xpack.security.authc.realms.pki.realm1.certificate_authorities: "/path/to/ca.crt"
+xpack.security.authc.realms.native.realm2.order: 2
+--------------------------------------------------------------------------------
+
+--
+
+. Configure your {es} cluster to request client certificates:
++
+--
+By default, {es} will not request a client certificate when establishing a TLS connection. To change this, you must set up optional client
+certificate authentication in `elasticsearch.yml`:
+
+[source,yaml]
+--------------------------------------------------------------------------------
+xpack.security.http.ssl.client_authentication: "optional"
+--------------------------------------------------------------------------------
+--
+
+. Restart your {es} cluster.
+
+. Use {kib} to create a <<role-mappings,role mapping>> for your new client certificate:
++
+--
+This role mapping will assign the `kibana_system` role to any user that matches the included mapping rule, which is set to equal the client
+certificate's DN attribute:
+
+[role="screenshot"]
+image:user/security/images/mutual-tls-role-mapping.png["Role mapping for the {kib} client certificate"]
+--
+
+. Configure {kib} to use the client certificate:
++
+--
+Assuming you used the {es} certutil tool to generate a certificate and private key in a PKCS #12 keystore, add the following values to
+`kibana.yml`:
+
+[source,yaml]
+--------------------------------------------------------------------------------
+elasticsearch.ssl.keystore.path: "/path/to/kibana-client.p12"
+elasticsearch.ssl.keystore.password: "decryption password"
+--------------------------------------------------------------------------------
+
+The decryption password should match what you entered when prompted by the {es} certutil tool.
+
+You must also remove the `elasticsearch.username` and `elasticsearch.password` values from the configuration file. Otherwise, {kib} will
+attempt to use those to authenticate via the Native realm.
+
+TIP: Alternatively, {kib} also supports using a client certificate and private key in PEM format with the `elasticsearch.ssl.certificate`
+and `elasticsearch.ssl.key` settings. For more information, see <<settings,{kib} configuration settings>>.
+--
+
+. Restart {kib}.
+
+NOTE: The steps above enable {kib} to authenticate to {es} using a certificate. However, end users will only be able to authenticate to
+{kib} with a username and password. To allow end users to authenticate to {kib} using certificates, see <<pki-authentication,{kib} PKI
+authentication>>.

docs/user/security/securing-kibana.asciidoc

@@ -88,6 +88,8 @@ xpack.security.session.lifespan: "8h"
 
 . Optional: <<configuring-tls,Configure {kib} to encrypt communications>>. 
 
+. Optional: <<elasticsearch-mutual-tls,Configure {kib} to authenticate to {es} with a client certificate>>.
+
 . Restart {kib}.
 
 . [[kibana-roles]]Choose an authentication mechanism and grant users the privileges they need to
@@ -141,4 +143,5 @@ NOTE: This must be a user who has been assigned <<kibana-privileges, Kibana priv
 
 include::authentication/index.asciidoc[]
 include::securing-communications/index.asciidoc[]
+include::securing-communications/elasticsearch-mutual-tls.asciidoc[]
 include::audit-logging.asciidoc[]

examples/README.md

@@ -5,4 +5,3 @@ This folder contains example plugins. To run the plugins in this folder, use th
 ```
 yarn start --run-examples
 ```
-

examples/bfetch_explorer/kibana.json

@@ -0,0 +1,10 @@
+{
+ "id": "bfetchExplorer",
+ "version": "0.0.1",
+ "kibanaVersion": "kibana",
+ "configPath": ["bfetch_explorer"],
+ "server": true,
+ "ui": true,
+ "requiredPlugins": ["bfetch"],
+ "optionalPlugins": []
+}

examples/bfetch_explorer/package.json

@@ -0,0 +1,17 @@
+{
+ "name": "bfetch_explorer",
+ "version": "1.0.0",
+ "main": "target/examples/bfetch_explorer",
+ "kibana": {
+ "version": "kibana",
+ "templateVersion": "1.0.0"
+ },
+ "license": "Apache-2.0",
+ "scripts": {
+ "kbn": "node ../../scripts/kbn.js",
+ "build": "rm -rf './target' && tsc"
+ },
+ "devDependencies": {
+ "typescript": "3.7.2"
+ }
+}