Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use "critical" deprecation level for elasticsearch.username: elastic configuration #122704

Closed
jportner opened this issue Jan 11, 2022 · 1 comment · Fixed by #122717
Closed

Use "critical" deprecation level for elasticsearch.username: elastic configuration #122704

jportner opened this issue Jan 11, 2022 · 1 comment · Fixed by #122717
Labels
chore Feature:Upgrade Assistant impact:needs-assessment Product and/or Engineering needs to evaluate the impact of the change. loe:small Small Level of Effort Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@jportner
Copy link
Contributor

jportner commented Jan 11, 2022
edited
Loading

In #51101, we outlined our intent to prevent Kibana from authenticating to Elasticsearch using the elastic superuser in production. (We already prevent this in dev mode)

At first we'd hoped to make that breaking change in the 8.0 release, but we decided to defer it along with several other planned breaking changes.

Now, elastic/elasticsearch#81400 will change the superuser role to remove write access to system indices. That will implicitly prevent Kibana from using the elastic superuser to authenticate to Elasticsearch, since Kibana needs to be able to write to system indices.

In #115241, we made a change to treat this as a "warning" deprecation level in the Upgrade Assistant. We need to instead treat it as a "critical" deprecation level in the 7.17 release, because this configuration will no longer work starting in 8.0.
@jportner jportner added chore Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Feature:Upgrade Assistant labels Jan 11, 2022
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security (Team:Security)

This was referenced Jan 11, 2022
Closed
Merged
@jportner jportner linked a pull request Jan 11, 2022 that will close this issue
[7.17] Change elasticsearch.username: elastic deprecation level to critical #122717
Merged
@exalate-issue-sync exalate-issue-sync bot added impact:needs-assessment Product and/or Engineering needs to evaluate the impact of the change. loe:small Small Level of Effort labels Jan 12, 2022
@jportner jportner mentioned this issue Feb 4, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
chore Feature:Upgrade Assistant impact:needs-assessment Product and/or Engineering needs to evaluate the impact of the change. loe:small Small Level of Effort Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[7.17] Change elasticsearch.username: elastic deprecation level to critical jportner/kibana
2 participants
@jportner @elasticmachine