* [csp] reject legacy browsers by default
The csp.strict config is now enabled by default, so legacy browsers like
IE11 will not be able to access Kibana unless the deployment has
explicitly enabled it.
* docs: csp.strict breaking change
* configurable global socket timeouts
* update snapshots
* update tests
* add test
* add test
* add test
* happy path
* test happy path
* docs
* stop server after
* csp: warn legacy browsers that do not support CSP
The new csp.warnLegacyBrowsers configuration is enabled by default, and
it shows a warning message to any legacy browser when they access Kibana
to indicate that they are not enforcing the basic security protections
of the current install.
The protections check is the same as csp.strict, so this feature is
designed to be used as an alternative to aid in BWC. When csp.strict is
enabled, warnLegacyBrowsers is effectively ignored.
* fix ChromeService tests
* more test fixes
* csp injectvars in legacy test bundle
* update warning text and make it translatable
* no need to warn in legacy browser unit tests
* tests for chrome legacy browser warning
* document legacy browser warning breaking change
* update csp warning toast message
* add period, remove dev code
A content security policy is a great addition to the protections built
into Kibana, but it's not effective in older browsers (like IE11) that
do not enforce the policy.
When CSP strict mode is enabled, right before the Kibana app is
bootstrapped, a basic safety check is performed to see if "naked" inline
scripts are rejected. If inline scripting is allowed by the browser,
then an error message is presented to the user and Kibana never attempts
to bootstrap.
* csp: nonce and unsafe-eval for scripts
To kick things off, a rudimentary CSP implementation only allows
dynamically loading new JavaScript if it includes an associated nonce
that is generated on every load of the app.
A more sophisticated content security policy is necessary, particularly
one that bans eval for scripts, but one step at a time.
* img-src is not necessary if the goal is not to restrict
* configurable CSP owned by security team
* smoke test
* remove x-content-security-policy
* document csp.rules
* fix tsconfig for test
* switch integration test back to regular js
* stop looking for tsconfig in test
* grrr, linting errors not caught by precommit
* docs: people -> you for consistency sake
Co-Authored-By: epixa <court@epixa.com>
* Disabling TLSv1 from being enabled by default
* Adding breaking change docs
* Update docs/migration/migrate_7_0.asciidoc
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Using the schema defaults
* Fixing type definitions
* Adjusting logic for no supported protocols
* Adding minSize: 1 to the supported protocols
* Adding option to always present the certificate when connecting to ES
* Updating docs
* Adding some more tests
* Adding alwaysPresentCertificate option to monitoring
* [config] logging.useUTC -> logging.timezone
* docs
* [env] exit if starting as root
* fix import path
* add link and timezone example
* Revert "[env] exit if starting as root"
This reverts commit f6e9090833a5180fe360a9ff54543c37c0ca3a58.
* Add clarification for server.ssl.supportedProtocols setting
Added clarification that the setting has to be an array. With the current wording you can assume that you can just add it as a simple string.
* Update settings.asciidoc
* Update settings.asciidoc
extra dot
* Update config schema to allow map.tilemap & map.regionmap
* Inject map.regionmap & map.tilemap. Fall back to top-level config declarations if needed
* Warn user on use of legacy map config vals
* Don't create default map objects for deprecated entries. Add notes indicating top-level objects are deprecated
* Update map references in docs
* Shuffle map configurations in docs to be grouped together
* add logQueries to docs
* remove extra space
* logQuerie => logQueries
* better working
* use code font for logging.verbose and true, remove x-pack in front of monitoring
It is not very useful to have:
* shardTimeout disabled if requestTimeout is enabled (means infinite es overruns)
* shardTimeout > requestTimeout if both enabled (means finite es overruns)
* shardTimeout < requestTimeout if both enabled (means partial results from es?)
The only option that really makes sense is to have shardTimeout === requestTimeout, so that's what I've done here.
* [server/rewriteBasePath] add option to enable basePath rewriting
* [server/rewriteBasePath/docs] end sentences with periods
* [server/rewriteBasePath] simplify Joi schema a smidge
* [server/rewriteBasePath] rename test file to match source
* [server/rewriteBasePath] initialize server in before/after hooks
* [server/rewriteBasePath] rephrase deprecation warning
* [server/config/schema] verify that non-strings are not accepted for basePath
* [server/config/schema] toss a trailing comma in there
* Remove tribe node support
Tribe node is being removed from Elasticsearch since it has been
superseded by Cross-Cluster-Search.
* console: remove unnecessary isEnabled
The default behavior for the plugin is to be disabled when its `enabled`
configuration is set to false, so this custom isEnabled function is not
necessary any longer.
* [docs] uniform colons
* [docs] Add more text about elasticsearch.ssl settings
* [docs] Add more text about elasticsearch.ssl.verificationMode setting
* [docs] spelling error
* [docs] clarify wording
* Region map settings clarifications (#14893)
Improve documentation.
This also includes some additions to clarify the new includeElasticMapsService setting.
It also fully qualify all names
* enable turning on/off of warnings
* add tooltip
* add server setting so users can opt out of connecting to the EMS service
* replace WMS options with custom directive, so we can reuse it in region maps
* add wms settings form to Region Map
* no need to recreate map after leaflet upgrade
* add WMS map to region map
* linting issues
* fix rebase
* improve wording
* add global config
* fix typo
