Update Kibana to stop exposing directory listings

[dlapiduz]

In order to stop exposing directory listings we should update kibana to 4.3.5.

Acceptance Criteria:

• https://logs.fr.cloud.gov/bundles/node_modules/ returns 404

Implementation Idea:

• Upload new blob for 4.3.5
• Change https://github.com/18F/logsearch-for-cloudfoundry/blob/master/packages/kibana-for-cf/packaging to reflect that

[jmcarp]

@dlapiduz: looks like kibana 4.3.5 isn't a thing. Should we use the latest version under the current minor version (4.3.3)? The version used by upstream logsearch-for-cloudfoundry (4.4.2)? Or the latest under the current major version (4.5.3)?

[dlapiduz]

@jmcarp sorry, yeah I meant 4.5.3

[mogul]

Merged but not yet built and deployed.

[jmcarp]

Turns out that the upgraded kibana also requires a newer version of elastic. We could try updating to a newer version of logsearch-boshrelease, but we're pretty far behind now, so that could be scary (although it needs to happen eventually). Also, upgrading didn't appear to stop kibana from serving node_modules. Which version of kibana fixed that issue @dlapiduz?

[jmcarp]

Hilarious: the fix on kibana that I'm guessing @dlapiduz was looking for didn't actually make it into 4.x--looks like it's slated for 5.x, and not included in any stable releases: elastic/kibana#6764.

In the meantime, we need to either roll back the kibana upgrade or start on #131.

[mogul]

@jmcarp will ask for a 4.x that includes the two-line fix upstream.

[jmcarp]

Sorry this hasn't made progress. This will be resolved in the kibana 5.x release, and it sounds like we don't need to do anything about it in the meantime. I'm going to close this, but @mogul please reopen if I'm misunderstanding.

[mogul]

I'm reopening, but applying the label blocked so it's clear we can't progress this until another thing happens (eg the Kibana 5.x release).

[mogul]

(I also moved it back to the Backlog just to emphasize that other things have to take priority.)

[mogul]

Just an update... There's an RC for Kibana 5 now: https://github.com/elastic/kibana/releases/tag/v5.0.0-rc1

[jmcarp]

By the way, for this change to reach us, it has to propagate through logsearch-boshrelease and logsearch-for-cloudfoundry, which likely means us or altoros spending time updating the cf auth kibana plugin, since the kibana plugin interface breaks from 4.x to 5.x. In other words, we're probably looking at more time after the release comes out, and the timing might not be under our control unless we want to fork things.

[mogul]

OK, well, one milestone reached: Kibana 5.00 is available as of six days ago

[brittag]

Might be worth checking in on those upstream projects since it's been a few weeks - not sure how to check for this myself.

[brittag]

I checked on this as part of our monthly update of our POAM, and for my own future reference, here are the two files that seem helpful to check for Kibana version status:

• https://github.com/cloudfoundry-community/logsearch-for-cloudfoundry/blob/master/packages/cf-kibana/spec - currently version 4.4.2
• https://github.com/cloudfoundry-community/logsearch-boshrelease/blob/develop/packages/kibana/spec - currently version 4.5.4