Commit

Merge in master
chrisronline committed Nov 27, 2019
2 parents 6dc6eb5 + 7830946 commit 04b017e
Showing 552 changed files with 9,081 additions and 7,800 deletions.
2 changes: 1 addition & 1 deletion .eslintignore
Expand Up @@ -8,6 +8,7 @@ bower_components
/plugins
/built_assets
/html_docs
/src/plugins/data/common/es_query/kuery/ast/_generated_/**
/src/fixtures/vislib/mock_data
/src/legacy/ui/public/angular-bootstrap
/src/legacy/ui/public/flot-charts
Expand All @@ -19,7 +20,6 @@ bower_components
/src/core/lib/kbn_internal_native_observable
/packages/*/target
/packages/eslint-config-kibana
/packages/kbn-es-query/src/kuery/ast/kuery.js
/packages/kbn-pm/dist
/packages/kbn-plugin-generator/sao_template/template
/packages/kbn-ui-framework/dist
1 change: 1 addition & 0 deletions .github/CODEOWNERS
Expand Up @@ -77,6 +77,7 @@
/src/dev/i18n @elastic/kibana-stack-services
/packages/kbn-analytics/ @elastic/kibana-stack-services
/src/legacy/core_plugins/ui_metric/ @elastic/kibana-stack-services
/src/plugins/usage_collection/ @elastic/kibana-stack-services
/x-pack/legacy/plugins/telemetry @elastic/kibana-stack-services
/x-pack/legacy/plugins/alerting @elastic/kibana-stack-services
/x-pack/legacy/plugins/actions @elastic/kibana-stack-services
1 change: 0 additions & 1 deletion .i18nrc.json
Expand Up @@ -16,7 +16,6 @@
"interpreter": "src/legacy/core_plugins/interpreter",
"kbn": "src/legacy/core_plugins/kibana",
"kbnDocViews": "src/legacy/core_plugins/kbn_doc_views",
"kbnESQuery": "packages/kbn-es-query",
"kbnVislibVisTypes": "src/legacy/core_plugins/kbn_vislib_vis_types",
"kibana_react": "src/legacy/core_plugins/kibana_react",
"kibana-react": "src/plugins/kibana_react",
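Review bot: The `kbnESQuery` mapping is removed without a replacement for wherever the `packages/kbn-es-query` sources now live; the `.eslintignore` hunk in this same commit points at `src/plugins/data/common/es_query`, so any i18n messages that moved with that code need their prefix registered here or the i18n check will report them as unmapped.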
4 changes: 3 additions & 1 deletion docs/api/role-management/put.asciidoc
Expand Up @@ -26,7 +26,9 @@ To use the create or update role API, you must have the `manage_security` cluste
(Optional, object) In the `metadata` object, keys that begin with `_` are reserved for system usage.

`elasticsearch`::
(Optional, object) {es} cluster and index privileges. Valid keys include `cluster`, `indices`, and `run_as`. For more information, see {xpack-ref}/defining-roles.html[Defining Roles].
(Optional, object) {es} cluster and index privileges. Valid keys include
`cluster`, `indices`, and `run_as`. For more information, see
{ref}/defining-roles.html[Defining roles].

`kibana`::
(list) Objects that specify the <<kibana-privileges, Kibana privileges>> for the role:
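Review bot: The link base changes from `{xpack-ref}` to `{ref}` and the anchor text to sentence case; since the same `{xpack-ref}` to `{ref}` substitution is applied across several docs in this commit, confirm that `defining-roles.html` and the other targets resolve under the `{ref}` base so the docs build's link check does not fail.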
9 changes: 8 additions & 1 deletion docs/developer/security/rbac.asciidoc
@@ -1,7 +1,14 @@
[[development-security-rbac]]
=== Role-based access control

Role-based access control (RBAC) in {kib} relies upon the {xpack-ref}/security-privileges.html#application-privileges[application privileges] that Elasticsearch exposes. This allows {kib} to define the privileges that {kib} wishes to grant to users, assign them to the relevant users using roles, and then authorize the user to perform a specific action. This is handled within a secured instance of the `SavedObjectsClient` and available transparently to consumers when using `request.getSavedObjectsClient()` or `savedObjects.getScopedSavedObjectsClient()`.
Role-based access control (RBAC) in {kib} relies upon the
{ref}/security-privileges.html#application-privileges[application privileges]
that Elasticsearch exposes. This allows {kib} to define the privileges that
{kib} wishes to grant to users, assign them to the relevant users using roles,
and then authorize the user to perform a specific action. This is handled within
a secured instance of the `SavedObjectsClient` and available transparently to
consumers when using `request.getSavedObjectsClient()` or
`savedObjects.getScopedSavedObjectsClient()`.

[[development-rbac-privileges]]
==== {kib} Privileges
Expand Up @@ -9,5 +9,5 @@ Search for objects
<b>Signature:</b>

```typescript
find: <T extends SavedObjectAttributes>(options: Pick<SavedObjectFindOptionsServer, "search" | "filter" | "type" | "searchFields" | "defaultSearchOperator" | "hasReference" | "sortField" | "page" | "perPage" | "fields">) => Promise<SavedObjectsFindResponsePublic<T>>;
find: <T extends SavedObjectAttributes>(options: Pick<SavedObjectFindOptionsServer, "search" | "filter" | "type" | "fields" | "searchFields" | "defaultSearchOperator" | "hasReference" | "sortField" | "page" | "perPage">) => Promise<SavedObjectsFindResponsePublic<T>>;
```
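Review bot: The only difference between the two `find` signatures is where `"fields"` sits inside the `Pick<…>` key union; union member order has no type-level effect, so this is regenerated-documentation churn from a reordering in the source type and carries no behavioural change.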
Expand Up @@ -20,7 +20,7 @@ export declare class SavedObjectsClient
| [bulkGet](./kibana-plugin-public.savedobjectsclient.bulkget.md) | | <code>(objects?: {</code><br/><code> id: string;</code><br/><code> type: string;</code><br/><code> }[]) =&gt; Promise&lt;SavedObjectsBatchResponse&lt;SavedObjectAttributes&gt;&gt;</code> | Returns an array of objects by id |
| [create](./kibana-plugin-public.savedobjectsclient.create.md) | | <code>&lt;T extends SavedObjectAttributes&gt;(type: string, attributes: T, options?: SavedObjectsCreateOptions) =&gt; Promise&lt;SimpleSavedObject&lt;T&gt;&gt;</code> | Persists an object |
| [delete](./kibana-plugin-public.savedobjectsclient.delete.md) | | <code>(type: string, id: string) =&gt; Promise&lt;{}&gt;</code> | Deletes an object |
| [find](./kibana-plugin-public.savedobjectsclient.find.md) | | <code>&lt;T extends SavedObjectAttributes&gt;(options: Pick&lt;SavedObjectFindOptionsServer, &quot;search&quot; &#124; &quot;filter&quot; &#124; &quot;type&quot; &#124; &quot;searchFields&quot; &#124; &quot;defaultSearchOperator&quot; &#124; &quot;hasReference&quot; &#124; &quot;sortField&quot; &#124; &quot;page&quot; &#124; &quot;perPage&quot; &#124; &quot;fields&quot;&gt;) =&gt; Promise&lt;SavedObjectsFindResponsePublic&lt;T&gt;&gt;</code> | Search for objects |
| [find](./kibana-plugin-public.savedobjectsclient.find.md) | | <code>&lt;T extends SavedObjectAttributes&gt;(options: Pick&lt;SavedObjectFindOptionsServer, &quot;search&quot; &#124; &quot;filter&quot; &#124; &quot;type&quot; &#124; &quot;fields&quot; &#124; &quot;searchFields&quot; &#124; &quot;defaultSearchOperator&quot; &#124; &quot;hasReference&quot; &#124; &quot;sortField&quot; &#124; &quot;page&quot; &#124; &quot;perPage&quot;&gt;) =&gt; Promise&lt;SavedObjectsFindResponsePublic&lt;T&gt;&gt;</code> | Search for objects |
| [get](./kibana-plugin-public.savedobjectsclient.get.md) | | <code>&lt;T extends SavedObjectAttributes&gt;(type: string, id: string) =&gt; Promise&lt;SimpleSavedObject&lt;T&gt;&gt;</code> | Fetches a single object |

## Methods
1 change: 1 addition & 0 deletions docs/development/core/server/kibana-plugin-server.md
Expand Up @@ -115,6 +115,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
| [SavedObjectsResolveImportErrorsOptions](./kibana-plugin-server.savedobjectsresolveimporterrorsoptions.md) | Options to control the "resolve import" operation. |
| [SavedObjectsUpdateOptions](./kibana-plugin-server.savedobjectsupdateoptions.md) | |
| [SavedObjectsUpdateResponse](./kibana-plugin-server.savedobjectsupdateresponse.md) | |
| [SessionCookieValidationResult](./kibana-plugin-server.sessioncookievalidationresult.md) | Return type from a function to validate cookie contents. |
| [SessionStorage](./kibana-plugin-server.sessionstorage.md) | Provides an interface to store and retrieve data across requests. |
| [SessionStorageCookieOptions](./kibana-plugin-server.sessionstoragecookieoptions.md) | Configuration used to create HTTP session storage based on top of cookie mechanism. |
| [SessionStorageFactory](./kibana-plugin-server.sessionstoragefactory.md) | SessionStorage factory to bind one to an incoming request |
@@ -0,0 +1,13 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [SessionCookieValidationResult](./kibana-plugin-server.sessioncookievalidationresult.md) &gt; [isValid](./kibana-plugin-server.sessioncookievalidationresult.isvalid.md)

## SessionCookieValidationResult.isValid property

Whether the cookie is valid or not.

<b>Signature:</b>

```typescript
isValid: boolean;
```
@@ -0,0 +1,21 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [SessionCookieValidationResult](./kibana-plugin-server.sessioncookievalidationresult.md)

## SessionCookieValidationResult interface

Return type from a function to validate cookie contents.

<b>Signature:</b>

```typescript
export interface SessionCookieValidationResult
```

## Properties

| Property | Type | Description |
| --- | --- | --- |
| [isValid](./kibana-plugin-server.sessioncookievalidationresult.isvalid.md) | <code>boolean</code> | Whether the cookie is valid or not. |
| [path](./kibana-plugin-server.sessioncookievalidationresult.path.md) | <code>string</code> | The "Path" attribute of the cookie; if the cookie is invalid, this is used to clear it. |

@@ -0,0 +1,13 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [SessionCookieValidationResult](./kibana-plugin-server.sessioncookievalidationresult.md) &gt; [path](./kibana-plugin-server.sessioncookievalidationresult.path.md)

## SessionCookieValidationResult.path property

The "Path" attribute of the cookie; if the cookie is invalid, this is used to clear it.

<b>Signature:</b>

```typescript
path?: string;
```
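Review bot: `path` is optional, yet the description says it "is used to clear" an invalid cookie without stating what happens when `isValid` is `false` and `path` is omitted; document the fallback (for example the cookie's configured path) so implementers know whether an invalid cookie is actually cleared from the browser.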
Expand Up @@ -4,7 +4,7 @@

## SessionStorageCookieOptions.encryptionKey property

A key used to encrypt a cookie value. Should be at least 32 characters long.
A key used to encrypt a cookie's value. Should be at least 32 characters long.

<b>Signature:</b>

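Review bot: "Should be at least 32 characters long" reads as advice rather than a requirement; since this key protects every session cookie, the description should say whether the server rejects a shorter key at startup or silently accepts it, so operators know the consequence of a weak value.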
Expand Up @@ -16,8 +16,8 @@ export interface SessionStorageCookieOptions<T>

| Property | Type | Description |
| --- | --- | --- |
| [encryptionKey](./kibana-plugin-server.sessionstoragecookieoptions.encryptionkey.md) | <code>string</code> | A key used to encrypt a cookie value. Should be at least 32 characters long. |
| [encryptionKey](./kibana-plugin-server.sessionstoragecookieoptions.encryptionkey.md) | <code>string</code> | A key used to encrypt a cookie's value. Should be at least 32 characters long. |
| [isSecure](./kibana-plugin-server.sessionstoragecookieoptions.issecure.md) | <code>boolean</code> | Flag indicating whether the cookie should be sent only via a secure connection. |
| [name](./kibana-plugin-server.sessionstoragecookieoptions.name.md) | <code>string</code> | Name of the session cookie. |
| [validate](./kibana-plugin-server.sessionstoragecookieoptions.validate.md) | <code>(sessionValue: T) =&gt; boolean &#124; Promise&lt;boolean&gt;</code> | Function called to validate a cookie content. |
| [validate](./kibana-plugin-server.sessionstoragecookieoptions.validate.md) | <code>(sessionValue: T &#124; T[]) =&gt; SessionCookieValidationResult</code> | Function called to validate a cookie's decrypted value. |

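Review bot: The `validate` parameter becomes `T | T[]`, but the description only says "a cookie's decrypted value"; it should explain when an array is passed (presumably more than one cookie with the session name on the request) and what the validator is expected to return in that case.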
Expand Up @@ -4,10 +4,10 @@

## SessionStorageCookieOptions.validate property

Function called to validate a cookie content.
Function called to validate a cookie's decrypted value.

<b>Signature:</b>

```typescript
validate: (sessionValue: T) => boolean | Promise<boolean>;
validate: (sessionValue: T | T[]) => SessionCookieValidationResult;
```
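Review bot: The new return type drops the `Promise<boolean>` variant, so `validate` is now synchronous only; plugins whose validator awaited a lookup will no longer type-check, and this breaking change should be called out in the description rather than left implicit in the signature.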
2 changes: 1 addition & 1 deletion docs/getting-started/tutorial-full-experience.asciidoc
Expand Up @@ -91,7 +91,7 @@ and whether it's _tokenized_, or broken up into separate words.

NOTE: If security is enabled, you must have the `all` Kibana privilege to run this tutorial.
You must also have the `create`, `manage` `read`, `write,` and `delete`
index privileges. See {xpack-ref}/security-privileges.html[Security Privileges]
index privileges. See {ref}/security-privileges.html[Security privileges]
for more information.

In Kibana *Dev Tools > Console*, set up a mapping for the Shakespeare data set:
4 changes: 2 additions & 2 deletions docs/getting-started/tutorial-sample-data.asciidoc
Expand Up @@ -12,8 +12,8 @@ with Kibana sample data and learn to:


NOTE: If security is enabled, you must have `read`, `write`, and `manage` privileges
on the `kibana_sample_data_*` indices. See {xpack-ref}/security-privileges.html[Security Privileges]
for more information.
on the `kibana_sample_data_*` indices. See
{ref}/security-privileges.html[Security privileges] for more information.


[float]
2 changes: 1 addition & 1 deletion docs/management/managing-indices.asciidoc
Expand Up @@ -22,7 +22,7 @@ If security is enabled,
you must have the `monitor` cluster privilege and the `view_index_metadata`
and `manage` index privileges to view the data.
For index templates, you must have the `manage_index_templates` cluster privilege.
See {xpack-ref}/security-privileges.html[Security Privileges] for more
See {ref}/security-privileges.html[Security privileges] for more
information.

Before using this feature, you should be familiar with index management
4 changes: 2 additions & 2 deletions docs/setup/install.asciidoc
Expand Up @@ -54,8 +54,8 @@ Formulae are available from the Elastic Homebrew tap for installing {kib} on mac
<<brew>>

IMPORTANT: If your Elasticsearch installation is protected by
{xpack-ref}/elasticsearch-security.html[{security}] see
{kibana-ref}/using-kibana-with-security.html[Configuring Security in Kibana] for
{ref}/elasticsearch-security.html[{security}] see
{kibana-ref}/using-kibana-with-security.html[Configuring security in Kibana] for
additional setup instructions.

include::install/targz.asciidoc[]
25 changes: 13 additions & 12 deletions docs/user/security/authentication/index.asciidoc
Expand Up @@ -14,16 +14,17 @@
- <<oidc>>

[[basic-authentication]]
==== Basic Authentication
==== Basic authentication

Basic authentication requires a username and password to successfully log in to {kib}. It is enabled by default and based on the Native security realm provided by {es}. The basic authentication provider uses a Kibana provided login form, and supports authentication using the `Authorization` request header's `Basic` scheme.

The session cookies that are issued by the basic authentication provider are stateless. Therefore, logging out of Kibana when using the basic authentication provider clears the session cookies from the browser but does not invalidate the session cookie for reuse.

For more information about basic authentication and built-in users, see {xpack-ref}/setting-up-authentication.html[Setting Up User Authentication].
For more information about basic authentication and built-in users, see
{ref}/setting-up-authentication.html[User authentication].

[[token-authentication]]
==== Token Authentication
==== Token authentication

Token authentication allows users to login using the same Kibana provided login form as basic authentication. The token authentication provider is built on {es}'s token APIs. The bearer tokens returned by {es}'s {ref}/security-api-get-token.html[get token API] can be used directly with Kibana using the `Authorization` request header with the `Bearer` scheme.

Expand All @@ -46,7 +47,7 @@ xpack.security.authc.providers: [token, basic]
--------------------------------------------------------------------------------

[[pki-authentication]]
==== Public Key Infrastructure (PKI) Authentication
==== Public key infrastructure (PKI) authentication

[IMPORTANT]
============================================================================
Expand Down Expand Up @@ -76,9 +77,9 @@ xpack.security.authc.providers: [pki, basic]
Note that with `server.ssl.clientAuthentication` set to `required`, users are asked to provide a valid client certificate, even if they want to authenticate with username and password. Depending on the security policies, it may or may not be desired. If not, `server.ssl.clientAuthentication` can be set to `optional`. In this case, {kib} still requests a client certificate, but the client won't be required to present one. The `optional` client authentication mode might also be needed in other cases, for example, when PKI authentication is used in conjunction with Reporting.

[[saml]]
==== SAML Single Sign-On
==== SAML single sign-on

SAML authentication allows users to log in to {kib} with an external Identity Provider, such as Okta or Auth0. Make sure that SAML is enabled and configured in {es} before setting it up in {kib}. See {xpack-ref}/saml-guide.html[Configuring SAML Single-Sign-On on the Elastic Stack].
SAML authentication allows users to log in to {kib} with an external Identity Provider, such as Okta or Auth0. Make sure that SAML is enabled and configured in {es} before setting it up in {kib}. See {ref}/saml-guide.html[Configuring SAML single sign-on on the Elastic Stack].

Set the configuration values in `kibana.yml` as follows:

Expand Down Expand Up @@ -106,7 +107,7 @@ server.xsrf.whitelist: [/api/security/saml/callback]
Users will be able to log in to {kib} via SAML Single Sign-On by navigating directly to the {kib} URL. Users who aren't authenticated are redirected to the Identity Provider for login. Most Identity Providers maintain a long-lived session—users who logged in to a different application using the same Identity Provider in the same browser are automatically authenticated. An exception is if {es} or the Identity Provider is configured to force user to re-authenticate. This login scenario is called _Service Provider initiated login_.

[float]
===== SAML and Basic Authentication
===== SAML and basic authentication

SAML support in {kib} is designed to be the primary (or sole) authentication method for users of that {kib} instance. However, you can configure both SAML and Basic authentication for the same {kib} instance:

Expand Down Expand Up @@ -135,7 +136,7 @@ xpack.security.authc.saml.maxRedirectURLSize: 1kb
--------------------------------------------------------------------------------

[[oidc]]
==== OpenID Connect Single Sign-On
==== OpenID Connect single sign-on

Similar to SAML, authentication with OpenID Connect allows users to log in to {kib} using an OpenID Connect Provider such as Google, or Okta. OpenID Connect
should also be configured in {es}. For more details, see {ref}/oidc-guide.html[Configuring single sign-on to the {stack} using OpenID Connect].
Expand Down Expand Up @@ -166,7 +167,7 @@ server.xsrf.whitelist: [/api/security/v1/oidc]
--------------------------------------------------------------------------------

[float]
===== OpenID Connect and Basic Authentication
===== OpenID Connect and basic authentication

Similar to SAML, OpenID Connect support in {kib} is designed to be the primary (or sole) authentication method for users
of that {kib} instance. However, you can configure both OpenID Connect and Basic authentication for the same {kib} instance:
Expand All @@ -179,12 +180,12 @@ xpack.security.authc.providers: [oidc, basic]
Users will be able to access the login page and use Basic authentication by navigating to the `/login` URL.

[float]
==== Single Sign-On provider details
==== Single sign-on provider details

The following sections apply both to <<saml>> and <<oidc>>

[float]
===== Access and Refresh Tokens
===== Access and refresh tokens

Once the user logs in to {kib} Single Sign-On, either using SAML or OpenID Connect, {es} issues access and refresh tokens
that {kib} encrypts and stores them in its own session cookie. This way, the user isn't redirected to the Identity Provider
Expand All @@ -202,7 +203,7 @@ If {kib} can't redirect the user to the external authentication provider (for ex
indicates that both access and refresh tokens are expired. Reloading the current {kib} page fixes the error.

[float]
===== Local and Global Logout
===== Local and global logout

During logout, both the {kib} session cookie and access/refresh token pair are invalidated. Even if the cookie has been
leaked, it can't be re-used after logout. This is known as "local" logout.