Merge master.

.ci/Jenkinsfile_flaky

@@ -35,7 +35,7 @@ kibanaPipeline(timeoutMinutes: 180) {
             if (!IS_XPACK) {
               kibanaPipeline.buildOss()
               if (CI_GROUP == '1') {
-                runbld("./test/scripts/jenkins_build_kbn_tp_sample_panel_action.sh", "Build kbn tp sample panel action for ciGroup1")
+                runbld("./test/scripts/jenkins_build_kbn_sample_panel_action.sh", "Build kbn tp sample panel action for ciGroup1")
               }
             } else {
               kibanaPipeline.buildXpack()

.github/CODEOWNERS

@@ -177,17 +177,23 @@
 # Elasticsearch UI
 /src/plugins/console/  @elastic/es-ui
 /src/plugins/es_ui_shared/  @elastic/es-ui
-/x-pack/plugins/console_extensions/  @elastic/es-ui
 /x-pack/legacy/plugins/cross_cluster_replication/  @elastic/es-ui
 /x-pack/legacy/plugins/index_lifecycle_management/  @elastic/es-ui
 /x-pack/legacy/plugins/index_management/  @elastic/es-ui
 /x-pack/legacy/plugins/license_management/  @elastic/es-ui
-/x-pack/plugins/remote_clusters/  @elastic/es-ui
 /x-pack/legacy/plugins/rollup/  @elastic/es-ui
-/x-pack/plugins/searchprofiler/  @elastic/es-ui
-/x-pack/plugins/painless_lab/  @elastic/es-ui
 /x-pack/legacy/plugins/snapshot_restore/  @elastic/es-ui
 /x-pack/legacy/plugins/upgrade_assistant/  @elastic/es-ui
+/x-pack/plugins/console_extensions/  @elastic/es-ui
+/x-pack/plugins/es_ui_shared/  @elastic/es-ui
+/x-pack/plugins/grokdebugger/  @elastic/es-ui
+/x-pack/plugins/index_management/  @elastic/es-ui
+/x-pack/plugins/license_management/  @elastic/es-ui
+/x-pack/plugins/painless_lab/  @elastic/es-ui
+/x-pack/plugins/remote_clusters/  @elastic/es-ui
+/x-pack/plugins/rollup/  @elastic/es-ui
+/x-pack/plugins/searchprofiler/  @elastic/es-ui
+/x-pack/plugins/snapshot_restore/  @elastic/es-ui
 /x-pack/plugins/upgrade_assistant/  @elastic/es-ui
 /x-pack/plugins/watcher/  @elastic/es-ui
 

docs/migration/migrate_8_0.asciidoc

@@ -61,24 +61,53 @@ for example, `logstash-*`.
 *Impact:* Use `xpack.security.authc.providers` instead.
 
 [float]
-==== `xpack.security.authc.saml.realm` is now mandatory when using the SAML authentication provider
-*Details:* Previously Kibana was choosing the appropriate Elasticsearch SAML realm automatically using the `Assertion Consumer Service`
-URL that it derived from the actual server address. Starting in 8.0.0, the Elasticsearch SAML realm name that Kibana will use should be
-specified explicitly.
+==== `xpack.security.authc.providers` has changed value format
+*Details:* `xpack.security.authc.providers` setting in the `kibana.yml` has changed value format.
 
-*Impact:* Always define `xpack.security.authc.saml.realm` when using the SAML authentication provider.
+*Impact:* Array of provider types as a value is no longer supported, use extended object format instead.
+
+[float]
+==== `xpack.security.authc.saml` is no longer valid
+*Details:* The deprecated `xpack.security.authc.saml` setting in the `kibana.yml` file has been removed.
+
+*Impact:* Configure SAML authentication providers using `xpack.security.authc.providers.saml.{provider unique name}.*` settings instead.
+
+[float]
+==== `xpack.security.authc.oidc` is no longer valid
+*Details:* The deprecated `xpack.security.authc.oidc` setting in the `kibana.yml` file has been removed.
+
+*Impact:* Configure OpenID Connect authentication providers using `xpack.security.authc.providers.oidc.{provider unique name}.*` settings instead.
 
 [float]
 ==== `xpack.security.public` is no longer valid
-*Details:* The deprecated `xpack.security.public` setting in the `kibana.yml` file has been removed.
+*Details:* Previously Kibana was choosing the appropriate Elasticsearch SAML realm automatically using the `Assertion Consumer Service`
+URL that it derived from the actual server address and `xpack.security.public` setting. Starting in 8.0.0, the deprecated `xpack.security.public` setting in the `kibana.yml` file has been removed and the Elasticsearch SAML realm name that Kibana will use should be specified explicitly.
 
-*Impact:* Define `xpack.security.authc.saml.realm` when using the SAML authentication provider instead.
+*Impact:* Define `xpack.security.authc.providers.saml.{provider unique name}.realm` when using the SAML authentication providers instead.
 
 [float]
 ==== `/api/security/v1/saml` endpoint is no longer supported
 *Details:* The deprecated `/api/security/v1/saml` endpoint is no longer supported.
 
-*Impact:* Rely on `/api/security/saml/callback` endpoint when using SAML instead. This change should be reflected in Kibana `server.xsrf.whitelist` config as well as in Elasticsearch and Identity Provider SAML settings.
+*Impact:* Rely on `/api/security/saml/callback` endpoint when using SAML instead. This change should be reflected in Elasticsearch and Identity Provider SAML settings.
+
+[float]
+==== `/api/security/v1/oidc` endpoint is no longer supported
+*Details:* The deprecated `/api/security/v1/oidc` endpoint is no longer supported.
+
+*Impact:* Rely on `/api/security/oidc/callback` endpoint when using OpenID Connect instead. This change should be reflected in Elasticsearch and OpenID Connect Provider settings.
+
+[float]
+==== `/api/security/v1/oidc` endpoint is no longer supported for Third Party initiated login
+*Details:* The deprecated `/api/security/v1/oidc` endpoint is no longer supported for Third Party initiated login.
+
+*Impact:* Rely on `/api/security/oidc/initiate_login` endpoint when using Third Party initiated OpenID Connect login instead. This change should be reflected in Elasticsearch and OpenID Connect Provider settings.
+
+[float]
+==== `/api/security/v1/oidc/implicit` endpoint is no longer supported
+*Details:* The deprecated `/api/security/v1/oidc/implicit` endpoint is no longer supported.
+
+*Impact:* Rely on `/api/security/oidc/implicit` endpoint when using OpenID Connect Implicit Flow instead. This change should be reflected in OpenID Connect Provider settings.
 
 [float]
 === `optimize` directory is now in the `data` folder

docs/setup/settings.asciidoc

@@ -410,9 +410,7 @@ all http requests to https over the port configured as `server.port`.
 supported protocols with versions. Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`
 
 `server.xsrf.whitelist:`:: It is not recommended to disable protections for
-arbitrary API endpoints. Instead, supply the `kbn-xsrf` header. There are some
-scenarios where whitelisting is required, however, such as
-<<kibana-authentication, SAML and OpenID Connect Single Sign-On setups>>.
+arbitrary API endpoints. Instead, supply the `kbn-xsrf` header.
 The `server.xsrf.whitelist` setting requires the following format:
 
 [source,text]