Update security deprecation messages (#115241)

src/core/server/elasticsearch/elasticsearch_config.test.ts

@@ -322,7 +322,7 @@ describe('deprecations', () => {
     const { messages } = applyElasticsearchDeprecations({ username: 'elastic' });
     expect(messages).toMatchInlineSnapshot(`
       Array [
-        "Setting [${CONFIG_PATH}.username] to \\"elastic\\" is deprecated. You should use the \\"kibana_system\\" user instead.",
+        "Kibana is configured to authenticate to Elasticsearch with the \\"elastic\\" user. Use a service account token instead.",
       ]
     `);
   });
@@ -331,7 +331,7 @@ describe('deprecations', () => {
     const { messages } = applyElasticsearchDeprecations({ username: 'kibana' });
     expect(messages).toMatchInlineSnapshot(`
       Array [
-        "Setting [${CONFIG_PATH}.username] to \\"kibana\\" is deprecated. You should use the \\"kibana_system\\" user instead.",
+        "Kibana is configured to authenticate to Elasticsearch with the \\"kibana\\" user. Use a service account token instead.",
       ]
     `);
   });
@@ -350,7 +350,7 @@ describe('deprecations', () => {
     const { messages } = applyElasticsearchDeprecations({ ssl: { key: '' } });
     expect(messages).toMatchInlineSnapshot(`
       Array [
-        "Setting [${CONFIG_PATH}.ssl.key] without [${CONFIG_PATH}.ssl.certificate] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.",
+        "Use both \\"elasticsearch.ssl.key\\" and \\"elasticsearch.ssl.certificate\\" to enable Kibana to use Mutual TLS authentication with Elasticsearch.",
       ]
     `);
   });
@@ -359,7 +359,7 @@ describe('deprecations', () => {
     const { messages } = applyElasticsearchDeprecations({ ssl: { certificate: '' } });
     expect(messages).toMatchInlineSnapshot(`
       Array [
-        "Setting [${CONFIG_PATH}.ssl.certificate] without [${CONFIG_PATH}.ssl.key] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.",
+        "Use both \\"elasticsearch.ssl.certificate\\" and \\"elasticsearch.ssl.key\\" to enable Kibana to use Mutual TLS authentication with Elasticsearch.",
       ]
     `);
   });

src/core/server/elasticsearch/elasticsearch_config.ts

@@ -8,6 +8,7 @@
 
 import { schema, TypeOf } from '@kbn/config-schema';
 import { readPkcs12Keystore, readPkcs12Truststore } from '@kbn/crypto';
+import { i18n } from '@kbn/i18n';
 import { Duration } from 'moment';
 import { readFileSync } from 'fs';
 import { ConfigDeprecationProvider } from 'src/core/server';
@@ -171,49 +172,82 @@ export const configSchema = schema.object({
 });
 
 const deprecations: ConfigDeprecationProvider = () => [
-  (settings, fromPath, addDeprecation) => {
+  (settings, fromPath, addDeprecation, { branch }) => {
     const es = settings[fromPath];
     if (!es) {
       return;
     }
-    if (es.username === 'elastic') {
-      addDeprecation({
-        configPath: `${fromPath}.username`,
-        message: `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana_system" user instead.`,
-        correctiveActions: {
-          manualSteps: [`Replace [${fromPath}.username] from "elastic" to "kibana_system".`],
-        },
-      });
-    } else if (es.username === 'kibana') {
+
+    if (es.username === 'elastic' || es.username === 'kibana') {
+      const username = es.username;
       addDeprecation({
         configPath: `${fromPath}.username`,
-        message: `Setting [${fromPath}.username] to "kibana" is deprecated. You should use the "kibana_system" user instead.`,
-        correctiveActions: {
-          manualSteps: [`Replace [${fromPath}.username] from "kibana" to "kibana_system".`],
-        },
-      });
-    }
-    if (es.ssl?.key !== undefined && es.ssl?.certificate === undefined) {
-      addDeprecation({
-        configPath: `${fromPath}.ssl.key`,
-        message: `Setting [${fromPath}.ssl.key] without [${fromPath}.ssl.certificate] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.`,
+        title: i18n.translate('core.deprecations.elasticsearchUsername.title', {
+          defaultMessage: 'Using "elasticsearch.username: {username}" is deprecated',
+          values: { username },
+        }),
+        message: i18n.translate('core.deprecations.elasticsearchUsername.message', {
+          defaultMessage:
+            'Kibana is configured to authenticate to Elasticsearch with the "{username}" user. Use a service account token instead.',
+          values: { username },
+        }),
+        level: 'warning',
+        documentationUrl: `https://www.elastic.co/guide/en/elasticsearch/reference/${branch}/service-accounts.html`,
         correctiveActions: {
           manualSteps: [
-            `Set [${fromPath}.ssl.certificate] in your kibana configs to enable TLS client authentication to Elasticsearch.`,
+            i18n.translate('core.deprecations.elasticsearchUsername.manualSteps1', {
+              defaultMessage:
+                'Use the elasticsearch-service-tokens CLI tool to create a new service account token for the "elastic/kibana" service account.',
+            }),
+            i18n.translate('core.deprecations.elasticsearchUsername.manualSteps2', {
+              defaultMessage: 'Add the "elasticsearch.serviceAccountToken" setting to kibana.yml.',
+            }),
+            i18n.translate('core.deprecations.elasticsearchUsername.manualSteps3', {
+              defaultMessage:
+                'Remove "elasticsearch.username" and "elasticsearch.password" from kibana.yml.',
+            }),
           ],
         },
       });
-    } else if (es.ssl?.certificate !== undefined && es.ssl?.key === undefined) {
+    }
+
+    const addSslDeprecation = (existingSetting: string, missingSetting: string) => {
       addDeprecation({
-        configPath: `${fromPath}.ssl.certificate`,
-        message: `Setting [${fromPath}.ssl.certificate] without [${fromPath}.ssl.key] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.`,
+        configPath: existingSetting,
+        title: i18n.translate('core.deprecations.elasticsearchSSL.title', {
+          defaultMessage: 'Using "{existingSetting}" without "{missingSetting}" has no effect',
+          values: { existingSetting, missingSetting },
+        }),
+        message: i18n.translate('core.deprecations.elasticsearchSSL.message', {
+          defaultMessage:
+            'Use both "{existingSetting}" and "{missingSetting}" to enable Kibana to use Mutual TLS authentication with Elasticsearch.',
+          values: { existingSetting, missingSetting },
+        }),
+        level: 'warning',
+        documentationUrl: `https://www.elastic.co/guide/en/kibana/${branch}/elasticsearch-mutual-tls.html`,
         correctiveActions: {
           manualSteps: [
-            `Set [${fromPath}.ssl.key] in your kibana configs to enable TLS client authentication to Elasticsearch.`,
+            i18n.translate('core.deprecations.elasticsearchSSL.manualSteps1', {
+              defaultMessage: 'Add the "{missingSetting}" setting to kibana.yml.',
+              values: { missingSetting },
+            }),
+            i18n.translate('core.deprecations.elasticsearchSSL.manualSteps2', {
+              defaultMessage:
+                'Alternatively, if you don\'t want to use Mutual TLS authentication, remove "{existingSetting}" from kibana.yml.',
+              values: { existingSetting },
+            }),
           ],
         },
       });
-    } else if (es.logQueries === true) {
+    };
+
+    if (es.ssl?.key !== undefined && es.ssl?.certificate === undefined) {
+      addSslDeprecation(`${fromPath}.ssl.key`, `${fromPath}.ssl.certificate`);
+    } else if (es.ssl?.certificate !== undefined && es.ssl?.key === undefined) {
+      addSslDeprecation(`${fromPath}.ssl.certificate`, `${fromPath}.ssl.key`);
+    }
+
+    if (es.logQueries === true) {
       addDeprecation({
         configPath: `${fromPath}.logQueries`,
         message: `Setting [${fromPath}.logQueries] is deprecated and no longer used. You should set the log level to "debug" for the "elasticsearch.queries" context in "logging.loggers".`,

x-pack/plugins/monitoring/server/deprecations.test.js

@@ -67,64 +67,6 @@ describe('monitoring plugin deprecations', function () {
     });
   });
 
-  describe('elasticsearch.username', function () {
-    it('logs a warning if elasticsearch.username is set to "elastic"', () => {
-      const settings = { elasticsearch: { username: 'elastic' } };
-
-      const addDeprecation = jest.fn();
-      transformDeprecations(settings, fromPath, addDeprecation);
-      expect(addDeprecation).toHaveBeenCalled();
-    });
-
-    it('logs a warning if elasticsearch.username is set to "kibana"', () => {
-      const settings = { elasticsearch: { username: 'kibana' } };
-
-      const addDeprecation = jest.fn();
-      transformDeprecations(settings, fromPath, addDeprecation);
-      expect(addDeprecation).toHaveBeenCalled();
-    });
-
-    it('does not log a warning if elasticsearch.username is set to something besides "elastic" or "kibana"', () => {
-      const settings = { elasticsearch: { username: 'otheruser' } };
-
-      const addDeprecation = jest.fn();
-      transformDeprecations(settings, fromPath, addDeprecation);
-      expect(addDeprecation).not.toHaveBeenCalled();
-    });
-
-    it('does not log a warning if elasticsearch.username is unset', () => {
-      const settings = { elasticsearch: { username: undefined } };
-
-      const addDeprecation = jest.fn();
-      transformDeprecations(settings, fromPath, addDeprecation);
-      expect(addDeprecation).not.toHaveBeenCalled();
-    });
-
-    it('logs a warning if ssl.key is set and ssl.certificate is not', () => {
-      const settings = { elasticsearch: { ssl: { key: '' } } };
-
-      const addDeprecation = jest.fn();
-      transformDeprecations(settings, fromPath, addDeprecation);
-      expect(addDeprecation).toHaveBeenCalled();
-    });
-
-    it('logs a warning if ssl.certificate is set and ssl.key is not', () => {
-      const settings = { elasticsearch: { ssl: { certificate: '' } } };
-
-      const addDeprecation = jest.fn();
-      transformDeprecations(settings, fromPath, addDeprecation);
-      expect(addDeprecation).toHaveBeenCalled();
-    });
-
-    it('does not log a warning if both ssl.key and ssl.certificate are set', () => {
-      const settings = { elasticsearch: { ssl: { key: '', certificate: '' } } };
-
-      const addDeprecation = jest.fn();
-      transformDeprecations(settings, fromPath, addDeprecation);
-      expect(addDeprecation).not.toHaveBeenCalled();
-    });
-  });
-
   describe('xpack_api_polling_frequency_millis', () => {
     it('should call rename for this renamed config key', () => {
       const settings = { xpack_api_polling_frequency_millis: 30000 };

x-pack/plugins/monitoring/server/deprecations.ts

@@ -59,56 +59,13 @@ export const deprecations = ({
       }
       return config;
     },
-    (config, fromPath, addDeprecation) => {
-      const es: Record<string, any> = get(config, 'elasticsearch');
-      if (es) {
-        if (es.username === 'elastic') {
-          addDeprecation({
-            configPath: 'elasticsearch.username',
-            message: `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana_system" user instead.`,
-            correctiveActions: {
-              manualSteps: [`Replace [${fromPath}.username] from "elastic" to "kibana_system".`],
-            },
-          });
-        } else if (es.username === 'kibana') {
-          addDeprecation({
-            configPath: 'elasticsearch.username',
-            message: `Setting [${fromPath}.username] to "kibana" is deprecated. You should use the "kibana_system" user instead.`,
-            correctiveActions: {
-              manualSteps: [`Replace [${fromPath}.username] from "kibana" to "kibana_system".`],
-            },
-          });
-        }
-      }
-      return config;
-    },
-    (config, fromPath, addDeprecation) => {
-      const ssl: Record<string, any> = get(config, 'elasticsearch.ssl');
-      if (ssl) {
-        if (ssl.key !== undefined && ssl.certificate === undefined) {
-          addDeprecation({
-            configPath: 'elasticsearch.ssl.key',
-            message: `Setting [${fromPath}.key] without [${fromPath}.certificate] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.`,
-            correctiveActions: {
-              manualSteps: [
-                `Set [${fromPath}.ssl.certificate] in your kibana configs to enable TLS client authentication to Elasticsearch.`,
-              ],
-            },
-          });
-        } else if (ssl.certificate !== undefined && ssl.key === undefined) {
-          addDeprecation({
-            configPath: 'elasticsearch.ssl.certificate',
-            message: `Setting [${fromPath}.certificate] without [${fromPath}.key] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.`,
-            correctiveActions: {
-              manualSteps: [
-                `Set [${fromPath}.ssl.key] in your kibana configs to enable TLS client authentication to Elasticsearch.`,
-              ],
-            },
-          });
-        }
-      }
-      return config;
-    },
     rename('xpack_api_polling_frequency_millis', 'licensing.api_polling_frequency'),
+
+    // TODO: Add deprecations for "monitoring.ui.elasticsearch.username: elastic" and "monitoring.ui.elasticsearch.username: kibana".
+    // TODO: Add deprecations for using "monitoring.ui.elasticsearch.ssl.certificate" without "monitoring.ui.elasticsearch.ssl.key", and
+    // vice versa.
+    // ^ These deprecations should only be shown if they are explicitly configured for monitoring -- we should not show Monitoring
+    // deprecations for these settings if they are inherited from the Core elasticsearch settings.
+    // See the Core implementation: src/core/server/elasticsearch/elasticsearch_config.ts
   ];
 };

x-pack/plugins/security/server/config_deprecations.test.ts

@@ -312,7 +312,7 @@ describe('Config Deprecations', () => {
     const { messages, configPaths } = applyConfigDeprecations(cloneDeep(config));
     expect(messages).toMatchInlineSnapshot(`
       Array [
-        "\\"xpack.security.authc.providers.saml.<provider-name>.maxRedirectURLSize\\" is no longer used.",
+        "This setting is no longer used.",
       ]
     `);
 
@@ -333,7 +333,7 @@ describe('Config Deprecations', () => {
     expect(migrated).toEqual(config);
     expect(messages).toMatchInlineSnapshot(`
       Array [
-        "\\"xpack.security.authc.providers\\" accepts an extended \\"object\\" format instead of an array of provider types.",
+        "Use the new object format instead of an array of provider types.",
       ]
     `);
   });
@@ -352,8 +352,8 @@ describe('Config Deprecations', () => {
     expect(migrated).toEqual(config);
     expect(messages).toMatchInlineSnapshot(`
       Array [
-        "\\"xpack.security.authc.providers\\" accepts an extended \\"object\\" format instead of an array of provider types.",
-        "Enabling both \\"basic\\" and \\"token\\" authentication providers in \\"xpack.security.authc.providers\\" is deprecated. Login page will only use \\"token\\" provider.",
+        "Use the new object format instead of an array of provider types.",
+        "Use only one of these providers. When both providers are set, Kibana only uses the \\"token\\" provider.",
       ]
     `);
   });