From 6792bdfc6d5d921822da7b85dfde9e668c0af7bb Mon Sep 17 00:00:00 2001 From: Joe Portner <5295965+jportner@users.noreply.github.com> Date: Mon, 18 Oct 2021 11:34:13 -0400 Subject: [PATCH] Update security deprecation messages (#115241) --- .../elasticsearch_config.test.ts | 8 +- .../elasticsearch/elasticsearch_config.ts | 86 +++++++++++++------ .../monitoring/server/deprecations.test.js | 58 ------------- .../plugins/monitoring/server/deprecations.ts | 57 ++---------- .../server/config_deprecations.test.ts | 8 +- .../security/server/config_deprecations.ts | 75 +++++++++------- 6 files changed, 117 insertions(+), 175 deletions(-) diff --git a/src/core/server/elasticsearch/elasticsearch_config.test.ts b/src/core/server/elasticsearch/elasticsearch_config.test.ts index 1d3b70348bec19..855ec75995be77 100644 --- a/src/core/server/elasticsearch/elasticsearch_config.test.ts +++ b/src/core/server/elasticsearch/elasticsearch_config.test.ts @@ -322,7 +322,7 @@ describe('deprecations', () => { const { messages } = applyElasticsearchDeprecations({ username: 'elastic' }); expect(messages).toMatchInlineSnapshot(` Array [ - "Setting [${CONFIG_PATH}.username] to \\"elastic\\" is deprecated. You should use the \\"kibana_system\\" user instead.", + "Kibana is configured to authenticate to Elasticsearch with the \\"elastic\\" user. Use a service account token instead.", ] `); }); @@ -331,7 +331,7 @@ describe('deprecations', () => { const { messages } = applyElasticsearchDeprecations({ username: 'kibana' }); expect(messages).toMatchInlineSnapshot(` Array [ - "Setting [${CONFIG_PATH}.username] to \\"kibana\\" is deprecated. You should use the \\"kibana_system\\" user instead.", + "Kibana is configured to authenticate to Elasticsearch with the \\"kibana\\" user. Use a service account token instead.", ] `); }); 
@@ -350,7 +350,7 @@ describe('deprecations', () => { const { messages } = applyElasticsearchDeprecations({ ssl: { key: '' } }); expect(messages).toMatchInlineSnapshot(` Array [ - "Setting [${CONFIG_PATH}.ssl.key] without [${CONFIG_PATH}.ssl.certificate] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.", + "Use both \\"elasticsearch.ssl.key\\" and \\"elasticsearch.ssl.certificate\\" to enable Kibana to use Mutual TLS authentication with Elasticsearch.", ] `); }); @@ -359,7 +359,7 @@ describe('deprecations', () => { const { messages } = applyElasticsearchDeprecations({ ssl: { certificate: '' } }); expect(messages).toMatchInlineSnapshot(` Array [ - "Setting [${CONFIG_PATH}.ssl.certificate] without [${CONFIG_PATH}.ssl.key] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.", + "Use both \\"elasticsearch.ssl.certificate\\" and \\"elasticsearch.ssl.key\\" to enable Kibana to use Mutual TLS authentication with Elasticsearch.", ] `); }); diff --git a/src/core/server/elasticsearch/elasticsearch_config.ts b/src/core/server/elasticsearch/elasticsearch_config.ts index f130504e3293af..298144ca95a02d 100644 --- a/src/core/server/elasticsearch/elasticsearch_config.ts +++ b/src/core/server/elasticsearch/elasticsearch_config.ts @@ -8,6 +8,7 @@ import { schema, TypeOf } from '@kbn/config-schema'; import { readPkcs12Keystore, readPkcs12Truststore } from '@kbn/crypto'; +import { i18n } from '@kbn/i18n'; import { Duration } from 'moment'; import { readFileSync } from 'fs'; import { ConfigDeprecationProvider } from 'src/core/server'; 
@@ -171,49 +172,82 @@ export const configSchema = schema.object({ }); const deprecations: ConfigDeprecationProvider = () => [ - (settings, fromPath, addDeprecation) => { + (settings, fromPath, addDeprecation, { branch }) => { const es = settings[fromPath]; if (!es) { return; } - if (es.username === 'elastic') { - addDeprecation({ - configPath: `${fromPath}.username`, - message: `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana_system" user instead.`, - correctiveActions: { - manualSteps: [`Replace [${fromPath}.username] from "elastic" to "kibana_system".`], - }, - }); - } else if (es.username === 'kibana') { + + if (es.username === 'elastic' || es.username === 'kibana') { + const username = es.username; addDeprecation({ configPath: `${fromPath}.username`, - message: `Setting [${fromPath}.username] to "kibana" is deprecated. You should use the "kibana_system" user instead.`, - correctiveActions: { - manualSteps: [`Replace [${fromPath}.username] from "kibana" to "kibana_system".`], - }, - }); - } - if (es.ssl?.key !== undefined && es.ssl?.certificate === undefined) { - addDeprecation({ - configPath: `${fromPath}.ssl.key`, - message: `Setting [${fromPath}.ssl.key] without [${fromPath}.ssl.certificate] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.`, + title: i18n.translate('core.deprecations.elasticsearchUsername.title', { + defaultMessage: 'Using "elasticsearch.username: {username}" is deprecated', + values: { username }, + }), + message: i18n.translate('core.deprecations.elasticsearchUsername.message', { + defaultMessage: + 'Kibana is configured to authenticate to Elasticsearch with the "{username}" user. 
Use a service account token instead.', + values: { username }, + }), + level: 'warning', + documentationUrl: `https://www.elastic.co/guide/en/elasticsearch/reference/${branch}/service-accounts.html`, correctiveActions: { manualSteps: [ - `Set [${fromPath}.ssl.certificate] in your kibana configs to enable TLS client authentication to Elasticsearch.`, + i18n.translate('core.deprecations.elasticsearchUsername.manualSteps1', { + defaultMessage: + 'Use the elasticsearch-service-tokens CLI tool to create a new service account token for the "elastic/kibana" service account.', + }), + i18n.translate('core.deprecations.elasticsearchUsername.manualSteps2', { + defaultMessage: 'Add the "elasticsearch.serviceAccountToken" setting to kibana.yml.', + }), + i18n.translate('core.deprecations.elasticsearchUsername.manualSteps3', { + defaultMessage: + 'Remove "elasticsearch.username" and "elasticsearch.password" from kibana.yml.', + }), ], }, }); - } else if (es.ssl?.certificate !== undefined && es.ssl?.key === undefined) { + } + + const addSslDeprecation = (existingSetting: string, missingSetting: string) => { addDeprecation({ - configPath: `${fromPath}.ssl.certificate`, - message: `Setting [${fromPath}.ssl.certificate] without [${fromPath}.ssl.key] is deprecated. 
This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.`, + configPath: existingSetting, + title: i18n.translate('core.deprecations.elasticsearchSSL.title', { + defaultMessage: 'Using "{existingSetting}" without "{missingSetting}" has no effect', + values: { existingSetting, missingSetting }, + }), + message: i18n.translate('core.deprecations.elasticsearchSSL.message', { + defaultMessage: + 'Use both "{existingSetting}" and "{missingSetting}" to enable Kibana to use Mutual TLS authentication with Elasticsearch.', + values: { existingSetting, missingSetting }, + }), + level: 'warning', + documentationUrl: `https://www.elastic.co/guide/en/kibana/${branch}/elasticsearch-mutual-tls.html`, correctiveActions: { manualSteps: [ - `Set [${fromPath}.ssl.key] in your kibana configs to enable TLS client authentication to Elasticsearch.`, + i18n.translate('core.deprecations.elasticsearchSSL.manualSteps1', { + defaultMessage: 'Add the "{missingSetting}" setting to kibana.yml.', + values: { missingSetting }, + }), + i18n.translate('core.deprecations.elasticsearchSSL.manualSteps2', { + defaultMessage: + 'Alternatively, if you don\'t want to use Mutual TLS authentication, remove "{existingSetting}" from kibana.yml.', + values: { existingSetting }, + }), ], }, }); - } else if (es.logQueries === true) { + }; + + if (es.ssl?.key !== undefined && es.ssl?.certificate === undefined) { + addSslDeprecation(`${fromPath}.ssl.key`, `${fromPath}.ssl.certificate`); + } else if (es.ssl?.certificate !== undefined && es.ssl?.key === undefined) { + addSslDeprecation(`${fromPath}.ssl.certificate`, `${fromPath}.ssl.key`); + } + + if (es.logQueries === true) { addDeprecation({ configPath: `${fromPath}.logQueries`, message: `Setting [${fromPath}.logQueries] is deprecated and no longer used. You should set the log level to "debug" for the "elasticsearch.queries" context in "logging.loggers".`, 
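Review bot: The second manual step of the username deprecation tells operators to put the service account token in kibana.yml, which leaves a bearer credential in a plaintext config file; the step should also offer the keystore, e.g. `defaultMessage: 'Add the "elasticsearch.serviceAccountToken" setting to kibana.yml or to the Kibana keystore.'`. The third step has the mirror-image gap: it only mentions removing "elasticsearch.username" and "elasticsearch.password" from kibana.yml, so a password stored in the keystore would presumably be left behind. These strings also hard-code the `elasticsearch.` prefix while `configPath` is built from `fromPath`, which stays consistent only as long as the provider is registered under that path. The provider callback continues past the end of this hunk (the `logQueries` branch).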
diff --git a/x-pack/plugins/monitoring/server/deprecations.test.js b/x-pack/plugins/monitoring/server/deprecations.test.js
index 4c12979e97804f..9216132fd61196 100644
--- a/x-pack/plugins/monitoring/server/deprecations.test.js
+++ b/x-pack/plugins/monitoring/server/deprecations.test.js
@@ -67,64 +67,6 @@ describe('monitoring plugin deprecations', function () { }); }); - describe('elasticsearch.username', function () { - it('logs a warning if elasticsearch.username is set to "elastic"', () => { - const settings = { elasticsearch: { username: 'elastic' } }; - - const addDeprecation = jest.fn(); - transformDeprecations(settings, fromPath, addDeprecation); - expect(addDeprecation).toHaveBeenCalled(); - }); - - it('logs a warning if elasticsearch.username is set to "kibana"', () => { - const settings = { elasticsearch: { username: 'kibana' } }; - - const addDeprecation = jest.fn(); - transformDeprecations(settings, fromPath, addDeprecation); - expect(addDeprecation).toHaveBeenCalled(); - }); - - it('does not log a warning if elasticsearch.username is set to something besides "elastic" or "kibana"', () => { - const settings = { elasticsearch: { username: 'otheruser' } }; - - const addDeprecation = jest.fn(); - transformDeprecations(settings, fromPath, addDeprecation); - expect(addDeprecation).not.toHaveBeenCalled(); - }); - - it('does not log a warning if elasticsearch.username is unset', () => { - const settings = { elasticsearch: { username: undefined } }; - - const addDeprecation = jest.fn(); - transformDeprecations(settings, fromPath, addDeprecation); - expect(addDeprecation).not.toHaveBeenCalled(); - }); - - it('logs a warning if ssl.key is set and ssl.certificate is not', () => { - const settings = { elasticsearch: { ssl: { key: '' } } }; - - const addDeprecation = jest.fn(); - transformDeprecations(settings, fromPath, addDeprecation); - expect(addDeprecation).toHaveBeenCalled(); - }); - - it('logs a warning if ssl.certificate is set and ssl.key is not', () => { - const settings = { elasticsearch: { ssl: { certificate: '' } } }; - - const addDeprecation = jest.fn(); - transformDeprecations(settings, fromPath, addDeprecation); - expect(addDeprecation).toHaveBeenCalled(); - }); - - it('does not log a warning if both ssl.key and ssl.certificate are 
set', () => { - const settings = { elasticsearch: { ssl: { key: '', certificate: '' } } }; - - const addDeprecation = jest.fn(); - transformDeprecations(settings, fromPath, addDeprecation); - expect(addDeprecation).not.toHaveBeenCalled(); - }); - }); - describe('xpack_api_polling_frequency_millis', () => { it('should call rename for this renamed config key', () => { const settings = { xpack_api_polling_frequency_millis: 30000 }; diff --git a/x-pack/plugins/monitoring/server/deprecations.ts b/x-pack/plugins/monitoring/server/deprecations.ts index 7c3d3e3baf58a0..42868e3fa25847 100644 --- a/x-pack/plugins/monitoring/server/deprecations.ts +++ b/x-pack/plugins/monitoring/server/deprecations.ts 
@@ -59,56 +59,13 @@ export const deprecations = ({ } return config; }, - (config, fromPath, addDeprecation) => { - const es: Record = get(config, 'elasticsearch'); - if (es) { - if (es.username === 'elastic') { - addDeprecation({ - configPath: 'elasticsearch.username', - message: `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana_system" user instead.`, - correctiveActions: { - manualSteps: [`Replace [${fromPath}.username] from "elastic" to "kibana_system".`], - }, - }); - } else if (es.username === 'kibana') { - addDeprecation({ - configPath: 'elasticsearch.username', - message: `Setting [${fromPath}.username] to "kibana" is deprecated. You should use the "kibana_system" user instead.`, - correctiveActions: { - manualSteps: [`Replace [${fromPath}.username] from "kibana" to "kibana_system".`], - }, - }); - } - } - return config; - }, - (config, fromPath, addDeprecation) => { - const ssl: Record = get(config, 'elasticsearch.ssl'); - if (ssl) { - if (ssl.key !== undefined && ssl.certificate === undefined) { - addDeprecation({ - configPath: 'elasticsearch.ssl.key', - message: `Setting [${fromPath}.key] without [${fromPath}.certificate] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.`, - correctiveActions: { - manualSteps: [ - `Set [${fromPath}.ssl.certificate] in your kibana configs to enable TLS client authentication to Elasticsearch.`, - ], - }, - }); - } else if (ssl.certificate !== undefined && ssl.key === undefined) { - addDeprecation({ - configPath: 'elasticsearch.ssl.certificate', - message: `Setting [${fromPath}.certificate] without [${fromPath}.key] is deprecated. 
This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.`, - correctiveActions: { - manualSteps: [ - `Set [${fromPath}.ssl.key] in your kibana configs to enable TLS client authentication to Elasticsearch.`, - ], - }, - }); - } - } - return config; - }, rename('xpack_api_polling_frequency_millis', 'licensing.api_polling_frequency'), + + // TODO: Add deprecations for "monitoring.ui.elasticsearch.username: elastic" and "monitoring.ui.elasticsearch.username: kibana". + // TODO: Add deprecations for using "monitoring.ui.elasticsearch.ssl.certificate" without "monitoring.ui.elasticsearch.ssl.key", and + // vice versa. + // ^ These deprecations should only be shown if they are explicitly configured for monitoring -- we should not show Monitoring + // deprecations for these settings if they are inherited from the Core elasticsearch settings. + // See the Core implementation: src/core/server/elasticsearch/elasticsearch_config.ts ]; }; diff --git a/x-pack/plugins/security/server/config_deprecations.test.ts b/x-pack/plugins/security/server/config_deprecations.test.ts index 808c0aeb85b12a..a629b6d73a682f 100644 --- a/x-pack/plugins/security/server/config_deprecations.test.ts +++ b/x-pack/plugins/security/server/config_deprecations.test.ts @@ -312,7 +312,7 @@ describe('Config Deprecations', () => { const { messages, configPaths } = applyConfigDeprecations(cloneDeep(config)); expect(messages).toMatchInlineSnapshot(` Array [ - "\\"xpack.security.authc.providers.saml..maxRedirectURLSize\\" is no longer used.", + "This setting is no longer used.", ] `); @@ -333,7 +333,7 @@ describe('Config Deprecations', () => { expect(migrated).toEqual(config); expect(messages).toMatchInlineSnapshot(` Array [ - "\\"xpack.security.authc.providers\\" accepts an extended \\"object\\" format instead of an array of provider types.", + "Use the new object format instead of an array of provider types.", ] `); }); 
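Review bot: The TODO comments added in x-pack/plugins/monitoring/server/deprecations.ts replace working checks, so after this change an explicit `monitoring.ui.elasticsearch.username: elastic` (or `kibana`), or an `ssl.key` without `ssl.certificate`, produces no deprecation at all until the follow-up lands. The TODO carries no issue reference, which makes that gap easy to lose; add one, e.g. `// TODO(<tracking-issue>): Add deprecations for "monitoring.ui.elasticsearch.username: elastic" ...`. The matching test cases are deleted from deprecations.test.js in the same commit, so nothing will fail if the TODO is forgotten.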
@@ -352,8 +352,8 @@ describe('Config Deprecations', () => { expect(migrated).toEqual(config); expect(messages).toMatchInlineSnapshot(` Array [ - "\\"xpack.security.authc.providers\\" accepts an extended \\"object\\" format instead of an array of provider types.", - "Enabling both \\"basic\\" and \\"token\\" authentication providers in \\"xpack.security.authc.providers\\" is deprecated. Login page will only use \\"token\\" provider.", + "Use the new object format instead of an array of provider types.", + "Use only one of these providers. When both providers are set, Kibana only uses the \\"token\\" provider.", ] `); }); diff --git a/x-pack/plugins/security/server/config_deprecations.ts b/x-pack/plugins/security/server/config_deprecations.ts index 46fbbcec5188ee..0c76840819b3d5 100644 --- a/x-pack/plugins/security/server/config_deprecations.ts +++ b/x-pack/plugins/security/server/config_deprecations.ts 
@@ -13,22 +13,23 @@ export const securityConfigDeprecationProvider: ConfigDeprecationProvider = ({ renameFromRoot, unused, }) => [ - rename('sessionTimeout', 'session.idleTimeout'), - rename('authProviders', 'authc.providers'), + rename('sessionTimeout', 'session.idleTimeout', { level: 'warning' }), + rename('authProviders', 'authc.providers', { level: 'warning' }), - rename('audit.appender.kind', 'audit.appender.type'), - rename('audit.appender.layout.kind', 'audit.appender.layout.type'), - rename('audit.appender.policy.kind', 'audit.appender.policy.type'), - rename('audit.appender.strategy.kind', 'audit.appender.strategy.type'), - rename('audit.appender.path', 'audit.appender.fileName'), + rename('audit.appender.kind', 'audit.appender.type', { level: 'warning' }), + rename('audit.appender.layout.kind', 'audit.appender.layout.type', { level: 'warning' }), + rename('audit.appender.policy.kind', 'audit.appender.policy.type', { level: 'warning' }), + rename('audit.appender.strategy.kind', 'audit.appender.strategy.type', { level: 'warning' }), + rename('audit.appender.path', 'audit.appender.fileName', { level: 'warning' }), renameFromRoot( 'security.showInsecureClusterWarning', - 'xpack.security.showInsecureClusterWarning' + 'xpack.security.showInsecureClusterWarning', + { level: 'warning' } ), - unused('authorization.legacyFallback.enabled'), - unused('authc.saml.maxRedirectURLSize'), + unused('authorization.legacyFallback.enabled', { level: 'warning' }), + unused('authc.saml.maxRedirectURLSize', { level: 'warning' }), // Deprecation warning for the legacy audit logger. (settings, fromPath, addDeprecation, { branch }) => { const auditLoggingEnabled = settings?.xpack?.security?.audit?.enabled ?? false; 
@@ -57,30 +58,33 @@ export const securityConfigDeprecationProvider: ConfigDeprecationProvider = ({ }, // Deprecation warning for the old array-based format of `xpack.security.authc.providers`. - (settings, fromPath, addDeprecation) => { + (settings, _fromPath, addDeprecation, { branch }) => { if (Array.isArray(settings?.xpack?.security?.authc?.providers)) { addDeprecation({ configPath: 'xpack.security.authc.providers', title: i18n.translate('xpack.security.deprecations.authcProvidersTitle', { - defaultMessage: - 'Defining "xpack.security.authc.providers" as an array of provider types is deprecated', + defaultMessage: 'The array format for "xpack.security.authc.providers" is deprecated', }), message: i18n.translate('xpack.security.deprecations.authcProvidersMessage', { - defaultMessage: - '"xpack.security.authc.providers" accepts an extended "object" format instead of an array of provider types.', + defaultMessage: 'Use the new object format instead of an array of provider types.', }), + level: 'warning', + documentationUrl: `https://www.elastic.co/guide/en/kibana/${branch}/security-settings-kb.html#authentication-security-settings`, correctiveActions: { manualSteps: [ - i18n.translate('xpack.security.deprecations.authcProviders.manualStepOneMessage', { + i18n.translate('xpack.security.deprecations.authcProviders.manualSteps1', { defaultMessage: - 'Use the extended object format for "xpack.security.authc.providers" in your Kibana configuration.', + 'Remove the "xpack.security.authc.providers" setting from kibana.yml.', + }), + i18n.translate('xpack.security.deprecations.authcProviders.manualSteps2', { + defaultMessage: 'Add your authentication providers using the new object format.', }), ], }, }); } }, - (settings, fromPath, addDeprecation) => { + (settings, _fromPath, addDeprecation, { branch }) => { const hasProviderType = (providerType: string) => { const providers = settings?.xpack?.security?.authc?.providers; if (Array.isArray(providers)) { 
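Review bot: The rewritten `message` strings no longer name the setting they are about: 'Use the new object format instead of an array of provider types.' here, and likewise 'Use only one of these providers. ...' and 'This setting is no longer used.' in the two hunks that follow. The updated snapshots in config_deprecations.test.ts show these messages on their own, so wherever a message is surfaced without its title or `configPath` (a server log line, presumably) an operator cannot tell which authentication setting is meant. Keeping the path in the text costs little, e.g. `defaultMessage: 'Use the new object format for "xpack.security.authc.providers" instead of an array of provider types.'`. The `hasProviderType` callback at the end of this hunk continues outside it.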
@@ -93,31 +97,35 @@ export const securityConfigDeprecationProvider: ConfigDeprecationProvider = ({ }; if (hasProviderType('basic') && hasProviderType('token')) { + const basicProvider = 'basic'; + const tokenProvider = 'token'; addDeprecation({ configPath: 'xpack.security.authc.providers', title: i18n.translate('xpack.security.deprecations.basicAndTokenProvidersTitle', { defaultMessage: - 'Both "basic" and "token" authentication providers are enabled in "xpack.security.authc.providers"', + 'Using both "{basicProvider}" and "{tokenProvider}" providers in "xpack.security.authc.providers" has no effect', + values: { basicProvider, tokenProvider }, }), message: i18n.translate('xpack.security.deprecations.basicAndTokenProvidersMessage', { defaultMessage: - 'Enabling both "basic" and "token" authentication providers in "xpack.security.authc.providers" is deprecated. Login page will only use "token" provider.', + 'Use only one of these providers. When both providers are set, Kibana only uses the "{tokenProvider}" provider.', + values: { tokenProvider }, }), + level: 'warning', + documentationUrl: `https://www.elastic.co/guide/en/kibana/${branch}/security-settings-kb.html#authentication-security-settings`, correctiveActions: { manualSteps: [ - i18n.translate( - 'xpack.security.deprecations.basicAndTokenProviders.manualStepOneMessage', - { - defaultMessage: - 'Remove either the "basic" or "token" auth provider in "xpack.security.authc.providers" from your Kibana configuration.', - } - ), + i18n.translate('xpack.security.deprecations.basicAndTokenProviders.manualSteps1', { + defaultMessage: + 'Remove the "{basicProvider}" provider from "xpack.security.authc.providers" in kibana.yml.', + values: { basicProvider }, + }), ], }, }); } }, - (settings, fromPath, addDeprecation) => { + (settings, _fromPath, addDeprecation, { branch }) => { const samlProviders = (settings?.xpack?.security?.authc?.providers?.saml ?? {}) as Record< string, any 
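Review bot: The new title says that using both providers "has no effect", but the message directly below it says Kibana only uses the "token" provider, so the configuration does have an effect: the "basic" provider is not used. For a setting that decides which login mechanisms are active, the title should say that rather than suggest a no-op, e.g. `'Using both "{basicProvider}" and "{tokenProvider}" providers in "xpack.security.authc.providers" is deprecated'`. The manual step now names "basic" as the provider to remove, which matches the stated behaviour but drops the earlier option of keeping "basic" and removing "token"; if that choice is still valid, the step should mention it.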
@@ -131,17 +139,18 @@ export const securityConfigDeprecationProvider: ConfigDeprecationProvider = ({ configPath: `xpack.security.authc.providers.saml.${foundProvider[0]}.maxRedirectURLSize`, title: i18n.translate('xpack.security.deprecations.maxRedirectURLSizeTitle', { defaultMessage: - '"xpack.security.authc.providers.saml..maxRedirectURLSize" is deprecated', + '"xpack.security.authc.providers.saml..maxRedirectURLSize" has no effect', }), message: i18n.translate('xpack.security.deprecations.maxRedirectURLSizeMessage', { - defaultMessage: - '"xpack.security.authc.providers.saml..maxRedirectURLSize" is no longer used.', + defaultMessage: 'This setting is no longer used.', }), + level: 'warning', + documentationUrl: `https://www.elastic.co/guide/en/kibana/${branch}/security-settings-kb.html#authentication-security-settings`, correctiveActions: { manualSteps: [ - i18n.translate('xpack.security.deprecations.maxRedirectURLSize.manualStepOneMessage', { + i18n.translate('xpack.security.deprecations.maxRedirectURLSize.manualSteps1', { defaultMessage: - 'Remove "xpack.security.authc.providers.saml..maxRedirectURLSize" from your Kibana configuration.', + 'Remove "xpack.security.authc.providers.saml..maxRedirectURLSize" from kibana.yml.', }), ], },
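Review bot: The title and the manual step print the setting as `xpack.security.authc.providers.saml..maxRedirectURLSize`, with an empty segment where the provider name belongs (possibly a placeholder lost in rendering), even though `configPath` on the first line of the hunk already builds the real path from `foundProvider[0]`. Passing that name through `values` would give the operator the exact key to delete, e.g. `defaultMessage: 'Remove "xpack.security.authc.providers.saml.{providerName}.maxRedirectURLSize" from kibana.yml.', values: { providerName: foundProvider[0] }`. The enclosing callback, including the lookup that defines `foundProvider`, starts above this hunk.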