Update security deprecation messages

[jportner]

See also: #111160

This PR updates various security deprecation messages for display in the Upgrade Assistant. Note that currently the Upgrade Assistant is not enabled for the master branch, only for 7.x.

I updated the following deprecations:

1. Using "elasticsearch.username: kibana" is deprecated
2. Using "elasticsearch.username: elastic" is deprecated
3. Using "elasticsearch.ssl.certificate" without "elasticsearch.ssl.key" has no effect
4. Using "elasticsearch.ssl.key" without "elasticsearch.ssl.certificate" has no effect
5. The array format for "xpack.security.authc.providers" is deprecated
6. Using both "basic" and "token" providers in "xpack.security.authc.providers" has no effect
7. "xpack.security.authc.providers.saml..maxRedirectURLSize" has no effect

Note, all of these have been deprecated for some time, but will not be actually changing/breaking in the 8.0 release. I am following the deprecation message guidance which says we should not say "this will be removed in the future" or anything to that effect. All of these are a warning level, which indicates nothing will break if the operator chooses not to address these deprecations.

Screenshots

(1) and (2), which use the same string templates and are mutually exclusive

(3) and (4), which use the same string templates are mutually exclusive

(5)

(6)

(7)

[jportner]

Author's notes for reviewers. I already went over these once with @gchaps but will tag her again for a final review.

[jportner]

The monitoring code had identical deprecations for (1), (2), (3), and (4) in the PR description. It would basically make those deprecations show up twice, which is confusing.

We currently don't have the ability to differentiate if these options were set in the raw Monitoring config (monitoring.ui.elasticsearch.*) or if they were inherited from the Core config (elasticsearch.*). Monitoring should only register config deprecations for actual Monitoring config settings.

Since these are not breaking in 8.0, I think we should remove these Monitoring deprecations completely until we refactor the code and can differentiate between the two.

[TinaHeiligers]

Since these are not breaking in 8.0, I think we should remove these Monitoring deprecations completely until we refactor the code and can differentiate between the two

Is there a follow up issue for that? Removing deprecations that seem to be duplicates make sense. I just want to make sure we do actually follow up on this a.s.a.p.

[jportner]

I'll make a note to create a follow-up after this merges. I'll add a permalink to this section in the follow up issue's description.

[jportner]

I added a follow-up issue for this: #115597

[jportner]

I changed Core deprecations here, but these particular ones were added by the Platform Security team, so I thought it would be prudent to update them along with our other deprecations 👍

[jportner]

@elasticmachine merge upstream

[legrego]

Changes look great! I'm about to test locally now, but wanted to leave my minor feedback in the meantime

[legrego]

I really wish we had markdown support here. I think we have enough information here to build a correct object-based representation of their array-based configuration, which would make the upgrade process so much nicer.

[jportner]

Agree 100%. It doesn't sound like that will land in 7.16.0, but I think we'd be justified to backport it to 7.16.1 to make the upgrade experience smoother. In that case I'd like to go back and tweak some of these messages that would be better served by markdown

[TinaHeiligers]

I hear you! Time permitting, we'll try to slot kibana/issues/111068 in. However, there are some gotcha's with i18n and a few other considerations we need to account for that make the task a little more complex.

[legrego]

Is there a reason to say "the login page", and not "Kibana"? This also technically applies to API consumers, where the login page is not used.

[jportner]

Ah, I wasn't sure, the existing string said "login page" so I left it. @azasypkin do you have any opinion here? Should we just change it to "When both providers are set, Kibana only uses the "token" provider. ?

[jportner]

Tentatively changed in e584ec4 👍

[azasypkin]

It seems I wanted to be technically correct here since you can hit login endpoint with the specific provider name directly and use that specific provider, login page cannot do this 😆 But yeah, don't have a strong opinion here, Kibana instead of login page sounds good to me as well.

[TinaHeiligers]

Thanks for updating the deprecation levels here!
A few comments/suggestions and a question about wording.

[TinaHeiligers]

Suggested change

	'Use only one of these providers. When both providers are set, the login page only uses the "{tokenProvider}" provider.',
	'Only use one provider. When both providers are set, the login page only uses the "{tokenProvider}" provider.',

[jportner]

I'll defer to @gchaps here, but I worded it this way because the user may have other providers configured too (saml, oidc, etc). So I don't want to suggest that they should remove all but one provider.

[phillipb]

LGTM

[TinaHeiligers]

Thanks for the changes!
LGTM

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: e584ec4
• Storybooks Preview

Metrics [docs]

✅ unchanged

History

• 💔 Build #161587 failed 3913a50

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[jportner]

@elasticmachine merge upstream

[legrego]

LGTM, thanks for the edits!

[jportner]

I added b409027 to address #115344 👍

[kibanamachine]

💚 Build Succeeded

• Buildkite Build
• Commit: b409027
• Storybooks Preview

Metrics [docs]

✅ unchanged

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[TinaHeiligers]

@jportner we're auditing the kibana.yml file and the deprecations added here mention using a service account token rather than username/password for Kibana <-> ES auth when deprecated values are set (elastic/kibana).

Should we consider removing the kibana username/password config option in the main template or at least mention that it might be deprecated in a future release?
OTOH, with the new make it minor strategy, maybe we shouldn't mention it will be removed in favor of service account tokens.
WDYT?

[jportner]

Hey @TinaHeiligers, great question!

I apologize that this isn't super clear, some of this discussion took place over email with the ES Security team and was not captured in GitHub.

To summarize our current state of thinking:

• We are not planning to deprecate elasticsearch.username and elasticsearch.password
• However, with the new Security On By Default initiative, we want to start guiding users towards using a Service Account Token instead, which is a better paradigm in general for machine-to-machine authentication
• Since we deprecated using the "elastic" and "kibana" users to authenticate Kibana to Elasticsearch (e.g., elasticsearch.username: elastic and elasticsearch.username: kibana, respectively), we decided to go ahead and tell affected users to use a Service Account Token in the Upgrade Assistant, because Elasticsearch allows it even without TLS enabled starting in 7.16

The kibana.yml template file already contains elasticsearch.username, elasticsearch.password, and elasticsearch.serviceAccountToken, so I think it's good for now.

I do think we need to make additional changes in the 8.0 Kibana Security docs to make sure they flow well with the 8.0 Elastic Stack Security docs, so I'm glad you brought this up. I created an issue for it here: #117223