-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[DOCS] Update Kibana install docs for security ON by default Beta #118770
[DOCS] Update Kibana install docs for security ON by default Beta #118770
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, a couple of suggestions below. I'd also like @thomheymann to weigh in.
If this is the first time you're starting {kib}, this command generates a | ||
unique link to enroll your {kib} instance with {es}. | ||
|
||
. In your terminal, click the generated link to open {kib} in your browser. | ||
|
||
. In your browser, paste the enrollment token for {kib} and click the | ||
button to connect your {kib} instance with {es}. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this sort of glosses over the difference between the Kibana auth code and the Elastic enrollment token.
Maybe we could use a couple of screenshots here? Or maybe we could clarify this text a bit more? I'm not sure what the best approach is.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So even if I go to http://0.0.0.0:5601/
(without the unique part of the URL), Kibana prompts me to enter the enrollment token because it’s the first time I’ve configured it. That’s cool!
If I click Configure manually and then enter http://0.0.0.0:9200
, Kibana indicates that it can't connect to my cluster.
If I then go back and enter the enrollment code that Elasticsearch generated, I get this prompt to enter a verification code. I looked back in the Kibana terminal, and sure enough, there was a verification code!
- @jportner, is this the behavior that you mentioned?
- @thomheymann, are users only prompted for this verification code if they attempt to configure manually? Also, do you know why I received an error when trying to connect to
http://0.0.0.0:9200
manually?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Joe's description is correct but I would call the code "verification code". We ask for it whenever someone attempts to configure Kibana using interactive setup UI without having followed the link that was generated when starting Kibana. It doesn't matter whether they do that using the enrollment token or using the manual configuration mode. Keep in mind that we only ask for the verification code when required (i.e. the user did not follow the interactive setup link and the user has entered the enrollment token / manual connection details and clicked "Configure Elastic") so you will not see it simply by viewing the enrollment token screen or the manual configuration screen.
For clarification: The "Check address" step does not require the verification code so it is expected that you don't see it at that stage.
I'm not sure if we need to go into too much detail regarding this step in the docs since most users will (hopefully) never see it. Might be worth adding a note to the docs but I would try and keep it simple since the popup does explain what to do.
Ok, I think that I unlocked the manual configuration workflow (achievement unlocked 🔓) Go to Click Configure manually and try to enter Enter the new URL and click Configure manually -- this produces a new login screen I've not seen previously that asks for the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for putting this together Adam. Looks great!
I've added a couple comments suggestions below but happy to go with what you recommend.
@lockewritesdocs Sorry you had to struggle through this, I didn't realise you hadn't seen the manual configuration screen.
Good point - it might be worth adding some more guidance around this in the UI. I'll add a note to #118654 |
💚 Build Succeeded
History
To update your PR or re-run it, just comment with: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
…astic#118770) * [DOCS] Update install docs for security ON by default * Incorporating reviewer feedback and expanding RPM + Debian steps * Update Debian and RPM enrollment token process
💚 Backport successful
This backport PR will be merged automatically after passing CI. |
…astic#118770) * [DOCS] Update install docs for security ON by default * Incorporating reviewer feedback and expanding RPM + Debian steps * Update Debian and RPM enrollment token process
…astic#118770) * [DOCS] Update install docs for security ON by default * Incorporating reviewer feedback and expanding RPM + Debian steps * Update Debian and RPM enrollment token process
…18770) * [DOCS] Update install docs for security ON by default * Incorporating reviewer feedback and expanding RPM + Debian steps * Update Debian and RPM enrollment token process
…astic#118770) * [DOCS] Update install docs for security ON by default * Incorporating reviewer feedback and expanding RPM + Debian steps * Update Debian and RPM enrollment token process
Summary
In 8.0, security is enabled and configured when users start Elasticsearch. An enrollment token is generated for Kibana, which users can copy and paste to enroll Kibana with Elasticsearch. This PR:
tar.gz
, Windows, Deb, RPM)tar.gz
, Windows)Preview links:
Note: Security ON by default currently does not support Homebrew, but hopefully will for 8.0.