Merge branch 'master' into fix-repo-root-finding-for-ci

elastic · Jul 12, 2021 · d8d1284 · d8d1284
2 parents eb65fae + 76f4956
commit d8d1284
Show file tree

Hide file tree

Showing 237 changed files with 2,267 additions and 3,230 deletions.
diff --git a/config/kibana.yml b/config/kibana.yml
@@ -42,6 +42,10 @@
 #elasticsearch.username: "kibana_system"
 #elasticsearch.password: "pass"
 
+# Kibana can also authenticate to Elasticsearch via "service account tokens".
+# If may use this token instead of a username/password.
+# elasticsearch.serviceAccountToken: "my_token"
+
 # Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
 # These settings enable SSL for outgoing requests from the Kibana server to the browser.
 #server.ssl.enabled: false

diff --git a/dev_docs/tutorials/debugging.mdx b/dev_docs/tutorials/debugging.mdx
@@ -0,0 +1,61 @@
+---
+id: kibDevTutorialDebugging
+slug: /kibana-dev-docs/tutorial/debugging
+title: Debugging in development
+summary: Learn how to debug Kibana while running from source
+date: 2021-04-26
+tags: ['kibana', 'onboarding', 'dev', 'tutorials', 'debugging']
+---
+
+There are multiple ways to go about debugging Kibana when running from source.
+
+## Debugging using Chrome DevTools
+
+You will need to run Node using `--inspect` or `--inspect-brk` in order to enable the inspector. Additional information can be found in the [Node.js docs](https://nodejs.org/en/docs/guides/debugging-getting-started/).
+
+Once Node is running with the inspector enabled, you can open `chrome://inspect` in your Chrome browser. You should see a remote target for the inspector running. Click "inspect". You can now begin using the debugger.
+
+Next we will go over how to exactly enable the inspector for different aspects of the codebase.
+
+### Jest Unit Tests
+
+You will need to run Jest directly from the Node script:
+
+`node --inspect-brk scripts/jest [TestPathPattern]`
+
+### Functional Test Runner
+
+`node --inspect-brk scripts/functional_test_runner`
+
+### Development Server 
+
+`node --inspect-brk scripts/kibana`
+
+## Debugging using logging
+
+When running Kibana, it's sometimes helpful to enable verbose logging.
+
+`yarn start --verbose`
+
+Using verbose logging usually results in much more information than you're interested in. The [logging documentation](https://www.elastic.co/guide/en/kibana/current/logging-settings.html) covers ways to change the log level of certain types.
+
+In the following example of a configuration stored in `config/kibana.dev.yml` we are logging all Elasticsearch queries and any logs created by the Management plugin.
+
+```
+logging:
+  appenders:
+    console:
+      type: console
+      layout:
+        type: pattern
+        highlight: true
+  root:
+    appenders: [default, console]
+    level: info
+
+  loggers:
+    - name: plugins.management
+      level: debug
+    - name: elasticsearch.query
+      level: debug
+```
diff --git a/docs/developer/plugin-list.asciidoc b/docs/developer/plugin-list.asciidoc
@@ -393,7 +393,7 @@ security and spaces filtering as well as performing audit logging.
 
 
 |{kib-repo}blob/{branch}/x-pack/plugins/enterprise_search/README.md[enterpriseSearch]
-|This plugin's goal is to provide a Kibana user interface to the Enterprise Search solution's products (App Search and Workplace Search). In it's current MVP state, the plugin provides the following with the goal of gathering user feedback and raising product awareness:
+|This plugin provides beta Kibana user interfaces for managing the Enterprise Search solution and its products, App Search and Workplace Search.
 
 
 |{kib-repo}blob/{branch}/x-pack/plugins/event_log/README.md[eventLog]

diff --git a/.../development/core/server/kibana-plugin-core-server.elasticsearchclientconfig.md b/.../development/core/server/kibana-plugin-core-server.elasticsearchclientconfig.md
@@ -9,7 +9,7 @@ Configuration options to be used to create a [cluster client](./kibana-plugin-co
 <b>Signature:</b>
 
 ```typescript
-export declare type ElasticsearchClientConfig = Pick<ElasticsearchConfig, 'customHeaders' | 'sniffOnStart' | 'sniffOnConnectionFault' | 'requestHeadersWhitelist' | 'sniffInterval' | 'hosts' | 'username' | 'password'> & {
+export declare type ElasticsearchClientConfig = Pick<ElasticsearchConfig, 'customHeaders' | 'sniffOnStart' | 'sniffOnConnectionFault' | 'requestHeadersWhitelist' | 'sniffInterval' | 'hosts' | 'username' | 'password' | 'serviceAccountToken'> & {
     pingTimeout?: ElasticsearchConfig['pingTimeout'] | ClientOptions['pingTimeout'];
     requestTimeout?: ElasticsearchConfig['requestTimeout'] | ClientOptions['requestTimeout'];
     ssl?: Partial<ElasticsearchConfig['ssl']>;

diff --git a/docs/development/core/server/kibana-plugin-core-server.elasticsearchconfig.md b/docs/development/core/server/kibana-plugin-core-server.elasticsearchconfig.md
@@ -31,10 +31,11 @@ export declare class ElasticsearchConfig
 |  [pingTimeout](./kibana-plugin-core-server.elasticsearchconfig.pingtimeout.md) |  | <code>Duration</code> | Timeout after which PING HTTP request will be aborted and retried. |
 |  [requestHeadersWhitelist](./kibana-plugin-core-server.elasticsearchconfig.requestheaderswhitelist.md) |  | <code>string[]</code> | List of Kibana client-side headers to send to Elasticsearch when request scoped cluster client is used. If this is an empty array then \*no\* client-side will be sent. |
 |  [requestTimeout](./kibana-plugin-core-server.elasticsearchconfig.requesttimeout.md) |  | <code>Duration</code> | Timeout after which HTTP request will be aborted and retried. |
+|  [serviceAccountToken](./kibana-plugin-core-server.elasticsearchconfig.serviceaccounttoken.md) |  | <code>string</code> | If Elasticsearch security features are enabled, this setting provides the service account token that the Kibana server users to perform its administrative functions.<!-- -->This is an alternative to specifying a username and password. |
 |  [shardTimeout](./kibana-plugin-core-server.elasticsearchconfig.shardtimeout.md) |  | <code>Duration</code> | Timeout for Elasticsearch to wait for responses from shards. Set to 0 to disable. |
 |  [sniffInterval](./kibana-plugin-core-server.elasticsearchconfig.sniffinterval.md) |  | <code>false &#124; Duration</code> | Interval to perform a sniff operation and make sure the list of nodes is complete. If <code>false</code> then sniffing is disabled. |
 |  [sniffOnConnectionFault](./kibana-plugin-core-server.elasticsearchconfig.sniffonconnectionfault.md) |  | <code>boolean</code> | Specifies whether the client should immediately sniff for a more current list of nodes when a connection dies. |
 |  [sniffOnStart](./kibana-plugin-core-server.elasticsearchconfig.sniffonstart.md) |  | <code>boolean</code> | Specifies whether the client should attempt to detect the rest of the cluster when it is first instantiated. |
 |  [ssl](./kibana-plugin-core-server.elasticsearchconfig.ssl.md) |  | <code>Pick&lt;SslConfigSchema, Exclude&lt;keyof SslConfigSchema, 'certificateAuthorities' &#124; 'keystore' &#124; 'truststore'&gt;&gt; &amp; {</code><br/><code>        certificateAuthorities?: string[];</code><br/><code>    }</code> | Set of settings configure SSL connection between Kibana and Elasticsearch that are required when <code>xpack.ssl.verification_mode</code> in Elasticsearch is set to either <code>certificate</code> or <code>full</code>. |
-|  [username](./kibana-plugin-core-server.elasticsearchconfig.username.md) |  | <code>string</code> | If Elasticsearch is protected with basic authentication, this setting provides the username that the Kibana server uses to perform its administrative functions. |
+|  [username](./kibana-plugin-core-server.elasticsearchconfig.username.md) |  | <code>string</code> | If Elasticsearch is protected with basic authentication, this setting provides the username that the Kibana server uses to perform its administrative functions. Cannot be used in conjunction with serviceAccountToken. |
 
diff --git a/...ore/server/kibana-plugin-core-server.elasticsearchconfig.serviceaccounttoken.md b/...ore/server/kibana-plugin-core-server.elasticsearchconfig.serviceaccounttoken.md
@@ -0,0 +1,15 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [ElasticsearchConfig](./kibana-plugin-core-server.elasticsearchconfig.md) &gt; [serviceAccountToken](./kibana-plugin-core-server.elasticsearchconfig.serviceaccounttoken.md)
+
+## ElasticsearchConfig.serviceAccountToken property
+
+If Elasticsearch security features are enabled, this setting provides the service account token that the Kibana server users to perform its administrative functions.
+
+This is an alternative to specifying a username and password.
+
+<b>Signature:</b>
+
+```typescript
+readonly serviceAccountToken?: string;
+```
diff --git a/...velopment/core/server/kibana-plugin-core-server.elasticsearchconfig.username.md b/...velopment/core/server/kibana-plugin-core-server.elasticsearchconfig.username.md
@@ -4,7 +4,7 @@
 
 ## ElasticsearchConfig.username property
 
-If Elasticsearch is protected with basic authentication, this setting provides the username that the Kibana server uses to perform its administrative functions.
+If Elasticsearch is protected with basic authentication, this setting provides the username that the Kibana server uses to perform its administrative functions. Cannot be used in conjunction with serviceAccountToken.
 
 <b>Signature:</b>
 

diff --git a/...opment/core/server/kibana-plugin-core-server.legacyelasticsearchclientconfig.md b/...opment/core/server/kibana-plugin-core-server.legacyelasticsearchclientconfig.md
@@ -11,7 +11,7 @@
 <b>Signature:</b>
 
 ```typescript
-export declare type LegacyElasticsearchClientConfig = Pick<ConfigOptions, 'keepAlive' | 'log' | 'plugins'> & Pick<ElasticsearchConfig, 'apiVersion' | 'customHeaders' | 'requestHeadersWhitelist' | 'sniffOnStart' | 'sniffOnConnectionFault' | 'hosts' | 'username' | 'password'> & {
+export declare type LegacyElasticsearchClientConfig = Pick<ConfigOptions, 'keepAlive' | 'log' | 'plugins'> & Pick<ElasticsearchConfig, 'apiVersion' | 'customHeaders' | 'requestHeadersWhitelist' | 'sniffOnStart' | 'sniffOnConnectionFault' | 'hosts' | 'username' | 'password' | 'serviceAccountToken'> & {
     pingTimeout?: ElasticsearchConfig['pingTimeout'] | ConfigOptions['pingTimeout'];
     requestTimeout?: ElasticsearchConfig['requestTimeout'] | ConfigOptions['requestTimeout'];
     sniffInterval?: ElasticsearchConfig['sniffInterval'] | ConfigOptions['sniffInterval'];

diff --git a/docs/setup/settings.asciidoc b/docs/setup/settings.asciidoc
@@ -284,6 +284,11 @@ the username and password that the {kib} server uses to perform maintenance
 on the {kib} index at startup. {kib} users still need to authenticate with
 {es}, which is proxied through the {kib} server.
 
+|[[elasticsearch-service-account-token]] `elasticsearch.serviceAccountToken:`
+ | beta[]. If your {es} is protected with basic authentication, this token provides the credentials
+that the {kib} server uses to perform maintenance on the {kib} index at startup. This setting
+is an alternative to `elasticsearch.username` and `elasticsearch.password`.
+
 | `enterpriseSearch.host`
   | The URL of your Enterprise Search instance
 

diff --git a/docs/user/dashboard/tsvb.asciidoc b/docs/user/dashboard/tsvb.asciidoc
@@ -148,6 +148,27 @@ The *Markdown* visualization supports Markdown with Handlebar (mustache) syntax
 
 For answers to frequently asked *TSVB* question, review the following. 
 
+[float]
+===== How do I create dashboard drilldowns for Top N and Table visualizations?
+
+You can create dashboard drilldowns that include the specified time range for *Top N* and *Table* visualizations.
+
+. Open the dashboard that you want to link to, then copy the URL.
+
+. Open the dashboard with the *Top N* and *Table* visualization panel, then click *Edit* in the toolbar. 
+
+. Open the *Top N* or *Table* panel menu, then select *Edit visualization*.
+
+. Click *Panel options*. 
+
+. In the *Item URL* field, enter the URL. 
++
+For example `dashboards#/view/f193ca90-c9f4-11eb-b038-dd3270053a27`.
+
+. Click *Save and return*.
+
+. In the toolbar, cick *Save as*, then make sure *Store time with dashboard* is deselected. 
+
 [float]
 ===== Why is my TSVB visualization missing data?
 

diff --git a/src/cli/serve/serve.js b/src/cli/serve/serve.js
@@ -68,12 +68,14 @@ function applyConfigOverrides(rawConfig, opts, extraCliOptions) {
   delete extraCliOptions.env;
 
   if (opts.dev) {
-    if (!has('elasticsearch.username')) {
-      set('elasticsearch.username', 'kibana_system');
-    }
+    if (!has('elasticsearch.serviceAccountToken')) {
+      if (!has('elasticsearch.username')) {
+        set('elasticsearch.username', 'kibana_system');
+      }
 
-    if (!has('elasticsearch.password')) {
-      set('elasticsearch.password', 'changeme');
+      if (!has('elasticsearch.password')) {
+        set('elasticsearch.password', 'changeme');
+      }
     }
 
     if (opts.ssl) {

diff --git a/src/core/public/chrome/ui/header/header_help_menu.tsx b/src/core/public/chrome/ui/header/header_help_menu.tsx
@@ -211,7 +211,7 @@ export class HeaderHelpMenu extends Component<Props, State> {
 
     return (
       <Fragment>
-        <EuiButtonEmpty href={kibanaDocLink} target="_blank" size="xs" flush="left">
+        <EuiButtonEmpty href={kibanaDocLink} target="_blank" size="s" flush="left">
           <FormattedMessage
             id="core.ui.chrome.headerGlobalNav.helpMenuKibanaDocumentationTitle"
             defaultMessage="Kibana documentation"
@@ -220,7 +220,7 @@ export class HeaderHelpMenu extends Component<Props, State> {
 
         <EuiSpacer size="xs" />
 
-        <EuiButtonEmpty href={helpSupportUrl} target="_blank" size="xs" flush="left">
+        <EuiButtonEmpty href={helpSupportUrl} target="_blank" size="s" flush="left">
           <FormattedMessage
             id="core.ui.chrome.headerGlobalNav.helpMenuAskElasticTitle"
             defaultMessage="Ask Elastic"
@@ -229,7 +229,7 @@ export class HeaderHelpMenu extends Component<Props, State> {
 
         <EuiSpacer size="xs" />
 
-        <EuiButtonEmpty href={KIBANA_FEEDBACK_LINK} target="_blank" size="xs" flush="left">
+        <EuiButtonEmpty href={KIBANA_FEEDBACK_LINK} target="_blank" size="s" flush="left">
           <FormattedMessage
             id="core.ui.chrome.headerGlobalNav.helpMenuGiveFeedbackTitle"
             defaultMessage="Give feedback"
@@ -241,7 +241,7 @@ export class HeaderHelpMenu extends Component<Props, State> {
         <EuiButtonEmpty
           href={GITHUB_CREATE_ISSUE_LINK}
           target="_blank"
-          size="xs"
+          size="s"
           iconType="logoGithub"
           flush="left"
         >
@@ -330,7 +330,7 @@ export class HeaderHelpMenu extends Component<Props, State> {
         {customLinks}
         {content && (
           <>
-            {customLinks && <EuiSpacer size="s" />}
+            {customLinks && <EuiSpacer size="xs" />}
             <HeaderExtension extension={content} />
           </>
         )}
@@ -383,7 +383,7 @@ const createCustomLink = (
 ) => {
   return (
     <Fragment key={`helpButton${index}`}>
-      <EuiButtonEmpty {...buttonProps} size="xs" flush="left">
+      <EuiButtonEmpty {...buttonProps} size="s" flush="left">
         {text}
       </EuiButtonEmpty>
       {addSpacer && <EuiSpacer size="xs" />}

diff --git a/src/core/server/elasticsearch/client/client_config.test.ts b/src/core/server/elasticsearch/client/client_config.test.ts
@@ -204,11 +204,27 @@ describe('parseClientOptions', () => {
         );
       });
 
+      it('adds an authorization header if `serviceAccountToken` is set', () => {
+        expect(
+          parseClientOptions(
+            createConfig({
+              serviceAccountToken: 'ABC123',
+            }),
+            false
+          )
+        ).toEqual(
+          expect.objectContaining({
+            headers: expect.objectContaining({
+              authorization: `Bearer ABC123`,
+            }),
+          })
+        );
+      });
+
       it('does not add auth to the nodes', () => {
         const options = parseClientOptions(
           createConfig({
-            username: 'user',
-            password: 'pass',
+            serviceAccountToken: 'ABC123',
             hosts: ['http://node-A:9200'],
           }),
           true
@@ -252,6 +268,34 @@ describe('parseClientOptions', () => {
                   ]
               `);
       });
+
+      it('does not add the authorization header even if `serviceAccountToken` is set', () => {
+        expect(
+          parseClientOptions(
+            createConfig({
+              serviceAccountToken: 'ABC123',
+            }),
+            true
+          ).headers
+        ).not.toHaveProperty('authorization');
+      });
+
+      it('does not add auth to the nodes even if `serviceAccountToken` is set', () => {
+        const options = parseClientOptions(
+          createConfig({
+            serviceAccountToken: 'ABC123',
+            hosts: ['http://node-A:9200'],
+          }),
+          true
+        );
+        expect(options.nodes).toMatchInlineSnapshot(`
+                  Array [
+                    Object {
+                      "url": "http://node-a:9200/",
+                    },
+                  ]
+              `);
+      });
     });
   });
 

diff --git a/src/core/server/elasticsearch/client/client_config.ts b/src/core/server/elasticsearch/client/client_config.ts
@@ -29,6 +29,7 @@ export type ElasticsearchClientConfig = Pick<
   | 'hosts'
   | 'username'
   | 'password'
+  | 'serviceAccountToken'
 > & {
   pingTimeout?: ElasticsearchConfig['pingTimeout'] | ClientOptions['pingTimeout'];
   requestTimeout?: ElasticsearchConfig['requestTimeout'] | ClientOptions['requestTimeout'];
@@ -74,11 +75,16 @@ export function parseClientOptions(
     };
   }
 
-  if (config.username && config.password && !scoped) {
-    clientOptions.auth = {
-      username: config.username,
-      password: config.password,
-    };
+  if (!scoped) {
+    if (config.username && config.password) {
+      clientOptions.auth = {
+        username: config.username,
+        password: config.password,
+      };
+    } else if (config.serviceAccountToken) {
+      // TODO: change once ES client has native support for service account tokens: https://github.com/elastic/elasticsearch-js/issues/1477
+      clientOptions.headers!.authorization = `Bearer ${config.serviceAccountToken}`;
+    }
   }
 
   clientOptions.nodes = config.hosts.map((host) => convertHost(host));

diff --git a/src/core/server/elasticsearch/elasticsearch_config.test.ts b/src/core/server/elasticsearch/elasticsearch_config.test.ts
@@ -41,6 +41,7 @@ test('set correct defaults', () => {
         "authorization",
       ],
       "requestTimeout": "PT30S",
+      "serviceAccountToken": undefined,
       "shardTimeout": "PT30S",
       "sniffInterval": false,
       "sniffOnConnectionFault": false,
@@ -377,3 +378,22 @@ test('#username throws if equal to "elastic", only while running from source', (
   );
   expect(() => config.schema.validate(obj, { dist: true })).not.toThrow();
 });
+
+test('serviceAccountToken throws if username is also set', () => {
+  const obj = {
+    username: 'elastic',
+    serviceAccountToken: 'abc123',
+  };
+
+  expect(() => config.schema.validate(obj)).toThrowErrorMatchingInlineSnapshot(
+    `"[serviceAccountToken]: serviceAccountToken cannot be specified when \\"username\\" is also set."`
+  );
+});
+
+test('serviceAccountToken does not throw if username is not set', () => {
+  const obj = {
+    serviceAccountToken: 'abc123',
+  };
+
+  expect(() => config.schema.validate(obj)).not.toThrow();
+});