Commit Graph

636 Commits

Author SHA1 Message Date
Zachary Tong cf965dca27 [Docs] Mark Rollup as Experimental instead of Beta
Original commit: elastic/x-pack-elasticsearch@bce120daae
2018-04-10 15:51:09 +00:00
Tim Vernum 411f683521 Document ssl.verification_mode (elastic/x-pack-elasticsearch#4253)
It is common for users to wish to adjust the verification_mode in SSL
settings, usually with the intention of skipping hostname
verification. This has been supported for a long time, but the
relevant configuration setting was not clearly documented, which would
sometimes lead users to set `verification_mode` to `none`, and disable
more checks than they intended.

This commit adds clearer documentation regarding the options available
for `verification_mode` and actively discourages the use of `none`.

Original commit: elastic/x-pack-elasticsearch@2fdf53b42f
2018-04-10 20:27:23 +10:00
Lisa Cawley 17543dbc00 [DOCS] Augmented token API description (elastic/x-pack-elasticsearch#4321)
Original commit: elastic/x-pack-elasticsearch@c24713ee43
2018-04-09 11:39:21 -07:00
Lee Hinman 218e9a57bb Correct documentation for number of salt generation rounds (elastic/x-pack-elasticsearch#4322)
For the user cache, the crypt option rounds are actually the log2 of the number
of rounds. This commits updates the documentation to reflect this.

Original commit: elastic/x-pack-elasticsearch@d3cc2b7f29
2018-04-09 10:59:06 -06:00
Alexander Reelsen 6bd5e9ef91 Watcher: Reenable email property settings (elastic/x-pack-elasticsearch#4319)
With the change of requiring to configure account settings properly by
using affix settings, we forgot another special snowflake, namely the
configuration of mail properties, which can be arbitrary in the
configuration. Those properties are used when an email is sent.

This commit adds a few (but not all of those) options back and removes
the link in the documentation to refer to all of those settings.

Some settings are useless, as they only change the execution
expectations when a mail is sent, which the watch has control over.

The following settings are supported

* smtp.{host,port,user,password}
* smtp.auth
* smtp.starttls.{enable,required}
* smtp.{timeout,connection_timeout,write_timeout}
* smtp.{local_address,local_port}
* smtp.send_partial
* smtp.wait_on_quit

relates elastic/x-pack-elasticsearch#4048

Original commit: elastic/x-pack-elasticsearch@39d5624710
2018-04-09 15:42:16 +02:00
Lisa Cawley b6d901f530 [DOCS] Augmented security configuration steps (elastic/x-pack-elasticsearch#4316)
Original commit: elastic/x-pack-elasticsearch@48b47b19ae
2018-04-06 11:48:03 -07:00
Zachary Tong 7810dc6146 [Rollup] Add `value_count` metric (elastic/x-pack-elasticsearch#4315)
Adds `value_count` as one of the accepted metrics.  The caveat is that
it only accepts numeric values for two reasons:

- Job validation at creation makes sure all metrics are numeric fields.
Changing this would require new syntax (or disallowing anything but
value_count on mixed fields)
- when `toBuilders()` is called, we have to supply a ValueSource to
the ValueCountBuilder, and we don't know what the field type is at that
time.

These are both fixable, but relatively more involved.  I think numeric-only
is a reasonable limitation to start with

Original commit: elastic/x-pack-elasticsearch@270f24c8bf
2018-04-06 10:47:33 -07:00
Yogesh Gaikwad ed6a6af64c SAML: Make alias for signing key optional (elastic/x-pack-elasticsearch#4248)
We specify an alias for signing key, but when we just have
a single key in key store this is an additional setting which
is annoying. This PR addresses this issue by making it optional.

- Changes in SamlRealmSettings to make signing/encryption
  key alias optional
- Checks if none of the keys are useful for given operation
  signing or encryption throws an error.
- Checks for no of aliases in key-store, if more than one and alias
  is not specified throws error.
- If an alias is not specified and there is just one alias in
  keystore then use it as the credential.
- Unit Tests

Note: A side effect of this change the above-mentioned behavior is
it's also applicable for encryption keys currently, but it is going
to change when fixing elastic/x-pack-elasticsearch#3980 for supporting multiple encryption keys.

relates elastic/x-pack-elasticsearch#3981

Original commit: elastic/x-pack-elasticsearch@2b5af1d8a8
2018-04-06 10:43:35 +10:00
Lisa Cawley 3b876262e2 [DOCS] Clarify certgen deprecation (elastic/x-pack-elasticsearch#4099)
Original commit: elastic/x-pack-elasticsearch@dfbe38325d
2018-04-05 12:55:38 -07:00
Lisa Cawley bbcb33b519 [DOCS] Security disabled by default (elastic/x-pack-elasticsearch#4288)
Original commit: elastic/x-pack-elasticsearch@110df8a58e
2018-04-05 12:06:43 -07:00
Alexander Reelsen f709fcd083 Watcher: Refactor/Fix TransportWatcherServiceAction (elastic/x-pack-elasticsearch#4240)
This commit fixes several issues with the current implementation of
starting & stopping watcher

1. The WatcherServiceResponse was always returning a message, that the
   request was acknowledged, completely independent from the fact if it was
   or not.
2. A new cluster state instance was always returned, regardless if the
   state had changed or not (which is explicitely mentioned in the
   javadocs to check for this)
3. The AckedClusterStateUpdateTask now returns a proper WatcherServiceResponse
4. A failure now gets logged

Relates elastic/x-pack-elasticsearch#4225 (this is just a hunch for now)

Original commit: elastic/x-pack-elasticsearch@f4c1749f95
2018-04-05 09:33:28 +02:00
Zachary Tong 3852b41330 [Rollup] Validate field mapping before creating Rollup Job (elastic/x-pack-elasticsearch#4274)
This PR adds logic to ensure that the fields (and field types) configured
in the Rollup Job are present in the index/indices specified by the job's
index pattern.  If a field is missing, or is not aggregatable, it
will throw an exception before the job is created.

This is important for user-friendliness, because otherwise the user
only discovers an issue with mapping when the job is started and
fails to rollup correctly (and only really noticeable by looking at logs,
since it's a runtime failure).

Original commit: elastic/x-pack-elasticsearch@686cd03072
2018-04-04 15:32:26 -07:00
Lisa Cawley 3ae8c71f16 [DOCS] Added exporter details (elastic/x-pack-elasticsearch#4171)
Original commit: elastic/x-pack-elasticsearch@791d9d6a45
2018-04-04 15:25:14 -07:00
Lisa Cawley 3e4ceec0c2 [DOCS] Removed X-Pack installation info (elastic/x-pack-elasticsearch#4299)
Original commit: elastic/x-pack-elasticsearch@5af83b7531
2018-04-04 11:59:31 -07:00
lcawley 510f667ea8 [DOCS] Fixed link text
Original commit: elastic/x-pack-elasticsearch@4f42744ee1
2018-04-04 10:39:13 -07:00
Alexander Reelsen 2da6d14859 Watcher: Prevent watch acknowledgement while watch is executing (elastic/x-pack-elasticsearch#4224)
When a watch is acknowledged, while it is also being executed, the
acknowledgment information can get lost. The reason for this is the
fact, that the execution writes the watch status inside of the watch
regardless, if other writes happened inbetween to make sure the
execution state is caught.

This commit checks the current executions in the execution service and
aborts the API call, if the specified watch ID can be found in those.

Note, this does not prevent this issue fully, as a watch could be
triggered, while the acknowledgement update is running, but it does
reduce the surface area of this problem. In order to properly solve
this, indexing the watch status as part of a watch would need to be
changed.

relates elastic/x-pack-elasticsearch#4003

Original commit: elastic/x-pack-elasticsearch@d7e218b2ac
2018-04-04 10:15:20 +02:00
Dimitris Athanasiou 3d8c438403 [ML][DOCS] Correct path for get-stats for all jobs/datafeeds (elastic/x-pack-elasticsearch#4280)
Original commit: elastic/x-pack-elasticsearch@dfb7166f95
2018-04-03 18:00:34 +01:00
Zachary Tong b91640877a [Docs] Fix bad doc test
Typo, needed to use a test setup instead of a continuation

Original commit: elastic/x-pack-elasticsearch@cfbc1202c6
2018-03-30 21:07:19 +00:00
Zachary Tong 574ce84885 [Docs] Add quickstart and limitation documentation for Rollups
Original commit: elastic/x-pack-elasticsearch@cb4aaa0992
2018-03-30 20:43:33 +00:00
Tim Vernum e69c5d4d48 Add secure_bind_password to LDAP realm (elastic/x-pack-elasticsearch#4192)
Adds a SecureSetting option for the "bind_password" in LDAP/AD realms
and deprecates the non-secure version.

LDAP bind passwords should now be configured with the setting
`xpack.security.authc.realms.REALM_NAME.secure_bind_password`
in the elasticsearch keystore.

Original commit: elastic/x-pack-elasticsearch@1a0cebd77e
2018-03-29 16:31:45 +10:00
Zachary Tong 9cc33f4e29 [Rollup] Select best jobs then execute msearch-per-job (elastic/x-pack-elasticsearch#4152)
If there are multiple jobs that are all the "best" (e.g. share the
best interval) we have no way of knowing which is actually the best.
Unfortunately, we cannot just filter for all the jobs in a single
search because their doc_counts can potentially overlap.

To solve this, we execute an msearch-per-job so that the results
stay isolated.  When rewriting the response, we iteratively
unroll and reduce the independent msearch responses into a single
"working tree".  This allows us to intervene if there are
overlapping buckets and manually choose a doc_count.

Job selection is found by recursively descending through the aggregation
tree and independently pruning the list of valid job caps in each branch.
When a leaf node is reached in the branch, the remaining jobs are
sorted by "best'ness" (see comparator in RollupJobIdentifierUtils for the
implementation) and added to a global set of "best jobs". Once
all branches have been evaluated, the final set is returned to the
calling code.

Job "best'ness" is, briefly, the job(s) that have
 - The largest compatible date interval
 - Fewer and larger interval histograms
 - Fewer terms groups

Note: the final set of "best" jobs is not guaranteed to be minimal,
there may be redundant effort due to independent branches choosing
jobs that are subsets of other branches.

Related changes:
- We have to include the job's ID in the rollup doc's
hash, so that different jobs don't overwrite the same summary
document.
- Now that we iteratively reduce the agg tree, the agg framework
injects empty buckets while we're working.  In most cases this
is harmless, but for `avg` aggs the empty bucket is a SumAgg while
any unrolled versions are converted into AvgAggs... causing a cast
exception.  To get around this, avg's are renamed to
`{source_name}.value` to prevent a conflict
- The job filtering has been pushed up into a query filter, since it
applies to the entire msearch rather than just individual agg components
- We no longer add a filter agg clause about the date_histo's interval, because 
that is handled by the job validation and pruning.

Original commit: elastic/x-pack-elasticsearch@995be2a039
2018-03-27 10:33:59 -07:00
Alexander Reelsen 67badaadb0 Docs: Fix secure settings link
Original commit: elastic/x-pack-elasticsearch@f98a8dabc6
2018-03-26 15:32:27 +02:00
Alexander Reelsen c2764cef98 Docs: Fix deprecation notices and typo to build docs
Original commit: elastic/x-pack-elasticsearch@6e5504efd9
2018-03-26 14:25:42 +02:00
Alexander Reelsen 6eeacf339c Build: Use environment variables for credentials (elastic/x-pack-elasticsearch#4058)
The credentials now get injected via environment variables, so that
external services can pull those.

As soon as the specified environment variables are set, the tests are run. No need to check for the @Network annotation

This also introduces new secret store settings for the secure settings in order to be sure to not leak them in the configuration files, that get dumped.

Relates elastic/x-pack-elasticsearch#3800

Original commit: elastic/x-pack-elasticsearch@a2cfb9cb86
2018-03-26 09:10:04 +02:00
Dimitris Athanasiou 5f219bd70f [ML][DOCS] Remove empty rules from docs
Original commit: elastic/x-pack-elasticsearch@dee88e1161
2018-03-23 12:31:36 +00:00
Alexander Reelsen 23b4368fe4 Docs: Fix encrypt watcher sensitive data documentation (elastic/x-pack-elasticsearch#4198)
The documentation mentions that the xpack.watcher.encrypt_sensitive_data
setting needs to be set in the keystore. This is wrong however, it needs
to be set in the standard elasticsearch yaml file.

relates elastic/x-pack-elasticsearch#4195


Original commit: elastic/x-pack-elasticsearch@613d63da85
2018-03-22 18:57:31 +01:00
Jay Modi b0cc5afe8b Disable security for trial licenses by default (elastic/x-pack-elasticsearch#4120)
This change disables security for trial licenses unless security is
explicitly enabled in the settings. This is done to facilitate users
getting started and not having to deal with some of the complexities
involved in getting security configured. In order to do this and avoid
disabling security for existing users that have gold or platinum
licenses, we have to disable security after cluster formation so that
the license can be retrieved.

relates elastic/x-pack-elasticsearch#4078

Original commit: elastic/x-pack-elasticsearch@96bdb889fc
2018-03-21 21:09:44 -06:00
Lisa Cawley 9cfc759cfc [DOCS] Removed xpack installation comments (elastic/x-pack-elasticsearch#4153)
Original commit: elastic/x-pack-elasticsearch@1cd7982061
2018-03-20 11:26:34 -07:00
Yogesh Gaikwad 0de6376452 [DOCS] `xpack.ssl.client_authentication` setting does not apply to HTTP (elastic/x-pack-elasticsearch#4113)
Fix the documentation to mention the global setting does not apply to HTTP.

relates elastic/x-pack-elasticsearch#3413

Original commit: elastic/x-pack-elasticsearch@f9dc545b4a
2018-03-20 18:45:36 +11:00
Tim Vernum bc95ad80ce Add beats_system user to security (elastic/x-pack-elasticsearch#4103)
This creates a new "beats_system" user and role with the same
privileges as the existing "logstash_system" user/role.

The "beat_system" user is also added as a managed user within
the "setup-passwords" command.

Users who upgrade from an earlier version of Elasticsearch/X-Pack
will need to manually set a password for the beats_system user via
the change password API (or Kibana UI)

Original commit: elastic/x-pack-elasticsearch@6087d3a18e
2018-03-20 17:01:53 +10:00
Yogesh Gaikwad 10bb78c3d6 X-Pack-Security: Correct attribute_patterns regex in saml guide (elastic/x-pack-elasticsearch#4159)
X-Pack-Security: Correct attribute_patterns regex in saml guide

relates elastic/x-pack-elasticsearch#4157

Original commit: elastic/x-pack-elasticsearch@546d408e5a
2018-03-20 17:37:05 +11:00
Lisa Cawley 9d697f3c8b [DOCS] Add monitoring overview (elastic/x-pack-elasticsearch#4148)
Original commit: elastic/x-pack-elasticsearch@750ca4abc1
2018-03-19 16:48:07 -07:00
Lisa Cawley b6f16a6b0d [DOCS] Add aggregation limitation details (elastic/x-pack-elasticsearch#4143)
Original commit: elastic/x-pack-elasticsearch@953103bcd7
2018-03-19 07:55:14 -07:00
Alexander Reelsen ff725afe01 Documentation: Fix watcher script condition using params
Original commit: elastic/x-pack-elasticsearch@fe6d819d64
2018-03-16 09:57:29 -07:00
Lisa Cawley 4c78ede9c1 [DOCS] Update X-Pack installation instructions (elastic/x-pack-elasticsearch#4110)
Original commit: elastic/x-pack-elasticsearch@b3c21b82f3
2018-03-16 09:06:21 -07:00
Alexander Reelsen 132ac6ef52 Docs: Clarify outlook email action setup
relates elastic/x-pack-elasticsearch#1815

Original commit: elastic/x-pack-elasticsearch@998fe8fe5e
2018-03-15 15:05:07 -07:00
Alexander Reelsen 7712ab37d1 Documentation: Add username/password parameters for basic auth (elastic/x-pack-elasticsearch#4126)
relates elastic/x-pack-elasticsearch#4070

Original commit: elastic/x-pack-elasticsearch@19d7002d3c
2018-03-15 11:59:15 -07:00
Dimitris Athanasiou c10b2ea631 [ML] Ensure job is not assigned to node that cannot read model_snapshot (elastic/x-pack-elasticsearch#4091)
This adds a minimum compatible version to the model snapshot.
Nodes with a version earlier than that version cannot read
that model snapshot. Thus, such jobs are not assigned to
incompatible nodes.

relates elastic/x-pack-elasticsearch#4077

Original commit: elastic/x-pack-elasticsearch@2ffa6adce0
2018-03-15 17:38:52 +00:00
David Roberts 783cabbd2f [DOCS] Reflect recent improvements in notes on watch/datafeed privileges (elastic/x-pack-elasticsearch#4116)
Following elastic/x-pack-elasticsearch#3254 security for ML datafeeds has been improved.  The same goes
for watches since elastic/x-pack-elasticsearch#2808.

This change updates a section of the docs that was missed in those changes.
(The majority of the docs changes were made at the appropriate time.)

Original commit: elastic/x-pack-elasticsearch@b3b24ca483
2018-03-15 10:26:56 +00:00
Lisa Cawley 76e141d390 [DOCS] Split out X-Pack installation substeps (elastic/x-pack-elasticsearch#4125)
Original commit: elastic/x-pack-elasticsearch@df3a4ff045
2018-03-14 14:52:48 -07:00
Tim Brooks 7f7ac08447 Add api to start basic license (elastic/x-pack-elasticsearch#4083)
This is related to elastic/x-pack-elasticsearch#3877. This commit adds a route /start_basic that
will self generate a basic license. The only validation that is
performed is to check that you do not already have a basic license
installed. Additionally, if you lose features from switching to a basic
license, you must acknowledge the changes.

Original commit: elastic/x-pack-elasticsearch@7b8eeb50b1
2018-03-12 14:39:58 -06:00
Lisa Cawley 58d6c79c00 [DOCS] Added ML limitation (elastic/x-pack-elasticsearch#4081)
Original commit: elastic/x-pack-elasticsearch@378bf49b1d
2018-03-09 09:22:12 -08:00
Ioannis Kakavas 1cc20c4c59 [DOCS] Explain possible values for IDP EntityID (elastic/x-pack-elasticsearch#3875)
Resolves elastic/x-pack-elasticsearch#3865

Original commit: elastic/x-pack-elasticsearch@9102bc1a61
2018-03-09 14:07:51 +02:00
Lisa Cawley 277bd59e4f [DOCS] Remove ML CCS limitation (elastic/x-pack-elasticsearch#4082)
Original commit: elastic/x-pack-elasticsearch@8a44962435
2018-03-08 11:12:58 -08:00
Dimitris Athanasiou 1ed31af2c6 [ML] Allow model_memory_limit to be reduced (elastic/x-pack-elasticsearch#3998)
Up to now a job update that reduces the model memory limit
was not allowed. However, there could definitely be cases
where reducing the limit is necessary and reasonable.

This commit makes it possible to decrease the limit as long
as it does not go below the current memory usage. We obtain
the latter from the model size stats.

The conditions under which updating the model_memory_limit
is not allowed are now:

 - when the job is open
 - latest model_size_stats.model_bytes < new value

relates elastic/x-pack-elasticsearch#2461

Original commit: elastic/x-pack-elasticsearch@5b35923590
2018-03-08 06:14:18 -08:00
Lisa Cawley 095d6d466c [DOCS] Update types in datafeed resource (elastic/x-pack-elasticsearch#4011)
Original commit: elastic/x-pack-elasticsearch@6692b97c5e
2018-03-07 13:53:49 -08:00
lcawley 39c1dd085a [DOCS] Added link to security commands
Original commit: elastic/x-pack-elasticsearch@168167517b
2018-03-07 13:11:32 -08:00
Lisa Cawley 6e87d95f9b [DOCS] Added licensing APIs (elastic/x-pack-elasticsearch#4026)
Original commit: elastic/x-pack-elasticsearch@0e50cc0d64
2018-03-06 09:47:04 -08:00
Alexander Reelsen 918f62f97a Docs: Remove mentions of file based script in watcher
relates elastic/x-pack-elasticsearch#3755

Original commit: elastic/x-pack-elasticsearch@cfc023543d
2018-03-04 11:49:42 -08:00
Dimitris Athanasiou 79d46d1d17 [ML] Set explicit defaults to AnalysisLimits (elastic/x-pack-elasticsearch#4015)
Analysis limits contain settings that affect the resources
used by ML jobs. Those limits always take place. However,
explictly setting them is not required as they have reasonable
defaults. For a long time those defaults lived on the c++ side.
The job could just not have any explicit limits and that meant
defaults would be used at the c++ side. This has the disadvantage
that it is not obvious to the users what these settings are set to.
Additionally, users might not be aware of the settings existence.

On top of that, since 6.1, the default model_memory_limit was lowered
from 4GB to 1GB. For BWC, this meant that jobs where model_memory_limit
is null, the default of 4GB applies. Jobs that were created from 6.1
onwards, contain an explicit setting for model_memory_limit, which is
1GB unless the user sets it differently. This adds additional confusion.

This commit makes analysis limits an always explicit setting on the job.
Regardless of whether the user sets custom limits or not, the job object
(and response) will contain the full analysis limits values.

The possibilities for interpretation of missing values are:

  - the entire analysis_limits is null: this may only happen for jobs
  created prior to 6.1. Thus we set the model_memory_limit to 4GB.
  - analysis_limits are non-null but model_memory_limit is: this also
  may only happen for jobs prior to 6.1. Again, we set memory limit to
  4GB.
  - model_memory_limit is non-null: this either means the user set an
  explicit value or the job was created from 6.1 onwards and it has
  the explicit default of 1GB. We simply keep the given value.

For categorization_examples_limit the default has always been 4, so
we fill that in when it's missing.

Finally, note that we still need to handle potential null values
for the situation of a mixed cluster.

Original commit: elastic/x-pack-elasticsearch@5b6994ef75
2018-02-27 17:49:05 +00:00