[float] [[breaking_70_settings_changes]] === Settings changes //NOTE: The notable-breaking-changes tagged regions are re-used in the //Installation and Upgrade Guide //tag::notable-breaking-changes[] // end::notable-breaking-changes[] [float] [[default-node-name-now-hostname]] ==== The default for `node.name` is now the hostname `node.name` now defaults to the hostname at the time when Elasticsearch is started. Previously the default node name was the first eight characters of the node id. It can still be configured explicitly in `elasticsearch.yml`. [float] ==== Percolator * The deprecated `index.percolator.map_unmapped_fields_as_string` setting has been removed in favour of the `index.percolator.map_unmapped_fields_as_text` setting. [float] ==== Index thread pool * Internally, single-document index/delete/update requests are executed as bulk requests with a single-document payload. This means that these requests are executed on the bulk thread pool. As such, the indexing thread pool is no longer needed and has been removed. As such, the settings `thread_pool.index.size` and `thread_pool.index.queue_size` have been removed. [float] [[write-thread-pool-fallback]] ==== Write thread pool fallback * The bulk thread pool was replaced by the write thread pool in 6.3.0. However, for backwards compatibility reasons the name `bulk` was still usable as fallback settings `thread_pool.bulk.size` and `thread_pool.bulk.queue_size` for `thread_pool.write.size` and `thread_pool.write.queue_size`, respectively, and the system property `es.thread_pool.write.use_bulk_as_display_name` was available to keep the display output in APIs as `bulk` instead of `write`. These fallback settings and this system property have been removed. [float] ==== Disabling memory-mapping * The setting `node.store.allow_mmapfs` has been renamed to `node.store.allow_mmap`. [float] [[remove-http-enabled]] ==== Http enabled setting removed * The setting `http.enabled` previously allowed disabling binding to HTTP, only allowing use of the transport client. This setting has been removed, as the transport client will be removed in the future, thus requiring HTTP to always be enabled. [float] [[remove-http-pipelining-setting]] ==== Http pipelining setting removed * The setting `http.pipelining` previously allowed disabling HTTP pipelining support. This setting has been removed, as disabling http pipelining support on the server provided little value. The setting `http.pipelining.max_events` can still be used to limit the number of pipelined requests in-flight. [float] ==== Cross-cluster search settings renamed The cross-cluster search remote cluster connection infrastructure is also used in cross-cluster replication. This means that the setting names `search.remote.*` used for configuring cross-cluster search belie the fact that they also apply to other situations where a connection to a remote cluster as used. Therefore, these settings have been renamed from `search.remote.*` to `cluster.remote.*`. For backwards compatibility purposes, we will fallback to `search.remote.*` if `cluster.remote.*` is not set. For any such settings stored in the cluster state, or set on dynamic settings updates, we will automatically upgrade the setting from `search.remote.*` to `cluster.remote.*`. The fallback settings will be removed in 8.0.0. [float] [[audit-logfile-local-node-info]] ==== Audit logfile local node info The following settings have been removed: - `xpack.security.audit.logfile.prefix.emit_node_host_address`, instead use `xpack.security.audit.logfile.emit_node_host_address` - `xpack.security.audit.logfile.prefix.emit_node_host_name`, instead use `xpack.security.audit.logfile.emit_node_host_name` - `xpack.security.audit.logfile.prefix.emit_node_name`, instead use `xpack.security.audit.logfile.emit_node_name` The new settings have the same meaning as the removed ones, but the `prefix` name component is no longer meaningful as logfile audit entries are structured JSON documents and are not prefixed by anything. Moreover, `xpack.security.audit.logfile.emit_node_name` has changed its default from `true` to `false`. All other settings mentioned before, have kept their default value of `false`. [float] [[include-realm-type-in-setting]] ==== Security realms settings The settings for all security realms must now include the realm type as part of the setting name, and the explicit `type` setting has been removed. A realm that was previous configured as: [source,yaml] -------------------------------------------------- xpack.security.authc.realms: ldap1: type: ldap order: 1 url: "ldaps://ldap.example.com/" -------------------------------------------------- Must be migrated to: [source,yaml] -------------------------------------------------- xpack.security.authc.realms: ldap.ldap1: order: 1 url: "ldaps://ldap.example.com/" -------------------------------------------------- Any realm specific secure settings that have been stored in the elasticsearch keystore (such as ldap bind passwords, or passwords for ssl keys) must be updated in a similar way. [float] [[tls-setting-fallback]] ==== TLS/SSL settings The default TLS/SSL settings, which were prefixed by `xpack.ssl`, have been removed. The removal of these default settings also removes the ability for a component to fallback to a default configuration when using TLS. Each component (realm, transport, http, http client, etc) must now be configured with their own settings for TLS if it is being used. [float] [[tls-v1-removed]] ==== TLS v1.0 disabled TLS version 1.0 is now disabled by default as it suffers from https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Protocols[known security issues]. The default protocols are now TLSv1.3 (if supported), TLSv1.2 and TLSv1.1. You can enable TLS v1.0 by configuring the relevant `ssl.supported_protocols` setting to include `"TLSv1"`. Depending on your local configuration and the TLS protocols that are in use on your network, you may need to enable TLS v1.0 support in any or all of the following places: `xpack.security.http.ssl.supported_protocols`:: For incoming HTTP connections to Elasticsearch's HTTP (Rest) interface. If there are clients that connect to {es} and do not support newer TLS versions, you must update this setting. `xpack.http.ssl.supported_protocols`:: For outgoing HTTP connections from {watcher}. If you have watches that connect to external HTTP servers and do not support newer TLS versions, you must update this setting. `xpack.security.authc.realms.ldap.{name}.ssl.supported_protocols`:: For outgoing LDAP connections from {es} {security-features}. If you have an LDAP realm enabled and the LDAP directory to which that realm connects does not support newer TLS versions, you must update this setting. `xpack.security.authc.realms.active_directory.{name}.ssl.supported_protocols`:: For outgoing Active Directory (LDAP) connections from {es} {security-features}. If you have an AD realm enabled and the directory server to which that realm connects does not support newer TLS versions, you must update this setting. `xpack.security.authc.realms.saml.{name}.ssl.supported_protocols`:: For outgoing HTTP connections to retrieve SAML metadata. If you have a SAML realm enabled and the realm is configured to retrieve metadata over HTTPS (that is, `idp.metadata.path` is a URL starting with `https://`) and the web server which hosts the metadata does not support newer TLS versions, you must update this setting. `xpack.security.authc.realms.oidc.{name}.ssl.supported_protocols`:: For outgoing HTTP connections to an OpenId Connect Provider. If you have an OpenId Connect ("oidc") realm enabled and the realm is configured to connect to a remote OpenID Connect Provider which does not support newer TLS versions, you must update this setting. `xpack.monitoring.exporters.{name}.ssl.supported_protocols`:: For remote monitoring data. If your monitoring data is exported to a remote monitoring cluster and that cluster is configured to only support TLSv1, you must update this setting. `reindex.ssl.supported_protocols`:: For reindex from remote. If you reindex data from a remote {es} cluster which has SSL enabled on the `http` interface and that cluster is configured to only support TLSv1, you must update this setting. `xpack.security.transport.ssl.supported_protocols`:: For incoming connections between {es} nodes. If you have specialized network equipment which inspects TLS packets between your nodes, and that equipment enforces TLSv1 you must update this setting. The following is an example that enables TLS v1.0 for incoming HTTP connections: [source,yaml] -------------------------------------------------- xpack.security.http.ssl.supported_protocols: [ "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1" ] -------------------------------------------------- [float] [[trial-explicit-security]] ==== Security on Trial Licenses On trial licenses, `xpack.security.enabled` defaults to `false`. In prior versions, a trial license would automatically enable security if either * `xpack.security.transport.enabled` was `true`; _or_ * the trial license was generated on a version of X-Pack from 6.2 or earlier. This behaviour has been now removed, so security is only enabled if: * `xpack.security.enabled` is `true`; _or_ * `xpack.security.enabled` is not set, and a gold or platinum license is installed. [float] [[watcher-notifications-account-settings]] ==== Watcher notifications account settings The following settings have been removed in favor of the secure variants. The <> have to be defined inside each cluster node's keystore, i.e., they are not to be specified via the cluster settings API. - `xpack.notification.email.account..smtp.password`, instead use `xpack.notification.email.account..smtp.secure_password` - `xpack.notification.hipchat.account..auth_token`, instead use `xpack.notification.hipchat.account..secure_auth_token` - `xpack.notification.jira.account..url`, instead use `xpack.notification.jira.account..secure_url` - `xpack.notification.jira.account..user`, instead use `xpack.notification.jira.account..secure_user` - `xpack.notification.jira.account..password`, instead use `xpack.notification.jira.account..secure_password` - `xpack.notification.pagerduty.account..service_api_key`, instead use `xpack.notification.pagerduty.account..secure_service_api_key` - `xpack.notification.slack.account..url`, instead use `xpack.notification.slack.account..secure_url` [float] [[remove-audit-index-output]] ==== Audit index output type removed All the settings under the `xpack.security.audit.index` namespace have been removed. In addition, the `xpack.security.audit.outputs` setting has been removed as well. These settings enabled and configured the audit index output type. This output type has been removed because it was unreliable in certain scenarios and this could have lead to dropping audit events while the operations on the system were allowed to continue as usual. The recommended replacement is the use of the `logfile` audit output type and using other components from the Elastic Stack to handle the indexing part. [float] [[ingest-user-agent-ecs-always]] ==== Ingest User Agent processor defaults uses `ecs` output format https://github.com/elastic/ecs[ECS] format is now the default. The `ecs` setting for the user agent ingest processor now defaults to true. [float] [[remove-action-master-force_local]] ==== Remove `action.master.force_local` The `action.master.force_local` setting was an undocumented setting, used internally by the tribe node to force reads to local cluster state (instead of forwarding to a master, which tribe nodes did not have). Since the tribe node was removed, this setting was removed too. [float] ==== Enforce cluster-wide shard limit The cluster-wide shard limit is now enforced and not optional. The limit can still be adjusted as desired using the cluster settings API. [float] ==== HTTP Max content length setting is no longer parsed leniently Previously, `http.max_content_length` would reset to `100mb` if the setting was `Integer.MAX_VALUE`. This leniency has been removed.