Merge branch 'master' into apm-renaming-backends

.buildkite/scripts/common/env.sh

@@ -70,3 +70,4 @@ export TEST_ES_URL="http://elastic:changeme@localhost:6102"
 export TEST_ES_TRANSPORT_PORT=6301-6309
 export TEST_CORS_SERVER_PORT=6106
 export ALERTING_PROXY_PORT=6105
+export TEST_PROXY_SERVER_PORT=6107

.ci/Jenkinsfile_baseline_trigger

@@ -1,5 +1,7 @@
 #!/bin/groovy
 
+return
+
 def MAXIMUM_COMMITS_TO_CHECK = 10
 def MAXIMUM_COMMITS_TO_BUILD = 5
 

.github/CODEOWNERS

@@ -12,31 +12,34 @@
 # Virtual teams
 /x-pack/plugins/rule_registry/ @elastic/rac
 
-# App
-/x-pack/plugins/discover_enhanced/ @elastic/kibana-app
-/x-pack/plugins/lens/ @elastic/kibana-app
-/x-pack/plugins/graph/ @elastic/kibana-app
-/src/plugins/advanced_settings/ @elastic/kibana-app
-/src/plugins/charts/ @elastic/kibana-app
-/src/plugins/discover/ @elastic/kibana-app
-/src/plugins/management/ @elastic/kibana-app
-/src/plugins/kibana_legacy/ @elastic/kibana-app
-/src/plugins/timelion/ @elastic/kibana-app
-/src/plugins/vis_default_editor/ @elastic/kibana-app
-/src/plugins/vis_type_metric/ @elastic/kibana-app
-/src/plugins/vis_type_table/ @elastic/kibana-app
-/src/plugins/vis_type_tagcloud/ @elastic/kibana-app
-/src/plugins/vis_type_timelion/ @elastic/kibana-app
-/src/plugins/vis_type_timeseries/ @elastic/kibana-app
-/src/plugins/vis_type_vega/ @elastic/kibana-app
-/src/plugins/vis_types/vislib/ @elastic/kibana-app
-/src/plugins/vis_types/xy/ @elastic/kibana-app
-/src/plugins/vis_types/pie/ @elastic/kibana-app
-/src/plugins/visualize/ @elastic/kibana-app
-/src/plugins/visualizations/ @elastic/kibana-app
-/src/plugins/chart_expressions/expression_tagcloud/ @elastic/kibana-app
-/src/plugins/url_forwarding/ @elastic/kibana-app
-/packages/kbn-tinymath/ @elastic/kibana-app
+# Data Discovery
+/src/plugins/discover/ @elastic/kibana-data-discovery
+/x-pack/plugins/discover_enhanced/ @elastic/kibana-data-discovery
+/test/functional/apps/discover/ @elastic/kibana-data-discovery
+
+# Vis Editors
+/x-pack/plugins/lens/ @elastic/kibana-vis-editors
+/x-pack/plugins/graph/ @elastic/kibana-vis-editors
+/src/plugins/advanced_settings/ @elastic/kibana-vis-editors
+/src/plugins/charts/ @elastic/kibana-vis-editors
+/src/plugins/management/ @elastic/kibana-vis-editors
+/src/plugins/kibana_legacy/ @elastic/kibana-vis-editors
+/src/plugins/timelion/ @elastic/kibana-vis-editors
+/src/plugins/vis_default_editor/ @elastic/kibana-vis-editors
+/src/plugins/vis_type_metric/ @elastic/kibana-vis-editors
+/src/plugins/vis_type_table/ @elastic/kibana-vis-editors
+/src/plugins/vis_type_tagcloud/ @elastic/kibana-vis-editors
+/src/plugins/vis_type_timelion/ @elastic/kibana-vis-editors
+/src/plugins/vis_type_timeseries/ @elastic/kibana-vis-editors
+/src/plugins/vis_type_vega/ @elastic/kibana-vis-editors
+/src/plugins/vis_types/vislib/ @elastic/kibana-vis-editors
+/src/plugins/vis_types/xy/ @elastic/kibana-vis-editors
+/src/plugins/vis_types/pie/ @elastic/kibana-vis-editors
+/src/plugins/visualize/ @elastic/kibana-vis-editors
+/src/plugins/visualizations/ @elastic/kibana-vis-editors
+/src/plugins/chart_expressions/expression_tagcloud/ @elastic/kibana-vis-editors
+/src/plugins/url_forwarding/ @elastic/kibana-vis-editors
+/packages/kbn-tinymath/ @elastic/kibana-vis-editors
 
 # Application Services
 /examples/bfetch_explorer/ @elastic/kibana-app-services
@@ -436,6 +439,9 @@
 /x-pack/test/reporting_api_integration/ @elastic/kibana-reporting-services @elastic/kibana-app-services
 /x-pack/test/reporting_functional/ @elastic/kibana-reporting-services @elastic/kibana-app-services
 /x-pack/test/stack_functional_integration/apps/reporting/ @elastic/kibana-reporting-services @elastic/kibana-app-services
+/docs/user/reporting @elastic/kibana-reporting-services @elastic/kibana-app-services
+/docs/settings/reporting-settings.asciidoc @elastic/kibana-reporting-services @elastic/kibana-app-services
+/docs/setup/configuring-reporting.asciidoc @elastic/kibana-reporting-services @elastic/kibana-app-services
 #CC# /x-pack/plugins/reporting/ @elastic/kibana-reporting-services
 
 

.github/workflows/project-assigner.yml

@@ -14,7 +14,7 @@ jobs:
           issue-mappings: |
             [
               {"label": "Feature:Lens", "projectNumber": 32, "columnName": "Long-term goals"},
-              {"label": "Feature:Discover", "projectNumber": 44, "columnName": "Inbox"},
+              {"label": "Team:DataDiscovery", "projectNumber": 44, "columnName": "Inbox"},
               {"label": "Feature:Canvas", "projectNumber": 38, "columnName": "Inbox"},
               {"label": "Feature:Dashboard", "projectNumber": 68, "columnName": "Inbox"},
               {"label": "Feature:Drilldowns", "projectNumber": 68, "columnName": "Inbox"},

dev_docs/building_blocks.mdx

@@ -62,7 +62,7 @@ Check out the Lens Embeddable if you wish to show users visualizations based on
  and <DocLink id="kibBuildingBlocks" section="ui-actions--triggers" text="UI Actions"/>. Using the same configuration, it's also possible to link to
  a prefilled Lens editor, allowing the user to drill deeper and explore their data.
 
-**Github labels**: `Team:KibanaApp`, `Feature:Lens`
+**Github labels**: `Team:VisEditors`, `Feature:Lens`
 
 ### Map Embeddable
 

docs/api/spaces-management.asciidoc

@@ -20,10 +20,13 @@ The following {kib} spaces APIs are available:
 
 * <<spaces-api-resolve-copy-saved-objects-conflicts, Resolve copy saved objects to space conflicts API>> to overwrite saved objects returned as errors from the copy saved objects to space API
 
+* <<spaces-api-disable-legacy-url-aliases, Disable legacy URL aliases API>> to disable legacy URL aliases if an error is encountered
+
 include::spaces-management/post.asciidoc[]
 include::spaces-management/put.asciidoc[]
 include::spaces-management/get.asciidoc[]
 include::spaces-management/get_all.asciidoc[]
 include::spaces-management/delete.asciidoc[]
 include::spaces-management/copy_saved_objects.asciidoc[]
 include::spaces-management/resolve_copy_saved_objects_conflicts.asciidoc[]
+include::spaces-management/disable_legacy_url_aliases.asciidoc[]

docs/api/spaces-management/disable_legacy_url_aliases.asciidoc

@@ -0,0 +1,59 @@
+[[spaces-api-disable-legacy-url-aliases]]
+=== Disable legacy URL aliases API
+++++
+<titleabbrev>Disable legacy URL aliases</titleabbrev>
+++++
+
+experimental[] Disable a <<legacy-url-aliases,legacy URL alias>> in {kib}.
+
+[[spaces-api-disable-legacy-url-aliases-request]]
+==== {api-request-title}
+
+`POST <kibana host>:<port>/api/spaces/_disable_legacy_url_aliases`
+
+[role="child_attributes"]
+[[spaces-api-disable-legacy-url-aliases-request-body]]
+==== {api-request-body-title}
+
+`aliases`::
+  (Required, object array) The aliases to disable.
++
+.Properties of `aliases`
+[%collapsible%open]
+=====
+  `targetSpace`:::
+    (Required, string) The space where the alias target object exists.
+
+  `targetType`:::
+    (Required, string) The type of the alias target object.
+
+  `sourceId`:::
+    (Required, string) The ID of the alias source object. This is the "legacy" object ID.
+=====
+
+[[spaces-api-disable-legacy-url-aliases-response-codes]]
+==== {api-response-codes-title}
+
+`204`::
+  Indicates a successful call.
+
+[[spaces-api-disable-legacy-url-aliases-example]]
+==== {api-examples-title}
+
+[source,sh]
+--------------------------------------------------
+$ curl -X POST api/spaces/_disable_legacy_url_aliases
+{
+  "aliases": [
+    {
+      "targetSpace": "bills-space",
+      "targetType": "dashboard",
+      "sourceId": "123"
+    }
+  ]
+}
+--------------------------------------------------
+// KIBANA
+
+This example leaves the alias intact, but the legacy URL for this alias, http://localhost:5601/s/bills-space/app/dashboards#/view/123, will
+no longer function. The dashboard still exists, and you can access it with the new URL.

docs/developer/advanced/index.asciidoc

@@ -6,6 +6,7 @@
 * <<development-basepath>>
 * <<upgrading-nodejs>>
 * <<sharing-saved-objects>>
+* <<legacy-url-aliases>>
 
 include::development-es-snapshots.asciidoc[leveloffset=+1]
 
@@ -15,4 +16,6 @@ include::development-basepath.asciidoc[leveloffset=+1]
 
 include::upgrading-nodejs.asciidoc[leveloffset=+1]
 
-include::sharing-saved-objects.asciidoc[leveloffset=+1]
+include::sharing-saved-objects.asciidoc[leveloffset=+1]
+
+include::legacy-url-aliases.asciidoc[leveloffset=+1]

docs/developer/advanced/legacy-url-aliases.asciidoc

@@ -0,0 +1,45 @@
+[[legacy-url-aliases]]
+== Legacy URL Aliases
+
+This page describes legacy URL aliases: what they are, where they come from, and how to disable them.
+
+[[legacy-url-aliases-overview]]
+=== Overview
+
+Many saved object types were converted in {kib} 8.0, so they can eventually be shared across <<xpack-spaces,spaces>>. Before 8.0, you could
+have two objects with the same type and same ID in two different spaces. Part of this conversion is to make sure all object IDs of a given
+type are *globally unique across all spaces*.
+
+{kib} creates a special entity called a **legacy URL alias** for each saved object that requires a new ID. This legacy URL alias allows
+{kib} to preserve any deep link URLs that exist for these objects.
+
+[[legacy-url-aliases-example]]
+=== Example
+
+Consider the following scenario:
+
+You have {kib} 7.16, and you create a new dashboard.The ID of this dashboard is "123". You create a new space called "Bill's space" and
+<<managing-saved-objects-copy-to-space,copy>> your dashboard to the other space. Now you have two different dashboards that can be accessed
+at the following URLs:
+
+* *Default space*: `http://localhost:5601/app/dashboards#/view/123`
+* *Bill's space*: `http://localhost:5601/s/bills-space/app/dashboards#/view/123`
+
+You use these two dashboards frequently, so you bookmark them in your web browser. After some time, you decide to upgrade to {kib} 8.0. When
+these two dashboards go through the conversion process, the one in "Bill's space" will have its ID changed to "456". The URL to access that
+dashboard is different -- not to worry though, there is a legacy URL alias for that dashboard.
+
+If you use your bookmark to access that dashboard using its old URL, {kib} detects that you are using a legacy URL, and finds the new object
+ID. If you navigate to `http://localhost:5601/s/bills-space/app/dashboards#/view/123`, you'll see a message indicating that the dashboard
+has a new URL, and you're automatically redirected to `http://localhost:5601/s/bills-space/app/dashboards#/view/456`.
+
+[[legacy-url-aliases-handling-errors]]
+=== Handling errors
+
+Legacy URL aliases are intended to be fully transparent, but there are rare situations where this can lead to an error. For example, you
+might have a dashboard and one of the visualizations fails to load, directing you to this page. If you encounter an error in this situation,
+you might want to disable the legacy URL alias completely. This leaves the saved object intact, and you will not lose any data -- you just
+won't be able to use the old URL to access that saved object.
+
+To disable a legacy URL alias, you need three pieces of information: the `targetSpace`, the `targetType`, and the `sourceId`. Then use the
+<<spaces-api-disable-legacy-url-aliases,`_disable_legacy_url_aliases`>> API to disable the problematic legacy URL alias.

docs/management/advanced-options.asciidoc

@@ -186,7 +186,7 @@ Set to `true` to enable a dark mode for the {kib} UI. You must refresh the page
 to apply the setting.
 
 [[theme-version]]`theme:version`::
-Specifies the {kib} theme. If you change the setting, refresh the page to apply the setting. 
+Specifies the {kib} theme. If you change the setting, refresh the page to apply the setting.
 
 [[timepicker-quickranges]]`timepicker:quickRanges`::
 The list of ranges to show in the Quick section of the time filter. This should
@@ -214,7 +214,7 @@ truncation.
 When enabled, provides access to the experimental *Labs* features for *Canvas*.
 
 [[labs-dashboard-defer-below-fold]]`labs:dashboard:deferBelowFold`::
-When enabled, the panels that appear below the fold are loaded when they become visible on the dashboard. 
+When enabled, the panels that appear below the fold are loaded when they become visible on the dashboard.
 _Below the fold_ refers to panels that are not immediately visible when you open a dashboard, but become visible as you scroll. For additional information, refer to <<defer-loading-panels-below-the-fold,Improve dashboard loading time>>.
 
 [[labs-dashboard-enable-ui]]`labs:dashboard:enable_ui`::
@@ -240,7 +240,7 @@ Banners are a https://www.elastic.co/subscriptions[subscription feature].
 
 [horizontal]
 [[banners-placement]]`banners:placement`::
-Set to `Top` to display a banner above the Elastic header for this space. Defaults to the value of 
+Set to `Top` to display a banner above the Elastic header for this space. Defaults to the value of
 the `xpack.banners.placement` configuration property.
 
 [[banners-textcontent]]`banners:textContent`::
@@ -443,6 +443,9 @@ The threshold above which {ml} job anomalies are displayed in the {security-app}
 A comma-delimited list of {es} indices from which the {security-app} collects
 events.
 
+[[securitysolution-threatindices]]`securitySolution:defaultThreatIndex`::
+A comma-delimited list of Threat Intelligence indices from which the {security-app} collects indicators.
+
 [[securitysolution-enablenewsfeed]]`securitySolution:enableNewsFeed`:: Enables
 the security news feed on the Security *Overview* page.
 
@@ -544,4 +547,4 @@ only production-ready visualizations are available to users.
 [horizontal]
 [[telemetry-enabled-advanced-setting]]`telemetry:enabled`::
 When enabled, helps improve the Elastic Stack by providing usage statistics for
-basic features. This data will not be shared outside of Elastic.
+basic features. This data will not be shared outside of Elastic.

docs/settings/reporting-settings.asciidoc

@@ -281,16 +281,15 @@ NOTE: This setting exists for backwards compatibility, but is unused and hardcod
 [[reporting-advanced-settings]]
 ==== Security settings
 
-[[xpack-reporting-roles-enabled]] `xpack.reporting.roles.enabled`::
-deprecated:[7.14.0,This setting must be set to `false` in 8.0.] When `true`, grants users access to the {report-features} by assigning reporting roles, specified by `xpack.reporting.roles.allow`. Granting access to users this way is deprecated. Set to `false` and use {kibana-ref}/kibana-privileges.html[{kib} privileges] instead. Defaults to `true`.
+With Security enabled, Reporting has two forms of access control: each user can only access their own reports, and custom roles determine who has privilege to generate reports. When Reporting is configured with <<kibana-privileges, {kib} application privileges>>, you can control the spaces and applications where users are allowed to generate reports.
 
 [NOTE]
 ============================================================================
-In 7.x, the default value of `xpack.reporting.roles.enabled` is `true`. To migrate users to the
-new method of securing access to *Reporting*, you must set `xpack.reporting.roles.enabled: false`. In the next major version of {kib}, `false` will be the only valid configuration.
+The `xpack.reporting.roles` settings are for a deprecated system of access control in Reporting. It does not allow API Keys to generate reports, and it doesn't allow {kib} application privileges. We recommend you explicitly turn off reporting's deprecated access control feature by adding `xpack.reporting.roles.enabled: false` in kibana.yml. This will enable application privileges for reporting, as described in <<grant-user-access, granting users access to reporting>>.
 ============================================================================
 
-`xpack.reporting.roles.allow`::
-deprecated:[7.14.0,This setting will be removed in 8.0.] Specifies the roles, in addition to superusers, that can generate reports, using the {ref}/security-api.html#security-role-apis[{es} role management APIs]. Requires `xpack.reporting.roles.enabled` to be `true`. Granting access to users this way is deprecated. Use {kibana-ref}/kibana-privileges.html[{kib} privileges] instead. Defaults to `[ "reporting_user" ]`.
+[[xpack-reporting-roles-enabled]] `xpack.reporting.roles.enabled`::
+deprecated:[7.14.0,The default for this setting will be `false` in an upcoming version of {kib}.] Sets access control to a set of assigned reporting roles, specified by `xpack.reporting.roles.allow`. Defaults to `true`.
 
-NOTE: Each user has access to only their own reports.
+`xpack.reporting.roles.allow`::
+deprecated:[7.14.0] In addition to superusers, specifies the roles that can generate reports using the {ref}/security-api.html#security-role-apis[{es} role management APIs]. Requires `xpack.reporting.roles.enabled` to be `true`. Defaults to `[ "reporting_user" ]`.

docs/setup/configuring-reporting.asciidoc

@@ -41,11 +41,16 @@ To troubleshoot the problem, start the {kib} server with environment variables t
 [float]
 [[grant-user-access]]
 === Grant users access to reporting
+When security is enabled, you grant users access to generate reports with <<kibana-privileges, {kib} application privileges>>, which allow you to create custom roles that control the spaces and applications where users generate reports.
 
-When security is enabled, access to the {report-features} is controlled by roles and <<kibana-privileges, privileges>>. With privileges, you can define custom roles that grant *Reporting* privileges as sub-features of {kib} applications. To grant users permission to generate reports and view their reports in *Reporting*, create and assign the reporting role.
-
-[[reporting-app-users]]
-NOTE: In 7.12.0 and earlier, you grant access to the {report-features} by assigning users the `reporting_user` role in {es}. 
+. Enable application privileges in Reporting. To enable, turn off the default user access control features in `kibana.yml`:
++
+[source,yaml]
+------------------------------------
+xpack.reporting.roles.enabled: false
+------------------------------------
++
+NOTE: If you use the default settings, you can still create a custom role that grants reporting privileges. The default role is `reporting_user`. This behavior is being deprecated and does not allow application-level access controls for {report-features}, and does not allow API keys or authentication tokens to authorize report generation. Refer to <<reporting-advanced-settings, reporting security settings>> for information and caveats about the deprecated access control features.
 
 . Create the reporting role. 
 
@@ -90,10 +95,12 @@ If the *Reporting* option is unavailable, contact your administrator, or <<repor
 
 .. Click *Update user*.
 
+Granting the privilege to generate reports also grants the user the privilege to view their reports in *Stack Management > Reporting*. Users can only access their own reports.
+
 [float]
 [[reporting-roles-user-api]]
 ==== Grant access with the role API
-You can also use the {ref}/security-api-put-role.html[role API] to grant access to the reporting features. Grant the reporting role to users in combination with other roles that grant read access to the data in {es}, and at least read access in the applications where users can generate reports.
+With <<grant-user-access, {kib} application privileges>> enabled in Reporting, you can also use the {ref}/security-api-put-role.html[role API] to grant access to the {report-features}. Grant custom reporting roles to users in combination with other roles that grant read access to the data in {es}, and at least read access in the applications where users can generate reports.
 
 [source, sh]
 ---------------------------------------------------------------