Merge branch 'master' of github.com:elastic/kibana into fix-agent-act…

…ion-polling

.github/CODEOWNERS

@@ -169,6 +169,7 @@
 /x-pack/plugins/encrypted_saved_objects/  @elastic/kibana-security
 /x-pack/plugins/security/  @elastic/kibana-security
 /x-pack/test/api_integration/apis/security/ @elastic/kibana-security
+/x-pack/test/ui_capabilities/ @elastic/kibana-security
 /x-pack/test/encrypted_saved_objects_api_integration/ @elastic/kibana-security
 /x-pack/test/functional/apps/security/ @elastic/kibana-security
 /x-pack/test/kerberos_api_integration/ @elastic/kibana-security

docs/developer/architecture/security/feature-registration.asciidoc

@@ -9,13 +9,12 @@ Registering features also gives your plugin access to “UI Capabilities”. The
 
 === Registering a feature
 
-Feature registration is controlled via the built-in `xpack_main` plugin. To register a feature, call `xpack_main`'s `registerFeature` function from your plugin's `init` function, and provide the appropriate details:
+Feature registration is controlled via the built-in `features` plugin. To register a feature, call `features`'s `registerKibanaFeature` function from your plugin's `setup` lifecycle function, and provide the appropriate details:
 
 ["source","javascript"]
 -----------
-init(server) {
-  const xpackMainPlugin = server.plugins.xpack_main;
-  xpackMainPlugin.registerFeature({
+setup(core, { features }) {
+  features.registerKibanaFeature({
     // feature details here.
   });
 }
@@ -45,12 +44,12 @@ Registering a feature consists of the following fields. For more information, co
 |An array of applications this feature enables. Typically, all of your plugin's apps (from `uiExports`) will be included here.
 
 |`privileges` (required)
-|{kib-repo}blob/{branch}/x-pack/plugins/features/common/feature.ts[`FeatureConfig`].
+|{kib-repo}blob/{branch}/x-pack/plugins/features/common/feature.ts[`KibanaFeatureConfig`].
 |See <<example-1-canvas,Example 1>> and <<example-2-dev-tools,Example 2>>
 |The set of privileges this feature requires to function.
 
 |`subFeatures` (optional)
-|{kib-repo}blob/{branch}/x-pack/plugins/features/common/feature.ts[`FeatureConfig`].
+|{kib-repo}blob/{branch}/x-pack/plugins/features/common/feature.ts[`KibanaFeatureConfig`].
 |See <<example-3-discover,Example 3>>
 |The set of subfeatures that enables finer access control than the `all` and `read` feature privileges. These options are only available in the Gold subscription level and higher.
 
@@ -73,25 +72,26 @@ For a full explanation of fields and options, consult the {kib-repo}blob/{branch
 === Using UI Capabilities
 
 UI Capabilities are available to your public (client) plugin code. These capabilities are read-only, and are used to inform the UI. This object is namespaced by feature id. For example, if your feature id is “foo”, then your UI Capabilities are stored at `uiCapabilities.foo`.
-To access capabilities, import them from `ui/capabilities`:
+Capabilities can be accessed from your plugin's `start` lifecycle from the `core.application` service:
 
 ["source","javascript"]
 -----------
-import { uiCapabilities } from 'ui/capabilities';
+public start(core) {
+  const { capabilities } = core.application;
 
-const canUserSave = uiCapabilities.foo.save;
-if (canUserSave) {
-  // show save button
+  const canUserSave = capabilities.foo.save;
+  if (canUserSave) {
+    // show save button
+  }
 }
 -----------
 
 [[example-1-canvas]]
 === Example 1: Canvas Application
 ["source","javascript"]
 -----------
-init(server) {
-  const xpackMainPlugin = server.plugins.xpack_main;
-  xpackMainPlugin.registerFeature({
+public setup(core, { features }) {
+  features.registerKibanaFeature({
     id: 'canvas',
     name: 'Canvas',
     icon: 'canvasApp',
@@ -130,11 +130,13 @@ The `all` privilege defines a single “save” UI Capability. To access this in
 
 ["source","javascript"]
 -----------
-import { uiCapabilities } from 'ui/capabilities';
+public start(core) {
+  const { capabilities } = core.application;
 
-const canUserSave = uiCapabilities.canvas.save;
-if (canUserSave) {
-  // show save button
+  const canUserSave = capabilities.canvas.save;
+  if (canUserSave) {
+    // show save button
+  }
 }
 -----------
 
@@ -145,9 +147,8 @@ Because the `read` privilege does not define the `save` capability, users with r
 
 ["source","javascript"]
 -----------
-init(server) {
-  const xpackMainPlugin = server.plugins.xpack_main;
-  xpackMainPlugin.registerFeature({
+public setup(core, { features }) {
+  features.registerKibanaFeature({
     id: 'dev_tools',
     name: i18n.translate('xpack.features.devToolsFeatureName', {
       defaultMessage: 'Dev Tools',
@@ -206,9 +207,8 @@ a single "Create Short URLs" subfeature privilege is defined, which allows users
 
 ["source","javascript"]
 -----------
-init(server) {
-  const xpackMainPlugin = server.plugins.xpack_main;
-  xpackMainPlugin.registerFeature({
+public setup(core, { features }) {
+  features.registerKibanaFeature({
     {
       id: 'discover',
       name: i18n.translate('xpack.features.discoverFeatureName', {

docs/management/index-lifecycle-policies/manage-policy.asciidoc

@@ -25,4 +25,10 @@ created index. For more information, see {ref}/indices-templates.html[Index temp
 * *Delete a policy.* You can’t delete a policy that is currently in use or 
 recover a deleted index.
 
+[float]
+=== Required permissions
+
+The `manage_ilm` cluster privilege is required to access *Index lifecycle policies*.
+
+You can add these privileges in *Stack Management > Security > Roles*.
 

docs/management/managing-ccr.asciidoc

@@ -20,6 +20,13 @@ image::images/cross-cluster-replication-list-view.png[][Cross-cluster replicatio
 * The Elasticsearch version of the local cluster must be the same as or newer than the remote cluster.
 Refer to {ref}/ccr-overview.html[this document] for more information.
 
+[float]
+=== Required permissions
+
+The `manage` and `manage_ccr` cluster privileges are required to access *Cross-Cluster Replication*.
+
+You can add these privileges in *Stack Management > Security > Roles*.
+
 [float]
 [[configure-replication]]
 === Configure replication

docs/management/managing-licenses.asciidoc

@@ -29,6 +29,13 @@ See {ref}/encrypting-communications.html[Encrypting communications].
 {kib} and the {ref}/start-basic.html[start basic API] provide a list of all of
 the features that will no longer be supported if you revert to a basic license.
 
+[float]
+=== Required permissions
+
+The `manage` cluster privilege is required to access *License Management*.
+
+You can add this privilege in *Stack Management > Security > Roles*.
+
 [discrete]
 [[update-license]]
 === Update your license

docs/management/managing-remote-clusters.asciidoc

@@ -11,6 +11,13 @@ To get started, open the menu, then go to *Stack Management > Data > Remote Clus
 [role="screenshot"]
 image::images/remote-clusters-list-view.png[Remote Clusters list view, including Add a remote cluster button]
 
+[float]
+=== Required permissions
+
+The `manage` cluster privilege is required to access *Remote Clusters*.
+
+You can add this privilege in *Stack Management > Security > Roles*.
+
 [float]
 [[managing-remote-clusters]]
 === Add a remote cluster

docs/management/rollups/create_and_manage_rollups.asciidoc

@@ -20,6 +20,13 @@ image::images/management_rollup_list.png[][List of currently active rollup jobs]
 Before using this feature, you should be familiar with how rollups work.
 {ref}/xpack-rollup.html[Rolling up historical data] is a good source for more detailed information.
 
+[float]
+=== Required permissions
+
+The `manage_rollup` cluster privilege is required to access *Rollup jobs*.
+
+You can add this privilege in *Stack Management > Security > Roles*.
+
 [float]
 [[create-and-manage-rollup-job]]
 === Create a rollup job

docs/management/upgrade-assistant/index.asciidoc

@@ -13,6 +13,14 @@ Before you upgrade, make sure that you are using the latest released minor
 version of {es} to see the most up-to-date deprecation issues.
 For example, if you want to upgrade to to 7.0, make sure that you are using 6.8.
 
+[float]
+=== Required permissions
+
+The `manage` cluster privilege is required to access the *Upgrade assistant*.
+Additional privileges may be needed to perform certain actions.
+
+You can add this privilege in *Stack Management > Security > Roles*.
+
 [float]
 === Reindexing
 

docs/migration/migrate_8_0.asciidoc

@@ -115,7 +115,7 @@ URL that it derived from the actual server address and `xpack.security.public` s
 
 *Impact:* Any workflow that involved manually clearing generated bundles will have to be updated with the new path.
 
-[float]]
+[float]
 === kibana.keystore has moved from the `data` folder to the `config` folder
 *Details:* By default, kibana.keystore has moved from the configured `path.data` folder to `<root>/config` for archive distributions
 and `/etc/kibana` for package distributions.  If a pre-existing keystore exists in the data directory that path will continue to be used.
@@ -136,6 +136,18 @@ custom roles with {kibana-ref}/kibana-privileges.html[{kib} privileges].
 instead be assigned the `kibana_admin` role to maintain their current
 access level.
 
+[float]
+=== `kibana_dashboard_only_user` role has been removed.
+
+*Details:* The `kibana_dashboard_only_user` role has been removed.
+If you wish to restrict access to just the Dashboard feature, create
+custom roles with {kibana-ref}/kibana-privileges.html[{kib} privileges].
+
+*Impact:* Any users currently assigned the `kibana_dashboard_only_user` role will need to be assigned a custom role which only grants access to the Dashboard feature.
+
+Granting additional cluster or index privileges may enable certain
+**Stack Monitoring** features.
+
 [float]
 [[breaking_80_reporting_changes]]
 === Reporting changes

examples/alerting_example/server/plugin.ts

@@ -38,7 +38,7 @@ export class AlertingExamplePlugin implements Plugin<void, void, AlertingExample
     alerts.registerType(alwaysFiringAlert);
     alerts.registerType(peopleInSpaceAlert);
 
-    features.registerFeature({
+    features.registerKibanaFeature({
       id: ALERTING_EXAMPLE_APP_ID,
       name: i18n.translate('alertsExample.featureRegistry.alertsExampleFeatureName', {
         defaultMessage: 'Alerts Example',