We started warning users in the 7.10 release when they were running Kibana/ES without security enabled (via #78545). This was especially important because stack security features were opt-in, rather than opt-out.
Another benefit of this warning was to educate users of our OSS distribution that the Default distribution came with free security features. We no longer ship an OSS distribution, so this is no longer needed.
Starting in 8.0, security features are enabled by default, and we require that administrators explicitly opt out of security by setting xpack.security.enabled: false in Elasticsearch.
Now that security is opt-out instead of opt-in, I think the usefulness of the Insecure Cluster Warning is greatly diminished. I could see some value in keeping it in (e.g., in the case of accidental misconfiguration), but I'm not sure it's worth maintaining that code for this scenario.
@legrego if we look at it from a different angle, which is the main reason to remove?
I'd personally prefer to keep, since insecure clusters may still happen one way or another — and we really need to prevent them — unless it has clear drawbacks.
Do you expect that you need to put relevant engineering work in the future to keep it working? Are there other concerns?
@bytebilly I don't have a strong motivation to remove this - it isn't causing us any pain at the moment. I was grooming the backlog and came across #114049, which got me thinking about the feature in general.
cc @arisonl @bytebilly