Merge branch 'master' into precommit-sequential

NOTICE.txt

@@ -261,33 +261,6 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 
----
-This product bundles childnode-remove which is available under a
-"MIT" license.
-
-The MIT License (MIT)
-
-Copyright (c) 2016-present, jszhou
-https://github.com/jserz/js_piece
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
-
 ---
 This product bundles code based on probot-metadata@1.0.0 which is
 available under a "MIT" license.

docs/developer/advanced/upgrading-nodejs.asciidoc

@@ -14,10 +14,14 @@ Theses files must be updated when upgrading Node.js:
   - {kib-repo}blob/{branch}/.node-version[`.node-version`]
   - {kib-repo}blob/{branch}/.nvmrc[`.nvmrc`]
   - {kib-repo}blob/{branch}/package.json[`package.json`] - The version is specified in the `engines.node` field.
+  - {kib-repo}blob/{branch}/WORKSPACE.bazel[`WORKSPACE.bazel`] - The version is specified in the `node_version` property.
+    Besides this property, the list of files under `node_repositories` must be updated along with their respective SHA256 hashes.
+    These can be found on the https://nodejs.org[nodejs.org] website.
+    Example for Node.js v14.16.1: https://nodejs.org/dist/v14.16.1/SHASUMS256.txt.asc
 
-See PR {kib-repo}pull/86593[#86593] for an example of how the Node.js version has been upgraded previously.
+See PR {kib-repo}pull/96382[#96382] for an example of how the Node.js version has been upgraded previously.
 
-In the 6.8 branch, the `.ci/Dockerfile` file does not exist, so when upgrading Node.js in that branch, just skip that file.
+In the 6.8 branch, neither the `.ci/Dockerfile` file nor the `WORKSPACE.bazel` file exists, so when upgrading Node.js in that branch, just skip those files.
 
 === Backporting
 

docs/development/plugins/data/public/kibana-plugin-plugins-data-public.kbn_field_types.md

@@ -27,6 +27,7 @@ export declare enum KBN_FIELD_TYPES
 |  HISTOGRAM | <code>&quot;histogram&quot;</code> |  |
 |  IP | <code>&quot;ip&quot;</code> |  |
 |  IP\_RANGE | <code>&quot;ip_range&quot;</code> |  |
+|  MISSING | <code>&quot;missing&quot;</code> |  |
 |  MURMUR3 | <code>&quot;murmur3&quot;</code> |  |
 |  NESTED | <code>&quot;nested&quot;</code> |  |
 |  NUMBER | <code>&quot;number&quot;</code> |  |

docs/development/plugins/data/server/kibana-plugin-plugins-data-server.kbn_field_types.md

@@ -27,6 +27,7 @@ export declare enum KBN_FIELD_TYPES
 |  HISTOGRAM | <code>&quot;histogram&quot;</code> |  |
 |  IP | <code>&quot;ip&quot;</code> |  |
 |  IP\_RANGE | <code>&quot;ip_range&quot;</code> |  |
+|  MISSING | <code>&quot;missing&quot;</code> |  |
 |  MURMUR3 | <code>&quot;murmur3&quot;</code> |  |
 |  NESTED | <code>&quot;nested&quot;</code> |  |
 |  NUMBER | <code>&quot;number&quot;</code> |  |

docs/development/plugins/embeddable/public/kibana-plugin-plugins-embeddable-public.embeddable.getupdated_.md

@@ -9,9 +9,9 @@ Merges input$ and output$ streams and debounces emit till next macro-task. Could
 <b>Signature:</b>
 
 ```typescript
-getUpdated$(): Readonly<Rx.Observable<void>>;
+getUpdated$(): Readonly<Rx.Observable<TEmbeddableInput | TEmbeddableOutput>>;
 ```
 <b>Returns:</b>
 
-`Readonly<Rx.Observable<void>>`
+`Readonly<Rx.Observable<TEmbeddableInput | TEmbeddableOutput>>`
 

docs/getting-started/quick-start-guide.asciidoc

@@ -12,7 +12,7 @@ When you've finished, you'll know how to:
 [float]
 === Required privileges
 When security is enabled, you must have `read`, `write`, and `manage` privileges on the `kibana_sample_data_*` indices. 
-For more information, refer to {ref}/security-privileges.html[Security privileges].
+Learn how to <<tutorial-secure-access-to-kibana, secure access to {kib}>>, or refer to {ref}/security-privileges.html[Security privileges] for more information.
 
 [float]
 [[set-up-on-cloud]]
@@ -141,3 +141,5 @@ For more information, refer to <<dashboard,Dashboard>>.
 If you are you ready to add your own data, refer to <<connect-to-elasticsearch,Add data to {kib}>>.
 
 If you want to ingest your data, refer to {fleet-guide}/fleet-quick-start.html[Quick start: Get logs and metrics into the Elastic Stack].
+
+If you want to secure access to your data, refer to our guide on <<tutorial-secure-access-to-kibana, securing {kib}>>

docs/redirects.asciidoc

@@ -286,3 +286,9 @@ This content has moved. See {ref}/ingest.html[Ingest pipelines].
 == Timelion
 
 This content has moved. refer to <<timelion>>.
+
+
+[role="exclude",id="space-rbac-tutorial"]
+== Tutorial: Use role-based access control to customize Kibana spaces
+
+This content has moved. refer to <<tutorial-secure-access-to-kibana>>.

docs/setup/settings.asciidoc

@@ -429,6 +429,15 @@ to display map tiles in tilemap visualizations. By default,
 override this parameter to use their own Tile Map Service. For example:
 `"https://tiles.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana"`
 
+| `migrations.batchSize:`
+ | Defines the number of documents migrated at a time. The higher the value, the faster the Saved Objects migration process performs at the cost of higher memory consumption. If the migration fails due to a `circuit_breaking_exception`, set a smaller `batchSize` value. *Default: `1000`*
+
+| `migrations.enableV2:`
+ | experimental[]. Enables the new Saved Objects migration algorithm. For information about the migration algorithm, refer to <<upgrade-migrations>>. When `migrations v2` is stable, the setting will be removed in an upcoming release without any further notice. Setting the value to `false` causes {kib} to use the legacy migration algorithm, which shipped in 7.11 and earlier versions. *Default: `true`*
+
+| `migrations.retryAttempts:`
+ | The number of times migrations retry temporary failures, such as a network timeout, 503 status code, or `snapshot_in_progress_exception`. When upgrade migrations frequently fail after exhausting all retry attempts with a message such as `Unable to complete the [...] step after 15 attempts, terminating.`, increase the setting value. *Default: `15`*
+
 | `newsfeed.enabled:`
  | Controls whether to enable the newsfeed
 system for the {kib} UI notification center. Set to `false` to disable the

docs/user/security/index.asciidoc

@@ -47,4 +47,3 @@ include::authorization/kibana-privileges.asciidoc[]
 include::api-keys/index.asciidoc[]
 include::encryption-keys/index.asciidoc[]
 include::role-mappings/index.asciidoc[]
-include::rbac_tutorial.asciidoc[]

docs/user/security/tutorials/how-to-secure-access-to-kibana.asciidoc

@@ -0,0 +1,136 @@
+[[tutorial-secure-access-to-kibana]]
+== Securing access to {kib}
+
+
+{kib} is home to an ever-growing suite of powerful features, which help you get the most out of your data. Your data is important, and should be protected. {kib} allows you to secure access to your data and control how users are able to interact with your data.
+
+For example, some users might only need to view your stunning dashboards, while others might need to manage your fleet of Elastic agents and run machine learning jobs to detect anomalous behavior in your network.
+
+This guide introduces you to three of {kib}'s security features: spaces, roles, and users. By the end of this tutorial, you will learn how to manage these entities, and how you can leverage them to secure access to both {kib} and your data.
+
+[float]
+=== Spaces
+
+Do you have multiple teams using {kib}? Do you want a “playground” to experiment with new visualizations or alerts? If so, then <<xpack-spaces,{kib} Spaces>> can help.
+
+Think of a space as another instance of {kib}. A space allows you to organize your <<dashboard, dashboards>>, <<alerting-getting-started, alerts>>, <<xpack-ml, machine learning jobs>>, and much more into their own categories. For example, you might have a Marketing space for your marketeers to track the results of their campaigns, and an Engineering space for your developers to {apm-get-started-ref}/overview.html[monitor application performance].
+
+The assets you create in one space are isolated from other spaces, so when you enter a space, you only see the assets that belong to that space.
+
+Refer to the <<xpack-spaces, Spaces documentation>> for more information.
+
+[float]
+=== Roles
+
+Once your spaces are setup, the next step to securing access is to provision your roles. Roles are a collection of privileges that allow you to perform actions in {kib} and Elasticsearch. Roles are assigned to users, and to {ref}/built-in-users.html[system accounts] that power the Elastic Stack.
+
+You can create your own roles, or use any of the {ref}/built-in-roles.html[built-in roles]. Some built-in roles are intended for Elastic Stack components and should not be assigned to end users directly.
+
+One of the more useful built-in roles is `kibana_admin`. Assigning this role to your users will grant access to all of {kib}'s features. This includes the ability to manage Spaces.
+
+The built-in roles are great for getting started with the Elastic Stack, and for system administrators who do not need more restrictive access. With so many features, it’s not possible to ship more granular roles to accommodate everyone’s needs. This is where custom roles come in.
+
+As an administrator, you have the ability to create your own roles to describe exactly the kind of access your users should have. For example, you might create a `marketing_user` role, which you then assign to all users in your marketing department. This role would grant access to all of the necessary data and features for this team to be successful, without granting them access they don’t require.
+
+
+[float]
+=== Users
+
+Once your roles are setup, the next step to securing access is to create your users, and assign them one or more roles. {kib}'s user management allows you to provision accounts for each of your users.
+
+TIP: Want Single Sign-on? {kib} supports a wide range of SSO implementations, including SAML, OIDC, LDAP/AD, and Kerberos. <<kibana-authentication, Learn more about {kib}'s SSO features>>.
+
+
+[float]
+[[tutorial-secure-kibana-dashboards-only]]
+=== Example: Create a user with access only to dashboards
+
+Let’s work through an example together. Consider a marketing analyst who wants to monitor the effectiveness of their campaigns. They should be able to see their team’s dashboards, but not be allowed to view or manage anything else in {kib}. All of the team’s dashboards are located in the Marketing space.
+
+[float]
+==== Create a space
+
+Create a Marketing space for your marketing analysts to use.
+
+. Open the main menu, and select **Stack Management**.
+. Under **{kib}**, select **Spaces**.
+. Click **Create a space**.
+. Give this space a unique name. For example: `Marketing`.
+. Click **Create space**.
++
+If you’ve followed the example above, you should end up with a space that looks like this:
++
+[role="screenshot"]
+image::user/security/images/tutorial-secure-access-example-1-space.png[Create space UI]
+
+
+[float]
+==== Create a role
+
+To effectively use dashboards, create a role that describes the privileges you want to grant.
+In this example, a marketing analyst will need:
+
+* Access to **read** the data that powers the dashboards
+* Access to **read** the dashboards within the `Marketing` space
+
+To create the role:
+
+. Open the main menu, and select **Stack Management**.
+. Under **Security**, select **Roles**.
+. Click **Create role**.
+. Give this role a unique name. For example: `marketing_dashboards_role`.
+. For this example, you want to store all marketing data in the `acme-marketing-*` set of indices. To grant this access, locate the **Index privileges** section and enter:
+.. `acme-marketing-*` in the **Indices** field.
+.. `read` and `view_index_metadata` in the **Privileges** field.
++
+TIP: You can add multiple patterns of indices, and grant different access levels to each. Click **Add index privilege** to grant additional access.
+. To grant access to dashboards in the `Marketing` space, locate the {kib} section, and click **Add {kib} privilege**:
+.. From the **Spaces** dropdown, select the `Marketing` space.
+.. Expand the **Analytics** section, and select the **Read** privilege for **Dashboard**.
+.. Click **Add Kibana privilege**.
+. Click **Create role**.
++
+If you’ve followed the example above, you should end up with a role that looks like this:
++
+[role="screenshot"]
+image::user/security/images/tutorial-secure-access-example-1-role.png[Create role UI]
+
+
+[float]
+==== Create a user
+
+Now that you created a role, create a user account.
+
+. Navigate to *Stack Management*, and under *Security*, select *Users*.
+. Click *Create user*.
+. Give this user a descriptive username, and choose a secure password.
+. Assign the *marketing_dashboards_role* that you previously created to this new user.
+. Click *Create user*.
+
+[role="screenshot"]
+image::user/security/images/tutorial-secure-access-example-1-user.png[Create user UI]
+
+[float]
+==== Verify
+
+Verify that the user and role are working correctly.
+
+. Logout of {kib} if you are already logged in.
+. In the login screen, enter the username and password for the account you created.
++
+You’re taken into the `Marketing` space, and the main navigation shows only the *Dashboard* application.
++
+[role="screenshot"]
+image::user/security/images/tutorial-secure-access-example-1-test.png[Verifying access to dashboards]
+
+
+[float]
+=== What's next?
+
+This guide is an introduction to {kib}'s security features. Check out these additional resources to learn more about authenticating and authorizing your users.
+
+* View the <<kibana-authentication, authentication guide>> to learn more about single-sign on and other login features.
+
+* View the <<xpack-kibana-role-management, authorization guide>> to learn more about authorizing access to {kib}'s features.
+
+Still have questions? Ask  on our https://discuss.elastic.co/c/kibana[Kibana discuss forum] and a fellow community member or Elastic engineer will help out.

docs/user/setup.asciidoc

@@ -54,6 +54,8 @@ include::{kib-repo-dir}/setup/start-stop.asciidoc[]
 
 include::{kib-repo-dir}/setup/access.asciidoc[]
 
+include::security/tutorials/how-to-secure-access-to-kibana.asciidoc[]
+
 include::{kib-repo-dir}/setup/connect-to-elasticsearch.asciidoc[]
 
 include::{kib-repo-dir}/setup/upgrade.asciidoc[]

package.json

@@ -131,10 +131,12 @@
     "@kbn/crypto": "link:packages/kbn-crypto",
     "@kbn/i18n": "link:packages/kbn-i18n",
     "@kbn/interpreter": "link:packages/kbn-interpreter",
+    "@kbn/io-ts-utils": "link:packages/kbn-io-ts-utils",
     "@kbn/legacy-logging": "link:packages/kbn-legacy-logging",
     "@kbn/logging": "link:packages/kbn-logging",
     "@kbn/monaco": "link:packages/kbn-monaco",
     "@kbn/server-http-tools": "link:packages/kbn-server-http-tools",
+    "@kbn/server-route-repository": "link:packages/kbn-server-route-repository",
     "@kbn/std": "link:packages/kbn-std",
     "@kbn/tinymath": "link:packages/kbn-tinymath",
     "@kbn/ui-framework": "link:packages/kbn-ui-framework",
@@ -206,7 +208,6 @@
     "content-disposition": "0.5.3",
     "copy-to-clipboard": "^3.0.8",
     "core-js": "^3.6.5",
-    "custom-event-polyfill": "^0.3.0",
     "cytoscape": "^3.10.0",
     "cytoscape-dagre": "^2.2.2",
     "d3": "3.5.17",