inclusive language - elasticsearch config

config/kibana.yml

@@ -72,10 +72,10 @@
 
 # List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
 # headers, set this value to [] (an empty list).
-#elasticsearch.requestHeadersWhitelist: [ authorization ]
+#elasticsearch.allowedRequestHeaders: [ authorization ]
 
 # Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
-# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
+# by client-side headers, regardless of the elasticsearch.allowedRequestHeaders configuration.
 #elasticsearch.customHeaders: {}
 
 # Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.

docs/development/core/server/kibana-plugin-core-server.elasticsearchconfig.requestheaderswhitelist.md → docs/development/core/server/kibana-plugin-core-server.elasticsearchconfig.allowedrequestheaders.md

@@ -1,13 +1,13 @@
 <!-- Do not edit this file. It is automatically generated by API Documenter. -->
 
-[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [ElasticsearchConfig](./kibana-plugin-core-server.elasticsearchconfig.md) &gt; [requestHeadersWhitelist](./kibana-plugin-core-server.elasticsearchconfig.requestheaderswhitelist.md)
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [ElasticsearchConfig](./kibana-plugin-core-server.elasticsearchconfig.md) &gt; [allowedRequestHeaders](./kibana-plugin-core-server.elasticsearchconfig.allowedrequestheaders.md)
 
-## ElasticsearchConfig.requestHeadersWhitelist property
+## ElasticsearchConfig.allowedRequestHeaders property
 
 List of Kibana client-side headers to send to Elasticsearch when request scoped cluster client is used. If this is an empty array then \*no\* client-side will be sent.
 
 <b>Signature:</b>
 
 ```typescript
-readonly requestHeadersWhitelist: string[];
+readonly allowedRequestHeaders: string[];
 ```

docs/development/core/server/kibana-plugin-core-server.elasticsearchconfig.customheaders.md

@@ -4,7 +4,7 @@
 
 ## ElasticsearchConfig.customHeaders property
 
-Header names and values to send to Elasticsearch with every request. These headers cannot be overwritten by client-side headers and aren't affected by `requestHeadersWhitelist` configuration.
+Header names and values to send to Elasticsearch with every request. These headers cannot be overwritten by client-side headers and aren't affected by `allowedRequestHeaders` configuration.
 
 <b>Signature:</b>
 

docs/development/core/server/kibana-plugin-core-server.elasticsearchconfig.md

@@ -22,15 +22,15 @@ export declare class ElasticsearchConfig
 
 |  Property | Modifiers | Type | Description |
 |  --- | --- | --- | --- |
+|  [allowedRequestHeaders](./kibana-plugin-core-server.elasticsearchconfig.allowedrequestheaders.md) |  | <code>string[]</code> | List of Kibana client-side headers to send to Elasticsearch when request scoped cluster client is used. If this is an empty array then \*no\* client-side will be sent. |
 |  [apiVersion](./kibana-plugin-core-server.elasticsearchconfig.apiversion.md) |  | <code>string</code> | Version of the Elasticsearch (6.7, 7.1 or <code>master</code>) client will be connecting to. |
-|  [customHeaders](./kibana-plugin-core-server.elasticsearchconfig.customheaders.md) |  | <code>ElasticsearchConfigType['customHeaders']</code> | Header names and values to send to Elasticsearch with every request. These headers cannot be overwritten by client-side headers and aren't affected by <code>requestHeadersWhitelist</code> configuration. |
+|  [customHeaders](./kibana-plugin-core-server.elasticsearchconfig.customheaders.md) |  | <code>ElasticsearchConfigType['customHeaders']</code> | Header names and values to send to Elasticsearch with every request. These headers cannot be overwritten by client-side headers and aren't affected by <code>allowedRequestHeaders</code> configuration. |
 |  [healthCheckDelay](./kibana-plugin-core-server.elasticsearchconfig.healthcheckdelay.md) |  | <code>Duration</code> | The interval between health check requests Kibana sends to the Elasticsearch. |
 |  [hosts](./kibana-plugin-core-server.elasticsearchconfig.hosts.md) |  | <code>string[]</code> | Hosts that the client will connect to. If sniffing is enabled, this list will be used as seeds to discover the rest of your cluster. |
 |  [ignoreVersionMismatch](./kibana-plugin-core-server.elasticsearchconfig.ignoreversionmismatch.md) |  | <code>boolean</code> | Whether to allow kibana to connect to a non-compatible elasticsearch node. |
 |  [logQueries](./kibana-plugin-core-server.elasticsearchconfig.logqueries.md) |  | <code>boolean</code> | Specifies whether all queries to the client should be logged (status code, method, query etc.). |
 |  [password](./kibana-plugin-core-server.elasticsearchconfig.password.md) |  | <code>string</code> | If Elasticsearch is protected with basic authentication, this setting provides the password that the Kibana server uses to perform its administrative functions. |
 |  [pingTimeout](./kibana-plugin-core-server.elasticsearchconfig.pingtimeout.md) |  | <code>Duration</code> | Timeout after which PING HTTP request will be aborted and retried. |
-|  [requestHeadersWhitelist](./kibana-plugin-core-server.elasticsearchconfig.requestheaderswhitelist.md) |  | <code>string[]</code> | List of Kibana client-side headers to send to Elasticsearch when request scoped cluster client is used. If this is an empty array then \*no\* client-side will be sent. |
 |  [requestTimeout](./kibana-plugin-core-server.elasticsearchconfig.requesttimeout.md) |  | <code>Duration</code> | Timeout after which HTTP request will be aborted and retried. |
 |  [shardTimeout](./kibana-plugin-core-server.elasticsearchconfig.shardtimeout.md) |  | <code>Duration</code> | Timeout for Elasticsearch to wait for responses from shards. Set to 0 to disable. |
 |  [sniffInterval](./kibana-plugin-core-server.elasticsearchconfig.sniffinterval.md) |  | <code>false &#124; Duration</code> | Interval to perform a sniff operation and make sure the list of nodes is complete. If <code>false</code> then sniffing is disabled. |

docs/development/core/server/kibana-plugin-core-server.legacyelasticsearchclientconfig.md

@@ -8,7 +8,7 @@
 <b>Signature:</b>
 
 ```typescript
-export declare type LegacyElasticsearchClientConfig = Pick<ConfigOptions, 'keepAlive' | 'log' | 'plugins'> & Pick<ElasticsearchConfig, 'apiVersion' | 'customHeaders' | 'logQueries' | 'requestHeadersWhitelist' | 'sniffOnStart' | 'sniffOnConnectionFault' | 'hosts' | 'username' | 'password'> & {
+export declare type LegacyElasticsearchClientConfig = Pick<ConfigOptions, 'keepAlive' | 'log' | 'plugins'> & Pick<ElasticsearchConfig, 'apiVersion' | 'customHeaders' | 'logQueries' | 'allowedRequestHeaders' | 'sniffOnStart' | 'sniffOnConnectionFault' | 'hosts' | 'username' | 'password'> & {
     pingTimeout?: ElasticsearchConfig['pingTimeout'] | ConfigOptions['pingTimeout'];
     requestTimeout?: ElasticsearchConfig['requestTimeout'] | ConfigOptions['requestTimeout'];
     sniffInterval?: ElasticsearchConfig['sniffInterval'] | ConfigOptions['sniffInterval'];

docs/setup/settings.asciidoc

@@ -49,7 +49,7 @@ configuration is effectively ignored when `csp.strict` is enabled.
 | `elasticsearch.customHeaders:`
  | Header names and values to send to {es}. Any custom headers cannot be
 overwritten by client-side headers, regardless of the
-`elasticsearch.requestHeadersWhitelist` configuration. *Default: `{}`*
+`elasticsearch.allowedRequestHeaders` configuration. *Default: `{}`*
 
 | `elasticsearch.hosts:`
  | The URLs of the {es} instances to use for all your queries. All nodes
@@ -73,7 +73,7 @@ currently do not have an inspector, for example Timelion and Monitoring.
 `server.host` setting. When the value is `false`, {kib} uses
 the hostname of the host that connects to this {kib} instance. *Default: `true`*
 
-| `elasticsearch.requestHeadersWhitelist:`
+| `elasticsearch.allowedRequestHeaders:`
  | List of {kib} client-side headers to send to {es}. To send *no* client-side
 headers, set this value to [] (an empty list). Removing the `authorization`
 header from being whitelisted means that you cannot use

src/core/server/config/__fixtures__/en_var_ref_config.yml

@@ -2,4 +2,4 @@ foo: 1
 bar: "pre-${KBN_ENV_VAR1}-mid-${KBN_ENV_VAR2}-post"
 
 elasticsearch:
-  requestHeadersWhitelist: ["${KBN_ENV_VAR1}", "${KBN_ENV_VAR2}"]
+  allowedRequestHeaders: ["${KBN_ENV_VAR1}", "${KBN_ENV_VAR2}"]

src/core/server/elasticsearch/client/client_config.test.ts

@@ -29,7 +29,7 @@ const createConfig = (
     sniffOnStart: false,
     sniffOnConnectionFault: false,
     sniffInterval: false,
-    requestHeadersWhitelist: ['authorization'],
+    allowedRequestHeaders: ['authorization'],
     hosts: ['http://localhost:80'],
     ...parts,
   };

src/core/server/elasticsearch/client/client_config.ts

@@ -35,7 +35,7 @@ export type ElasticsearchClientConfig = Pick<
   | 'logQueries'
   | 'sniffOnStart'
   | 'sniffOnConnectionFault'
-  | 'requestHeadersWhitelist'
+  | 'allowedRequestHeaders'
   | 'sniffInterval'
   | 'hosts'
   | 'username'

src/core/server/elasticsearch/client/cluster_client.test.ts

@@ -33,7 +33,7 @@ const createConfig = (
     sniffOnStart: false,
     sniffOnConnectionFault: false,
     sniffInterval: false,
-    requestHeadersWhitelist: ['authorization'],
+    allowedRequestHeaders: ['authorization'],
     customHeaders: {},
     hosts: ['http://localhost'],
     ...parts,
@@ -111,7 +111,7 @@ describe('ClusterClient', () => {
 
     it('creates a scoped client with filtered request headers', () => {
       const config = createConfig({
-        requestHeadersWhitelist: ['foo'],
+        allowedRequestHeaders: ['foo'],
       });
       getAuthHeaders.mockReturnValue({});
 
@@ -133,7 +133,7 @@ describe('ClusterClient', () => {
 
     it('creates a scoped facade with filtered auth headers', () => {
       const config = createConfig({
-        requestHeadersWhitelist: ['authorization'],
+        allowedRequestHeaders: ['authorization'],
       });
       getAuthHeaders.mockReturnValue({
         authorization: 'auth',
@@ -153,7 +153,7 @@ describe('ClusterClient', () => {
 
     it('respects auth headers precedence', () => {
       const config = createConfig({
-        requestHeadersWhitelist: ['authorization'],
+        allowedRequestHeaders: ['authorization'],
       });
       getAuthHeaders.mockReturnValue({
         authorization: 'auth',
@@ -181,7 +181,7 @@ describe('ClusterClient', () => {
           foo: 'bar',
           hello: 'dolly',
         },
-        requestHeadersWhitelist: ['authorization'],
+        allowedRequestHeaders: ['authorization'],
       });
       getAuthHeaders.mockReturnValue({});
 
@@ -205,7 +205,7 @@ describe('ClusterClient', () => {
           foo: 'config',
           hello: 'dolly',
         },
-        requestHeadersWhitelist: ['foo'],
+        allowedRequestHeaders: ['foo'],
       });
       getAuthHeaders.mockReturnValue({
         foo: 'auth',
@@ -231,7 +231,7 @@ describe('ClusterClient', () => {
           foo: 'config',
           hello: 'dolly',
         },
-        requestHeadersWhitelist: ['foo'],
+        allowedRequestHeaders: ['foo'],
       });
       getAuthHeaders.mockReturnValue({});
 
@@ -253,7 +253,7 @@ describe('ClusterClient', () => {
 
     it('filter headers when called with a `FakeRequest`', () => {
       const config = createConfig({
-        requestHeadersWhitelist: ['authorization'],
+        allowedRequestHeaders: ['authorization'],
       });
       getAuthHeaders.mockReturnValue({});
 
@@ -275,7 +275,7 @@ describe('ClusterClient', () => {
 
     it('does not add auth headers when called with a `FakeRequest`', () => {
       const config = createConfig({
-        requestHeadersWhitelist: ['authorization', 'foo'],
+        allowedRequestHeaders: ['authorization', 'foo'],
       });
       getAuthHeaders.mockReturnValue({
         authorization: 'auth',

src/core/server/elasticsearch/client/cluster_client.ts

@@ -99,10 +99,10 @@ export class ClusterClient implements ICustomClusterClient {
       const requestHeaders = ensureRawRequest(request).headers;
       scopedHeaders = filterHeaders(
         { ...requestHeaders, ...authHeaders },
-        this.config.requestHeadersWhitelist
+        this.config.allowedRequestHeaders
       );
     } else {
-      scopedHeaders = filterHeaders(request?.headers ?? {}, this.config.requestHeadersWhitelist);
+      scopedHeaders = filterHeaders(request?.headers ?? {}, this.config.allowedRequestHeaders);
     }
 
     return {

src/core/server/elasticsearch/elasticsearch_config.test.ts

@@ -51,6 +51,9 @@ test('set correct defaults', () => {
   const configValue = new ElasticsearchConfig(config.schema.validate({}));
   expect(configValue).toMatchInlineSnapshot(`
     ElasticsearchConfig {
+      "allowedRequestHeaders": Array [
+        "authorization",
+      ],
       "apiVersion": "master",
       "customHeaders": Object {},
       "healthCheckDelay": "PT2.5S",
@@ -61,9 +64,6 @@ test('set correct defaults', () => {
       "logQueries": false,
       "password": undefined,
       "pingTimeout": "PT30S",
-      "requestHeadersWhitelist": Array [
-        "authorization",
-      ],
       "requestTimeout": "PT30S",
       "shardTimeout": "PT30S",
       "sniffInterval": false,
@@ -101,23 +101,23 @@ test('#hosts accepts both string and array of strings', () => {
   expect(configValue.hosts).toEqual(['http://some.host:1234', 'https://some.another.host']);
 });
 
-test('#requestHeadersWhitelist accepts both string and array of strings', () => {
+test('#allowedRequestHeaders accepts both string and array of strings', () => {
   let configValue = new ElasticsearchConfig(
-    config.schema.validate({ requestHeadersWhitelist: 'token' })
+    config.schema.validate({ allowedRequestHeaders: 'token' })
   );
-  expect(configValue.requestHeadersWhitelist).toEqual(['token']);
+  expect(configValue.allowedRequestHeaders).toEqual(['token']);
 
   configValue = new ElasticsearchConfig(
-    config.schema.validate({ requestHeadersWhitelist: ['token'] })
+    config.schema.validate({ allowedRequestHeaders: ['token'] })
   );
-  expect(configValue.requestHeadersWhitelist).toEqual(['token']);
+  expect(configValue.allowedRequestHeaders).toEqual(['token']);
 
   configValue = new ElasticsearchConfig(
     config.schema.validate({
-      requestHeadersWhitelist: ['token', 'X-Forwarded-Proto'],
+      allowedRequestHeaders: ['token', 'X-Forwarded-Proto'],
     })
   );
-  expect(configValue.requestHeadersWhitelist).toEqual(['token', 'X-Forwarded-Proto']);
+  expect(configValue.allowedRequestHeaders).toEqual(['token', 'X-Forwarded-Proto']);
 });
 
 describe('reads files', () => {
@@ -311,11 +311,25 @@ describe('throws when config is invalid', () => {
 });
 
 describe('deprecations', () => {
+  it('logs a warning and rename `requestHeadersWhitelist` to `allowedRequestHeaders`', () => {
+    const { messages, migrated } = applyElasticsearchDeprecations({
+      requestHeadersWhitelist: ['foo', 'bar'],
+    });
+    expect(messages).toMatchInlineSnapshot(`
+      Array [
+        "\\"elasticsearch.requestHeadersWhitelist\\" is deprecated and has been replaced by \\"elasticsearch.allowedRequestHeaders\\"",
+      ]
+    `);
+    expect(migrated.elasticsearch).toEqual({
+      allowedRequestHeaders: ['foo', 'bar'],
+    });
+  });
+
   it('logs a warning if elasticsearch.username is set to "elastic"', () => {
     const { messages } = applyElasticsearchDeprecations({ username: 'elastic' });
     expect(messages).toMatchInlineSnapshot(`
       Array [
-        "Setting [${CONFIG_PATH}.username] to \\"elastic\\" is deprecated. You should use the \\"kibana_system\\" user instead.",
+        "Setting [elasticsearch.username] to \\"elastic\\" is deprecated. You should use the \\"kibana_system\\" user instead.",
       ]
     `);
   });
@@ -324,7 +338,7 @@ describe('deprecations', () => {
     const { messages } = applyElasticsearchDeprecations({ username: 'kibana' });
     expect(messages).toMatchInlineSnapshot(`
       Array [
-        "Setting [${CONFIG_PATH}.username] to \\"kibana\\" is deprecated. You should use the \\"kibana_system\\" user instead.",
+        "Setting [elasticsearch.username] to \\"kibana\\" is deprecated. You should use the \\"kibana_system\\" user instead.",
       ]
     `);
   });
@@ -343,7 +357,7 @@ describe('deprecations', () => {
     const { messages } = applyElasticsearchDeprecations({ ssl: { key: '' } });
     expect(messages).toMatchInlineSnapshot(`
       Array [
-        "Setting [${CONFIG_PATH}.ssl.key] without [${CONFIG_PATH}.ssl.certificate] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.",
+        "Setting [elasticsearch.ssl.key] without [elasticsearch.ssl.certificate] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.",
       ]
     `);
   });
@@ -352,7 +366,7 @@ describe('deprecations', () => {
     const { messages } = applyElasticsearchDeprecations({ ssl: { certificate: '' } });
     expect(messages).toMatchInlineSnapshot(`
       Array [
-        "Setting [${CONFIG_PATH}.ssl.certificate] without [${CONFIG_PATH}.ssl.key] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.",
+        "Setting [elasticsearch.ssl.certificate] without [elasticsearch.ssl.key] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.",
       ]
     `);
   });

src/core/server/elasticsearch/elasticsearch_config.ts

@@ -64,7 +64,7 @@ export const configSchema = schema.object({
     )
   ),
   password: schema.maybe(schema.string()),
-  requestHeadersWhitelist: schema.oneOf([schema.string(), schema.arrayOf(schema.string())], {
+  allowedRequestHeaders: schema.oneOf([schema.string(), schema.arrayOf(schema.string())], {
     defaultValue: ['authorization'],
   }),
   customHeaders: schema.recordOf(schema.string(), schema.string(), { defaultValue: {} }),
@@ -123,7 +123,8 @@ export const configSchema = schema.object({
   ),
 });
 
-const deprecations: ConfigDeprecationProvider = () => [
+const deprecations: ConfigDeprecationProvider = ({ rename }) => [
+  rename('requestHeadersWhitelist', 'allowedRequestHeaders'),
   (settings, fromPath, log) => {
     const es = settings[fromPath];
     if (!es) {
@@ -194,7 +195,7 @@ export class ElasticsearchConfig {
    * scoped cluster client is used. If this is an empty array then *no* client-side
    * will be sent.
    */
-  public readonly requestHeadersWhitelist: string[];
+  public readonly allowedRequestHeaders: string[];
 
   /**
    * Timeout after which PING HTTP request will be aborted and retried.
@@ -254,7 +255,7 @@ export class ElasticsearchConfig {
   /**
    * Header names and values to send to Elasticsearch with every request. These
    * headers cannot be overwritten by client-side headers and aren't affected by
-   * `requestHeadersWhitelist` configuration.
+   * `allowedRequestHeaders` configuration.
    */
   public readonly customHeaders: ElasticsearchConfigType['customHeaders'];
 
@@ -263,9 +264,9 @@ export class ElasticsearchConfig {
     this.apiVersion = rawConfig.apiVersion;
     this.logQueries = rawConfig.logQueries;
     this.hosts = Array.isArray(rawConfig.hosts) ? rawConfig.hosts : [rawConfig.hosts];
-    this.requestHeadersWhitelist = Array.isArray(rawConfig.requestHeadersWhitelist)
-      ? rawConfig.requestHeadersWhitelist
-      : [rawConfig.requestHeadersWhitelist];
+    this.allowedRequestHeaders = Array.isArray(rawConfig.allowedRequestHeaders)
+      ? rawConfig.allowedRequestHeaders
+      : [rawConfig.allowedRequestHeaders];
     this.pingTimeout = rawConfig.pingTimeout;
     this.requestTimeout = rawConfig.requestTimeout;
     this.shardTimeout = rawConfig.shardTimeout;