Merge branch '6.x' into 6.x-21 [noindex]

* 6.x:
  7x-35 is latest [noindex]
  Rework index page and version matrix
  New EOL
  Replcae .url by .hosts in all files. Plus fix English typos.
  Elasticsearch .url config option was deprecated. Use .hosts instead. Ref: elastic/kibana#21928
  Add note about "elasticsearch.ssl.alwaysPresentCertificate: true"  for Kibana client cert authentication

# Conflicts:
#	_config.yml

_config.yml

@@ -19,11 +19,12 @@ elasticsearch:
 searchguard:
   esmajorversion: 6
   majorversion: 6.x-20
-  fullversion: 6.2.4-20.1
-  nextminorversion: 6.2.4-20.2
-  nextmajorversion: 6.2.4-21.0
+  fullversion: 6.2.2-20.1
+  nextminorversion: 6.2.2-20.2
+  nextmajorversion: 6.2.2-21.0
   islatestversion: false
   allversions:
+    - 7x-35
     - 6x-25
     - 6x-24
     - 6x-23
@@ -34,7 +35,8 @@ searchguard:
     - v2
 
 docroots: 
-  6x-25: latest
+  7x-35: latest
+  6x-25: 6.x-25
   6x-24: 6.x-24
   6x-23: 6.x-23
   6x-22: 6.x-22
@@ -68,6 +70,7 @@ labels:
     troubleshooting: Troubleshooting
     changelogs: Changelogs
     resources: Resources
+    7x-35: Search Guard 7.x-35-rc1
     6x-25: Search Guard 6.x-25
     6x-24: Search Guard 6.x-24
     6x-23: Search Guard 6.x-23
@@ -82,6 +85,7 @@ labels:
     changelogs: Changelogs
     resources: Resources
 
+
 relative_links:
   enabled:     true
   collections: true
@@ -169,57 +173,40 @@ algolia:
       - ignorePlurals
       - singleWordSynonym
 
+eol:
+  features:
+    - 5.6.16
+    - 6.6.2
+    - 6.7.1
+  updates:
+    - 6.4.3
+    - 6.5.4
+
 sgversions:
   enterprise:
-    - 6.7.1|25.0|18.3|yes
-    - 6.7.0|24.3|18.3|yes
-    - 6.6.2|25.0|18.3|yes
-    - 6.6.1|24.3|18.3|yes
-    - 6.6.0|24.3|18.3|yes
-    - 6.5.4|25.0|18.3|yes
-    - 6.5.3|24.3|18.3|yes
-    - 6.5.2|24.3|18.3|yes
-    - 6.5.1|24.3|18.3|yes
-    - 6.4.3|25.0|17|yes
-    - 6.4.2|24.3|17|yes
-    - 6.4.1|24.3|17|yes
-    - 6.4.0|24.3|17|yes
-    - 6.3.2|24.0|17|yes
-    - 6.3.1|24.0|17|yes
-    - 6.3.0|24.0|17|yes
-    - 6.2.4|23.0|14|yes
-    - 6.2.3|23.0|14|yes
-    - 6.2.2|23.0|14|yes
-    - 6.2.1|23.0|14|yes
-    - 6.1.4|22.3|12|yes
-    - 6.1.3|22.3|12|yes
-    - 6.1.2|22.3|12|yes
-    - 6.1.1|22.3|12|yes
-    - 6.1.0|22.3|12|yes
-  sgssl:
-    - 6.7.1|25.6|false|no
-    - 6.7.0|25.6|false|no
-    - 6.6.2|25.6|false|no
-    - 6.6.1|25.6|false|no
-    - 6.6.0|25.6|false|no
-    - 6.5.4|25.6|false|no
-    - 6.5.3|25.6|false|no
-    - 6.5.2|25.6|false|no
-    - 6.5.1|25.6|false|no
-    - 6.4.3|25.6|false|no
-    - 6.4.2|25.6|false|no
-    - 6.4.1|25.6|false|no
-    - 6.4.0|25.6|false|no
-    - 6.3.2|25.4|false|no
-    - 6.3.1|25.4|false|no
-    - 6.3.0|25.4|false|no
-    - 6.2.4|25.4|true|yes
-    - 6.2.3|25.4|true|yes
-    - 6.2.2|25.4|true|yes
-    - 6.2.1|25.4|true|yes
-    - 6.1.4|25.4|true|yes
-    - 6.1.3|25.4|true|yes
-    - 6.1.2|25.4|true|yes
-    - 6.1.1|25.4|true|yes
-    - 6.1.0|25.4|true|yes
-    - 6.0.1|25.4|true|yes
+      #esv |sgv |kbv |feat|upd|eol
+    - 6.7.1|25.0|18.3|yes|yes|no
+    - 6.7.0|24.3|18.3|no|no|yes
+    - 6.6.2|25.0|18.3|yes|yes|no
+    - 6.6.1|24.3|18.3|no|no|yes
+    - 6.6.0|24.3|18.3|no|no|yes
+    - 6.5.4|25.0|18.3|no|yes|no
+    - 6.5.3|24.3|18.3|no|no|yes
+    - 6.5.2|24.3|18.3|no|no|yes
+    - 6.5.1|24.3|18.3|no|no|yes
+    - 6.4.3|25.0|17|no|yes|no
+    - 6.4.2|24.3|17|no|no|yes
+    - 6.4.1|24.3|17|no|no|yes
+    - 6.4.0|24.3|17|no|no|yes
+    - 6.3.2|24.0|17|no|no|yes
+    - 6.3.1|24.0|17|no|no|yes
+    - 6.3.0|24.0|17|no|no|yes
+    - 6.2.4|23.0|14|no|no|yes
+    - 6.2.3|23.0|14|no|no|yes
+    - 6.2.2|23.0|14|no|no|yes
+    - 6.2.1|23.0|14|no|no|yes
+    - 6.1.4|22.3|12|no|no|yes
+    - 6.1.3|22.3|12|no|no|yes
+    - 6.1.2|22.3|12|no|no|yes
+    - 6.1.1|22.3|12|no|no|yes
+    - 6.1.0|22.3|12|no|no|yes

_docs/eol.md

@@ -17,116 +17,77 @@ description: Search Guard End Of Life policy.
 
 The Search Guard End of Life policy defines 
 
-* how long a release is in active development
-* how long a release is supported and maintained
-* how long a release receives critical security updates
+* which Elasticsearch versions receive new Search Guard features and bugfixes
+* which Elasticsearch version receive critical bugfixes for Search Guard (but no new features)
+* which Elasticsearch version is End of Life (EOL) and will not receive any Search Guard updates
 
-The Search Guard end of life policy closely relates to the [Elasticsearch end of life policy](https://www.elastic.co/de/support/eol). 
-
-Search Guard releases that **have not reached end of life** are called **active releases**.  
-
-Search Guard releases that **have reached end of life** are called **inactive releases**.  
+Please also refer to [Elasticsearch end of life policy](https://www.elastic.co/de/support/eol) to check whether your Elasticsearch version
+has reached End of Life in general. 
 
 ## Versioning schema
 
 The Search Guard versioning scheme is: 
 
-* e1.e2.e3-sgv (for 5.x and later)
-* e1.e2.e3.sgv (for 2.x)
+* e1.e2.e3-s1.s2.s3
+* Example: 6.7.1-25.0.0
 
 where 
 
 * e1: Elasticsearch Major Version
 * e2: Elasticsearch Minor Version
-* e2: Elasticsearch Fix Version
-* sgv: Search Guard Version
-
-## Active releases
-
-For active releases, we will provide Search Guard updates and maintenance for 
-
-* All releases of the current minor version of the current major version
-  * 6.6.0, 6.6.1, 6.6.2 at the time of writing
-* Current release of the previous minor version of the current major version
-  * 6.5.4 at the time of writing
-* Last release of the previous major version (not all features will be backported)
-  * 5.6.15 at the time of writing
-
-## Inactive releases
-
-If a Search Guard version reaches EOL, the corresponding Elasticsearch version has reached EOL already, and customers are strongly advised to upgrade. We will not release updates for these versions, and ask customers to upgrade Search Guard alongside Elasticsearch. 
-
-## Critical Security Fixes
-
-Critical security fixes will be backported to all active releases, including all major, minor and bugfix releases.
-
-## EOL dates
-
-| Search Guard Version | End of life date |
-|---|---|
-6.6.x-y	| 2020-07-29 |
-6.5.x-y	| 2020-05-14 |
-6.4.x-y	| 2020-02-23 |
-6.3.x-y	| 2019-12-13 |
-6.2.x-y	| 2019-08-06 |
-6.1.x-y	| 2019-06-13 |
-6.0.x-y	| 2019-05-14 |
-5.6.x-y	| 2019-03-11 |
-5.5.x-y	| 2019-01-06 |
-5.4.x-y	| 2018-11-04 |
-5.3.x-y	| 2018-09-28 |
-5.2.x-y	| 2018-07-31 |
-5.1.x-y	| 2018-06-08 |
-5.0.x-y	| 2018-04-26 |
-2.4.x.y	| 2018-02-28 |
-2.3.x.y	| 2017-09-30 |
-2.2.x.y	| 2017-08-02 |
-
-## Maintenance and support overview as of 20.12.2018
-
-### Search Guard 6
+* e3: Elasticsearch Fix Version
+* s1: Search Guard Major Version (Incremented when new features are added)
+* s2: Search Guard Minor Version (Incremented when bugfixes are applied)
+* s3: Search Guard Fix Version (Incremented when trivial changes, like fixing typos, are applied
 
-| Search Guard Version | Active release | Search Guard Updates | Critical Security Updates |
-|---|---|---|---|
-6.6.x-y | yes | yes | yes |
-6.5.x-y | yes | yes | yes |
-6.4.x-y | yes | yes | yes |
-6.3.x-y | no | no | yes |
-6.2.x-y | no | no | yes |
-6.1.x-y | no | no | yes |
+## Which Elasticsearch versions receive new Search Guard features and bugfixes
 
-### Search Guard 5
+* Current release of the current minor version of the current Elasticsearch major version
+* Current release of the previous minor version of the current Elasticsearch major version
+* Current release of the previous Elasticsearch major version (but not all features will be backported)
 
-| Search Guard Version | Active release | Search Guard Updates | Critical Security Updates |
-|---|---|---|---|
-5.6.15-y | yes | yes (partly) | yes |
-5.6.x-y | no | no | no |
-5.5.x-y	| no | no | no |
-5.4.x-y	| no | no | no |
-5.3.x-y	| no | no | no |
-5.2.x-y	| no | no | no |
-5.1.x-y	| no | no | no |
-5.0.x-y	| no | no | no |
 
-### Search Guard 2
+At the time of writing this is: {% for version in site.eol.features %}
+* {{ version }}{% endfor %}
+{: .note .js-note}
 
-| Search Guard Version | Active release | Search Guard Updates | Critical Security Updates |
-|---|---|---|---|
-2.4.x.y	| no | no | no |
-2.3.x.y	| no | no | no |
-2.2.x.y	| no | no | no |
+## Which Elasticsearch versions receive critical bugfixes only (but no new features)
 
+* Current releases of the third and fourth from last Elasticsearch minor version of the current Elasticsearch major version
 
 
+At the time of writing this is: {% for version in site.eol.updates %}
+* {{ version }}{% endfor %}
+{: .note .js-note}
 
+## Which Elasticsearch versions receive no updates at all any longer
 
+* All other Elasticsearch versions not mentioned above
+* All Elasticsearch versions which are EOL according to [Elasticsearch end of life policy](https://www.elastic.co/de/support/eol)
 
+## Recommended upgrade Strategy
 
+* Upgrade Elasticsearch always to the latest fix version or your Elasticsearch minor version
+* Make sure your Elasticsearch minor version is not older than six month 
+* When the first beta version of a new Elasticsearch major version is released prepare to upgrade to the latest release of the current major version of Elasticsearch.
 
+## EOL Examples
 
+### Assume 7.0.0 is the current Elasticsearch Version 
 
+* Which Elasticsearch versions receive new Search Guard features and bugfixes: 6.7.1, 7.0.0
+* Which Elasticsearch versions receive critical bugfixes (but no new features): n/a
+* Which Elasticsearch versions receive no updates at all any longer: all other (1.x.x-6.7.0)
 
 
+### Assume 6.7.1 is the current Elasticsearch Version
 
+* Which Elasticsearch versions receive new Search Guard features and bugfixes: 5.6.16, 6.6.2, 6.7.1
+* Which Elasticsearch versions receive critical bugfixes (but no new features): 6.4.3, 6.5.4
+* Which Elasticsearch versions receive no updates at all any longer: all other (1.x.x-5.6.15, 6.0.x-6.4.2, 6.5.0-6.5.3, 6.6.0-6.6.1, 6.7.0)
 
+### Assume 6.5.4 is the current Elasticsearch Version
 
+* Which Elasticsearch versions receive new Search Guard features and bugfixes: 5.6.16, 6.4.3, 6.5.4
+* Which Elasticsearch versions receive critical bugfixes (but no new features): 6.2.4, 6.3.2
+* Which Elasticsearch versions receive no updates at all any longer: all other (1.x.x-5.6.15, 6.0.x-6.2.3, 6.3.0-6.3.1, 6.4.0-6.4.2, 6.5.0-6.5.3)

_docs/installation_versionmatrix.md

@@ -15,3 +15,6 @@ All Search Guard releases, past and present, are available on Maven Central. You
 
 If you are upgrading from Elasticsearch < 6.5.0 to Elasticsearch >= 6.5.0, please read the [upgrade instructions to Elasticsearch 6.5.x](upgrading_6_5_0.md). 
 {: .note .js-note .note-warning}
+
+Please also refer to [Search Guard End of Life policy](eol.md) to make sure that you are not running an outdated Search Guard version.  
+{: .note .js-note .note-warning}

_docs/kibana_authentication_basicauth.md

@@ -79,7 +79,7 @@ searchguard.auth.type: "basicauth"
 searchguard.cookie.password: <encryption key, min. 32 characters>
 
 # Use HTTPS instead of HTTP
-elasticsearch.url: "https://<hostname>.com:<http port>"
+elasticsearch.hosts: ["https://<hostname>.com:<http port>"]
 
 # Configure the Kibana internal server user
 elasticsearch.username: "kibanaserver"
@@ -92,4 +92,4 @@ elasticsearch.ssl.verificationMode: none
 elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant"]
 </code>
 </pre>
-</div>
+</div>

_docs/kibana_authentication_jwt.md

@@ -81,7 +81,7 @@ searchguard.jwt.header: 'Authorization'
 searchguard.jwt.url_param: 'jwtparam'
 
 # Use HTTPS instead of HTTP
-elasticsearch.url: "https://<hostname>.com:<http port>"
+elasticsearch.hosts: ["https://<hostname>.com:<http port>"]
 
 # Configure the Kibana internal server user
 elasticsearch.username: "kibanaserver"
@@ -115,4 +115,4 @@ basic_internal_auth_domain:
     type: basic
     challenge: false
     ...
-```
+```

_docs/kibana_authentication_proxy.md

@@ -55,7 +55,7 @@ searchguard.basicauth.enabled: false
 searchguard.auth.type: "proxy"
 
 # Use HTTPS instead of HTTP
-elasticsearch.url: "https://<hostname>.com:<http port>"
+elasticsearch.hosts: ["https://<hostname>.com:<http port>"]
 
 # Configure the Kibana internal server user
 elasticsearch.username: "kibanaserver"
@@ -93,4 +93,4 @@ basic_internal_auth_domain:
     type: basic
     challenge: false
     ...
-```
+```

_docs/kibana_authentication_types.md

@@ -36,13 +36,13 @@ This is the default. If the user tries to access Kibana and has no active sessio
 
 In this mode, the user is authenticated by a third party system, like an identity provider that issues JSON web tokens, a Kerberos realm or an authenticating proxy. The Kibana plugin will forward any HTTP headers containing user crendentials to Search Guard. As with Basic Authentication, Search Guard uses these credentials for assigning roles and permissions.
 
-*Hint: You cannot the Basic Authentication login page and SSO authentication together.*
+*Hint: You cannot have the Basic Authentication login page and SSO authentication together.*
 
 ### Whitelisting HTTP headers
 
 By default, Kibana does not pass any HTTP header other than `Authorization` to Elasticsearch. If you try to transmit any other header, it is silently discarded.
 
-In order for SSO to work, make sure that any HTTP header that is required for yur configured authentication type is added to the `elasticsearch.requestHeadersWhitelist` configuration entry in `kibana.yml`. 
+In order for SSO to work, make sure that any HTTP header that is required for your configured authentication type is added to the `elasticsearch.requestHeadersWhitelist` configuration entry in `kibana.yml`.
 
 Example:
 
@@ -66,4 +66,4 @@ This does not mean that you need to enable Basic Authentication for regular user
 
 ## About certificate based authentication
 
-We do not yet provide support for certificate-based (two-way SSL) authentication against Kibana due to technical limitations of the Kibana architecture.
+We do not yet provide support for certificate-based (two-way SSL) authentication against Kibana due to technical limitations of the Kibana architecture.

_docs/kibana_installation.md

@@ -76,10 +76,10 @@ elasticsearch.password: "kibanaserver"
 
 ## Setting up SSL/TLS
 
-If you use TLS on the Elasticsearch REST layer, you need to configure Kibana accordingly. Set the protocol on the entry `elasticsearch.url` to `https`:
+If you use TLS on the Elasticsearch REST layer, you need to configure Kibana accordingly. Set the protocol on the entry `elasticsearch.hosts` to `https`:
 
 ```yaml
-elasticsearch.url: "https://localhost:9200"
+elasticsearch.hosts: ["https://localhost:9200"]
 ```
 
 All requests that Kibana makes to Elasticsearch will now use HTTPS instead of HTTP.
@@ -210,6 +210,9 @@ You can override this behaviour explicitly by using the following option in your
 ```
 # Allow using a client certificate defined in elasticsearch.ssl.certificate
 searchguard.allow_client_certificates: true
+# If you are on Kibana >= 6.5.0 you might want to also set
+#elasticsearch.ssl.alwaysPresentCertificate: true
+# see https://github.com/elastic/kibana/pull/24304
 ```
 
 ## Where to go next