Merge branch 'master' into resolver/lay-in-submenu-options

.github/CODEOWNERS

@@ -164,7 +164,6 @@
 
 # Pulse
 /packages/kbn-analytics/ @elastic/pulse
-/src/legacy/core_plugins/ui_metric/ @elastic/pulse
 /src/plugins/kibana_usage_collection/ @elastic/pulse
 /src/plugins/newsfeed/ @elastic/pulse
 /src/plugins/telemetry/ @elastic/pulse

docs/apm/metrics.asciidoc

@@ -11,8 +11,12 @@ For example, you might be able to correlate a high number of errors with a long
 [role="screenshot"]
 image::apm/images/apm-metrics.png[Example view of the Metrics overview in APM app in Kibana]
 
-If you're using the Java Agent, the metrics view focuses on JVMs.
-A detailed view of metrics per JVM makes it much easier to analyze the provided metrics:
+If you're using the Java Agent, you can view metrics for each JVM.
+
+[role="screenshot"]
+image::apm/images/jvm-metrics-overview.png[Example view of the Metrics overview for the Java Agent]
+
+Breaking down metrics by JVM makes it much easier to analyze the provided metrics:
 CPU usage, memory usage, heap or non-heap memory,
 thread count, garbage collection rate, and garbage collection time spent per minute.
 

docs/setup/settings.asciidoc

@@ -225,11 +225,11 @@ If you configure a custom index, the name must be lowercase, and conform to the
 {es} {ref}/indices-create-index.html[index name limitations].
 *Default: `".kibana"`*
 
-| `kibana.autocompleteTimeout:`
+| `kibana.autocompleteTimeout:` {ess-icon}
  | Time in milliseconds to wait for autocomplete suggestions from {es}.
 This value must be a whole number greater than zero. *Default: `"1000"`*
 
-| `kibana.autocompleteTerminateAfter:`
+| `kibana.autocompleteTerminateAfter:` {ess-icon}
  | Maximum number of documents loaded by each shard to generate autocomplete
 suggestions. This value must be a whole number greater than zero.
 *Default: `"100000"`*
@@ -300,11 +300,11 @@ suppress all logging output. *Default: `false`*
 (for example, `America/Los_Angeles`) to log events using that timezone. For a
 list of timezones, refer to https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. *Default: `UTC`*
 
-| [[logging-verbose]] `logging.verbose:`
+| [[logging-verbose]] `logging.verbose:` {ece-icon}
  | Set to `true` to log all events, including system usage information and all
-requests. Supported on {ece}. *Default: `false`*
+requests. *Default: `false`*
 
-| `map.includeElasticMapsService:`
+| `map.includeElasticMapsService:` {ess-icon}
  | Set to `false` to disable connections to Elastic Maps Service.
 When `includeElasticMapsService` is turned off, only the vector layers configured by `map.regionmap`
 and the tile layer configured by `map.tilemap.url` are available in <<maps, Maps>>. *Default: `true`*
@@ -313,9 +313,9 @@ and the tile layer configured by `map.tilemap.url` are available in <<maps, Maps
  | Set to `true` to proxy all <<maps, Maps application>> Elastic Maps Service
 requests through the {kib} server. *Default: `false`*
 
-| [[regionmap-settings]] `map.regionmap:`
+| [[regionmap-settings]] `map.regionmap:` {ess-icon} {ece-icon}
  | Specifies additional vector layers for
-use in <<maps, Maps>> visualizations. Supported on {ece}. Each layer
+use in <<maps, Maps>> visualizations. Each layer
 object points to an external vector file that contains a geojson
 FeatureCollection. The file must use the
 https://en.wikipedia.org/wiki/World_Geodetic_System[WGS84 coordinate reference system (ESPG:4326)]
@@ -343,20 +343,19 @@ map.regionmap:
 [cols="2*<"]
 |===
 
-| [[regionmap-ES-map]] `map.includeElasticMapsService:`
+| [[regionmap-ES-map]] `map.includeElasticMapsService:` {ece-icon}
  | Turns on or off whether layers from the Elastic Maps Service should be included in the vector
-layer option list. Supported on {ece}. By turning this off,
+layer option list. By turning this off,
 only the layers that are configured here will be included. The default is `true`.
 This also affects whether tile-service from the Elastic Maps Service will be available.
 
-| [[regionmap-attribution]] `map.regionmap.layers[].attribution:`
+| [[regionmap-attribution]] `map.regionmap.layers[].attribution:` {ess-icon} {ece-icon}
  | Optional. References the originating source of the geojson file.
-Supported on {ece}.
 
-| [[regionmap-fields]] `map.regionmap.layers[].fields[]:`
+| [[regionmap-fields]] `map.regionmap.layers[].fields[]:` {ess-icon} {ece-icon}
  | Mandatory. Each layer
 can contain multiple fields to indicate what properties from the geojson
-features you wish to expose. Supported on {ece}. The following shows how to define multiple
+features you wish to expose. The following shows how to define multiple
 properties:
 
 |===
@@ -379,44 +378,44 @@ map.regionmap:
 [cols="2*<"]
 |===
 
-| [[regionmap-field-description]] `map.regionmap.layers[].fields[].description:`
+| [[regionmap-field-description]] `map.regionmap.layers[].fields[].description:` {ess-icon} {ece-icon}
  | Mandatory. The human readable text that is shown under the Options tab when
-building the Region Map visualization. Supported on {ece}.
+building the Region Map visualization.
 
-| [[regionmap-field-name]] `map.regionmap.layers[].fields[].name:`
+| [[regionmap-field-name]] `map.regionmap.layers[].fields[].name:` {ess-icon} {ece-icon}
  | Mandatory.
 This value is used to do an inner-join between the document stored in
 {es} and the geojson file. For example, if the field in the geojson is
 called `Location` and has city names, there must be a field in {es}
 that holds the same values that {kib} can then use to lookup for the geoshape
-data. Supported on {ece}.
+data.
 
-| [[regionmap-name]] `map.regionmap.layers[].name:`
+| [[regionmap-name]] `map.regionmap.layers[].name:` {ess-icon} {ece-icon}
  | Mandatory. A description of
-the map being provided. Supported on {ece}.
+the map being provided.
 
-| [[regionmap-url]] `map.regionmap.layers[].url:`
+| [[regionmap-url]] `map.regionmap.layers[].url:` {ess-icon} {ece-icon}
  | Mandatory. The location of the
-geojson file as provided by a webserver. Supported on {ece}.
+geojson file as provided by a webserver.
 
-| [[tilemap-settings]] `map.tilemap.options.attribution:`
- | The map attribution string. Supported on {ece}.
+| [[tilemap-settings]] `map.tilemap.options.attribution:` {ess-icon} {ece-icon}
+ | The map attribution string.
 *Default: `"© [Elastic Maps Service](https://www.elastic.co/elastic-maps-service)"`*
 
-| [[tilemap-max-zoom]] `map.tilemap.options.maxZoom:`
- | The maximum zoom level. Supported on {ece}. *Default: `10`*
+| [[tilemap-max-zoom]] `map.tilemap.options.maxZoom:` {ess-icon} {ece-icon}
+ | The maximum zoom level. *Default: `10`*
 
-| [[tilemap-min-zoom]] `map.tilemap.options.minZoom:`
- | The minimum zoom level. Supported on {ece}. *Default: `1`*
+| [[tilemap-min-zoom]] `map.tilemap.options.minZoom:` {ess-icon} {ece-icon}
+ | The minimum zoom level. *Default: `1`*
 
-| [[tilemap-subdomains]] `map.tilemap.options.subdomains:`
+| [[tilemap-subdomains]] `map.tilemap.options.subdomains:` {ess-icon} {ece-icon}
  | An array of subdomains
 used by the tile service. Specify the position of the subdomain the URL with
-the token `{s}`. Supported on {ece}.
+the token `{s}`.
 
-| [[tilemap-url]] `map.tilemap.url:`
+| [[tilemap-url]] `map.tilemap.url:` {ess-icon} {ece-icon}
  | The URL to the tileservice that {kib} uses
-to display map tiles in tilemap visualizations. Supported on {ece}. By default,
+to display map tiles in tilemap visualizations. By default,
 {kib} reads this URL from an external metadata service, but users can
 override this parameter to use their own Tile Map Service. For example:
 `"https://tiles.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana"`
@@ -451,7 +450,7 @@ deprecation warning at startup. This setting cannot end in a slash (`/`).
 proxy sitting in front of it. This determines whether HTTP compression may be used for responses, based on the request `Referer` header.
 This setting may not be used when `server.compression.enabled` is set to `false`. *Default: `none`*
 
-| `server.customResponseHeaders:`
+| `server.customResponseHeaders:` {ess-icon}
  | Header names and values to
 send on all responses to the client from the {kib} server. *Default: `{}`*
 
@@ -610,7 +609,7 @@ us improve your user experience. Your data is never shared with anyone. Set to
 `false` to disable telemetry capabilities entirely. You can alternatively opt
 out through *Advanced Settings*. *Default: `true`*
 
-| `vis_type_vega.enableExternalUrls:`
+| `vis_type_vega.enableExternalUrls:` {ess-icon}
  | Set this value to true to allow Vega to use any URL to access external data
 sources and images. When false, Vega can only get data from {es}. *Default: `false`*
 
@@ -622,7 +621,7 @@ disable the License Management UI. *Default: `true`*
  | Set this value to false to disable the
 Rollup UI. *Default: true*
 
-| `i18n.locale`
+| `i18n.locale` {ess-icon}
  | Set this value to change the {kib} interface language.
 Valid locales are: `en`, `zh-CN`, `ja-JP`. *Default: `en`*
 

docs/user/getting-started.asciidoc

@@ -8,18 +8,9 @@ Ready to try out {kib} and see what it can do? To quickest way to get started wi
 
 [float]
 [[cloud-set-up]]
-== Set up on Cloud
+== Set up on cloud
 
-To access {kib} in a single click, run our hosted Elasticsearch Service on Elastic Cloud.
-
-. Log into the link:https://cloud.elastic.co/[Elasticsearch Service Console].
-If you need an account, register for a link:https://www.elastic.co/cloud/elasticsearch-service/signup[free 14-day trial].
-
-. Click *Create deployment*, then give your deployment a name.
-
-. To use the default options, click *Create deployment*. You can modify the other deployment options, but the default options are great to get started.
-
-Be sure to copy down the password for the `elastic` user and Cloud ID information. You'll need that later.
+include::{docs-root}/shared/cloud/ess-getting-started.asciidoc[]
 
 [float]
 [[get-data-in]]

docs/user/security/api-keys/index.asciidoc

@@ -3,18 +3,18 @@
 === API Keys
 
 
-API keys enable you to create secondary credentials so that you can send 
-requests on behalf of the user. Secondary credentials have 
-the same or lower access rights.  
+API keys enable you to create secondary credentials so that you can send
+requests on behalf of the user. Secondary credentials have
+the same or lower access rights.
 
 For example, if you extract data from an {es} cluster on a daily
-basis, you might create an API key tied to your credentials, 
-configure it with minimum access, 
+basis, you might create an API key tied to your credentials,
+configure it with minimum access,
 and then put the API credentials into a cron job.
-Or, you might create API keys to automate ingestion of new data from 
-remote sources, without a live user interaction. 
+Or, you might create API keys to automate ingestion of new data from
+remote sources, without a live user interaction.
 
-You can create API keys from the {kib} Console. To view and invalidate 
+You can create API keys from the {kib} Console. To view and invalidate
 API keys, use *Management > Security > API Keys*.
 
 [role="screenshot"]
@@ -24,63 +24,80 @@ image:user/security/api-keys/images/api-keys.png["API Keys UI"]
 [[api-keys-service]]
 === {es} API key service
 
-The {es} API key service is automatically enabled when you configure 
-{ref}/configuring-tls.html#tls-http[TLS on the HTTP interface]. 
+The {es} API key service is automatically enabled when you configure
+{ref}/configuring-tls.html#tls-http[TLS on the HTTP interface].
 This ensures that clients are unable to send API keys in clear-text.
 
-When HTTPS connections are not enabled between {kib} and {es}, 
+When HTTPS connections are not enabled between {kib} and {es},
 you cannot create or manage API keys, and you get an error message.
-For more information, see the 
-{ref}/security-api-create-api-key.html[{es} API key documentation], 
+For more information, see the
+{ref}/security-api-create-api-key.html[{es} API key documentation],
 or contact your system administrator.
 
 [float]
 [[api-keys-security-privileges]]
 === Security privileges
 
-You must have the `manage_security`, `manage_api_key`, or the `manage_own_api_key` 
-cluster privileges to use API keys in {kib}. You can manage roles in 
-*Management > Security > Roles*, or use the <<role-management-api, {kib} Role Management API>>. 
+You must have the `manage_security`, `manage_api_key`, or the `manage_own_api_key`
+cluster privileges to use API keys in {kib}. You can manage roles in
+*Management > Security > Roles*, or use the <<role-management-api, {kib} Role Management API>>.
 
 
 [float]
 [[create-api-key]]
 === Create an API key
-You can {ref}/security-api-create-api-key.html[create an API key] from 
-the Kibana Console. For example:
+You can {ref}/security-api-create-api-key.html[create an API key] from
+the {kib} Console. This example shows how to create an API key
+to authenticate to a <<api, Kibana API>>.
 
 [source,js]
 POST /_security/api_key
 {
-  "name": "my_api_key",
-  "expiration": "1d"
+  "name": "kibana_api_key",
 }
 
-This creates an API key with the name `my_api_key` that 
-expires after one day. API key names must be globally unique. 
-An expiration date is optional and follows {ref}/common-options.html#time-units[{es} time unit format]. 
+This creates an API key with the
+name `kibana_api_key`. API key
+names must be globally unique.
+An expiration date is optional and follows
+{ref}/common-options.html#time-units[{es} time unit format].
 When an expiration is not provided, the API key does not expire.
 
+The response should look something like this:
+
+[source,js]
+{
+  "id" : "XFcbCnIBnbwqt2o79G4q",
+  "name" : "kibana_api_key",
+  "api_key" : "FD6P5UA4QCWlZZQhYF3YGw"
+}
+
+Now, you can use the API key to request {kib} roles. You will need
+to base64-encode the `id` and `api_key` provided in the response
+and add it to your request as an authorization header. For example:
+
+[source,js]
+curl --location --request GET 'http://localhost:5601/api/security/role' \
+--header 'Content-Type: application/json;charset=UTF-8' \
+--header 'kbn-xsrf: true' \
+--header 'Authorization: ApiKey aVZlLUMzSUJuYndxdDJvN0k1bU46aGxlYUpNS2lTa2FKeVZua1FnY1VEdw==' \
+
 [float]
 [[view-api-keys]]
 === View and invalidate API keys
-The *API Keys* UI lists your API keys, including the name, date created, 
+The *API Keys* feature in Kibana lists your API keys, including the name, date created,
 and expiration date. If an API key expires, its status changes from `Active` to `Expired`.
 
-If you have `manage_security` or `manage_api_key` permissions, 
-you can view the API keys of all users, and see which API key was 
+If you have `manage_security` or `manage_api_key` permissions,
+you can view the API keys of all users, and see which API key was
 created by which user in which realm.
 If you have only the `manage_own_api_key` permission, you see only a list of your own keys.
 
-You can invalidate API keys individually or in bulk. 
+You can invalidate API keys individually or in bulk.
 Invalidated keys are deleted in batch after seven days.
 
 [role="screenshot"]
 image:user/security/api-keys/images/api-key-invalidate.png["API Keys invalidate"]
 
-You cannot modify an API key. If you need additional privileges, 
+You cannot modify an API key. If you need additional privileges,
 you must create a new key with the desired configuration and invalidate the old key.
-
-
-
-

packages/kbn-es/src/utils/native_realm.js

@@ -76,10 +76,6 @@ exports.NativeRealm = class NativeRealm {
     }
 
     const reservedUsers = await this.getReservedUsers();
-    if (!reservedUsers || reservedUsers.length < 1) {
-      throw new Error('no reserved users found, unable to set native realm passwords');
-    }
-
     await Promise.all(
       reservedUsers.map(async user => {
         await this.setPassword(user, options[`password.${user}`]);
@@ -88,16 +84,18 @@ exports.NativeRealm = class NativeRealm {
   }
 
   async getReservedUsers() {
-    const users = await this._autoRetry(async () => {
-      return await this._client.security.getUser();
-    });
+    return await this._autoRetry(async () => {
+      const resp = await this._client.security.getUser();
+      const usernames = Object.keys(resp.body).filter(
+        user => resp.body[user].metadata._reserved === true
+      );
 
-    return Object.keys(users.body).reduce((acc, user) => {
-      if (users.body[user].metadata._reserved === true) {
-        acc.push(user);
+      if (!usernames?.length) {
+        throw new Error('no reserved users found, unable to set native realm passwords');
       }
-      return acc;
-    }, []);
+
+      return usernames;
+    });
   }
 
   async isSecurityEnabled() {
@@ -125,10 +123,9 @@ exports.NativeRealm = class NativeRealm {
         throw error;
       }
 
-      this._log.warning(
-        'assuming [elastic] user not available yet, waiting 1.5 seconds and trying again'
-      );
-      await new Promise(resolve => setTimeout(resolve, 1500));
+      const sec = 1.5 * attempt;
+      this._log.warning(`assuming ES isn't initialized completely, trying again in ${sec} seconds`);
+      await new Promise(resolve => setTimeout(resolve, sec * 1000));
       return await this._autoRetry(fn, attempt + 1);
     }
   }