Require scripts to be enabled in Elasticsearch

[kobelb]

Currently, Kibana doesn't require that scripts are enabled in Elaticsearch. If a user sets script.allowed_types: none, Kibana should continue to "generally work". However, there are features in 7.x that do require that scripts are enabled. If scripting is not enabled, these features have been designed to fail gracefully.

Starting in 8.0, we have the opportunity to enforce that scripts are enabled in Elasticsearch and no longer support these graceful fallbacks. We should document this requirement as a breaking change, and make Kibana fail in an obvious way when an Elasticsearch node has scripting disabled.

We currently ensure that Kibana is connected to an instance of Elasticsearch that is running a compatible version. Would it be possible to augment this logic to also ensure that the Elasticsearch node has scripting enabled?

[elasticmachine]

Pinging @elastic/kibana-core (Team:Core)

[pgayvallet]

Added to #84380

[kobelb]

Thanks @pgayvallet

[joshdover]

In addition to adding this to the healthcheck in 8.0, we should add an Upgrade Assistant deprecation warning in 7.x that executes the same test.

[lukeelmers]

Created a separate task to track adding the deprecations: #110566

We will continue to use this issue to track the actual breaking change for 8.0

[pgayvallet]

If a user sets script.allowed_types: none, Kibana should continue to "generally work"

From the doc, the possible value are both, inline, stored and none. As Kibana relies on inline scripts, we should make sure that the value is either inline or both.

Now, this is a configuration option, so I'm not sure there is an API to retrieve this info from ES (who could helps us here)

If not, we'll have to fallback to detecting it 'manually' by executing a dummy request using inline scripting to check if it succeeds or fails due to disabled inline scripting.

Also, Is there doing to be subtle edge cases with multi-node ES clusters? Like one node has scripting enabled, but not the other one? Do we want to handle that and, if so, how?

[joshdover]

Now, this is a configuration option, so I'm not sure there is an API to retrieve this info from ES (who could helps us here)

GET _cluster/settings?include_defaults=true will return this setting. Not sure how this behaves on multi-node clusters though.

[pgayvallet]

Not sure how this behaves on multi-node clusters though.

I'm not sure we really have any way to retrieve the info from each individual node, do we?

From the doc:

It’s best to set all cluster-wide settings with the settings API and use the elasticsearch.yml file only for local configurations. This way you can be sure that the setting is the same on all nodes. If, on the other hand, you define different settings on different nodes by accident using the configuration file, it is very difficult to notice these discrepancies.

And I guess it should be safe to assume that in a multi-node cluster configuration, all node should have this script.allowed_types set to the same value?

[kobelb]

And I guess it should be safe to assume that in a multi-node cluster configuration, all node should have this script.allowed_types set to the same value?

Given the current limitations, I think that's fine.