[7.0][DOCS] Adds security content in the Elasticsearch Reference

docs/reference/index.asciidoc

@@ -66,7 +66,7 @@ include::administering.asciidoc[]
 
 include::rest-api/index.asciidoc[]
 
-include::security/index.asciidoc[]
+include::{xes-repo-dir}/security/index.asciidoc[]
 
 include::{xes-repo-dir}/watcher/index.asciidoc[]
 

docs/reference/settings/security-settings.asciidoc

@@ -1309,7 +1309,7 @@ SSL enabled server.
 [[pkcs12-truststore-note]]
 [NOTE]
 Storing trusted certificates in a PKCS#12 file, although supported, is
-uncommon in practice. The {ref}/certutil.html[`elasticsearch-certutil`] tool,
+uncommon in practice. The <<certutil,`elasticsearch-certutil`>> tool,
 as well as Java's `keytool`, are designed to generate PKCS#12 files that
 can be used both as a keystore and as a truststore, but this may not be the
 case for container files that are created using other tools. Usually,

x-pack/docs/en/security/auditing/event-types.asciidoc

@@ -18,7 +18,7 @@ The following is a list of the events that can be generated:
                                           realm type.
 | `access_denied`                   | | | Logged when an authenticated user attempts to execute
                                           an action they do not have the necessary
-                                          <<security-reference, privilege>> to perform.
+                                          <<security-privileges,privilege>> to perform.
 | `access_granted`                  | | | Logged when an authenticated user attempts to execute
                                           an action they have the necessary privilege to perform.
                                           When the `system_access_granted` event is included, all system
@@ -28,7 +28,7 @@ The following is a list of the events that can be generated:
                                           another user that they have the necessary privileges to do.
 | `run_as_denied`                   | | | Logged when an authenticated user attempts to <<run-as-privilege, run as>>
                                           another user action they do not have the necessary
-                                          <<security-reference, privilege>> to do so.
+                                          <<security-privileges,privilege>> to do so.
 | `tampered_request`                | | | Logged when the {security-features} detect that the request has
                                           been tampered with. Typically relates to `search/scroll`
                                           requests when the scroll ID is believed to have been

x-pack/docs/en/security/authentication/index.asciidoc

@@ -12,11 +12,7 @@ include::native-realm.asciidoc[]
 include::pki-realm.asciidoc[]
 include::saml-realm.asciidoc[]
 include::kerberos-realm.asciidoc[]
-
-include::{xes-repo-dir}/security/authentication/custom-realm.asciidoc[]
-
-include::{xes-repo-dir}/security/authentication/anonymous-access.asciidoc[]
-
-include::{xes-repo-dir}/security/authentication/user-cache.asciidoc[]
-
-include::{xes-repo-dir}/security/authentication/saml-guide.asciidoc[]
+include::custom-realm.asciidoc[]
+include::anonymous-access.asciidoc[]
+include::user-cache.asciidoc[]
+include::saml-guide.asciidoc[]

x-pack/docs/en/security/authentication/saml-guide.asciidoc

@@ -492,7 +492,7 @@ You should consult the documentation for your IdP to determine what formats they
 support. Since PEM format is the most commonly supported format, the examples
 below will generate certificates in that format.
 
-Using the {ref}/certutil.html[`elasticsearch-certutil`] tool, you can generate a
+Using the <<certutil,`elasticsearch-certutil`>> tool, you can generate a
 signing certificate with the following command:
 
 [source, sh]

x-pack/docs/en/security/authentication/token-authentication-services.asciidoc

@@ -13,7 +13,7 @@ The {security-features} provide the following built-in token-based authenticatio
 services, which are listed in the order they are consulted:
 
 _token-service_::
-The token service uses the {ref}/security-api-get-token.html[get token API] to
+The token service uses the <<security-api-get-token,get token API>> to
 generate access tokens and refresh tokens based on the OAuth2 specification.
 The access token is a short-lived token. By default, it expires after 20 minutes
 but it can be configured to last a maximum of 1 hour. It can be refreshed by
@@ -32,7 +32,7 @@ curl -H "Authorization: Bearer dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvb
 
 _api-key-service_::
 The API key service uses the
-{ref}/security-api-create-api-key.html[create API key API] to generate API keys.
+<<security-api-create-api-key,create API key API>> to generate API keys.
 By default, the API keys do not expire. When you make a request to create API
 keys, you can specify an expiration and permissions for the API key. The
 permissions are limited by the authenticated user's permissions. You can use the
@@ -54,5 +54,5 @@ service to use to generate and manage the tokens. Non-expiring API keys may seem
 like the easy option but you must consider the security implications that come
 with non-expiring keys. Both the _token-service_ and _api-key-service_ permit
 you to invalidate the tokens. See
-{ref}/security-api-invalidate-token.html[invalidate token API] and
-{ref}/security-api-invalidate-api-key.html[invalidate API key API].
+<<security-api-invalidate-token,invalidate token API>> and
+<<security-api-invalidate-api-key,invalidate API key API>>.

x-pack/docs/en/security/authorization/index.asciidoc

@@ -3,20 +3,20 @@ include::overview.asciidoc[]
 
 include::built-in-roles.asciidoc[]
 
-include::{xes-repo-dir}/security/authorization/managing-roles.asciidoc[]
+include::managing-roles.asciidoc[]
 
 include::privileges.asciidoc[]
 
 include::document-level-security.asciidoc[]
 
 include::field-level-security.asciidoc[]
 
-include::{xes-repo-dir}/security/authorization/alias-privileges.asciidoc[]
+include::alias-privileges.asciidoc[]
 
-include::{xes-repo-dir}/security/authorization/mapping-roles.asciidoc[]
+include::mapping-roles.asciidoc[]
 
-include::{xes-repo-dir}/security/authorization/field-and-document-access-control.asciidoc[]
+include::field-and-document-access-control.asciidoc[]
 
-include::{xes-repo-dir}/security/authorization/run-as-privilege.asciidoc[]
+include::run-as-privilege.asciidoc[]
 
-include::{xes-repo-dir}/security/authorization/custom-authorization.asciidoc[]
+include::custom-authorization.asciidoc[]

x-pack/docs/en/security/ccs-clients-integrations.asciidoc → x-pack/docs/en/security/ccs-clients-integrations/index.asciidoc

@@ -6,13 +6,13 @@ When using {ref}/modules-cross-cluster-search.html[Cross Cluster Search]
 you need to take extra steps to secure communications with the connected
 clusters.
 
-* <<cross-cluster-configuring, Cross Cluster Search and Security>>
+* <<cross-cluster-configuring,{ccs-cap}>>
 
 You will need to update the configuration for several clients to work with a
 secured cluster:
 
-* <<java-clients, Java Clients>>
-* <<http-clients, HTTP Clients>>
+* <<java-clients,Java clients>>
+* <<http-clients,HTTP clients>>
 
 
 The {es} {security-features} enable you to secure your {es} cluster. But
@@ -32,14 +32,14 @@ be secured as well, or at least communicate with the cluster in a secured way:
 * {kibana-ref}/secure-reporting.html[Reporting]
 * {winlogbeat-ref}/securing-beats.html[Winlogbeat]
 
-include::ccs-clients-integrations/cross-cluster.asciidoc[]
+include::cross-cluster.asciidoc[]
 
-include::ccs-clients-integrations/java.asciidoc[]
+include::java.asciidoc[]
 
-include::ccs-clients-integrations/http.asciidoc[]
+include::http.asciidoc[]
 
-include::ccs-clients-integrations/hadoop.asciidoc[]
+include::hadoop.asciidoc[]
 
-include::ccs-clients-integrations/beats.asciidoc[]
+include::beats.asciidoc[]
 
-include::ccs-clients-integrations/monitoring.asciidoc[]
+include::monitoring.asciidoc[]

x-pack/docs/en/security/ccs-clients-integrations/monitoring.asciidoc

@@ -1,7 +1,7 @@
 [[secure-monitoring]]
 === Monitoring and security
 
-The <<xpack-monitoring,{stack} {monitor-features}>> consist of two components:
+The {stack} {monitor-features} consist of two components:
 an agent that you install on on each {es} and Logstash node, and a Monitoring UI
 in {kib}. The monitoring agent collects and indexes metrics from the nodes
 and you visualize the data through the Monitoring dashboards in {kib}. The agent
@@ -17,7 +17,7 @@ with the monitoring cluster.
 
 For more information, see:
 
-* {ref}/configuring-monitoring.html[Configuring monitoring in {es}]
+* <<configuring-monitoring>>
 * {kibana-ref}/monitoring-xpack-kibana.html[Configuring monitoring in {kib}]
 * {logstash-ref}/configuring-logstash.html[Configuring monitoring for Logstash nodes]
 

x-pack/docs/en/security/configuring-es.asciidoc

@@ -8,8 +8,7 @@
 The {es} {security-features} enable you to easily secure a cluster. You can
 password-protect your data as well as implement more advanced security measures
 such as encrypting communications, role-based access control, IP filtering, and
-auditing. For more information, see
-{stack-ov}/elasticsearch-security.html[Securing the {stack}].
+auditing.
 
 To use {es} {security-features}:
 
@@ -25,7 +24,7 @@ https://www.elastic.co/subscriptions and
 
 . Verify that the `xpack.security.enabled` setting is `true` on each node in
 your cluster. If you are using a trial license, the default value is `false`.
-For more information, see {ref}/security-settings.html[Security Settings in {es}].
+For more information, see <<security-settings>>.
 
 . If you plan to run {es} in a Federal Information Processing Standard (FIPS) 
 140-2 enabled JVM, see <<fips-140-compliance>>. 
@@ -37,7 +36,7 @@ NOTE: This requirement applies to clusters with more than one node and to
 clusters with a single node that listens on an external interface. Single-node
 clusters that use a loopback interface do not have this requirement.  For more
 information, see
-{stack-ov}/encrypting-communications.html[Encrypting Communications].
+<<encrypting-communications>>.
 
 --
 .. <<node-certificates,Generate node certificates for each of your {es} nodes>>.
@@ -50,7 +49,7 @@ information, see
 +
 --
 The {es} {security-features} provide
-{stack-ov}/built-in-users.html[built-in users] to
+<<built-in-users,built-in users>> to
 help you get up and running. The +elasticsearch-setup-passwords+ command is the
 simplest method to set the built-in users' passwords for the first time.
 
@@ -125,7 +124,7 @@ curl -XPOST -u elastic 'localhost:9200/_security/user/johndoe' -H "Content-Type:
 xpack.security.audit.enabled: true
 ----------------------------
 +
-For more information, see {stack-ov}/auditing.html[Auditing Security Events] 
+For more information, see <<auditing>> 
 and <<auditing-settings>>. 
 
 .. Restart {es}.
@@ -134,23 +133,17 @@ Events are logged to a dedicated `<clustername>_audit.json` file in
 `ES_HOME/logs`, on each cluster node.
 --
 
-include::{es-repo-dir}/security/securing-communications/securing-elasticsearch.asciidoc[]
-
-include::{es-repo-dir}/security/securing-communications/configuring-tls-docker.asciidoc[]
-
-include::{es-repo-dir}/security/securing-communications/enabling-cipher-suites.asciidoc[]
-
-include::{es-repo-dir}/security/securing-communications/separating-node-client-traffic.asciidoc[]
-
+include::securing-communications/securing-elasticsearch.asciidoc[]
+include::securing-communications/configuring-tls-docker.asciidoc[]
+include::securing-communications/enabling-cipher-suites.asciidoc[]
+include::securing-communications/separating-node-client-traffic.asciidoc[]
 include::authentication/configuring-active-directory-realm.asciidoc[]
 include::authentication/configuring-file-realm.asciidoc[]
 include::authentication/configuring-ldap-realm.asciidoc[]
 include::authentication/configuring-native-realm.asciidoc[]
 include::authentication/configuring-pki-realm.asciidoc[]
 include::authentication/configuring-saml-realm.asciidoc[]
-
 include::authentication/configuring-kerberos-realm.asciidoc[]
-
 include::fips-140-compliance.asciidoc[]
-include::{es-repo-dir}/security/reference/files.asciidoc[]
+include::reference/files.asciidoc[]
 

x-pack/docs/en/security/fips-140-compliance.asciidoc

@@ -114,7 +114,7 @@ features are not available while running in fips mode. The list is as follows:
 
 * Azure Classic Discovery Plugin
 * Ingest Attachment Plugin
-* The {ref}/certutil.html[`elasticsearch-certutil`] tool. However,
+* The <<certutil,`elasticsearch-certutil`>> tool. However,
  `elasticsearch-certutil` can very well be used in a non FIPS 140-2
   enabled JVM (pointing `JAVA_HOME` environment variable to a different java
   installation) in order to generate the keys and certificates that

x-pack/docs/en/security/get-started-builtin-users.asciidoc

@@ -13,7 +13,7 @@ the following command from the {es} directory:
 ./bin/elasticsearch
 ----------------------------------------------------------------------
 
-See {ref}/starting-elasticsearch.html[Starting {es}].
+See <<starting-elasticsearch>>.
 --
 
 . Set the built-in users' passwords. Run the following command from the {es} 

x-pack/docs/en/security/get-started-enable-security.asciidoc

@@ -8,7 +8,7 @@ line. See {kibana-ref}/start-stop.html[Starting and stopping {kib}].
 
 . Stop {es}. For example, if you installed {es} from an archive distribution, 
 enter `Ctrl-C` on the command line. See 
-{ref}/stopping-elasticsearch.html[Stopping {es}].
+<<stopping-elasticsearch>>.
 
 . Add the `xpack.security.enabled` setting to the 
 `ES_PATH_CONF/elasticsearch.yml` file. 
@@ -18,7 +18,7 @@ TIP: The `ES_PATH_CONF` environment variable contains the path for the {es}
 configuration files. If you installed {es} using archive distributions (`zip` or 
 `tar.gz`), it defaults to `ES_HOME/config`. If you used package distributions 
 (Debian or RPM), it defaults to `/etc/elasticsearch`. For more information, see 
-{ref}/settings.html[Configuring {es}].  
+<<settings>>.  
 
 For example, add the following setting:
 

x-pack/docs/en/security/get-started-security.asciidoc

@@ -27,7 +27,7 @@ example, http://127.0.0.1:5601[http://127.0.0.1:5601].
 [[get-started-license]]
 === Install a trial license
 
-include::{docdir}/get-started-trial.asciidoc[]
+include::get-started-trial.asciidoc[]
 
 [role="xpack"]
 [[get-started-enable-security]]
@@ -328,15 +328,15 @@ using the native realm. You learned how to create user IDs and roles that
 prevent unauthorized access to the {stack}. 
 
 Next, you'll want to try other features that are unlocked by your trial license, 
-such as {ml}. See <<ml-getting-started,Getting started with {ml}>>. 
+such as {ml}. See {stack-ov}/ml-getting-started.html[Getting started with {ml}]. 
 
 Later, when you're ready to increase the number of nodes in your cluster or set 
 up an production environment, you'll want to encrypt communications across the 
 {stack}. To learn how, read <<encrypting-communications>>. 
 
 For more detailed information about securing the {stack}, see:
 
-* {ref}/configuring-security.html[Configuring security in {es}]. Encrypt 
+* <<configuring-security,Configuring security in {es}>>. Encrypt 
 inter-node communications, set passwords for the built-in users, and manage your 
 users and roles.  
 

x-pack/docs/en/security/get-started-trial.asciidoc

@@ -0,0 +1,21 @@
+By default, when you install {stack} products, they apply basic licenses with no 
+expiration dates. To view your license in {kib}, go to **Management** and click 
+**License Management**.
+
+[role="screenshot"]
+image::images/management-license.png["The License Management page in {kib}"]
+
+For more information about Elastic license levels, see 
+https://www.elastic.co/subscriptions.
+
+You can start a 30-day trial to try out all of the platinum features, including 
+{security-features} and {ml-features}. Click **Start trial** on the 
+**License Management** page in {kib}.
+
+IMPORTANT: If your cluster has already activated a trial license for the current 
+major version, you cannot start a new trial. For example, if you have already 
+activated a trial for v6.0, you cannot start a new trial until v7.0.
+
+At the end of the trial period, the platinum features operate in a 
+{stack-ov}/license-expiration.html[degraded mode]. You can revert to a basic license, extend 
+the trial, or purchase a subscription.