Kibana breaking changes
Breaking changes can impact your Elastic applications, potentially disrupting normal operations. Before you upgrade, carefully review the Kibana breaking changes and take the necessary steps to mitigate any issues.
If you are migrating from a version prior to version 9.0, you must first upgrade to the last 8.x version available. To learn how to upgrade, check out Upgrade.
Access to Kibana's internal APIs is blocked
Access to internal Kibana HTTP APIs is restricted from version 9.0.0. This is to ensure that HTTP API integrations with Kibana avoid unexpected breaking changes.
Impact
Any HTTP API calls to internal Kibana endpoints will fail with a 400 status code starting from version 9.0.0.
Action
Do not integrate with internal HTTP APIs. They may change or be removed without notice, and lead to unexpected behaviors. If you would like some capability to be exposed over an HTTP API, create an issue. We would love to discuss your use case.
View #193792.
Alerts and cases
Removed deprecated Alerting endpoints
POST /api/alerts/alert/{id?}has been replaced byPOST /api/alerting/rule/{id?}GET /api/alerts/alert/{{id}}has been replaced byGET /api/alerting/rule/{{id}}PUT /api/alerts/alert/{{id}}has been replaced byPUT /api/alerting/rule/rule/{{id}}DELETE: /api/alerts/alert/{{id}}has been replaced byDELETE /api/alerting/rule/{{id}}POST /api/alerts/alert/{{id}}/_disablehas been replaced byPOST /api/alerting/rule/{{id}}/_disablePOST /api/alerts/alert/{{id}}/_enablehas been replaced byPOST /api/alerting/rule/{{id}}/_enableGET /api/alerts/_findhas been replaced byGET /api/alerting/rules/_findGET /api/alerts/_healthhas been replaced byGET /api/alerting/rule/_healthGET /api/alerts/list_alert_typeshas been replaced byGET /api/alerting/rule_typesPOST /api/alerts/alert/{{alert_id}}/alert_instance/{{alert_instance_id}}/_mutehas been replaced byPOST /api/alerting/rule/{{rule_id}}/alert/{{alert_id}}/_mutePOST /api/alerts/alert/{{alert_id}}/alert_instance/{{alert_instance_id}}/_unmutehas been replaced byPOST /api/alerting/rule/{{rule_id}}/alert/{{alert_id}}/_unmutePOST /api/alerts/alert/{{id}}/_mute_allhas been replaced byPOST /api/alerting/rule/{{id}}/_mute_allPOST /api/alerts/alert/{{id}}/_unmute_allhas been replaced byPOST /api/alerting/rule/{{id}}/_unmute_allPOST /api/alerts/alert/{{id}}/_update_api_keyhas been replaced byPOST /api/alerting/rule/{{id}}/_update_api_keyGET /api/alerts/{{id}}/_instance_summaryhas been deprecated without replacement. Will be removed in v9.0.0GET /api/alerts/{{id}}/statehas been deprecated without replacement. Will be removed in v9.0.0
Impact
Deprecated endpoints will fail with a 404 status code starting from version 9.0.0.
Action
Remove references to GET /api/alerts/{{id}}/_instance_summary endpoint. Remove references to GET /api/alerts/{{id}}/state endpoint. Replace references to endpoints listed as deprecated by it’s replacement. See Details section. The updated APIs can be found in https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting.
Removed deprecated Alerting settings
Details
The following deprecated configuration settings were removed:
xpack.actions.customHostSettings.ssl.rejectUnauthorizedxpack.actions.whitelistedHostsxpack.actions.rejectUnauthorizedxpack.actions.proxyRejectUnauthorizedCertificatesxpack.alerts.healthCheckxpack.alerts.invalidateApiKeysTask.intervalxpack.alerts.invalidateApiKeysTask.removalDelayxpack.alerting.defaultRuleTaskTimeout
View #198435.
Removed deprecated Cases endpoints
Details
The following Cases APIs were removed:
- Get case status
- Get user actions
- Get all comments
GET /api/cases/statusis deleted with no replacementGET /api/cases/{{case_id}}/commentsis replaced byGET /api/cases/{{case_id}}/comments/_find, released in v7.13GET /api/cases/<case_id>/user_actionsis replaced byGET /api/cases/<case_id>/user_actions/_find, released in v8.7includeCommentsparameter inGET /api/cases/{{case_id}}is deprecated. UseGET /api/cases/{{case_id}}/comments/_findinstead, released in v7.13
Impact
Using these endpoints will fail with a 404 status code starting from version 9.0.0.
Action
Remove references to the GET /api/cases/status endpoint. Replace references to other endpoints with the replacements listed in the breaking change details.
Removed ephemeral tasks from task manager, action, and alerting plugins.
Details
Ephemeral tasks are now removed. The following settings will no longer have any effect and are now deprecated:
xpack.task_manager.ephemeral_tasks.enabledxpack.task_manager.ephemeral_tasks.request_capacityxpack.alerting.maxEphemeralActionsPerAlert
No action is required on the user's end.
Discover and dashboards
Search sessions disabled by default
Details
Starting from version 9.0.0, search sessions are disabled by default. To view, manage, and restore search sessions, the feature needs to be explicitly re-enabled.
Impact
Search sessions will be disabled unless they are explicitly enabled in config.yml.
Action
If you would like to continue using, managing, and restoring search sessions in 9.0, you’ll need to re-enable the feature in your kibana.yml configuration file. If not, no action is necessary.
To re-enable search sessions, add the following in your config.yml:
data.search.sessions.enabled: true
View #203927.
Saved query privileges have been reworked
Details
Saved query privileges have been reworked to rely solely on a single global savedQueryManagement privilege, and eliminate app-specific overrides (e.g. implicit access with all privilege for Discover, Dashboard, Maps, and Visualize apps). This change simplifies the security model and ensures consistency in the saved query management UI across Kibana, but results in different handling of saved query privileges for new user roles, and minor breaking changes to the existing management UX.
Impact
The savedQueryManagement feature privilege now globally controls access to saved query management for all new user roles. Regardless of privileges for Discover, Dashboard, Maps, or Visualize, new user roles follow this behaviour:
- If
savedQueryManagementisnone, the user cannot see or access the saved query management UI or APIs. - If
savedQueryManagementisread, the user can load queries from the UI and access read APIs, but cannot save queries from the UI or make changes to queries through APIs. - If
savedQueryManagementisall, the user can both load and save queries from the UI and through APIs.
Action
Existing user roles that were previously implicitly granted access to saved queries through the dashboard, discover, visualize, or maps feature privileges will retain that access to prevent breaking changes. While no action is required for existing roles, it’s still advisable to audit relevant roles and re-save them to migrate to the latest privileges model. For new roles, ensure that the savedQueryManagement privilege is set as needed.
View #202863.
Removed `discover:searchFieldsFromSource` setting
The discover:searchFieldsFromSource advanced setting has been removed.
Details
Users can no longer configure Discover to load fields from _source. This is an internal optimization and should have little impact on users. View #202679.
Removed the legacy table in Discover
Details
It's no longer possible to use the legacy documents table in Discover. To that effect, the doc_table:legacy and truncate:maxHeight deprecated advanced settings have been removed. View #201254.
Impact
This is primarily a UX change and should have little impact on Discover users.
Scripted field creation has been disabled in the Data Views management page
Details
The ability to create new scripted fields has been removed from the Data Views management page in 9.0. Existing scripted fields can still be edited or deleted, and the creation UI can be accessed by navigating directly to /app/management/kibana/dataViews/dataView/{dataViewId}/create-field, but we recommend migrating to runtime fields or ES|QL queries instead to prepare for removal.
Impact
It will no longer be possible to create new scripted fields directly from the Data Views management page.
Action
Migrate to runtime fields or ES|QL instead of creating new scripted fields. Existing scripted fields can still be edited or deleted.
Removed `visualization:colorMapping` advanced setting
Details
The visualization:colorMapping advanced setting for TSVB and Visualize charts has been removed. You can switch to Lens charts, which offer a more advanced, per-chart color mapping feature with enhanced configuration options. View #162389.
Elastic Observability solution
Profiling now defaults to 19Hz sampling frequency
Details
View #202278.
Disabled log stream and settings pages
Details
Logs Stream and the logs settings page in Observability are removed. Use the Discover application, which now offers a contextual experience for logs, to explore your logs. The logs stream panel in dashboards is removed, use Discover sessions instead.
View #203996.
Removed Logs Explorer
Details
Logs Explorer has been removed. Instead, you can use Discover, that was improved to provide an optimal logs exploration experience. View #203685.
Elastic Security solution
For the Elastic Security 9.0.0 release information, refer to Elastic Security Solution Release Notes.
Data ingestion and Fleet
Removed deprecated settings API endpoints in Fleet
Details
GET/DELETE/POST enrollment-api-keys: removed in favor ofGET/DELETE/POST enrollment_api_keys- Removed
listproperty fromGET enrollment_api_keysresponse in favor ofitems GET/POST /settings:fleet_server_hostswas removed from the response and body
View #198799.
Removed deprecated Fleet APIs for agents endpoints
Details
Removed API endpoints:
POST /service-tokensin favor ofPOST /service_tokensGET /agent-statusin favorGET /agent_statusPUT /agents/:agentid/reassignin favor ofPOST /agents/:agentid/reassign
Removed deprecated parameters or responses:
- Removed
totalfromGET /agent_statusresponse - Removed
listfromGET /agentsresponse
View #198313.
Removed deprecated `epm` Fleet APIs
Details
- Removed
GET/POST/DELETE /epm/packages/:pkgkeyAPIs in favor ofGET/POST/DELETE /epm/packages/:pkgName/:pkgVersion - Removed
experimentalquery parameter inGET /epm/packagesandGET /epm/categories - Removed
responsein response in* /epm/packages*andGET /epm/categories - Removed
savedObjectin/epm/packagesresponse in favor ofinstallationInfo
View #198434.
Removed deprecated `topics` property for kafka output in favor of the `topic` property
Details
Removed deprecated property topics from output APIs in response and requests ((GET|POST|PUT) /api/fleet/outputs) in favor of the topic property. View #199226.
Limit pagination size to 100 when retrieving full policy or `withAgentCount` in Fleet
Details
In addition to the new pagination limit size of 100, retrieving agent policies without agent count is now the new default behavior, and a new query parameter withAgentCount was added to retrieve the agent count.
View #196887.
Reporting
Reporting uses Kibana feature privileges only to control access to reporting features
In 8.x, the default access control model was based on a built-in role called reporting_user, which granted access to reporting features. Since 7.13, the preferred model for controlling access to reporting features has been Kibana feature privileges, enabled by setting xpack.reporting.roles.enabled: false in kibana.yml.
In 9.0.0, the xpack.reporting.roles.* settings will be ignored.
Impact
The built-in reporting_user role is no longer deprecated and provides access to reporting features using Kibana feature privileges. This means that users that do not have privileges to use reporting will not see reporting features in the Kibana UI.
Action
Use Kibana feature privileges to control access to reporting features.
- The
reporting_userrole is still supported, but gives full access to all reporting features. We recommend creating custom roles with minimal privileges in Stack Management > Roles. - The
xpack.reporting.roles.allowsetting is no longer supported. If you have axpack.reporting.roles.allowvalue in yourkibana.yml, you should remove this setting and assign privileges to reporting features using Kibana feature privileges.
View #200834.
Removed the "Download CSV" export type functionality
Details
The functionality that allowed to download a CSV export from a dashboard's saved search panel without creating a report has been removed. To export CSV data from a dashboard panel, you may use the action menu of a saved search panel in a dashboard to generate a CSV report, and download the report from a toast popup when the report has finished generating.
View #199033.
Kibana management
Upgrade Assistant's reindexing and batch reindexing APIs are now internal
Upgrade Assistant public APIs for reindexing and batch reindexing have been made internal. You should instead use Elasticsearch’s native reindexing APIs for programmatic reindexing.
View #214051.
Kibana security
Removed v1 Security endpoints
All v1 Kibana security HTTP endpoints have been removed.
GET /api/security/v1/logout has been replaced by GET /api/security/logout GET /api/security/v1/oidc/implicit has been replaced by GET /api/security/oidc/implicit GET /api/security/v1/oidc has been replaced by GET /api/security/oidc/callback POST /api/security/v1/oidc has been replaced by POST /api/security/oidc/initiate_login POST /api/security/v1/saml has been replaced by POST /api/security/saml/callback GET /api/security/v1/me has been removed with no replacement.
Impact
Any HTTP API calls to the v1 Kibana security endpoints will fail with a 404 status code starting from version 9.0.0. Third party OIDC and SAML identity providers configured with v1 endpoints will no longer work.
Action
Update any OIDC and SAML identity providers to reference the corresponding replacement endpoint listed above. Remove references to the /api/security/v1/me endpoint from any automations, applications, tooling, and scripts.
View #199656.
Removed default `--openssl-legacy-provider`
Details
Legacy OpenSSL algorithms have been disabled by default. Further information on which algorithms can be found at https://docs.openssl.org/3.0/man7/OSSL_PROVIDER-legacy. These can be re-enabled by adding --openssl-legacy-provider to $KBN_PATH_CONF/node.options. View #213123.
Removed `TLSv1.1` from the default set of supported protocols
Details
View #203856.