[DOCS] Add more detail to the license expiration documentation

[mbarretta]

The current License Expiration documentation has very few details on the consequences of expiration to the product security features.

In the case of Transforms, it's not clear if the documentation is correct: it says no new transforms can be created, but transforms are listed as a Basic feature.

I think the docs should explain the impact to each of the gold+ features. This is the list of product security features:

• Kibana sub-feature privileges
• Prelogin access agreement
• Elasticsearch audit logging
• Kibana audit logging
• IP filtering
• LDAP, PKI3, Active Directory authentication
• Elasticsearch Token Service
• Single sign-on (SAML, OpenID Connect, Kerberos)
• Attribute-based access control
• Field- and document-level security
• Custom authentication & authorization realms
• Encryption at rest support
• FIPS 140-2 mode

One example of improved detail is around [DF]LS. A brief conversation with @bytebilly confirmed that roles w/ [DF]LS settings will be disabled upon expiration. I'd also expect you wouldn't be able to create new roles with those settings. But could you modify those roles to remove the [DF]LS settings?

Impact of license expiration is a common customer ask.

[elasticmachine]

Pinging @elastic/kibana-docs (Team:Docs)

[jportner]

Related: we have an open issue to research the impact of license expiration and ensure that Kibana Security features behave "as expected" (#74646).

Some of the things you've outlined are Elasticsearch Security features that might be accessed through Kibana (such as "Field- and document-level security" and "FIPS 140-2 mode"), do you think those should be covered in the Kibana documentation? FWIW, it looks like the ES docs link back to the Kibana docs page for license expiration, but I don't really like that: https://www.elastic.co/guide/en/elasticsearch/reference/current/update-license.html

[mbarretta]

do you think those should be covered in the Kibana documentation?

Yeah, it seemed that the Kibana docs were the most comprehensive; didn't know the ES ones explicitly linked to them. We don't really have "platform" documentation that deals with these pan-product issues, so figure we should at least make this page more complete.

And thanks for linking that other expiration issue!

[jrodewig]

We don't really have "platform" documentation that deals with these pan-product issues, so figure we should at least make this page more complete.

In the long term, we want to create these type of docs. In the meantime, would there be any issues with moving this documentation to the Elasticsearch Guide and using that page as a "one-stop shop" for license management?

I think there are a few compelling reasons for this:

• We're using the Elasticsearch Guide to host more pan-documentation. For example, Secure the Elastic Stack.
• The Elasticsearch Guide tends to rank higher from an SEO perspective.
• Most other information regarding license management are in the Elasticsearch Guide.

Regardless of where we host it, I think keeping this information for every Elastic product on a single page provides the best experience for users.

I'm unlikely to have the bandwidth to handle this work right now, but I can work with @gchaps and other tech writers to migrate and update these docs at a later point.

[mbarretta]

In the meantime, would there be any issues with moving this documentation to the Elasticsearch Guide and using that page as a "one-stop shop" for license management?

Not to me, but certainly not my decision. Maybe @sajjadwahmed and/or @VijayDoshi or PMs from their team?

[bytebilly]

Impact of license expiration is a common customer ask.

I'm curious about the reason to make license expiration behavior a common ask. I would expect customers to renew their license in time, or to revert permanently to Basic in case they don't want to renew.

"Temporary" expiration sounds like something that should not happen often. Is that a way to leverage previously paid features, leveraging the lenient approach we had in the past? Is there another reason?

I'm not opposed to documentation, I'm just trying to figure out which problem are we addressing.

[mbarretta]

There are a few reasons why prospects/customers would want to know what happens when a license expires. The two most common I see are:

1. As general due diligence to understand what level of "lock-in" there might be should they decide the subscription is ultimately not in their interest. Are indices from Transforms or Alerts deleted? Are users/roles deleted and the cluster left open? If it reverts to Basic, what specifically happens to each higher licensed feature so I know what I'd need to do to prepare should I stop my subscription.
2. Procurement isn't always timely, and licenses can expire even when the users don't want it to. It often happens in government (and might in commercial too, though I don't know) where the folks who pay the bills are a different organization than the ones using it. Due either to oversight (renewal paperwork was missed), unclear responsibilities (is this something I pay or they pay?), budgeting battles (is this still approved? Is there a cheaper alternative?), or any other myriad of reasons, a renewal is delayed. Sometimes for months.

Is that a way to leverage previously paid features, leveraging the lenient approach we had in the past? Is there another reason?

I'm not sure what this means. When the license expires, there are code-level implications that bypass any attempt at leniency.

The problem this solves is two-fold:

• lack of an accurate description of system behavior that impacts hundreds (more?) of features in the stack
• uncertainty in field teams and product teams as to the specifics, which are necessary when talking with users per at least two reasons I listed above

[mbarretta]

Looks like ECE license docs point here too: https://www.elastic.co/guide/en/cloud-enterprise/current/ece-add-license.html#ece_licenses_expiration

[stacydrumm]

When negotiating renewals, customers often come right up to the deadline and sometimes over it. Being able to warn customer that a feature they use will shut down upon license expiration is powerful incentive to renew on time. Recently a customer's license expired. 2 days later they let us know that ILM had stopped working and their indices had ballooned. Halt of ILM upon license expiration wasn't documented. If it had been, it would have been very powerful incentive for them to renew on time.

[woodywalton]

+1-ing on the need for clearer docs around license fallback. Had a prospect (whom we are positioning for Enterprise and Searchable Snapshots due to their multi-year retention needs) ask yesterday what happens to our data if we don't/can't renew the subscription. It took some internal investigations to find out that the Searchable Snaphots essentially unmount and become plain old unsearchable snapshots.

[mbarretta]

I'm going to reopen this as I don't see anything in https://github.com/elastic/kibana/pull/131474 or https://github.com/elastic/elasticsearch/pull/79671 that describes what happens when a license expires: what features are disabled and what state those features (e.g. document level security) are left in as a result

[smgduncan]

Would like to upvote this one - the ANZ Sales Team has asked for some clarity around this, as an incentive to encourage customers to renew promptly.

I note as of 8.2 the information on the documentation has been reduced even further. 8.1: https://www.elastic.co/guide/en/kibana/8.1/managing-licenses.html#license-expiration provided some breakdown (albeit it did not look complete) - 8.2 and later simply states :

License expiration

Licenses are valid for a specific time period. 30 days before the license expiration date, Elasticsearch starts logging expiration warnings. If monitoring is enabled, expiration warnings are displayed prominently in Kibana.

If your license expires, your subscription level reverts to Basic and you will no longer be able to use Platinum or Enterprise features.

https://www.elastic.co/guide/en/kibana/8.2/managing-licenses.html#license-expiration

In addition to the security features Mike has listed above, I've been unable to find any documentation around what happens to features such as Searchable Snapshot / Frozen and CCR?

Also a bit concerned about @stacydrumm comment above that ILM stopped working - the Subscriptions page lists ILM as basic - perhaps that policy included use of searchable snapshots or similar?

So I'd definitely like to 'upvote' getting the docs improved in this area!

[tris325]

Just wanted to mention that we have heard this request from the federal agencies I support as well, something simple but clear cut that spells out exactly what happens when license expires.

[lukeelmers]

I agree it would be helpful to clearly spell out the impact of an expired license. However, getting a comprehensive list together is going to involve a bit of coordination across teams.

From a customer perspective, there's not always a clear difference between a Kibana feature and an Elasticsearch feature -- the end result is that something is broken in the Kibana UI. But on the Kibana side, the distinction between the two is important.

For subscription features that are in Kibana, we'd need to go around to each team that owns those features to assess the impact of an expired license. In most cases, my guess would be that these features stop working entirely as soon as Elasticsearch marks a license as no longer active. The licensing service that plugins use to check the license status is pretty much pulling this info directly from ES. So as soon as a status changes to invalid or expired, I’d expect the majority of features to stop working or disappear.

For subscription features that are in Elasticsearch but accessed through Kibana, we'd similarly need to work our way through each team that owns a plugin depending on those features. However, I'm less confident that teams are proactively performing license checks for these features on the Kibana side, meaning it's quite likely that an Elasticsearch feature could start failing but not be handled gracefully by Kibana.

Overall, I expect this would require an audit by each team contributing to Kibana (similar to what Platform Security is doing in https://github.com/elastic/kibana/issues/74646) in order to have confidence that the expected behavior is fully documented.

cc @VijayDoshi @rayafratkina for awareness

[rayafratkina]

Definitely ++ to thinking holistically of what users will experience once the license expires. Reading through the comments, I think we need to primarily clarify what happens with data and access on license expiration. For all other features, I think "they will stop working" is a good enough answer.

Since https://github.com/elastic/kibana/issues/74646 already addresses the access questions, ++ @sajjadwahmed @cjcenizal to look into what happens to data and data administration capabilities.

[mbarretta]

I encourage an expansive take on this. As an example, w.r.t. Transforms: does "stop working" mean:

• existing jobs stop running? if so, are they stopped automatically first or somehow disabled behind the scenes?
• existing jobs cannot be modified (stopped, etc)
• existing jobs cannot be deleted
• new jobs cannot be created

These are the detailed questions we see from our users, and a broad "it just stops working" doesn't provide the necessary detail to answer.

[smgduncan]

To echo Mike's point - similarly around the SSO / Security aspects. The docs say 'it stops working' but I've heard rumours (from our Sales reps) that we don't immediately block cluster access on license expiry - e.g. SSO will continue to work. So far I've not been able to find a clear statement around this, either internal or external. This aligns with the comment by @rayafratkina above, but even from reading #74646 I'm not 100% clear on whether access stops working, or you just get a warning in Kibana?

[mbarretta]

The docs have removed details vs adding them. As of 8.9, the full text is:

If your license expires, your subscription level reverts to Basic and you will no longer be able to use Platinum or Enterprise features.

What does it mean to "no longer be able to use"? To restate points from above:

• Can users no longer login if authn/z was using a SAML provider? Or can everyone login?
• If using Basic RBAC with DLS, would DLS still be enforced or could anyone see everything?
• Would ML jobs continue to run or would all jobs be stopped?
• Would fully/partially mounted indices automatically unmount? Would fully mounted (i.e. cold) indices be queryable at all or just default to a zero replica index?
• Do ILM policies become disabled or just no longer able to be created/modified?
• etc etc

The "cost" of ending a subscription is part of the analysis before starting one.

[mbarretta]

Bump on this. @skearns64 FYI