Ignore xpack.security.enabled setting

[kobelb]

With the introduction of Kibana's RBAC, we changed the docs to recommend that users no longer set xpack.security.enabled: false

Do not set this to false; it disables the login form, user and role management screens, and authorization using Kibana privileges. To disable security features entirely, see Elasticsearch security settings.

However, we didn't deprecate this setting as we weren't confident that certain use-cases weren't enabled by xpack.security.enabled: false. I haven't heard of any valid use-cases where we continue to need this setting, so we should deprecate it and then remove it in 8.0

Related: #89584

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[watson]

Today we only surface the deprecation notice if this setting is set to false. Since we want this to be controlled 100% by Elasticsearch, shouldn't we also surface the deprecation notice if this is set to true - i.e. just if it's present? cc @jportner

[jportner]

Today we only surface the deprecation notice if this setting is set to false. Since we want this to be controlled 100% by Elasticsearch, shouldn't we also surface the deprecation notice if this is set to true - i.e. just if it's present? cc @jportner

Yeah, I think that makes sense. Let's change the deprecation in 7.x accordingly.

Note, the Core team has an open issue to prevent plugins from being disabled in 8.0+ (including spaces and security): #89584

[watson]

Let's change the deprecation in 7.x accordingly.

And in master as well, right? This deprecation notice is currently present both in 7.x and master

[jportner]

And in master as well, right? This deprecation notice is currently present both in 7.x and master

Ah, the deprecation can be removed from master. I doubt the Core team will be doing that for us in their PR, so we should probably do it.