Search Guard 6.x-20.0
Release Date: 22.12.2017
Search Guard SSL
- Disable client initiated TLS renegotiation by default
- Disable HTTP compression by default when https is enabled
Search Guard Core
- Search Guard ships as Enterprise Edition by default
- All enterprise modules are already contained in the plugin
- You don’t need to download and install them manually anymore
- Search Guard Community Edition switch
- Enable the Community Edition by adding a switch in elasticsearch.yml
- Improved the demo installer for easy PoC setup
- If configured, Search Guard initializes its index automatically if it’s not present
- Usage of the Search Guard certificates generated by the demo installer must be allowed explicitly
- Production safeguard
- Full Cross Cluster Search support
- Full support for Custom authentication modules
- Authenticators can be enabled and disabled for REST and transport individually
- Custom user attributes for index names and DLS queries
- Use additional properties from authentication backends for variable substitution
- For example, use a JWT claim value directly in an index name or DLS query
- User impersonation on REST layer
- Role Mapping Modes
- You can now map backend roles to Search Guard roles directly
- Made PEM certificates a first class citizen
- BREAKING: Alias checks on index-level
- You can only create aliases on indices you have permissions for
- whoami switch for sgadmin
- Outputs information about the certificate in use, useful for debugging
License system, license checks
- Introduced License Handling
- Added endpoint for license and installed modules: https://<host>:<http_port>/_searchguard/license
- Removed fallback to default authenticator
- If no authentication domain is configured, Search Guard will now raise an error
REST management API
- Introduced role-based access control
- You can configure which roles have access to the API in elasticsearch.yml
- If the Search Guard index is initialized, access is possible without an admin certificate
- Access control for endpoints and methods
- You can grant roles permissions for specific endpoints and methods
- For example, allow viewing roles, but disallow changing or deleting them
- Globally disable endpoints and methods
- Reserved resources
- Any resource, like users, roles or permissions, can be marked as read-only
- Read-only permissions are not changeable by the REST API
- Use this to protect resources like the Kibana server user
BREAKING: Audit logging
- Completely revised the Audit Log Module
- Since the structure of the events has changed, the new default index name is auditlog6
- Events can be tracked on REST-layer, transport-layer or both
- Events can be skipped based on their action (transport layer) and/or REST request path (REST layer)
- You can configure whether sub-requests for bulk requests should be stored separately
- Previously, sub-requests were added to the original event as numbered fields
- This leads to field limit problems for huge bulk requests
- Sub-requests can now be logged as separate events and then correlated
- Events can now be correlated by a task_id field
- Introduced new category GRANTED_PRIVILEGES
- Previously, both successful authentication events and other successful requests were logged in the AUTHENTICATED category
- Successful authentication events are still written to the AUTHENTICATED category
- Other successful events are written to the GRANTED_PRIVILEGES category
- Improved back-pressure handling
- Configurable queue sizes
- Added PEM support for external_elasticsearch and webhook storage types
- Added log4j storage type
- Use log4j appenders as event sink, e.g. SNMP
Document-Level security
- Use custom user attributes for dynamic DLS queries
- This makes it possible to write powerful dynamic queries based on user attributes
- For example, JWT claims
- For example, LDAP attributes
JWT
- All claims are added as custom user attributes with the attr.jwt. prefix
- Can be used as variables in DLS queries and index names
Active Directory / LDAP
- All attributes of the user entry are added as custom user attributes with the ldap.ldap. prefix
- Can be used as variables in DLS queries and index names
Known Issues
- Warning message on install about missing sha512 checksum