Search Guard 6.x-24.0
Release Date: 20.12.2018
Security Fixes
Field anonymization
- Field anonymization: Added support for string arrays
- Until now, string content within arrays was not masked/anonymized
- 4af8dde
DLS/FLS
- DLS/FLS: Fix field capabilities API and get mapping when FLS is activated
- Until now, the field caps and mapping APIs leaked field names (not values) for fields the user is not allowed to see because FLS was activated
- PR #17
Fixes
Search Guard
- Impersonation: Only one authentication domain used for impersonated user lookup
- Only the domain which authenticated the user in the first place was considered for impersonation
- PR #597
- Core: username_attribute is now also supported for Transport authentication
- Core: Log more information when authentication has finally failed
- Include the remote address in the log message
- PR #595
sgadmin
- sgadmin: sgadmin now prints the stack trace in case of an error
- The stack trace is now printed to stdout instead of stderr
- PR #598
LDAP
- LDAP: Fix LDAP hostname verification
- Hostname verification can now be properly turned off
- PR #21
- LDAP: Skipping users for authz not working as expected
- LDAP authenticated users were not skipped properly
- PR #16
SAML
- SAML: IdP initiated SSO throws an error in Kibana (requires Kibana Plugin v17 or newer)
- The acsEndpoint was added to the authtoken call used by SAML
- PR #23
REST API
- REST API should support the username attribute
- The username attribute supports usernames containing dots
- PR #20
Features
Audit logging
- Audit logging: The index now has an additional @timestamp field
- Audit logging: Implemented retry for all auditlog sinks
- Non-persistent retry capabilities for sinks which can occasionally fail
- PR #19
Field anonymization
- Field anonymization: Custom field anonymization
- More fine-grained control over which parts of a field value should be anonymized
- Alternative hashing algorithms can now be configured
- 4af8dde
DLS/FLS
- DLS/FLS: Add support for ${user.roles} property for DLS
- ${user.roles} will expand to a comma-delimited list of the backend roles of the current user
- 74f292c
REST API
- REST API: Password rules for REST API
- It’s now possible to configure a regex to define minimum requirements for passwords
- PR #14
- REST API: Validate masked fields when a regex or custom hashing algorithm is used