Search Guard - Enterprise Security for Elasticsearch

Search Guard 6.x-20.0

Release Date: 22.12.2017

Upgrade Guide from 5.x to 6.x

Search Guard SSL

  • Disable client initiated TLS renegotiation by default
  • Disable HTTP compression by default when https is enabled

Search Guard Core

  • Search Guard ships as Enterprise Edition by default
    • All enterprise modules are already contained in the plugin
    • You don’t need to download and install them manually anymore
  • Search Guard Community Edition switch
    • Enable the Community Edition by adding a switch in elasticsearch.yml
  • Improved the demo installer installer for easy PoC setup
    • If configured, Search Guard initializes its index automatically if it’s not present
  • Usage of the Search Guard certificates generated by the demo installer must be allowed explicitely
    • Production safeguard
  • Full Cross Cluster Search support
  • Full support for Custom authentication modules
  • Authenticators can be enabled and disabled for REST and transport individually
  • Custom user attributes for index names and DLS queries
    • Use additional properties from authentication backends for variable substitution
    • For example, use a JWT claim value directly in an index name or DLS query
  • User impersonation on REST layer
  • Role Mapping Modes
    • You can now map backend roles to Search Guard roles directly
  • Made PEM certificates a first class citizen
  • BREAKING: Alias checks on index-level
    • You can only create aliases on indices you have permissions for
  • whoami switch for sgadmin
    • Outputs infos regarding the used certificate, useful for debugging License system, license checks
  • Introduced License Handling
  • Added endpoint for license and installed modules
    • https://<host>:<http_port>/_searchguard/license
  • Removed fallback to default authenticator
    • If no authentication domain is configured, Search Guard will now raise an error

REST management API

  • Introduced role-based access control
    • You can configure which roles have access to the API in elasticsearch.yml
    • If the Search Guard index is initialized, access is possible without an admin certificate
  • Access control for endpoints and methods
    • You can grant roles permissions for specific endpoints and methods
    • For example, allow to view roles, but disallow to change or delete them
  • Globally disable endpoints and methods
  • Reserved resources
    • Any resource, like users, role or permissions, can be marked as read-only
    • read-only permissions are not changeable by the REST API
    • Use to protected resources like the Kibana server user

BREAKING: Audit logging

  • Completely revised the Audit Log Module
    • Since the structure of the events has changed, the new default index name is auditlog6
  • Events can be tracked on REST-layer, transport-layer or both
  • Events can be skipped based on their action (transport layer) and/or REST request path (REST layer)
  • You can configure whether sub-requests for bulk requests should be stored separately
    • Before, sub-requests have been added to the original event as numbered fields
    • This leads to field limit problems for huge bulk requests
    • Sub-requests can now be logged as separate events and then correlated
  • Events can now be correlated by a field task_id
  • Introduced new category GRANTED_PRIVILEGES
    • Before, both succesfull authentication events and other successfull requests have been logged in the AUTHENTICATED category
    • Succesfull authentication events are still written to the AUTHENTICATED category
    • Other successfull events are written to the GRANTED_PRIVILEGES category
  • Improved back-pressure handling
  • Configurable queue sizes
  • Added PEM support for external_elasticsearch and webhook storage types
  • Added PEM support for external_elasticsearch and webhook storage types
  • Added log4j storage type
    • Use log4j appenders as event sink, e.g. SNMP

Document-Level security

  • Use custom user attributes for dynamic DLS queries
  • This makes it possible to write powerful dynamic queries based on user attributes
  • For example, JWT claims
  • For example, LDAP attributes

JWT

  • All claims are added as custom user attributes with the attr.jwt. prefix
  • Can be used as variables in DLS queries and index names

Active Directory / LDAP

  • All attributes of the user entry are added as custom user attributes with the ldap.ldap. prefix
  • Can be used as variables in DLS queries and index names

Known Issues

  • Warning message on install about missing sha512 checksum