Changelog for Search Guard 7.x-36.0.0
Release Date: 23.07.2019
Security Fixes
n/a
Features
- Introduce search_guard_roles for internal users (PR #706)
  - This makes it possible to assign Search Guard roles directly to internal users without the need for using the role mapping
  - Internal users database
- Added searchguard.filter_sgindex_from_all_requests option in elasticsearch.yml to filter out the searchguard index from all-index requests
  - When set to true, Search Guard will under the hood filter out the searchguard index from requests targeting all indices like * or _all
  - Default is false to avoid making this a breaking change (will be true by default in future releases)
- Added ChaCha20 support for TLS 1.2 (Commit 2e99232)
  - This requires Oracle JDK >= 12 or OpenSSL 1.1.1
- Make it possible to disable built-in roles (PR #708)
  - Search Guard 7 introduced new static built-in resources like roles and action groups. For backwards-compatibility with Search Guard 6, the static resources can be disabled in elasticsearch.yml by setting:
    searchguard.unsupported.load_static_resources: false
Fixes
- [BREAKING] Use “backend_roles” instead of “roles” for the authinfo endpoint (PR #707)
  - In the JSON returned by the authinfo endpoint, “roles” has been renamed to “backend_roles” to make it clear that the listed roles are not Search Guard roles.
- Fixed build pipeline to circumvent wrong plugin version info
- Fix default permissions to allow Index Lifecycle Management (ILM) for logstash user and beats
  - GitHub #694: Beats With ILM Enabled Failed To check For Alias: 403
  - (PR #713: Cleanup and redefine logstash and ILM roles and action groups)
  - Also added new default action groups
    - SGS_CLUSTER_MANAGE_ILM
    - SGS_CLUSTER_READ_ILM
    - SGS_INDICES_MANAGE_ILM
    - SGS_CLUSTER_MANAGE_INDEX_TEMPLATES
    - SGS_CLUSTER_MANAGE_PIPELINES
- Fixed tenants not being handled correctly when using impersonation
- Fix JSON unescaping bug which caused issues when JWK KIDs contained forward slashes
- Better tolerate SAML IdP problems upon startup
- Dependency updates
  - Update Bouncycastle to 1.62
  - Update Jackson databind dependency to 2.9.9
  - Update Kafka client dependency to 2.0.1 (along with spring-kafka-test)
  - Upgrade CXF to 3.2.9
- Fix index resolution for *,-index like patterns
- [REGRESSION] Respect also non-dn usernames when skipping users for LDAP authorization in ldap2 backend
- Fix access control exception with ldap2 backend
- Added cluster:admin/xpack/monitoring* permission to SGS_LOGSTASH. This was missing and caused Logstash monitoring to not work in Kibana. PR #709: Better tolerate IdP problems upon startup
- Fix built-in roles to work with xp monitoring when multi cluster monitoring is supported
- Validate all config files before uploading them via sgadmin and make sure yaml parser does not tolerate duplicate keys
- Include error details in “details” field in case the submitted payload is unparseable, renamed internal method