Changelog for Search Guard 7.x-41.0.0

Release Date: 05.05.2020

• Upgrade Guide from 6.x to 7.x

Features

• JWT: Support for nested keys
  • Makes it possible to extract username and roles from a nested JSON structure by using JSON Path expressions
  • Tracking number: SGD-19
    
    
• Introduce “skip_users” for all authenticators and authorizers
  • Makes it possible to skip certain users globally when performing authc/authz
  • Tracking number: SGD-15
    
    
• Block users on a global level
  • Makes it possible to block user accounts on a global level
  • Tracking number: SGD-335
    
    
• IP filtering
  • Makes it possible to block IPs and netmasks on a global level
  • Tracking number: SGD-302
    
    
• Signals: Implement watch id and tenant as runtime attribute
  • The watch id and the tenant attributes can now be used in Painless scripts
  • Tracking number: SGD-446
    
    
• Signals: Add a flag to Execute Watch REST API which allows to view scope of scripts
  • If show_all_runtime_attributesis set to true, the API response will contain the the complete set of attributes that are available to scripts and templates after all checks have been finished.
  • Tracking number: SGD-443
    
    
• Added support for X-Pack SQL
  • Makes it possible to use X-Pack SQL with Search Guard
  • Tracking number: SGD-23

Fixes

• Signals: Broken InternalAuthTokenProvider due to all nodes believing they are master on startup
  • During Signals startup, under certain circumstances, more than one node may start to create Signals indices
  • This has no runtime impact, but leads to exceptions in the logs
  • Tracking number: SGD-225
    
    
• Signals: Painless whitelist and Mustache map attributes disagree about the structure of SeverityMapping.EvaluationResult
  • Tracking number: SGD-452
    
    
• Signals: Monthly trigger allows only to configure the day of month 1 to 12
  • Tracking number: SGD-449
    
    
• Update Jackson Databind
  • Jackson reports a security vulnerability which affects jackson-databind-2.8.11.1
  • Search Guard is not affected by this vulnerability:
    • No direct input from untrusted sources, no polymorphic type deserialisation, not use of “gadget types” in JSON POJOs
  • Jackson has been upgraded nonetheless in Search Guard and the TLS Tool

Security Fixes

• n/a