Changelog for Search Guard 7.x-42.0.0
Release Date: 01.06.2020
New Features
Signals
- Block support for Slack actions
- Slack actions can now send messages with rich formatting and functionality using Slack blocks and attachments.
- Note: This feature is currently only available when configuring watches via REST API. It is not available in the config UI.
- Attachment support for email actions
- E-mail actions can be configured to add attachments to mails. Sources for the attachments can be HTTP endpoints or the Signals runtime data.
- Note: This feature is currently only available when configuring watches via REST API. It is not available in the config UI.
- Support for HTML body format in email actions
- E-mail actions now support a new attribute html_body in order to send HTML formatted mails.
Document- and Field-Level-Security
- Add a static prefix to anonymized fields
- This can be set in elasticsearch.yml via searchguard.compliance.mask_prefix: "<prefix>"
- Make it possible for a role without filters to overwrite other roles
- If a role has no DLS / FLS or FA filters, you can choose to have this role overwrite restrictions from other roles
- This can be enabled in elasticsearch.yml via:
searchguard.dfm_empty_overrides_all: true
- Effects on DLS
- Effects on FLS
- Effects on Field Anonymization
- Field anonymization: Configure salt dynamically
- Until this release, the salt for field anonymization had to be set in elasticsearch.yml and could not be changed at runtime
- You can now also specify a salt in sg_config.yml, which can be changed at runtime
- The salt can be set via the key
sg_config.dynamic.field_anonymization_salt2: "<salt>"
- To enable this feature, add the following line to elasticsearch.yml:
searchguard.compliance.local_hashing_enabled: true
Improvements
Search Guard Core
- LDAP2: Use Unbound SDK only
- The new ldap2 module now uses the Unbound SDK directly, omitting ldaptive altogether
- This module will become the default LDAP implementation in Search Guard 8
Bug Fixes
Signals
- Fix CCS authentication for Signals watches
- Performing a cross cluster search from a Signals watch would not propagate authentication information to the remote cluster correctly. Thus, if the remote cluster requires authentication, the search would fail.
- Note: Right now, this is only supported if the remote cluster is running Search Guard 7 as well.
Search Guard Core
- Fix SSL log file entries
- Elasticsearch logs would sometimes be spammed with “connection reset” errors even when they were not critical.
Security Fixes
Search Guard Core
- REST API: Don’t log sensitive information to the console
- In some cases the REST API would print a password hash on the command line when a user updated their password and the input was faulty
- This would only be visible to the user actually changing the password
Multi Tenancy
- Prevent access to saved objects definitions
- The default permissions for Kibana users no longer grant access to indexes matching the pattern .kibana_*, as this would allow users to access the configuration indexes of Kibana tenants they don’t have permission to access.
- This affects only the definition of saved objects, actual data is not leaked