Changelog for Search Guard 7.x-42.0.0

Release Date: 01.06.2020

New Features


  • Block support for Slack actions
    • Slack actions can now send messages with rich formatting and functionality using Slack blocks and attachments.
    • Note: This feature is currently only available when configuring watches via REST API. It is not available in the config UI.

  • Attachement support fo email actions
    • E-mail actions can be configured to add attachments to mails. Sources for the attachments can be HTTP endpoints or the Signals runtime data.
    • Note: This feature is currently only available when configuring watches via REST API. It is not available in the config UI.

Document- and Field-Level-Security

  • Make it possible for a role without filters to overwrite other roles

  • Field anonymization: Configure salt dynamically
    • Until this release the salt for field anonymization had to be set in elasticsearch.yml and was not changeable at runtime
    • You can now specify a salt also in sg_config.yml which is changeable at runtime
    • The salt can be set via the key sg_config.dynamic.field_anonymization_salt2: "<salt>"
    • To enable this feature, add the following line to elasticsearch.yml: searchguard.compliance.local_hashing_enabled: true


Search Guard Core

  • LDAP2: Use Unbound SDK only
    • The new ldap2 module now uses the Unbound SDK directly, omitting ldaptive altogether
    • This module will become the default LDAP implementation in Search Guard 8

Bug Fixes


  • Fix CCS authentication for Signals watches
    • Performing a cross cluster search from a Signals watch would not propagate authentication information to the remote cluster correctly. Thus, if the remote cluster requires authentication, the search would fail.
    • Note: Right now, this is only supported if the remote cluster is running Search Guard 7 as well.

Search Guard Core

  • Fix SSL log file entries
    • Elasticsearch logs would be sometimes spammed with “connection reset” errors even if they are uncritical.

Security Fixes

Search Guard Core

  • REST API: Don’t log sensitive information to the console
    • In some cases the REST API would print a password hash on the command line when the user updates his/her password and input was faulty
    • This would only be visible to the user actually changing the password


  • Prevent access to saved objects definitions
    • The default permissions for Kibana users no longer grant access to indexes matching the pattern .kibana_*, as this would allow users to access the configuration indexes of Kibana tenants they don’t have permission to access.
    • This affects only the definition of saved objects, actual data is not leaked