Search Guard FLX 1.6.0

Release Date: 2024-02-05

This is a new minor release of Search Guard FLX.

It brings one breaking change, some new features, some bug fixes, and updates a number of dependencies.

New features

Auth Token cache should be configurable

You can now configure the Auth Token cache.

Config Vars: Support for base 64 and bcrypt encoding

Pipe expressions can be used to transform values of configuration variables.

Signals: Global configuration for proxy settings

It is now possible to manage proxies via an API and then reference them in watches.

Signals: Operator view

Introduces a new separate operator view which gives an overview over the current status of the watches and focuses on current issues.


Make error message about missing_permissions less verbose

This is a breaking change.

So far, error responses related to security exceptions have always included the missing_permissions attribute. From now on it will be hidden by default. If you want these details to be included, you must enable authorization debugging mode.

Support for json_file variable resolver

Adds a new variable resolver json_file that reads JSON files and provides their structure.

Misleading error message when using private tenant with Signals search API

Fixes a confusing error message that was returned when a user tried to use Signals with a private tenant.

Added explicit ldap_search_operation metrics

Adds explicit metrics about LDAP search operations.

Enforce absolute paths for login page branding images

Improves login page branding images validation so that only absolute paths are accepted.

AuthTokenService generates signing key but does not use it

Auth tokens are signed with default signing key in case of no explicit configuration.

Improve validation in case tenant does not exist

Improves validation of tenants pointed in role permissions.

Bug fixes

_analyze API fails to execute in SG FLX if no index is provided

Fixes handling of requests sent to the _analyze API when no index is specified.

Cannot delete configuration by type using request DELETE /_searchguard/config/authc

Fixes an endpoint which handles removal of the authc configuration.

Headers are not case-insensitive

Fixes improper handling of HTTP Headers.

Remove truststore only when it’s not used by any watch

Allows removal of truststore only when it’s not in use.

sg_frontend_multi_tenancy.yml in the example config directory is using the wrong format

Corrects an example of the frontend multi tenancy configuration.

Node startup fails if there are files larger than 2 GB in the elasticsearch/config directory or subdirectories

Fixes a java.lang.OutOfMemoryError error that could occur when loading demo certificates on startup.