Version: SG Tech Preview

Search Guard Tech Preview Documentation

Welcome to the preview of the next generation of Search Guard! We provide this preview to give you an impression of the changes and an opportunity to test them and give feedback.

Please note that this preview is not yet ready for use in production systems. It might have bugs. Also, we might decide to introduce further breaking changes before the release.

What’s New

This technical preview brings a number of fundamental improvements and updates to Search Guard. These require breaking changes in the configuration format.

Major changes include:

  • The first version of Search Guard which brings support for OpenSearch and OpenSearch Dashboards.
  • Completely new approach for logging into Dashboards/Kibana. Logged-in users now get an actual server-side session. This fixes a number of issues, such as:
    • Issues with cookies exceeding the browser size limit.
    • The “logout” menu item is able to invalidate the session. Thus, session cookies cannot be re-used any more.
    • Configuration of SSO using OIDC or SAML for Dashboards/Kibana no longer interferes with backend authentication configuration. Thus, you can now have challenging basic authentication on the backend while using OIDC or SAML for Dashboards/Kibana.
    • The configuration format is now more streamlined and consistent.
    • Dashboards/Kibana authentication configuration can be changed without having to restart the node.
  • New administration tool sgctl which shall replace sgadmin. sgctl is stateful; that means, you can define connection profiles once and use these later. Thus, you don’t have to specify all connection configuration on each invocation. The interface of sgctl is more streamlined and offers you improved configuration validation functionality.

Download

You can get the current snapshot of the Search Guard Tech Preview at the following locations. If you choose to use the demo installer, you just need to download the script. The script will take care of downloading all further components.

| Target Platform | Backend Plugin | Frontend Plugin | Demo Installer |
| --- | --- | --- | --- |
| OpenSearch 1.0.0 | Search Guard OpenSearch Plugin TP2 | Search Guard OpenSearch Dashboards Plugin TP2 | Demo Installer TP2 |
| Elasticsearch 7.10.2 | Search Guard Elasticsearch Plugin TP2 | Search Guard Kibana Plugin TP2 | Demo Installer TP2 |
| Elasticsearch 7.14.1 | Search Guard Elasticsearch Plugin TP2 | Search Guard Kibana Plugin TP2 | Demo Installer TP2 |

Platform Independent: Search Guard Control Tool sgctl 0.1.1

Getting Started

You have several options to try the Search Guard Tech Preview:

  • If you want to start with a quick test of a fresh installation on your local system, you can use the Search Guard Demo Installer.

  • If you have an existing Search Guard setup and want to test its configuration with the Search Guard Tech Preview, you can use the migrate-config command of sgctl. Please also review the list of breaking changes below.

See the documentation on Dashboards/Kibana Authentication for a comprehensive overview of the new possibilities Search Guard offers.

Documentation on how to use the sgctl command can be found in the README.

Breaking Changes

There have been a number of breaking changes to the Search Guard configuration. Some don’t require config changes, some can be migrated automatically using the sgctl migrate command, and some still need manual intervention.

The breaking changes so far include:

  • The old style user attributes (attr.ldap...., attr.jwt..., etc) are not supported any more for users logging in via Kibana. You need to use new style user attributes (user.attrs....) instead. See the chapters on DLS and Roles for details.

  • Support for OpenSSL was removed from Search Guard quite a while ago. Now the configuration options, which were simply ignored in the meantime, have also been removed. Thus, if you have any searchguard settings in elasticsearch.yml mentioning openssl, you need to remove them.

  • The do_not_fail_on_forbidden setting in sg_config is now active by default.

  • Search Guard no longer warns about filtered alias settings.

  • A comprehensive overview of the changes regarding authenticator configuration in Kibana can be found here.
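
A pre-upgrade check for two of the breaking changes above, as an added example (not part of Search Guard or sgctl): it reports searchguard settings in elasticsearch.yml that mention openssl, in flat or nested YAML form, and old-style attr.* references in a roles file. The sample setting names, the role layout and the `${...}` placeholder syntax are constructed sample input, and the YAML handling is a simplified reader that assumes block-style mappings.

```python
import re

# Old-style user attribute references named on the page: attr.ldap.<x>, attr.jwt.<x>, etc.
OLD_ATTR = re.compile(r"\battr\.[A-Za-z_]+\.[\w-]+")

def flatten_yaml_keys(text):
    """Yield (line_no, dotted_key, value) for block-style YAML mappings; list items are skipped."""
    stack = []  # (indent, key) of the enclosing mappings
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        body = line.lstrip()
        if not body or body[0] in "#-" or ":" not in body:
            continue
        indent = len(line) - len(body)
        key, _, value = body.partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indentation
        stack.append((indent, key.strip()))
        yield no, ".".join(k for _, k in stack), value.strip()

def find_openssl_settings(es_yml):
    """Return (line_no, key) for searchguard.* settings whose key or value mentions openssl."""
    return [(no, key) for no, key, value in flatten_yaml_keys(es_yml)
            if key.startswith("searchguard.") and "openssl" in (key + value).lower()]

def find_old_style_attrs(config_text):
    """Return (line_no, reference) for attr.<source>.<name>; user.attrs.<name> does not match."""
    return [(no, m.group(0)) for no, line in enumerate(config_text.splitlines(), 1)
            for m in OLD_ATTR.finditer(line)]

# Constructed sample inputs, not taken from a real cluster.
SAMPLE_ES_YML = """\
cluster.name: demo
searchguard.ssl.transport.enable_openssl_if_available: true
searchguard:
  ssl:
    http:
      enable_openssl_if_available: false   # nested form
"""
SAMPLE_ROLES = """\
sg_hr:
  index_permissions:
    - index_patterns: ["hr-*"]
      dls: '{"term": {"dept": "${attr.ldap.department}"}}'
    - index_patterns: ["sales-*"]
      dls: '{"term": {"team": "${user.attrs.team}"}}'
"""

if __name__ == "__main__":
    print(find_openssl_settings(SAMPLE_ES_YML), find_old_style_attrs(SAMPLE_ROLES))
```

Each hit is a line to remove from elasticsearch.yml or an attribute reference to rewrite in the new user.attrs style before loading the configuration into the Tech Preview.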

Feedback

Your feedback is welcome! You can use the Search Guard Forum for questions and general feedback. You can also report issues at the Search Guard Gitlab repository.


