Version: SG Tech Preview

Search Guard - Security for Elasticsearch

Security and Alerting for Elasticsearch and OpenSearch

Search Guard Tech Preview Documentation

Welcome to the preview of the next generation of Search Guard! We provide you this preview in order to give you an impression of the changes and an opportunity to test it and give feedback.

Please note that this preview is not yet ready for use in production systems. It might have bugs. Also, we might decide to introduce further breaking changes before the release.

What’s New

This technical preview brings a number of fundamental improvements and updates to Search Guard. These require breaking changes in the configuration format.

Major changes include:

  • The first version of Search Guard which brings support for OpenSearch and OpenSearch Dashboards.
  • Completely new approach for configuring authentication. The new configuration format is more coherent, more predictable and much more powerful. Simple setups require very little configuration; very complex setups are possible by straight-forward configuration. If something goes wrong, Search Guard provides extensive error messages and diagnostic information.
  • Completely new approach for logging into Dashboards/Kibana. Logged in users now get an actual server-side session. This fixes a number of issues, such as:
    • Issues with cookies exceeding the browser size limit.
    • The “logout” menu item is able to invalidate the session. Thus, session cookies cannot be re-used any more.
    • Configuration of SSO using OIDC or SAML for Dashboards/Kibana no longer interfers with backend authentication configuration. Thus, you can now have challenging basic authentication on the backend while using OIDC or SAML for Dashboards/Kibana.
    • The configuration format is now more streamlined and consistent.
    • Dashboards/Kibana authentication configuration can be changed without having to restart the node.
  • New administration tool sgctl which shall replace sgadmin. sgctl is stateful; that means, you can define connection profiles once and use these later. Thus, you don’t have to specify all connection configuration on each invocation. The interface of sgctl is more streamlined and offers you improved configuration validation functionality.
  • Improved way of handling unauthorized indices. You no longer have to worry that your wildcard query breaks because it might pick up an index you don’t have permissions for.


You can get the current snapshot of the Search Guard Tech Preview at the following locations. If you chose to use the demo installer, you just need to download the script. The script will take care of downloading all further components.

Target Platform Backend Plugin Frontend Plugin Demo Installer
OpenSearch 1.2.4 Search Guard OpenSearch Plugin TP3 Search Guard OpenSearch Dashboards Plugin TP3 Demo Installer TP3
Elasticsearch 7.10.2 Search Guard Elasticsearch Plugin TP3 Search Guard Kibana Plugin TP3 Demo Installer TP3
Elasticsearch 7.16.3 Search Guard Elasticsearch Plugin TP3 Search Guard Kibana Plugin TP3 Demo Installer TP3
Elasticsearch 7.17.1 Search Guard Elasticsearch Plugin TP3 Search Guard Kibana Plugin TP3 Demo Installer TP3
Platform Independent
Search Guard Control Tool sgctl 0.2.4

Getting Started

You have several options to try the Search Guard Tech Preview:

  • If you want to start with a quick test of a fresh installation on your local system, you can use the Search Guard Demo Installer.

  • If you have an existing Search Guard setup and what to test its configuration with the Search Guard Tech Preview, you can use the migrate-config command of sgctl. Please also review the list of breaking changes below.

You might want to read the following sections of the documentation to get a comprehensive overview over the new possibilities of Search Guard:

Breaking Changes

There has been a number of breaking changes to the Search Guard configuration. Some don’t require config changes, some can be automatically migrated by using the sgctl migrate-config command, still some need manual intervention.

The breaking changes include so far:

  • The file sg_config.yml is being replaced by a number of more specialized files. This allows for a clearer and more concise configuration.

  • The old style user attributes (attr.ldap...., attr.jwt..., etc) are not supported any more for users logging in via Kibana. You need to use new style user attributes (user.attrs....) instead. See the chapters on DLS and Roles for details.

  • Support for OpenSSL was removed from Search Guard already quite a while a go. Now, also the configuration options - which were just ignored in the meantime - have been also removed. Thus, if you have any searchguard settings in elasticsearch.yml mentioning openssl, you need to remove these.

  • The do_not_fail_on_forbidden mode has been replaced by ignore_unauthorized mode with refined semantics. This mode is now active by default.

  • Search Guard no longer warns about filtered alias settings.

  • More about the configuration migration can be found here.

  • A comprehensive overview over the configuration format changes can be found here.


Your feedback is welcome! You can use the Search Guard Forum for questions and general feedback. You can also report issues at the Search Guard Gitlab repository.

Not what you were looking for? Try the search.