Security and Alerting for Elasticsearch and OpenSearch
Search Guard Tech Preview Documentation
Welcome to the preview of the next generation of Search Guard! We provide you this preview in order to give you an impression of the changes and an opportunity to test it and give feedback.
Please note that this preview is not yet ready for use in production systems. It might have bugs. Also, we might decide to introduce further breaking changes before the release.
This technical preview brings a number of fundamental improvements and updates to Search Guard. These require breaking changes in the configuration format.
Major changes include:
- The first version of Search Guard which brings support for OpenSearch and OpenSearch Dashboards.
- Completely new approach for configuring authentication. The new configuration format is more coherent, more predictable and much more powerful. Simple setups require very little configuration; very complex setups are possible by straight-forward configuration. If something goes wrong, Search Guard provides extensive error messages and diagnostic information.
- Completely new approach for logging into Dashboards/Kibana. Logged in users now get an actual server-side session. This fixes a number of issues, such as:
- Issues with cookies exceeding the browser size limit.
- The “logout” menu item is able to invalidate the session. Thus, session cookies cannot be re-used any more.
- Configuration of SSO using OIDC or SAML for Dashboards/Kibana no longer interfers with backend authentication configuration. Thus, you can now have challenging basic authentication on the backend while using OIDC or SAML for Dashboards/Kibana.
- The configuration format is now more streamlined and consistent.
- Dashboards/Kibana authentication configuration can be changed without having to restart the node.
- New administration tool
sgctlwhich shall replace
sgctlis stateful; that means, you can define connection profiles once and use these later. Thus, you don’t have to specify all connection configuration on each invocation. The interface of
sgctlis more streamlined and offers you improved configuration validation functionality.
- Improved way of handling unauthorized indices. You no longer have to worry that your wildcard query breaks because it might pick up an index you don’t have permissions for.
You can get the current snapshot of the Search Guard Tech Preview at the following locations. If you chose to use the demo installer, you just need to download the script. The script will take care of downloading all further components.
|Target Platform||Backend Plugin||Frontend Plugin||Demo Installer|
|OpenSearch 1.2.4||Search Guard OpenSearch Plugin TP3||Search Guard OpenSearch Dashboards Plugin TP3||Demo Installer TP3|
|Elasticsearch 7.10.2||Search Guard Elasticsearch Plugin TP3||Search Guard Kibana Plugin TP3||Demo Installer TP3|
|Elasticsearch 7.16.3||Search Guard Elasticsearch Plugin TP3||Search Guard Kibana Plugin TP3||Demo Installer TP3|
|Elasticsearch 7.17.1||Search Guard Elasticsearch Plugin TP3||Search Guard Kibana Plugin TP3||Demo Installer TP3|
|Search Guard Control Tool sgctl 0.2.4|
You have several options to try the Search Guard Tech Preview:
If you want to start with a quick test of a fresh installation on your local system, you can use the Search Guard Demo Installer.
If you have an existing Search Guard setup and what to test its configuration with the Search Guard Tech Preview, you can use the migrate-config command of
sgctl. Please also review the list of breaking changes below.
You might want to read the following sections of the documentation to get a comprehensive overview over the new possibilities of Search Guard:
- Using sgctl (See also the repository README).
- Using configuration variables
- Configuring authentication
- Configuring Dashboards/Kibana authentication
- Migrating from Search Guard 53 and before
There has been a number of breaking changes to the Search Guard configuration. Some don’t require config changes, some can be automatically migrated by using the
sgctl migrate-config command, still some need manual intervention.
The breaking changes include so far:
sg_config.ymlis being replaced by a number of more specialized files. This allows for a clearer and more concise configuration.
The old style user attributes (
attr.jwt..., etc) are not supported any more for users logging in via Kibana. You need to use new style user attributes (
user.attrs....) instead. See the chapters on DLS and Roles for details.
Support for OpenSSL was removed from Search Guard already quite a while a go. Now, also the configuration options - which were just ignored in the meantime - have been also removed. Thus, if you have any
openssl, you need to remove these.
do_not_fail_on_forbiddenmode has been replaced by
ignore_unauthorizedmode with refined semantics. This mode is now active by default.
Search Guard no longer warns about filtered alias settings.
More about the configuration migration can be found here.
A comprehensive overview over the configuration format changes can be found here.
Your feedback is welcome! You can use the Search Guard Forum for questions and general feedback. You can also report issues at the Search Guard Gitlab repository.