Elasticsearch breaking changes

edit

This list summarizes the most important breaking changes in Elasticsearch 7.6.2. For the complete list, go to Elasticsearch breaking changes.

Security changes

edit

Elasticsearch API key privileges

edit

If you use an API key to create another API key (sometimes called a derived key), its behavior is impacted by the fix for CVE-2020-7009.

When you make a request to create API keys, you can specify an expiration and privileges for the API key. Previously, when you created a derived key, it had no privileges. This behavior disregarded any privileges that you specified in the create API key API.

As of 7.6.2, this behavior changes. To create a derived key, you must explicitly specify a role descriptor with no privileges:

...
"role_descriptors": {
    "no-privilege": {
    }
}
...