Release Notes

edit

Version Compatibility

edit

You must run the version of Shield that matches the version of Elasticsearch you are running. For example, Shield 2.1.2 requires Elasticsearch 2.1.2.

Upgrading Shield

edit

To upgrade Shield, just uninstall the current Shield plugin and install the new version of Shield. Your configuration will be preserved and you do this with a rolling upgrade of Elasticsearch when upgrading to a new minor version; a full cluster restart is required when upgrading from Elasticsearch 1.x. On each node, after you have stopped it run:

bin/plugin remove shield
bin/plugin install shield

Then start the node. Larger sites should perform a rolling upgrade to ensure recovery is as quick as possible.

On upgrade, your current configuration files will remain untouched. The configuration files provided by the new version of Shield will be added with a .new extension.

Updated Role Definitions

edit

The default role definitions in the roles.yml file may need to be changed to ensure proper functionality with other applications such as Marvel and Kibana. Any role changes will be found in roles.yml.new after upgrading to the new version of Shield. We recommend copying the changes listed below to your roles.yml file.

  • [2.1.1] Added in 2.1.1. The kibana4 role now grants access to the Field Stats API.
  • [2.0.0] Added in 2.0.0. The permission on all the roles are updated to the verbose format to make it easier to enable field level and document level security. The transport_client role has been updated to work with Elasticsearch 2.0.0. The marvel_user role has been updated to work with Marvel 2.0 and a remote_marvel_agent role has been added. The kibana3 and marvel_agent roles have been removed.
  • [1.1.0] Added in 1.1.0. kibana4_server role added that defines the minimum set of permissions necessary for the Kibana 4 server.
  • [1.0.1] Added in 1.0.1. kibana4 role updated to work with new features in Kibana 4 RC1

Change List

edit

2.1.2

edit

February 2, 2016

Enhancements

  • Adds support for Elasticssearch 2.1.2

2.1.1

edit

December 17, 2015

Bug Fixes

2.1.0

edit

November 24, 2015

Breaking Changes

  • Same as 2.0.1. Document and Field Level Security is now disabled by default. Set shield.dls_fls.enabled to true in elasticsearch.yml to enable it. You cannot submit _bulk update requests when document and field level security is enabled.

Enhancements

  • Adds support for Elasticsearch 2.1.0.

2.0.2

edit

December 16, 2015

Bug Fixes

2.0.1

edit

November 24, 2015

Breaking Changes

  • Document and Field Level Security is now disabled by default. Set shield.dls_fls.enabled to true in elasticsearch.yml to enable it. You cannot submit _bulk update requests when document and field level security is enabled.

Enhancement

  • Adds support for Elasticsearch 2.0.1.

2.0.0

edit

October 28, 2015

Breaking Changes

  • All files that Shield uses must be kept in the configuration directory due to the enhanced security of Elasticsearch 2.0.
  • The network format has been changed from all previous versions of Shield and a full cluster restart is required to upgrade to Shield 2.0.

New Features

Bug Fixes

  • Auditing now captures requests from nodes using a different system key as tampered requests.
  • The index output for auditing stores the type of request when available.
  • esusers and syskeygen work when spaces are in the elasticsearch installation path.
  • Fixed a rare issue where authentication fails even when the username and password are correct.

1.3.3

edit

November 24, 2015

Bug Fixes

  • Fixed a rare issue where authentication fails even when the username and password are correct.
  • The index output for auditing stores the type of request when available.

Enhancements

  • Tampered requests with a bad header are now audited.

1.3.2

edit

August 10, 2015

Bug Fixes

  • When using the LDAP user search mechanism, connection errors during startup no longer cause the node to stop.
  • The Cache Eviction API no longer generates invalid JSON.
  • The index output for auditing starts properly when forwarding the audit events to a remote cluster and uses the correct user to index the audit events.

1.3.1

edit

July 21, 2015

Bug Fixes

  • Fixes message authentication serialization to work with Shield 1.2.1 and earlier.

    • NOTE: if you are upgrading from Shield 1.3.0 or Shield 1.2.2 a cluster restart upgrade will be necessary. When upgrading from other versions of Shield, follow the normal upgrade procedure.

1.3.0

edit

June 24, 2015

Breaking Changes

  • The sha2 and apr1 hashing algorithms have been removed as options for the cache.hash_algo setting. If your existing Shield installation uses either of these options, remove the setting and use the default ssha256 algorithm.
  • The users file now only supports bcrypt password hashing. All existing passwords stored using the esusers tool have been hashed with bcrypt and are not affected.

New Features

  • PKI Realm: Adds Public Key Infrastructure (PKI) authentication through the use of X.509 certificates in place of username and password credentials.
  • Index Output for Audit Events: An index based output has been added for storing audit events in an Elasticsearch index.

Enhancements

  • TLS 1.2 is now the default protocol.
  • Clients that do not support pre-emptive basic authentication can now support both anonymous and authenticated access by specifying the shield.authc.anonymous.authz_exception setting with a value of false.
  • Reduced logging for common SSL exceptions, such as a client closing the connection during a handshake.

Bug Fixes

  • The esusers and syskeygen tools now work correctly with environment variables in the RPM and DEB installation environment files /etc/sysconfig/elasticsearch and /etc/default/elasticsearch.
  • Default ciphers no longer include TLS_DHE_RSA_WITH_AES_128_CBC_SHA.

1.2.3

edit

July 21, 2015

Bug Fixes

  • Fixes message authentication serialization to work with Shield 1.2.1 and earlier.

    • NOTE: if you are upgrading from Shield 1.2.2 a cluster restart upgrade will be necessary. When upgrading from other versions of Shield, follow the normal upgrade procedure.

1.2.2

edit

June 24, 2015

Bug Fixes

  • The esusers tool no longer warns about missing roles that are properly defined in the roles.yml file.
  • The period character, ., is now allowed in usernames and role names.
  • The terms filter lookup cache has been disabled to ensure all requests are properly authorized. This removes the need to manually disable the terms filter cache.
  • For LDAP client connections, only the protocols and ciphers specified in the shield.ssl.supported_protocols and shield.ssl.ciphers settings will be used.
  • The auditing mechanism now logs authentication failed events when a request contains an invalid authentication token.

1.2.1

edit

April 29, 2015

Bug Fixes

  • Several bug fixes including a fix to ensure that Disk-based Shard Allocation works properly with Shield

1.2.0

edit

March 24, 2015

Enhancements

  • Adds support for Elasticsearch 1.5

1.1.1

edit

April 29, 2015

Bug Fixes

  • Several bug fixes including a fix to ensure that Disk-based Shard Allocation works properly with Shield

1.1.0

edit

March 24, 2015

New Features

  • LDAP:

    • Add the ability to bind as a specific user for LDAP searches, which removes the need to specify user_dn_templates. This mode of operation also makes use of connection pooling for better performance. Please see ldap user search for more information.
    • User distinguished names (DNs) can now be used for role mapping.
  • Authentication:

  • IP Filtering:

Enhancements

  • Significant memory footprint reduction of internal data structures
  • Test if SSL/TLS ciphers are supported and warn if any of the specified ciphers are not supported
  • Reduce the amount of logging when a non-encrypted connection is opened and https is being used
  • Added the kibana4_server role, which is a role that contains the minimum set of permissions required for the Kibana 4 server.
  • In-memory user credential caching hash algorithm defaults now to salted SHA-256 (see Cache hash algorithms

Bug Fixes

  • Filter out sensitive settings from the settings APIs

1.0.2

edit

March 24, 2015

Bug Fixes

  • Filter out sensitive settings from the settings APIs
  • Significant memory footprint reduction of internal data structures

1.0.1

edit

February 13, 2015

Bug Fixes

  • Fixed dependency issues with Elasticsearch 1.4.3 and (Lucene 4.10.3 that comes with it)
  • Fixed bug in how user roles were handled. When multiple roles were defined for a user, and one of the roles only had cluster permissions, not all privileges were properly evaluated.
  • Updated kibana4 permissions to be compatible with Kibana 4 RC1
  • Ensure the mandatory base_dn settings is set in the ldap realm configuration