Releases: opensearch-project/security

2.18.0.0

05 Nov 23:18
60ed8c7

Version 2.18.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 2.18.0

Enhancements

  • Improve error message when a node with an incorrectly configured certificate attempts to connect (#4819)
  • Support datastreams as an AuditLog Sink (#4756)
  • Auto-convert V6 configuration instances into V7 configuration instances (for OpenSearch 2.x only) (#4753)
  • Add can trip circuit breaker override (#4779)
  • Adding index permissions for remote index in AD (#4721)
  • Fix env var password hashing for PBKDF2 (#4778)
  • Add ensureCustomSerialization to ensure that headers are serialized correctly with multiple transport hops (#4741)

Bug Fixes

  • Handle non-flat yaml settings for demo configuration detection (#4798)
  • Fix bug where admin can read system index (#4775)
  • Ensure that dual mode enabled flag from cluster settings can get propagated to core (#4830)
  • Remove failed login attempt for saml authenticator (#4770)
  • Fix issue in HashingStoredFieldVisitor with stored fields (#4827)
  • Fix issue with Get mappings on a Closed index (#4777)
  • Change comments permission for alerting_ack_alerts role (#4723)
  • Fixed use of rolesMappingConfiguration in InternalUsersApiActionValidationTest (#4754)
  • Use evaluateSslExceptionHandler() when constructing OpenSearchSecureSettingsFactory (#4726)

Maintenance

  • Bump gradle to 8.10.2 (#4829)
  • Bump ch.qos.logback:logback-classic from 1.5.8 to 1.5.11 (#4807) (#4825)
  • Bump org.passay:passay from 1.6.5 to 1.6.6 (#4824)
  • Bump org.junit.jupiter:junit-jupiter from 5.11.0 to 5.11.2 (#4767) (#4811)
  • Bump io.dropwizard.metrics:metrics-core from 4.2.27 to 4.2.28 (#4789)
  • Bump com.nimbusds:nimbus-jose-jwt from 9.40 to 9.41.2 (#4737) (#4787)
  • Bump org.ow2.asm:asm from 9.7 to 9.7.1 (#4788)
  • Bump com.google.googlejavaformat:google-java-format from 1.23.0 to 1.24.0 (#4786)
  • Bump org.xerial.snappy:snappy-java from 1.1.10.6 to 1.1.10.7 (#4738)
  • Bump org.gradle.test-retry from 1.5.10 to 1.6.0 (#4736)
  • Moves @cliu123 to emeritus status (#4667)
  • Add Derek Ho (github: derek-ho) as a maintainer (#4796)
  • Add deprecation warning for GET/POST/PUT cache (#4776)
  • Fix for: CVE-2024-47554 (#4792)
  • Move Stephen to emeritus (#4804)
  • Undeprecate securityadmin script (#4768)
  • Bump commons-io:commons-io from 2.16.1 to 2.17.0 (#4750)
  • Bump org.scala-lang:scala-library from 2.13.14 to 2.13.15 (#4749)
  • Bump org.checkerframework:checker-qual and ch.qos.logback:logback-classic to new versions (#4717)
  • Add isActionPaginated to DelegatingRestHandler (#4765)
  • Refactor ASN1 call (#4740)
  • Fix 'integTest' not called with test workflows during release (#4815)
  • Fixed bulk index requests in BWC tests and hardened assertions (#4831)

2.17.0.0

17 Sep 22:05
cabff25

Version 2.17.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 2.17.0

Enhancements

  • Add ignore_hosts config option for auth failure listener (#4538)
  • Add API roles for correlationAlerts (#4689)
  • Allow multiple signing keys to be provided (#4666)
  • Add alerting comments security actions to roles.yml (#4700)
  • Permission changes for correlationAlerts (#4704)

Bug Fixes

  • Addresses a bug with plugins.security.allow_unsafe_democertificates setting (#4603)
  • Fix coverage-report workflow (#4684, #4683)
  • Handle the audit config being null (#4664)
  • Fixes authtoken endpoint (#4631)
  • Fixed READ_ACTIONS required by TermsAggregationEvaluator (#4607)
  • Sort the DNS Names in the SANs (#4640)

Maintenance

  • Bump com.google.errorprone:error_prone_annotations from 2.30.0 to 2.31.0 (#4696)
  • Bump org.passay:passay from 1.6.4 to 1.6.5 (#4682)
  • Bump spring_version from 5.3.37 to 5.3.39 (#4661)
  • Bump commons-cli:commons-cli from 1.8.0 to 1.9.0 (#4659)
  • Bump org.junit.jupiter:junit-jupiter from 5.10.3 to 5.11.0 (#4657)
  • Bump org.cryptacular:cryptacular from 1.2.6 to 1.2.7 (#4656)
  • Update Gradle to 8.10 (#4646)
  • Bump org.xerial.snappy:snappy-java from 1.1.10.5 to 1.1.10.6 (#4639)
  • Bump com.google.googlejavaformat:google-java-format from 1.22.0 to 1.23.0 (#4622)
  • Increment version to 2.17.0-SNAPSHOT (#4615)
  • Backports PRs with backport-failed labels that weren't actually backported (#4610)
  • Bump io.dropwizard.metrics:metrics-core from 4.2.26 to 4.2.27 (#4660)
  • Bump com.netflix.nebula.ospackage from 11.9.1 to 11.10.0 (#4681)
  • Interim build fix for PluginSubject related changes (#4694)
  • Add Nils Bandener (Github: nibix) as a maintainer (#4673)
  • Remove usages of org.apache.logging.log4j.util.Strings (#4653)
  • Update backport section of PR template (#4625)
  • Bump org.checkerframework:checker-qual from 3.45.0 to 3.46.0 (#4623)
  • Refactor security provider instantiation (#4611)

1.3.19.0

27 Aug 21:42
c647ea1

Version 1.3.19.0

Compatible with OpenSearch 1.3.19

Maintenance

  • Bump org.apache.cxf:cxf-rt-rs-security-jose from 3.5.8 to 3.5.9 (#4579)

2.16.0.0

07 Aug 22:16
3076016

Version 2.16.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 2.16.0

Enhancements

  • Add support for PBKDF2 for password hashing & add support for configuring BCrypt and PBKDF2 (#4524)
  • Separated DLS/FLS privilege evaluation from action privilege evaluation (#4490)
  • Update PULL_REQUEST_TEMPLATE to include an API spec change in the checklist. (#4533)
  • Update PATCH API to fail validation if nothing changes (#4530)
  • Refactor InternalUsers REST API test (#4481)
  • Refactor Role Mappings REST API test (#4450)
  • Remove special handling for do_not_fail_on_forbidden on cluster actions (#4486)
  • Add Tenants REST API test and partial fix (#4166)
  • Refactor Roles REST API test and partial fix #4166 (#4433)
  • New algorithm for resolving action groups (#4448)
  • Check block request only if system index (#4430)
  • Replaced uses of SecurityRoles by Set mappedRoles where the SecurityRoles functionality is not needed (#4432)

Bug Fixes

  • Fixed test failures in FlsAndFieldMaskingTests (#4548)
  • Typo in securityadmin.sh hint (#4526)
  • Fix NPE getting metaFields from mapperService on a close index request (#4497)
  • Fixes flaky integration tests (#4452)

Maintenance

  • Remove unused dependency Apache CXF (#4580)
  • Remove unnecessary return statements (#4558)
  • Refactor and update existing ml roles (#4151)
  • Replace JUnit assertEquals() with Hamcrest matchers assertThat() (#4544)
  • Update Gradle to 8.9 (#4553)
  • Bump org.checkerframework:checker-qual from 3.44.0 to 3.45.0 (#4531)
  • Add security analytics threat intel action (#4498)
  • Bump kafka_version from 3.7.0 to 3.7.1 (#4501)
  • Bump org.junit.jupiter:junit-jupiter from 5.10.2 to 5.10.3 (#4503)
  • Bump com.fasterxml.woodstox:woodstox-core from 6.6.2 to 6.7.0 (#4483)
  • Bump jjwt_version from 0.12.5 to 0.12.6 (#4484)
  • Bump org.eclipse.platform:org.eclipse.core.runtime from 3.31.0 to 3.3.1.100 (#4467)
  • Bump spring_version from 5.3.36 to 5.3.37 (#4466)
  • Update to Gradle 8.8 (#4459)

1.3.18.0

16 Jul 23:12
c9cf6b8

Version 1.3.18.0

Compatible with OpenSearch 1.3.18

Maintenance

  • Bump bouncycastle to 1.78.1 and kafka to 3.7.0 (#4437)

2.15.0.0

25 Jun 22:30
9674301

Version 2.15.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 2.15.0

Enhancements

  • Replace BouncyCastle's OpenBSDBCrypt use with password4j for password hashing and verification (#4428)
  • Adds validation for the action groups type key (#4411)
  • Made sensitive header log statement more clear (#4372)
  • Refactor ActionGroup REST API test and partial fix #4166 (#4371)
  • Support multiple audience for jwt authentication (#4363)
  • Configure masking algorithm default (#4345)

Bug Fixes

  • Add cat/alias support for DNFOF (#4440)
  • Add support for ipv6 ip address in user injection (#4409)
  • [Fix #4280] Introduce new endpoint _plugins/_security/api/certificates (#4355)

Maintenance

  • Bump com.nimbusds:nimbus-jose-jwt from 9.37.3 to 9.40 (#4337) (#4353) (#4396) (#4424)
  • Bump Wandalen/wretry.action from 3.4.0 to 3.5.0 (#4335)
  • Bump spring_version from 5.3.34 to 5.3.36 (#4352) (#4368)
  • Bump org.apache.camel:camel-xmlsecurity from 3.22.1 to 3.22.2 (#4324)
  • Bump com.google.errorprone:error_prone_annotations from 2.27.0 to 2.27.1 (#4323)
  • Bump org.checkerframework:checker-qual from 3.42.0 to 3.43.0 (#4322)
  • Bump org.scala-lang:scala-library from 2.13.13 to 2.13.14 (#4321)
  • Bump commons-validator:commons-validator from 1.8.0 to 1.9.0 (#4395)
  • Bump com.netflix.nebula.ospackage from 11.9.0 to 11.9.1 (#4394)
  • Bump com.google.errorprone:error_prone_annotations from 2.27.1 to 2.28.0 (#4389)
  • Bump commons-cli to 1.8.0 (#4369)
  • Fix DelegatingRestHandlerTests (#4435)
  • Extracted the user attr handling methods from ConfigModelV7 into its own class (#4431)
  • Bump io.dropwizard.metrics:metrics-core and org.checkerframework:checker-qual (#4425)
  • Bump gradle to 8.7 version (#4377)
  • Update security reachout email (#4333)
  • REST API tests refactoring (#4252 and #4255) (#4328)
  • Fix flaky tests (#4331)
  • Move REST API tests into integration tests (Part 1) (#4153)
  • Fix build errors caused by filterIndices method being moved from SnapshotUtils to IndexUtils (#4319)
  • Extract route paths prefixes into constants (#4358)

1.3.17.0

06 Jun 22:39
188480d

Version 1.3.17.0

Compatible with OpenSearch 1.3.17

Maintenance

  • Update security reachout email (#4333)

2.14.0.0

14 May 21:01
435856c

Version 2.14.0.0

Compatible with OpenSearch 2.14.0

Enhancements

  • Check for and perform upgrades on security configurations (#4251)
  • Replace bouncy castle blake2b (#4284)
  • Adds saml auth header to differentiate saml requests and prevents auto login as anonymous user when basic authentication fails (#4228)
  • Dynamic sign in options (#4137)
  • Add index permissions for query insights exporters (#4231)
  • Add new stop words system index (#4181)
  • Switch to built-in security transports from core (#4119) (#4174) (#4187)
  • System index permission grants reading access to documents in the index (#4291)
  • Improve cluster initialization reliability (#4002) (#4256)

Bug Fixes

  • Ensure that challenge response contains body (#4268)
  • Add logging for audit log entries that are unable to save the request body (#4272)
  • Use predictable serialization logic for transport headers (#4288)
  • Update Log4JSink Default from sgaudit to audit and add test for default values (#4155)
  • Remove Pom task dependencies rewrite (#4178) (#4186)
  • Misc changes for tests (#4184)
  • Add simple roles mapping integ test to test mapping of backend role to role (#4176)

Maintenance

  • Add getProperty.org.bouncycastle.ec.max_f2m_field_size to plugin-security.policy (#4270)
  • Add getProperty.org.bouncycastle.pkcs12.default to plugin-security.policy (#4266)
  • Bump apache_cxf_version from 4.0.3 to 4.0.4 (#4287)
  • Bump ch.qos.logback:logback-classic from 1.5.3 to 1.5.5 (#4248)
  • Bump codecov/codecov-action from v3 to v4 (#4237)
  • Bump com.fasterxml.woodstox:woodstox-core from 6.6.1 to 6.6.2 (#4195)
  • Bump com.google.googlejavaformat:google-java-format from 1.21.0 to 1.22.0 (#4220)
  • Bump commons-io:commons-io from 2.15.1 to 2.16.1 (#4196) (#4246)
  • Bump com.nulab-inc:zxcvbn from 1.8.2 to 1.9.0 (#4219)
  • Bump io.dropwizard.metrics:metrics-core from 4.2.15 to 4.2.25 (#4193) (#4197)
  • Bump net.shibboleth.utilities:java-support from 8.4.1 to 8.4.2 (#4245)
  • Bump spring_version from 5.3.33 to 5.3.34 (#4250)
  • Bump Wandalen/wretry.action from 1.4.10 to 3.3.0 (#4167) (#4198) (#4221) (#4247)
  • Bump open_saml_version from 4.3.0 to 4.3.2 (#4303) (#4239)

1.3.16.0

23 Apr 21:35
2277453

Version 1.3.16.0

Compatible with OpenSearch 1.3.16

Bug Fixes

  • Allow TransportConfigUpdateAction when security config initialization has completed (#4115)

Maintenance

  • Force resolution of org.apache.zookeeper:zookeeper to 3.9.2 and org.bitbucket.b_c:jose4j to 0.9.4 (#4136)
  • Integration Tests for Security Config Initialization (#4134)
  • Remove and refactor console print statements (#4206)

2.13.0.0

02 Apr 23:03
8f029eb

2024-03-19 Version 2.13.0.0

Compatible with OpenSearch 2.13.0

Enhancements

  • Admin role for Query insights plugin (#4022)
  • Add query assistant role and new ml system indices (#4143)
  • Redact sensitive configuration values when retrieving security configuration (#4028)
  • v2.12 update roles.yml with new API for experimental alerting plugin feature (#4035)
  • Add deprecation message that TLSv1 and TLSv1.1 support will be removed in the next major version (#4083)
  • Log password requirement details in demo environment (#4082)
  • Redact sensitive URL parameters from audit logging (#4070)
  • Fix unconsumed parameter exception when authenticating with jwtUrlParameter (#4065)
  • Regenerate root-ca, kirk and esnode certificates to address the already expired root CA certificate (#4066)
  • Add exclude_roles configuration parameter to LDAP authorization backend (#4043)
  • Refactor and update existing ml roles (#4157)

Maintenance

  • Add exclusion for logback-core to resolve CVE-2023-6378 (#4050)
  • Bump com.netflix.nebula.ospackage from 11.7.0 to 11.8.1 (#4041, #4075)
  • Bump Wandalen/wretry.action from 1.3.0 to 1.4.10 (#4042, #4092, #4108, #4135)
  • Bump spring_version from 5.3.31 to 5.3.33 (#4058, #4131)
  • Bump org.scala-lang:scala-library from 2.13.12 to 2.13.13 (#4076)
  • Bump com.google.googlejavaformat:google-java-format from 1.19.1 to 1.21.0 (#4078, #4110)
  • Bump ch.qos.logback:logback-classic from 1.2.13 to 1.5.3 (#4091, #4111)
  • Bump com.fasterxml.woodstox:woodstox-core from 6.6.0 to 6.6.1 (#4093)
  • Bump kafka_version from 3.5.1 to 3.7.0 (#4095)
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.1 to 4.0.2 (#4109)
  • Bump org.apache.zookeeper:zookeeper from 3.9.1 to 3.9.2 (#4130)
  • Bump org.awaitility:awaitility from 4.2.0 to 4.2.1 (#4133)
  • Bump com.google.errorprone:error_prone_annotations from 2.25.0 to 2.26.1 (#4132)