diff --git a/shield/docs/public/release-notes.asciidoc b/shield/docs/public/release-notes.asciidoc index 46e2c7f1c55..b47bba1d4ad 100644 --- a/shield/docs/public/release-notes.asciidoc +++ b/shield/docs/public/release-notes.asciidoc @@ -30,7 +30,7 @@ On upgrade, your current configuration files will remain untouched. The configur of Shield will be added with a `.new` extension. [float] -==== updated role definitions +==== Updated Role Definitions The default role definitions in the `roles.yml` file may need to be changed to ensure proper functionality with other applications such as Marvel and Kibana. Any role changes will be found in `roles.yml.new` after upgrading to the new version of Shield. We recommend copying the changes listed below to your `roles.yml` file. @@ -44,6 +44,15 @@ version of Shield. We recommend copying the changes listed below to your `roles. [[changelist]] === Change List +[float] +==== 2.1.0 + +.Breaking Changes +* Same as 2.0.1. <> is now disabled by default. Set `shield.dls_fls.enabled` to `true` in `elasticsearch.yml` to enable it. You cannot submit `_bulk` update requests when document and field level security is enabled. + +.Enhancements +* Adds support for Elasticsearch 2.1.0. + [float] ==== 2.0.1 
@@ -53,27 +62,27 @@ version of Shield. We recommend copying the changes listed below to your `roles. [float] ==== 2.0.0 -.new features +.Breaking Changes +* All files that Shield uses must be kept in the <> due to the enhanced security of Elasticsearch 2.0. +* The network format has been changed from all previous versions of Shield and a full cluster restart is required to upgrade to Shield 2.0. + +.New Features * <> support has been added and can be configured per role. * Support for <> has been added, allowing Shield to integrate with more authentication sources and methods. * <> has also been added, which allows a user to send a request to elasticsearch that will be run with the specified user's permissions. -.bug fixes +.Bug Fixes * <> now captures requests from nodes using a different system key as tampered requests. * The <> stores the type of request when available. * `esusers` and `syskeygen` work when spaces are in the elasticsearch installation path. * Fixed a rare issue where authentication fails even when the username and password are correct. -.breaking changes -* All files that Shield uses must be kept in the <> due to the enhanced security of Elasticsearch 2.0. -* The network format has been changed from all previous versions of Shield and a full cluster restart is required to upgrade to Shield 2.0. - [float] ==== 1.3.2 -.bug fixes +.Bug Fixes * When using the <> mechanism, connection errors during startup no longer cause the node to stop. * The <> no longer generates invalid JSON. * The <> starts properly when forwarding the audit events to a remote cluster and uses @@ -82,7 +91,7 @@ the correct user to index the audit events. [float] ==== 1.3.1 -.bug fixes +.Bug Fixes * Fixes <> serialization to work with Shield 1.2.1 and earlier. ** NOTE: if you are upgrading from Shield 1.3.0 or Shield 1.2.2 a {ref-17}/setup-upgrade.html#restart-upgrade[cluster restart upgrade] will be necessary. When upgrading from other versions of Shield, follow the normal <>. 
@@ -90,25 +99,25 @@ will be necessary. When upgrading from other versions of Shield, follow the norm [float] ==== 1.3.0 -.new features -* <>: Adds Public Key Infrastructure (PKI) authentication through the use of X.509 certificates in place of - username and password credentials. -* <>: An index based output has been added for storing audit events in an Elasticsearch index. - -.breaking changes +.Breaking Changes * The `sha2` and `apr1` hashing algorithms have been removed as options for the <>. If your existing Shield installation uses either of these options, remove the setting and use the default `ssha256` algorithm. * The `users` file now only supports `bcrypt` password hashing. All existing passwords stored using the `esusers` tool have been hashed with `bcrypt` and are not affected. -.enhancements +.New Features +* <>: Adds Public Key Infrastructure (PKI) authentication through the use of X.509 certificates in place of + username and password credentials. +* <>: An index based output has been added for storing audit events in an Elasticsearch index. + +.Enhancements * TLS 1.2 is now the default protocol. * Clients that do not support pre-emptive basic authentication can now support both anonymous and authenticated access by specifying the `shield.authc.anonymous.authz_exception` <> with a value of `false`. * Reduced logging for common SSL exceptions, such as a client closing the connection during a handshake. -.bug fixes +.Bug Fixes * The `esusers` and `syskeygen` tools now work correctly with environment variables in the RPM and DEB installation environment files `/etc/sysconfig/elasticsearch` and `/etc/default/elasticsearch`. * Default ciphers no longer include `TLS_DHE_RSA_WITH_AES_128_CBC_SHA`. 
@@ -116,7 +125,7 @@ will be necessary. When upgrading from other versions of Shield, follow the norm [float] ==== 1.2.3 -.bug fixes +.Bug Fixes * Fixes <> serialization to work with Shield 1.2.1 and earlier. ** NOTE: if you are upgrading from Shield 1.2.2 a {ref-17}/setup-upgrade.html#restart-upgrade[cluster restart upgrade] will be necessary. When upgrading from other versions of Shield, follow the normal <>. @@ -124,7 +133,7 @@ will be necessary. When upgrading from other versions of Shield, follow the norm [float] ==== 1.2.2 -.bug fixes +.Bug Fixes * The `esusers` tool no longer warns about missing roles that are properly defined in the `roles.yml` file. * The period character, `.`, is now allowed in usernames and role names. * The {ref-17}/query-dsl-terms-filter.html#_caching_19[terms filter lookup cache] has been disabled to ensure all requests @@ -136,27 +145,27 @@ will be necessary. When upgrading from other versions of Shield, follow the norm [float] ==== 1.2.1 -.bug fixes -* Several bug fixes including a fix to ensure that {ref-17}/disk.html[Disk-based Shard Allocation] +.Bug Fixes +* Several bug fixes including a fix to ensure that {ref}/disk.html[Disk-based Shard Allocation] works properly with Shield [float] ==== 1.2.0 -.enhancements +.Enhancements * Adds support for Elasticsearch 1.5 [float] ==== 1.1.1 -.bug fixes -* Several bug fixes including a fix to ensure that {ref-17}/disk.html[Disk-based Shard Allocation] +.Bug Fixes +* Several bug fixes including a fix to ensure that {ref}/disk.html[Disk-based Shard Allocation] works properly with Shield [float] ==== 1.1.0 -.new features +.New Features * LDAP: ** Add the ability to bind as a specific user for LDAP searches, which removes the need to specify `user_dn_templates`. This mode of operation also makes use of connection pooling for better performance. Please see <> 
@@ -167,27 +176,27 @@ for more information. * IP Filtering: ** IP Filtering settings can now be <> using the {ref}/cluster-update-settings.html[Cluster Update Settings API]. -.enhancements +.Enhancements * Significant memory footprint reduction of internal data structures * Test if SSL/TLS ciphers are supported and warn if any of the specified ciphers are not supported * Reduce the amount of logging when a non-encrypted connection is opened and `https` is being used * Added the <>, which is a role that contains the minimum set of permissions required for the Kibana 4 server. * In-memory user credential caching hash algorithm defaults now to salted SHA-256 (see <> -.bug fixes +.Bug Fixes * Filter out sensitive settings from the settings APIs [float] ==== 1.0.2 -.bug fixes +.Bug Fixes * Filter out sensitive settings from the settings APIs * Significant memory footprint reduction of internal data structures [float] ==== 1.0.1 -.bug fixes +.Bug Fixes * Fixed dependency issues with Elasticsearch 1.4.3 and (Lucene 4.10.3 that comes with it) * Fixed bug in how user roles were handled. When multiple roles were defined for a user, and one of the roles only had cluster permissions, not all privileges were properly evaluated.
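Review bot: In the 2.1.0 hunk (`@@ -44,6 +44,15 @@`), the Breaking Changes bullet opens with "Same as 2.0.1." and then packs the default change, the `shield.dls_fls.enabled` setting and the `_bulk` restriction into one item. Drop the back-reference so the entry stands alone and give the `_bulk` update limitation its own bullet. The entry should also say what happens to roles that already define document or field level restrictions when the setting is left at its default, because an operator upgrading needs to know whether those restrictions are still enforced.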
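Review bot: In the 2.0.0 hunk (`@@ -53,27 +62,27 @@`), two context lines still spell the product in lower case ("send a request to elasticsearch" and "spaces are in the elasticsearch installation path") while the patch normalizes capitalization everywhere else in the section. Change both to "Elasticsearch" in the same pass so the section is consistent.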
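Review bot: In the 1.3.1 hunk (`@@ -82,7 +91,7 @@`), the requirement for a cluster restart upgrade when coming from Shield 1.3.0 or 1.2.2 stays as a nested "NOTE" bullet under Bug Fixes, which is easy to miss now that other sections lead with Breaking Changes. Consider moving it under a Breaking Changes heading, or at least making it a top-level item. The 1.2.3 entry carries the same note and would need the same treatment.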
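Review bot: In the 1.3.0 hunk (`@@ -90,25 +99,25 @@`), Breaking Changes now leads the section, but two entries that change the TLS defaults remain further down: "TLS 1.2 is now the default protocol" under Enhancements and "Default ciphers no longer include `TLS_DHE_RSA_WITH_AES_128_CBC_SHA`" under Bug Fixes. Both may affect clients limited to an older protocol version or to that cipher suite, so consider listing or cross-referencing them under Breaking Changes, in line with what this reordering is meant to surface.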
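Review bot: In the `@@ -136,27 +145,27 @@` hunk, the 1.2.1 and 1.1.1 entries switch the Disk-based Shard Allocation link from `{ref-17}` to `{ref}`, which is unrelated to the heading capitalization in the rest of the patch and is not explained. Other 1.x entries still link through `{ref-17}` (the terms filter lookup cache and the cluster restart upgrade links), so either keep `{ref-17}` here or confirm that `{ref}/disk.html` resolves in the target docs branch and mention the change in the description. The two "works properly with Shield" lines also lack a closing period.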
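Review bot: In the last hunk (`@@ -167,27 +176,27 @@`), two lines left as context have parenthesis problems that are worth fixing while the section is being cleaned up. The parenthetical starting with "(see" at the end of the 1.1.0 credential caching entry is never closed, and in 1.0.1 "and (Lucene 4.10.3 that comes with it)" opens one word late and should read "(and Lucene 4.10.3 that comes with it)". The credential caching line would also read better as "now defaults to salted SHA-256".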