Shield Docs: Added release notes for 2.1.

Original commit: elastic/x-pack-elasticsearch@042904968b
debadair 2015-11-23 10:46:08 -08:00
parent 9f6398127c
commit a973cbcd72
1 changed files with 38 additions and 29 deletions

@ -30,7 +30,7 @@ On upgrade, your current configuration files will remain untouched. The configur
of Shield will be added with a `.new` extension. of Shield will be added with a `.new` extension.
[float] [float]
==== updated role definitions ==== Updated Role Definitions
The default role definitions in the `roles.yml` file may need to be changed to ensure proper functionality with other The default role definitions in the `roles.yml` file may need to be changed to ensure proper functionality with other
applications such as Marvel and Kibana. Any role changes will be found in `roles.yml.new` after upgrading to the new applications such as Marvel and Kibana. Any role changes will be found in `roles.yml.new` after upgrading to the new
version of Shield. We recommend copying the changes listed below to your `roles.yml` file. version of Shield. We recommend copying the changes listed below to your `roles.yml` file.
@ -44,6 +44,15 @@ version of Shield. We recommend copying the changes listed below to your `roles.
[[changelist]] [[changelist]]
=== Change List === Change List
[float]
==== 2.1.0
.Breaking Changes
* Same as 2.0.1. <<setting-up-field-and-document-level-security, Document and Field Level Security>> is now disabled by default. Set `shield.dls_fls.enabled` to `true` in `elasticsearch.yml` to enable it. You cannot submit `_bulk` update requests when document and field level security is enabled.
.Enhancements
* Adds support for Elasticsearch 2.1.0.
[float] [float]
==== 2.0.1 ==== 2.0.1
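Review bot: The new 2.1.0 Breaking Changes bullet opens with "Same as 2.0.1.", which sends the reader to another entry to learn what breaks, and it folds the `_bulk` limitation into the same bullet as the default change. Drop the cross-reference, state the `shield.dls_fls.enabled` default on its own, and give the `_bulk` update restriction a separate bullet. The entry should also say what happens to roles that already define document or field restrictions while the setting is left at its default: are those restrictions ignored, or does the node refuse to load the role? Operators upgrading with such roles need that answer before they restart.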
@ -53,27 +62,27 @@ version of Shield. We recommend copying the changes listed below to your `roles.
[float] [float]
==== 2.0.0 ==== 2.0.0
.new features .Breaking Changes
* All files that Shield uses must be kept in the <<ref-shield-files-location, configuration directory>> due to the enhanced security of Elasticsearch 2.0.
* The network format has been changed from all previous versions of Shield and a full cluster restart is required to upgrade to Shield 2.0.
.New Features
* <<setting-up-field-and-document-level-security, Document and Field Level Security>> support has been added and can be * <<setting-up-field-and-document-level-security, Document and Field Level Security>> support has been added and can be
configured per role. configured per role.
* Support for <<custom-realms, custom authentication realms>> has been added, allowing Shield to integrate with more authentication sources and methods. * Support for <<custom-realms, custom authentication realms>> has been added, allowing Shield to integrate with more authentication sources and methods.
* <<submitting-requests-for-other-users, User impersonation support>> has also been added, which allows a user to send a request to elasticsearch that will be run * <<submitting-requests-for-other-users, User impersonation support>> has also been added, which allows a user to send a request to elasticsearch that will be run
with the specified user's permissions. with the specified user's permissions.
.bug fixes .Bug Fixes
* <<configuring-auditing, Auditing>> now captures requests from nodes using a different system key as tampered requests. * <<configuring-auditing, Auditing>> now captures requests from nodes using a different system key as tampered requests.
* The <<audit-index, index output for auditing>> stores the type of request when available. * The <<audit-index, index output for auditing>> stores the type of request when available.
* `esusers` and `syskeygen` work when spaces are in the elasticsearch installation path. * `esusers` and `syskeygen` work when spaces are in the elasticsearch installation path.
* Fixed a rare issue where authentication fails even when the username and password are correct. * Fixed a rare issue where authentication fails even when the username and password are correct.
.breaking changes
* All files that Shield uses must be kept in the <<ref-shield-files-location, configuration directory>> due to the enhanced security of Elasticsearch 2.0.
* The network format has been changed from all previous versions of Shield and a full cluster restart is required to upgrade to Shield 2.0.
[float] [float]
==== 1.3.2 ==== 1.3.2
.bug fixes .Bug Fixes
* When using the <<ldap-user-search,LDAP user search>> mechanism, connection errors during startup no longer cause the node to stop. * When using the <<ldap-user-search,LDAP user search>> mechanism, connection errors during startup no longer cause the node to stop.
* The <<cache-eviction-api,Cache Eviction API>> no longer generates invalid JSON. * The <<cache-eviction-api,Cache Eviction API>> no longer generates invalid JSON.
* The <<audit-index,index output for auditing>> starts properly when forwarding the audit events to a remote cluster and uses * The <<audit-index,index output for auditing>> starts properly when forwarding the audit events to a remote cluster and uses
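Review bot: The 2.0.0 network-format bullet, now at the top of the section, says "a full cluster restart is required" without linking the procedure, while the 1.3.1 note further down links `{ref-17}/setup-upgrade.html#restart-upgrade` for the same kind of upgrade. Add the equivalent link here so the breaking change points at the steps. Since this pass normalizes heading case, the lowercase "elasticsearch" in the user impersonation bullet and in the `esusers`/`syskeygen` bullet could be capitalized at the same time.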
@ -82,7 +91,7 @@ the correct user to index the audit events.
[float] [float]
==== 1.3.1 ==== 1.3.1
.bug fixes .Bug Fixes
* Fixes <<enable-message-authentication,message authentication>> serialization to work with Shield 1.2.1 and earlier. * Fixes <<enable-message-authentication,message authentication>> serialization to work with Shield 1.2.1 and earlier.
** NOTE: if you are upgrading from Shield 1.3.0 or Shield 1.2.2 a {ref-17}/setup-upgrade.html#restart-upgrade[cluster restart upgrade] ** NOTE: if you are upgrading from Shield 1.3.0 or Shield 1.2.2 a {ref-17}/setup-upgrade.html#restart-upgrade[cluster restart upgrade]
will be necessary. When upgrading from other versions of Shield, follow the normal <<upgrade-instructions,upgrade procedure>>. will be necessary. When upgrading from other versions of Shield, follow the normal <<upgrade-instructions,upgrade procedure>>.
@ -90,25 +99,25 @@ will be necessary. When upgrading from other versions of Shield, follow the norm
[float] [float]
==== 1.3.0 ==== 1.3.0
.new features .Breaking Changes
* <<pki,PKI Realm>>: Adds Public Key Infrastructure (PKI) authentication through the use of X.509 certificates in place of
username and password credentials.
* <<configuring-auditing, Index Output for Audit Events>>: An index based output has been added for storing audit events in an Elasticsearch index.
.breaking changes
* The `sha2` and `apr1` hashing algorithms have been removed as options for the <<ref-cache-hash-algo,`cache.hash_algo` setting>>. * The `sha2` and `apr1` hashing algorithms have been removed as options for the <<ref-cache-hash-algo,`cache.hash_algo` setting>>.
If your existing Shield installation uses either of these options, remove the setting and use the default `ssha256` If your existing Shield installation uses either of these options, remove the setting and use the default `ssha256`
algorithm. algorithm.
* The `users` file now only supports `bcrypt` password hashing. All existing passwords stored using the `esusers` tool * The `users` file now only supports `bcrypt` password hashing. All existing passwords stored using the `esusers` tool
have been hashed with `bcrypt` and are not affected. have been hashed with `bcrypt` and are not affected.
.enhancements .New Features
* <<pki,PKI Realm>>: Adds Public Key Infrastructure (PKI) authentication through the use of X.509 certificates in place of
username and password credentials.
* <<configuring-auditing, Index Output for Audit Events>>: An index based output has been added for storing audit events in an Elasticsearch index.
.Enhancements
* TLS 1.2 is now the default protocol. * TLS 1.2 is now the default protocol.
* Clients that do not support pre-emptive basic authentication can now support both anonymous and authenticated access * Clients that do not support pre-emptive basic authentication can now support both anonymous and authenticated access
by specifying the `shield.authc.anonymous.authz_exception` <<anonymous-access,setting>> with a value of `false`. by specifying the `shield.authc.anonymous.authz_exception` <<anonymous-access,setting>> with a value of `false`.
* Reduced logging for common SSL exceptions, such as a client closing the connection during a handshake. * Reduced logging for common SSL exceptions, such as a client closing the connection during a handshake.
.bug fixes .Bug Fixes
* The `esusers` and `syskeygen` tools now work correctly with environment variables in the RPM and DEB installation * The `esusers` and `syskeygen` tools now work correctly with environment variables in the RPM and DEB installation
environment files `/etc/sysconfig/elasticsearch` and `/etc/default/elasticsearch`. environment files `/etc/sysconfig/elasticsearch` and `/etc/default/elasticsearch`.
* Default ciphers no longer include `TLS_DHE_RSA_WITH_AES_128_CBC_SHA`. * Default ciphers no longer include `TLS_DHE_RSA_WITH_AES_128_CBC_SHA`.
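Review bot: With Breaking Changes moved to the top of 1.3.0, two default changes that can affect existing clients still sit lower down: "TLS 1.2 is now the default protocol" under Enhancements and "Default ciphers no longer include `TLS_DHE_RSA_WITH_AES_128_CBC_SHA`" under Bug Fixes. A reader who scans only the first block will miss them. Either list both under Breaking Changes or add a one-line pointer there, and say which setting restores the previous protocol or cipher list for clients that cannot be upgraded.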
@ -116,7 +125,7 @@ will be necessary. When upgrading from other versions of Shield, follow the norm
[float] [float]
==== 1.2.3 ==== 1.2.3
.bug fixes .Bug Fixes
* Fixes <<enable-message-authentication,message authentication>> serialization to work with Shield 1.2.1 and earlier. * Fixes <<enable-message-authentication,message authentication>> serialization to work with Shield 1.2.1 and earlier.
** NOTE: if you are upgrading from Shield 1.2.2 a {ref-17}/setup-upgrade.html#restart-upgrade[cluster restart upgrade] ** NOTE: if you are upgrading from Shield 1.2.2 a {ref-17}/setup-upgrade.html#restart-upgrade[cluster restart upgrade]
will be necessary. When upgrading from other versions of Shield, follow the normal <<upgrade-instructions,upgrade procedure>>. will be necessary. When upgrading from other versions of Shield, follow the normal <<upgrade-instructions,upgrade procedure>>.
@ -124,7 +133,7 @@ will be necessary. When upgrading from other versions of Shield, follow the norm
[float] [float]
==== 1.2.2 ==== 1.2.2
.bug fixes .Bug Fixes
* The `esusers` tool no longer warns about missing roles that are properly defined in the `roles.yml` file. * The `esusers` tool no longer warns about missing roles that are properly defined in the `roles.yml` file.
* The period character, `.`, is now allowed in usernames and role names. * The period character, `.`, is now allowed in usernames and role names.
* The {ref-17}/query-dsl-terms-filter.html#_caching_19[terms filter lookup cache] has been disabled to ensure all requests * The {ref-17}/query-dsl-terms-filter.html#_caching_19[terms filter lookup cache] has been disabled to ensure all requests
@ -136,27 +145,27 @@ will be necessary. When upgrading from other versions of Shield, follow the norm
[float] [float]
==== 1.2.1 ==== 1.2.1
.bug fixes .Bug Fixes
* Several bug fixes including a fix to ensure that {ref-17}/disk.html[Disk-based Shard Allocation] * Several bug fixes including a fix to ensure that {ref}/disk.html[Disk-based Shard Allocation]
works properly with Shield works properly with Shield
[float] [float]
==== 1.2.0 ==== 1.2.0
.enhancements .Enhancements
* Adds support for Elasticsearch 1.5 * Adds support for Elasticsearch 1.5
[float] [float]
==== 1.1.1 ==== 1.1.1
.bug fixes .Bug Fixes
* Several bug fixes including a fix to ensure that {ref-17}/disk.html[Disk-based Shard Allocation] * Several bug fixes including a fix to ensure that {ref}/disk.html[Disk-based Shard Allocation]
works properly with Shield works properly with Shield
[float] [float]
==== 1.1.0 ==== 1.1.0
.new features .New Features
* LDAP: * LDAP:
** Add the ability to bind as a specific user for LDAP searches, which removes the need to specify `user_dn_templates`. ** Add the ability to bind as a specific user for LDAP searches, which removes the need to specify `user_dn_templates`.
This mode of operation also makes use of connection pooling for better performance. Please see <<ldap-user-search, ldap user search>> This mode of operation also makes use of connection pooling for better performance. Please see <<ldap-user-search, ldap user search>>
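Review bot: The disk-based shard allocation links in 1.2.1 and 1.1.1 move from `{ref-17}/disk.html` to `{ref}/disk.html`, but the terms filter lookup cache link in 1.2.2 and the restart-upgrade links in 1.3.1 and 1.2.3 stay on `{ref-17}`. Please confirm that `disk.html` resolves under the `{ref}` target for this branch and state in the commit message why only these two links change; if the aim is to retire `{ref-17}`, the remaining uses should be handled in the same commit. Both changed bullets also end without a period ("works properly with Shield").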
@ -167,27 +176,27 @@ for more information.
* IP Filtering: * IP Filtering:
** IP Filtering settings can now be <<dynamic-ip-filtering,dynamically updated>> using the {ref}/cluster-update-settings.html[Cluster Update Settings API]. ** IP Filtering settings can now be <<dynamic-ip-filtering,dynamically updated>> using the {ref}/cluster-update-settings.html[Cluster Update Settings API].
.enhancements .Enhancements
* Significant memory footprint reduction of internal data structures * Significant memory footprint reduction of internal data structures
* Test if SSL/TLS ciphers are supported and warn if any of the specified ciphers are not supported * Test if SSL/TLS ciphers are supported and warn if any of the specified ciphers are not supported
* Reduce the amount of logging when a non-encrypted connection is opened and `https` is being used * Reduce the amount of logging when a non-encrypted connection is opened and `https` is being used
* Added the <<kibana4-roles, `kibana4_server` role>>, which is a role that contains the minimum set of permissions required for the Kibana 4 server. * Added the <<kibana4-roles, `kibana4_server` role>>, which is a role that contains the minimum set of permissions required for the Kibana 4 server.
* In-memory user credential caching hash algorithm defaults now to salted SHA-256 (see <<ref-cache-hash-algo, Cache hash algorithms>> * In-memory user credential caching hash algorithm defaults now to salted SHA-256 (see <<ref-cache-hash-algo, Cache hash algorithms>>
.bug fixes .Bug Fixes
* Filter out sensitive settings from the settings APIs * Filter out sensitive settings from the settings APIs
[float] [float]
==== 1.0.2 ==== 1.0.2
.bug fixes .Bug Fixes
* Filter out sensitive settings from the settings APIs * Filter out sensitive settings from the settings APIs
* Significant memory footprint reduction of internal data structures * Significant memory footprint reduction of internal data structures
[float] [float]
==== 1.0.1 ==== 1.0.1
.bug fixes .Bug Fixes
* Fixed dependency issues with Elasticsearch 1.4.3 and (Lucene 4.10.3 that comes with it) * Fixed dependency issues with Elasticsearch 1.4.3 and (Lucene 4.10.3 that comes with it)
* Fixed bug in how user roles were handled. When multiple roles were defined for a user, and one of the * Fixed bug in how user roles were handled. When multiple roles were defined for a user, and one of the
roles only had cluster permissions, not all privileges were properly evaluated. roles only had cluster permissions, not all privileges were properly evaluated.
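Review bot: Two punctuation defects in the unchanged lines of this hunk are worth fixing while the headings are being cleaned up. In 1.1.0 Enhancements the parenthesis opened at "(see <<ref-cache-hash-algo, Cache hash algorithms>>" is never closed, and in 1.0.1 the parenthesis in "Elasticsearch 1.4.3 and (Lucene 4.10.3 that comes with it)" is misplaced and should read "Elasticsearch 1.4.3 (and the Lucene 4.10.3 that comes with it)". The Enhancements and Bug Fixes bullets in 1.1.0 and 1.0.2 also lack terminal periods, unlike the 2.x entries.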