Releases: opensearch-project/security

Release v1.0.0.0-beta1

13 May 21:58
80ebcf4

Compatible with OpenSearch 1.0.0-beta1.

Enhancements

  • Check and create multi-tenant index with alias for Update and Delete requests. Try to find a name for the multi-tenant index if index/alias with ".kibana_..._#" already exists (#1058)

Bug fixes

  • [Fix][Usage][Hasher] wrong file reference hash.sh (#1093)

Maintenance

  • Redact BCrypt security config internal hashes from audit logs (#756)
  • Update docs on snapshot restore settings (#814)
  • Optimize debug log enable check (#895)
  • Correcting setupSslOnlyMode to use AbstractSecurityUnitTest.hasCustomTransportSettings() (#1057)
  • Remove code setting the value for cluster.routing.allocation.disk.threshold_enabled (#1067)
  • Rename for OpenSearch (#1126)
  • Fix CI (#1131)
  • Consume OpenSearch 1.0.0-alpha1 (#1132)
  • Change name and version of plugin (#1133)
  • Build with OpenSearch 1.0.0-alpha2 (#1140)
  • Bump plugin version to beta1 (#1141)
  • Build security plugin with OpenSearch 1.0.0-beta1 (#1143)
  • Change opensearch version to use (#1146)
  • Fix echo messages and anchor links (#1147)
  • Update static roles for compatibility for new indices used in OpenSearch Dashboards (#1148)
  • Update release note for OpenSearch Security Plugin 1.0.0.0-beta1 (#1152)

Release v1.13.1.0

05 Mar 19:40
4eb05dc

Compatible with Elasticsearch 7.10.2.

Bug fixes

  • Fix for "java.lang.IllegalArgumentException: The array of keys must not be null" for "_cat/health" requests (#1048)
  • Revert "Fix AuthCredentials equality (#876)" to improve performance (#1061)

Maintenance

  • Bump version to 1.13.1.0 (#1054)
  • Update release notes 1.13.1 (#1063)

Release v1.13.0.0

18 Feb 02:18
68e7e08

Compatible with Elasticsearch 7.10.2.

Enhancements

  • Using SAML subject_key and roles_key in the HTTPSamlAuthenticator (#892)
  • Support for ES system index (#946)
  • Updating Authenticators to throw RuntimeException on errors (#505)
  • Add security configuration for Kibana Notebooks (#903)
  • Short circuit privilege evaluation for bulk requests without index resolution (#926)
  • Added async search response index to system index list (#859)

Bug fixes

  • Replace InjectedUser with User during serialization (#891)
  • ConfigUpdateRequest should include only updated CType (#953)
  • Fix AuthCredentials equality (#876)
  • Revert "Using SAML subject_key and roles_key in the HTTPSamlAuthenticator" (#1019)

Maintenance

  • Pull request intake form (PR template) (#884)
  • Fix typos in template (#898)
  • Upgrade Bouncy Castle to 1.67 (#910)
  • Optimize creating new collection objects in IndexResolverReplacer (#911)
  • Optimize by avoiding creating wildcard matchers for every request (#902)
  • Replace writeByte with writeShort in TLSUtilTests (#927)
  • Integrate Github CodeQL Analysis into CI (#905)
  • Rename security plugin artifacts from opendistro_security to opendistro-security (#966)
  • Remove veracode profile and associated config (#992)
  • Try using another port 8088 for running the webhook test (#999)
  • Cleanup single shard request index check (#993)
  • add AD search task permission to ad read access (#997)
  • Change CD workflow to use new staging bucket for artifacts (#954)
  • Refactor Resolved (#929)
  • Combine log messages of no cluster-level permission (#1002)
  • Support ES 7.10.2 (#1005)
  • Bump version to 1.13 (#1004)
  • Cleanup reflection helper and advanced modules enabled / dls fls enab… (#1001)
  • Sample configuration for password strength rules (#1020)
  • Updating Github actions and files to use main branch. (#1023)
  • Add the Linux Foundation's Developer Certificate of Origin in pull request template (#1022)
  • Change the build configuration for deb package and rename the folder of artifacts. (#1027)
  • Update release notes 1.13 (#1028)
  • Fix release version (#1029)
  • Revert back the renaming of jar file and update release notes 1.13 (#1031)
  • Fixed async search action names and system index (#1033)
  • Update release notes 1.13 (#1036)

Release v1.12.0.0

15 Dec 23:17
cb9607f

Compatible with Elasticsearch 7.10.0

Enhancements

  • Adding support for SSL dual mode (#712)
  • When replacing .kibana index with multi-tenant index, create index with alias if one does not already exist (#765)
  • Demo Config : Adding AD Indices to system index and creating pre-defined roles (#776)
  • Add user & roles to the thread context (#798)
  • Security configuration for reporting and notification plugins (#836)
  • Support user injection for transport requests (#763)
  • Support ES 7.10.0 (#840)
  • Support certs with separate Extended Key Usage (#493)
  • Adding requested tenant to the thread context transient info for consumption (#850)

Bug fixes

  • Fix missing trim when parsing roles in proxy authenticator (#766)
  • Fix empty password issue in upgrade from 6x to 7x (#816)
  • Reject empty password in internal user creation (#818)
  • Use reflection to get reduceOrder, termBytes and format due to java.lang.IllegalAccessError (#866)
  • Fix for java.io.OptionalDataException that is caused by changes to User object after it is put on thread context. (#869)
  • Catch and respond with invalid_index_name_exception when an index with an invalid name is mentioned (#865)

Maintenance

  • Create release drafter (#769)
  • Upgrade junit to 4.13.1 (#835)
  • updating static_roles.yml (#838)
  • Security configuration cleanup for static and test resources (#841)
  • Change version to 1.12.0.0 (#860)
  • Upgrade github CD action to using Environment Files (#862)
  • Refactor getUserInfoString (#864)
  • Update 1.12 release notes (#867)
  • Update 1.12 release notes (#872)
  • Use StringJoiner instead of (Immutable)List builder (#877)

Release v1.11.0.0

28 Oct 00:48
0f8af6b

Compatible with Elasticsearch version 7.9.1

Enhancements

  • Restrict configured indices access to adminDn only. #690

Bug fixes

  • Fix IllegalStateException that is raised when AuditLogImpl.close() is called from ES Bootstrap shutdown hook. #764
  • Initialize opendistro_role to null in ConfigV6.Kibana and ConfigV7.Kibana so the default value is not persisted in the open distro security config index. #740
  • Removing newline whitespace from metadata content #734

Maintenance

  • Enable alerting in Demo config for plugins security and default alerting roles #768
  • Generate SHA-512 checksum for opendistro_security .zip only (exclude securityadmin-standalone) #753
  • Consolidate writeable resource validation check #752
  • Exclude jakarta.activation-api library from CXF transient dependencies to avoid conflict with jakarta.activation. #751
  • Upgrade Apache CXF to 3.4.0 #717

Release v1.10.1.0

01 Oct 00:49
c2b26ed

Support Elasticsearch version 7.9.1

Enhancements

  • Remove cluster monitor check from audit transport check (#653)
  • Enable or disable check for all audit REST and transport categories (#645)
  • Add ability for plugins to inject roles (#560)

Bug fixes

  • Remove exception details from responses (#667)
  • Adding onelogin loadXML util helper to prevent XXE attacks (#659)
  • Add non-null to store even non-default values in serialization (#652)
  • Refactor opendistro_security_action_trace logger (#609)
  • Fail on invalid rest and transport categories (#638)
  • Correct a typo in the Readme file. (#607)
  • Fix AccessControlException during HTTPSamlAuthenticator initialization. (#626)
  • Remove unnecessary check of remote address for null (#616)
  • Prevent hidden roles from being added via rolesmapping and internalusers API (#614)

Maintenance

  • Support ES 7.9.1 (#706)
  • Support ES 7.9.0 (#661)
  • Close AuditLog while closing OpenDistroSecurityPlugin and unregister shutdown hook when closing AuditLogImpl. (#663)
  • Fix unit tests failures in HTTPSamlAuthenticatorTest (#664)
  • Add copyright headers for audit classes (#644)
  • Clean up rest and transport header filtering (#637)
  • Upgrade jackson-databind to 2.11.2 (#618)

Release v1.9.0.2

04 Sep 02:07
1c86d68

Install

  • To install the plugin, navigate to the Elasticsearch home directory and run:
    sudo bin/elasticsearch-plugin install https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-security/opendistro_security-1.9.0.2.zip

Enhancements

  • Remove cluster monitor check from audit transport check (#653)
  • Enable or disable check for all audit REST and transport categories (#645)
  • Add ability for plugins to inject roles (#560)

Bug fixes

  • Remove exception details from responses (#667)
  • Adding onelogin loadXML util helper to prevent XXE attacks (#659)
  • Add non-null to store even non-default values in serialization (#652)
  • Refactor opendistro_security_action_trace logger (#609)
  • Fail on invalid rest and transport categories (#638)
  • Correct a typo in the Readme file. (#607)
  • Fix AccessControlException during HTTPSamlAuthenticator initialization. (#626)
  • Remove unnecessary check of remote address for null (#616)
  • Prevent hidden roles from being added via rolesmapping and internalusers API (#614)

Maintenance

  • Close AuditLog while closing OpenDistroSecurityPlugin and unregister shutdown hook when closing AuditLogImpl. (#663)
  • Fix unit tests failures in HTTPSamlAuthenticatorTest (#664)
  • Add copyright headers for audit classes (#644)
  • Clean up rest and transport header filtering (#637)
  • Upgrade jackson-databind to 2.11.2 (#618)

Release v1.9.0.1

30 Jul 18:19
70994ee

Enhancements

  • Hot reloading audit configuration (#409)
  • Add configuration for REST API whitelisting (#520)
  • Implement ability to configure readonly fields for audit configuration (#559)
  • Decrypt SAML assertions (#539)
  • Add REST API method to audit logging (#589)
  • Log index event requests on transport layer (#588)
  • Added kibana attribute to security config which will be used by tenantinfo api. (#514)
  • Log granted privileges on REST layer if user has access to opendistro APIs (#594)

Bug fixes

  • Fix broken link to security configuration page (#558)
  • Make sure Internal users API supports adding reserved opendistrosecurityroles
    (by superuser). Do not filter out reserved roles in the InternalUsersModelV7 (#556)
  • Removing hidden/reserved roles added via roles mapping (#586)

Maintenance

  • Refactoring: moved getSettingAsSet() method and DEFAULT_DISABLED_CATEGORIES from AuditConfig to ConfigConstants. (#543)
  • Introduced method to construct AuditCategory EnumSet from Settings (#543)
  • Use Jackson to serialize and de-serialize audit configuration (#542)
  • Support "true" and "false" String to boolean conversion in DefaultObjectMapper.getOrDefault() (#548)
  • Removing static ILM action groups (#552)
  • Fix failing NodesDnApiTest#testNodesDnApi (#568)
  • Upgrade Apache CXF to 3.2.14 (#577)
  • Upgrade Apache Kafka Client to 2.5.0 (#584)
  • Upgrade Onelogin Java SAML to 2.5.0 (#585)
  • Upgrade Bouncy Castle to 1.66 (#603)
  • Upgrade OpenSAML SAML Provider Implementations to 3.4.5 (#604)

Release v1.9.0.0

07 Jul 17:45
1d007f7

Supported Elasticsearch version 7.8.0

Enhancements

  • Added support for Elasticsearch 7.8.0 (#516)
  • Allow superadmin to update/delete hidden resources (#513)
  • Added metadata_content to SAML config (#477, #495)
  • Implemented put if absent behavior for security config (#402)

Bug fixes

  • Removed the faulty index exists check and have more predictable behavior (#517)
  • Avoid using Basic Authorization header as JWT token (#501)
  • Granted access to all packages under com.sun.jndi (#494)
  • Prevented users from mapping to hidden/reserved opendistro_security_roles (#486)
  • Checked for substitute permissions before attempting to use SafeObjectOutputStream (#478)

Maintenance

  • Updated Maven endpoint URL for deployment (#519)
  • Avoid using reflection to instantiate OpenDistroSecurityFlsDlsIndexSearcherWrapper (#511)
  • Bumped Jackson-databind version (#509)
  • Refactored salt from compliance config into Salt class (#506)
  • Fixed typo in DefaultOpenDistroSecurityKeyStore.java (#502)
  • Refactored to use indexing operation listener for every index module call (#491)
  • Moved compliance ignore users from audit config to compliance config (#484)
  • Removed immutable indices from compliance config (#483)
  • Updated CD workflow to publish artifacts to maven central (#481)
  • Refactored Base64Helper class (#468)
  • Refactored WildcardMatcher (#458)

Release v1.8.0.0

22 May 16:43

Supported Elasticsearch version 7.7.0

Enhancements

  • Added support for Elasticsearch 7.7.0 (#361, #461)
  • Implemented migration and validation APIs for version upgrade (#454)

Maintenance

  • Jackson-databind version bump (#406)