Releases: opensearch-project/security
2.17.0.0
Version 2.17.0 Release Notes
Compatible with OpenSearch and OpenSearch Dashboards version 2.17.0
Enhancements
- Add `ignore_hosts` config option for auth failure listener (#4538)
- Added API roles for correlationAlerts (#4689)
- Allow multiple signing keys to be provided (#4666)
- adding alerting comments security actions to roles.yml (#4700)
- Permission changes for correlationAlerts (#4704)
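The `ignore_hosts` option above lets the auth failure listener skip clients that should never be rate-limited (a load balancer or health checker that fronts many users, for example). The following is an added example written for these notes, not the plugin's own implementation: it reproduces the listener's knobs (`allowed_tries`, `time_window_seconds`, `block_expiry_seconds`, `ignore_hosts`) in a small sliding-window tracker with an injectable clock, so the blocking and allow-list behaviour can be exercised deterministically. The class names, CIDR handling and the constructed scenario in `demo()` are the example's own assumptions.

```python
"""Illustrative auth-failure rate limiter with an ignore_hosts allowlist.

Added example for these release notes; it is not the OpenSearch Security
plugin's own implementation. The knob names (allowed_tries,
time_window_seconds, block_expiry_seconds, ignore_hosts) follow the
ip_rate_limiting auth failure listener the notes refer to (#4538); the
class and method names, and the CIDR handling, are this example's own.
"""
import ipaddress
from collections import deque
from dataclasses import dataclass, field


@dataclass
class RateLimiterConfig:
    allowed_tries: int = 10          # failures within the window before blocking
    time_window_seconds: int = 3600  # sliding window over which failures count
    block_expiry_seconds: int = 600  # how long a block lasts
    # Assumed semantics of ignore_hosts: failures from these hosts/CIDRs are
    # never counted, so a shared load balancer or health checker cannot be
    # locked out (or lock everyone behind it out) by a burst of bad credentials.
    ignore_hosts: list = field(default_factory=list)


class AuthFailureTracker:
    def __init__(self, config, clock):
        # clock() returns the current time in seconds; injected so tests
        # can advance time deterministically instead of sleeping.
        self.cfg = config
        self.clock = clock
        self._ignored = [ipaddress.ip_network(h, strict=False) for h in config.ignore_hosts]
        self._failures = {}  # client ip -> deque of failure timestamps
        self._blocked = {}   # client ip -> block expiry timestamp

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._ignored)

    def is_blocked(self, ip):
        if self.is_ignored(ip):
            return False
        expiry = self._blocked.get(ip)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            # Block expired: forget the client entirely so it starts clean.
            del self._blocked[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Count one failed authentication; return True if ip is now blocked."""
        if self.is_ignored(ip):
            return False
        now = self.clock()
        window = self._failures.setdefault(ip, deque())
        window.append(now)
        cutoff = now - self.cfg.time_window_seconds
        while window and window[0] <= cutoff:  # drop failures outside the window
            window.popleft()
        if len(window) >= self.cfg.allowed_tries:
            self._blocked[ip] = now + self.cfg.block_expiry_seconds
            return True
        return False


class FakeClock:
    """Settable clock for deterministic tests."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


def demo():
    """Constructed scenario (not real traffic): returns observed outcomes."""
    clock = FakeClock()
    cfg = RateLimiterConfig(allowed_tries=3, time_window_seconds=60,
                            block_expiry_seconds=120,
                            ignore_hosts=["127.0.0.1", "10.0.0.0/8"])
    tracker = AuthFailureTracker(cfg, clock)
    results = {}

    for _ in range(3):                       # attacker burns through its tries
        tracker.record_failure("203.0.113.7")
    results["attacker_blocked"] = tracker.is_blocked("203.0.113.7")

    for _ in range(50):                      # allow-listed host is never tracked
        tracker.record_failure("10.1.2.3")
    results["ignored_host_blocked"] = tracker.is_blocked("10.1.2.3")

    tracker.record_failure("198.51.100.9")   # two old failures ...
    clock.now = 1
    tracker.record_failure("198.51.100.9")
    clock.now = 70                           # ... fall out of the 60 s window
    results["slow_client_blocked"] = tracker.record_failure("198.51.100.9")

    clock.now = 121                          # attacker's 120 s block has lapsed
    results["attacker_blocked_after_expiry"] = tracker.is_blocked("203.0.113.7")
    return results
```

Two things worth noting when tuning the real listener the same way: an ignored host is exempt from both counting and blocking, so the allow-list should be as narrow as the trusted intermediaries actually are; and because the block is keyed on the client address, anything that hides many users behind one NAT address will hit `allowed_tries` collectively.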
Bug Fixes
- Addresses a bug with `plugins.security.allow_unsafe_democertificates` setting (#4603)
- Fix coverage-report workflow (#4684, #4683)
- Handle the audit config being null (#4664)
- Fixes authtoken endpoint (#4631)
- Fixed READ_ACTIONS required by TermsAggregationEvaluator (#4607)
- Sort the DNS Names in the SANs (#4640)
Maintenance
- Bump com.google.errorprone:error_prone_annotations from 2.30.0 to 2.31.0 (#4696)
- Bump org.passay:passay from 1.6.4 to 1.6.5 (#4682)
- Bump spring_version from 5.3.37 to 5.3.39 (#4661)
- Bump commons-cli:commons-cli from 1.8.0 to 1.9.0 (#4659)
- Bump org.junit.jupiter:junit-jupiter from 5.10.3 to 5.11.0 (#4657)
- Bump org.cryptacular:cryptacular from 1.2.6 to 1.2.7 (#4656)
- Update Gradle to 8.10 (#4646)
- Bump org.xerial.snappy:snappy-java from 1.1.10.5 to 1.1.10.6 (#4639)
- Bump com.google.googlejavaformat:google-java-format from 1.22.0 to 1.23.0 (#4622)
- Increment version to 2.17.0-SNAPSHOT (#4615)
- Backports PRs with `backport-failed` labels that weren't actually backported (#4610)
- Bump io.dropwizard.metrics:metrics-core from 4.2.26 to 4.2.27 (#4660)
- Bump com.netflix.nebula.ospackage from 11.9.1 to 11.10.0 (#4681)
- Interim build fix for PluginSubject related changes (#4694)
- Add Nils Bandener (Github: nibix) as a maintainer (#4673)
- Remove usages of org.apache.logging.log4j.util.Strings (#4653)
- Update backport section of PR template (#4625)
- Bump org.checkerframework:checker-qual from 3.45.0 to 3.46.0 (#4623)
- Refactor security provider instantiation (#4611)
1.3.19.0
2.16.0.0
Version 2.16.0 Release Notes
Compatible with OpenSearch and OpenSearch Dashboards version 2.16.0
Enhancements
- Add support for PBKDF2 for password hashing & add support for configuring BCrypt and PBKDF2 (#4524)
- Separated DLS/FLS privilege evaluation from action privilege evaluation (#4490)
- Update PULL_REQUEST_TEMPLATE to include an API spec change in the checklist. (#4533)
- Update PATCH API to fail validation if nothing changes (#4530)
- Refactor InternalUsers REST API test (#4481)
- Refactor Role Mappings REST API test (#4450)
- Remove special handling for do_not_fail_on_forbidden on cluster actions (#4486)
- Add Tenants REST API test and partial fix (#4166)
- Refactor Roles REST API test and partial fix #4166 (#4433)
- New algorithm for resolving action groups (#4448)
- Check block request only if system index (#4430)
- Replaced uses of SecurityRoles by Set mappedRoles where the SecurityRoles functionality is not needed (#4432)
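The first enhancement above (#4524) makes the password hashing function and its parameters configurable. To make the knobs concrete, here is an added example, not the plugin's code, of PBKDF2 hashing with a selectable PRF, iteration count and derived-key length, a constant-time verify, and a check for hashes that were produced under a weaker policy and should be re-hashed on the next successful login. The `$pbkdf2-<prf>$i=...,l=...$salt$hash` encoding and the policy minimums are this example's own assumptions and are not how the plugin stores or checks hashes; BCrypt is left out because it needs a third-party library.

```python
"""Illustrative PBKDF2 password hashing with a configurable PRF, iteration
count and derived-key length, plus a verify and a needs-rehash check.

Added example for these release notes, not the plugin's code. The 2.16 notes
(#4524) say BCrypt and PBKDF2 became configurable; the encoding used below
($pbkdf2-<prf>$i=...,l=...$salt$hash) and the policy limits are this
example's own and are not how the plugin stores or checks hashes.
"""
import base64
import hashlib
import hmac
import os

# Example policy (assumption): PRFs we accept and their digest sizes in bytes.
SUPPORTED_PRFS = {"sha256": 32, "sha512": 64}
MIN_ITERATIONS = 10_000


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def pbkdf2_hash(password: str, *, function="sha256", iterations=600_000,
                length=32, salt=None) -> str:
    """Derive a salted PBKDF2 hash and encode it together with its parameters."""
    function = function.lower()
    if function not in SUPPORTED_PRFS:
        raise ValueError(f"unsupported PRF {function!r}")
    if iterations < MIN_ITERATIONS:
        raise ValueError("iteration count below policy minimum")
    if not 16 <= length <= SUPPORTED_PRFS[function]:
        raise ValueError("derived key length must be between 16 bytes and the digest size")
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(function, password.encode("utf-8"), salt, iterations, dklen=length)
    return f"$pbkdf2-{function}$i={iterations},l={length}${_b64(salt)}${_b64(dk)}"


def _parse(stored: str):
    """Split the encoded form back into (prf, iterations, length, salt, hash)."""
    _, scheme, params, salt_b64, dk_b64 = stored.split("$")
    function = scheme[len("pbkdf2-"):]
    kv = dict(p.split("=") for p in params.split(","))
    return function, int(kv["i"]), int(kv["l"]), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the parameters stored alongside the hash; compare in constant time."""
    function, iterations, length, salt, expected = _parse(stored)
    if function not in SUPPORTED_PRFS:
        return False
    candidate = hashlib.pbkdf2_hmac(function, password.encode("utf-8"), salt, iterations, dklen=length)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, *, function="sha256", iterations=600_000, length=32) -> bool:
    """True if the stored hash used weaker settings than the current policy,
    so it should be re-hashed the next time the password is presented."""
    prf, iters, dklen, _, _ = _parse(stored)
    return prf != function.lower() or iters < iterations or dklen < length


def demo() -> dict:
    """Constructed scenario: a legacy low-iteration hash still verifies but is
    flagged for upgrade once the policy moves to SHA-512 / 20k iterations."""
    legacy = pbkdf2_hash("correct horse battery staple", iterations=10_000,
                         salt=b"constructed-salt")  # fixed salt only for the demo
    policy = dict(function="sha512", iterations=20_000, length=64)
    out = {
        "legacy_verifies": pbkdf2_verify("correct horse battery staple", legacy),
        "wrong_password_verifies": pbkdf2_verify("Tr0ub4dor&3", legacy),
        "legacy_needs_rehash": needs_rehash(legacy, **policy),
    }
    upgraded = pbkdf2_hash("correct horse battery staple", **policy)
    out["upgraded_needs_rehash"] = needs_rehash(upgraded, **policy)
    out["upgraded_verifies"] = pbkdf2_verify("correct horse battery staple", upgraded)
    return out
```

The point of storing the parameters next to the hash is the migration path: raising the configured iteration count must not invalidate existing users, so verification always uses the stored parameters and the stronger settings only take effect when `needs_rehash` triggers a rewrite after a successful login.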
Bug Fixes
- Fixed test failures in FlsAndFieldMaskingTests (#4548)
- Typo in securityadmin.sh hint (#4526)
- Fix NPE getting metaFields from mapperService on a close index request (#4497)
- Fixes flaky integration tests (#4452)
Maintenance
- Remove unused dependency Apache CXF (#4580)
- Remove unnecessary return statements (#4558)
- Refactor and update existing ml roles (#4151)
- Replace JUnit assertEquals() with Hamcrest matchers assertThat() (#4544)
- Update Gradle to 8.9 (#4553)
- Bump org.checkerframework:checker-qual from 3.44.0 to 3.45.0 (#4531)
- Add security analytics threat intel action (#4498)
- Bump kafka_version from 3.7.0 to 3.7.1 (#4501)
- Bump org.junit.jupiter:junit-jupiter from 5.10.2 to 5.10.3 (#4503)
- Bump com.fasterxml.woodstox:woodstox-core from 6.6.2 to 6.7.0 (#4483)
- Bump jjwt_version from 0.12.5 to 0.12.6 (#4484)
- Bump org.eclipse.platform:org.eclipse.core.runtime from 3.31.0 to 3.31.100 (#4467)
- Bump spring_version from 5.3.36 to 5.3.37 (#4466)
- Update to Gradle 8.8 (#4459)
1.3.18.0
2.15.0.0
Version 2.15.0 Release Notes
Compatible with OpenSearch and OpenSearch Dashboards version 2.15.0
Enhancements
- Replace BouncyCastle's OpenBSDBCrypt use with password4j for password hashing and verification (#4428)
- Adds validation for the action groups type key (#4411)
- Made sensitive header log statement more clear (#4372)
- Refactor ActionGroup REST API test and partial fix #4166 (#4371)
- Support multiple audience for jwt authentication (#4363)
- Configure masking algorithm default (#4345)
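Two JWT changes in these notes go together: 2.15 added support for multiple audiences (#4363 above) and 2.17 allows multiple signing keys (#4666). The following is an added example, not the plugin's code, of what a verifier that honours both looks like: a token is accepted if it validates under any one of the configured keys (so keys can be rotated without a flag day) and its `aud` claim, string or list, contains at least one of the required audiences. The OpenSearch Security settings `signing_key` and `required_audience` are referenced only by name; the HS256 implementation, helper names, keys and claims are the example's own constructions.

```python
"""Illustrative HS256 JWT verification that accepts a token signed by any one
of several configured keys and bearing any one of several required audiences.

Added example for these release notes, not the plugin's own code. The
OpenSearch Security JWT authenticator's signing_key and required_audience
settings are referenced only by name; all function names here are the
example's own, and the keys and claims are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 token (used here only to build test inputs)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(part, separators=(",", ":")).encode())
             for part in (header, claims)]
    signing_input = ".".join(parts).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])


def verify_jwt(token: str, signing_keys, required_audiences, now=None) -> dict:
    """Return the claims if the token verifies; raise ValueError otherwise.

    signing_keys: iterable of candidate HMAC keys (old and new, for rotation).
    required_audiences: acceptable aud values; the token's aud (string or
    list) must contain at least one of them. An empty set disables the check.
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm before looking at the signature: this also rejects
    # alg=none and any asymmetric alg a client might try to substitute.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    signing_input = f"{h_b64}.{p_b64}".encode("ascii")
    presented = _b64url_decode(s_b64)
    if not any(hmac.compare_digest(hmac.new(k, signing_input, hashlib.sha256).digest(), presented)
               for k in signing_keys):
        raise ValueError("signature does not verify under any configured key")
    claims = json.loads(_b64url_decode(p_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if required_audiences and not set(aud) & set(required_audiences):
        raise ValueError(f"audience {aud} matches none of {sorted(required_audiences)}")
    return claims


def demo() -> dict:
    """Constructed rotation scenario: two live keys, two accepted audiences."""
    old_key = b"constructed-old-hmac-key-0123456789ab"
    new_key = b"constructed-new-hmac-key-ba9876543210"
    keys = [old_key, new_key]
    audiences = {"opensearch", "dashboards"}
    now = 1_700_000_000
    out = {}
    tok = mint_hs256({"sub": "alice", "aud": "opensearch", "exp": now + 300}, old_key)
    out["old_key_subject"] = verify_jwt(tok, keys, audiences, now)["sub"]
    tok = mint_hs256({"sub": "bob", "aud": ["billing", "dashboards"], "exp": now + 300}, new_key)
    out["new_key_subject"] = verify_jwt(tok, keys, audiences, now)["sub"]
    for label, token in {
        "unknown_key": mint_hs256({"sub": "eve", "aud": "opensearch"}, b"attacker-chosen-key"),
        "wrong_audience": mint_hs256({"sub": "mallory", "aud": "kibana"}, new_key),
        "expired": mint_hs256({"sub": "carol", "aud": "opensearch", "exp": now - 1}, new_key),
    }.items():
        try:
            verify_jwt(token, keys, audiences, now)
            out[label + "_rejected"] = False
        except ValueError:
            out[label + "_rejected"] = True
    return out
```

Trying every configured key is what makes rotation safe, but it also means every key in the list is a valid issuer for as long as it stays configured; remove the old key once the last tokens it signed have expired, and keep the audience check strict so a token minted for one service cannot be replayed against another.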
Bug Fixes
- Add cat/alias support for DNFOF (#4440)
- Add support for ipv6 ip address in user injection (#4409)
- [Fix #4280] Introduce new endpoint _plugins/_security/api/certificates (#4355)
Maintenance
- Bump com.nimbusds:nimbus-jose-jwt from 9.37.3 to 9.40 (#4337)(#4353)(#4396)(#4424)
- Bump Wandalen/wretry.action from 3.4.0 to 3.5.0 (#4335)
- Bump spring_version from 5.3.34 to 5.3.36 (#4352)(#4368)
- Bump org.apache.camel:camel-xmlsecurity from 3.22.1 to 3.22.2 (#4324)
- Bump com.google.errorprone:error_prone_annotations from 2.27.0 to 2.27.1 (#4323)
- Bump org.checkerframework:checker-qual from 3.42.0 to 3.43.0 (#4322)
- Bump org.scala-lang:scala-library from 2.13.13 to 2.13.14 (#4321)
- Bump commons-validator:commons-validator from 1.8.0 to 1.9.0 (#4395)
- Bump com.netflix.nebula.ospackage from 11.9.0 to 11.9.1 (#4394)
- Bump com.google.errorprone:error_prone_annotations from 2.27.1 to 2.28.0 (#4389)
- Bump commons-cli to 1.8.0 (#4369)
- Fix DelegatingRestHandlerTests (#4435)
- Extracted the user attr handling methods from ConfigModelV7 into its own class (#4431)
- Bump io.dropwizard.metrics:metrics-core and org.checkerframework:checker-qual (#4425)
- Bump gradle to 8.7 version (#4377)
- Updating security reachout email (#4333)
- REST API tests refactoring (#4252 and #4255) (#4328)
- Fix flaky tests (#4331)
- Move REST API tests into integration tests (Part 1) (#4153)
- fix build errors caused by filterIndices method being moved from SnapshotUtils to IndexUtils (#4319)
- Extract route paths prefixes into constants (#4358)
1.3.17.0
2.14.0.0
Version 2.14.0.0
Compatible with OpenSearch 2.14.0
Enhancements
- Check for and perform upgrades on security configurations (#4251)
- Replace bouncy castle blake2b (#4284)
- Adds saml auth header to differentiate saml requests and prevents auto login as anonymous user when basic authentication fails (#4228)
- Dynamic sign in options (#4137)
- Add index permissions for query insights exporters (#4231)
- Add new stop words system index (#4181)
- Switch to built-in security transports from core (#4119) (#4174) (#4187)
- System index permission grants reading access to documents in the index (#4291)
- Improve cluster initialization reliability (#4002) (#4256)
Bug Fixes
- Ensure that challenge response contains body (#4268)
- Add logging for audit logs that are unable to save the request body (#4272)
- Use predictable serialization logic for transport headers (#4288)
- Update Log4JSink Default from sgaudit to audit and add test for default values (#4155)
- Remove Pom task dependencies rewrite (#4178) (#4186)
- Misc changes for tests (#4184)
- Add simple roles mapping integ test to test mapping of backend role to role (#4176)
Maintenance
- Add getProperty.org.bouncycastle.ec.max_f2m_field_size to plugin-security.policy (#4270)
- Add getProperty.org.bouncycastle.pkcs12.default to plugin-security.policy (#4266)
- Bump apache_cxf_version from 4.0.3 to 4.0.4 (#4287)
- Bump ch.qos.logback:logback-classic from 1.5.3 to 1.5.5 (#4248)
- Bump codecov/codecov-action from v3 to v4 (#4237)
- Bump com.fasterxml.woodstox:woodstox-core from 6.6.1 to 6.6.2 (#4195)
- Bump com.google.googlejavaformat:google-java-format from 1.21.0 to 1.22.0 (#4220)
- Bump commons-io:commons-io from 2.15.1 to 2.16.1 (#4196) (#4246)
- Bump com.nulab-inc:zxcvbn from 1.8.2 to 1.9.0 (#4219)
- Bump io.dropwizard.metrics:metrics-core from 4.2.15 to 4.2.25 (#4193) (#4197)
- Bump net.shibboleth.utilities:java-support from 8.4.1 to 8.4.2 (#4245)
- Bump spring_version from 5.3.33 to 5.3.34 (#4250)
- Bump Wandalen/wretry.action from 1.4.10 to 3.3.0 (#4167) (#4198) (#4221) (#4247)
- Bump open_saml_version from 4.3.0 to 4.3.2 (#4303) (#4239)
1.3.16.0
Version 1.3.16.0
Compatible with OpenSearch 1.3.16
Bug Fixes
- Allow TransportConfigUpdateAction when security config initialization has completed (#4115)
Maintenance
2.13.0.0
2024-03-19 Version 2.13.0.0
Compatible with OpenSearch 2.13.0
Enhancements
- Admin role for Query insights plugin (#4022)
- Add query assistant role and new ml system indices (#4143)
- Redact sensitive configuration values when retrieving security configuration (#4028)
- v2.12 update roles.yml with new API for experimental alerting plugin feature (#4035)
- Add deprecate message that TLSv1 and TLSv1.1 support will be removed in the next major version (#4083)
- Log password requirement details in demo environment (#4082)
- Redact sensitive URL parameters from audit logging (#4070)
- Fix unconsumed parameter exception when authenticating with jwtUrlParameter (#4065)
- Regenerates root-ca, kirk and esnode certificates to address already expired root ca certificate (#4066)
- Add exclude_roles configuration parameter to LDAP authorization backend (#4043)
- Refactor and update existing ml roles (#4157)
Maintenance
- Add exclusion for logback-core to resolve CVE-2023-6378 (#4050)
- Bump com.netflix.nebula.ospackage from 11.7.0 to 11.8.1 (#4041, #4075)
- Bump Wandalen/wretry.action from 1.3.0 to 1.4.10 (#4042, #4092, #4108, #4135)
- Bump spring_version from 5.3.31 to 5.3.33 (#4058, #4131)
- Bump org.scala-lang:scala-library from 2.13.12 to 2.13.13 (#4076)
- Bump com.google.googlejavaformat:google-java-format from 1.19.1 to 1.21.0 (#4078, #4110)
- Bump ch.qos.logback:logback-classic from 1.2.13 to 1.5.3 (#4091, #4111)
- Bump com.fasterxml.woodstox:woodstox-core from 6.6.0 to 6.6.1 (#4093)
- Bump kafka_version from 3.5.1 to 3.7.0 (#4095)
- Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.1 to 4.0.2 (#4109)
- Bump org.apache.zookeeper:zookeeper from 3.9.1 to 3.9.2 (#4130)
- Bump org.awaitility:awaitility from 4.2.0 to 4.2.1 (#4133)
- Bump com.google.errorprone:error_prone_annotations from 2.25.0 to 2.26.1 (#4132)
2.12.0.0
2024-02-20 Version 2.12.0.0
Compatible with OpenSearch 2.12.0
Enhancements
- Add additional sendRequestDecorate cases (#4007)
- [BUG-2556] Add new DLS filtering test (#4001)
- [Enhancement-3191] `transport_enabled` setting on an auth domain and authorizer may be unnecessary after transport client removal (#3966)
- Update roles.yml with new API for experimental alerting plugin feature #4027 (#4029)
- Admin role for Query insights plugin (#4022)
- Validate 409s occur when multiple config updates happen simultaneously (#3962)
- Protect config object from concurrent modification issues (#3956)
- Add test coverage for ComplianceConfig (#3957)
- Update security analytics roles to include custom log type cluster permissions (#3954)
- Add logging for test LdapServer actions (#3942)
- HeapBasedRateTracker uses time provider to allow simulating of time in unit tests (#3941)
- Add additional logging around `testShouldSearchAll` tests (#3943)
- Add permission for get workflow step (#3940)
- Add additional ignore_headers audit configuration setting (#3926)
- Update to Gradle 8.5 (#3919) (#3923)
- Refactor SSL handler retrieval to use HttpChannel / TransportChannel APIs instead of typecasting (#3917) (#3922)
- Improve messaging on how to set initial admin password (#3918)
- Re-enable disabled PIT integration tests (#3914)
- Switched to more reliable OpenSearch Lucene snapshot location (#3913)
- Add deprecation check for `jwt_header` setting (#3896)
- Add render search template as a cluster permission (#3689) (#3872)
- Add flow framework system indices and roles (#3851) (#3880)
- Search operation test flakiness fix (#3862)
- Extracts demo configuration setup into a java tool, adds support for Bundled JDK for this tool and updates DEVELOPER_GUIDE.md (#3845)
- SAML permissions changes in DynamicConfigModelV7 (#3853)
- Add do not fail on forbidden test cases around the stats API (#3825) (#3828)
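Three items across the 2.12 and 2.13 notes tighten what leaves the cluster in logs and API responses: the `ignore_headers` audit setting above (#3926), redaction of sensitive URL parameters from audit logging (#4070), and redaction of sensitive values when the security configuration is retrieved (#4028). The following is an added example, not the plugin's code, that shows the three rules side by side on a constructed audit event and config excerpt: drop listed headers wholesale, blank the values of secret-bearing query parameters while keeping the URL shape, and mask secret fields at any depth of a config document. Which parameter names, header names and config keys count as sensitive is this example's assumption; in a real deployment the URL parameter to redact is whatever `jwt_url_parameter` is configured to.

```python
"""Illustrative sanitizer for what a security audit log or config API hands
back: drop headers listed in an ignore_headers-style setting, redact
sensitive URL query parameters, and mask secret-bearing fields in a
security configuration document.

Added example covering #4070, #4028 and #3926 in these notes; it is not the
plugin's code. Which parameter names, header names and config keys count as
sensitive is this example's assumption (jwt_url_parameter, for instance,
is configurable in the plugin, so the real list depends on the deployment).
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "__REDACTED__"
SENSITIVE_QUERY_PARAMS = {"jwt", "access_token", "token"}                       # assumption
IGNORED_HEADERS = {"authorization", "cookie", "proxy-authorization"}            # assumption
SENSITIVE_CONFIG_KEYS = {"password", "hash", "signing_key", "exchange_key", "secret"}  # assumption


def redact_url(url: str, sensitive=SENSITIVE_QUERY_PARAMS) -> str:
    """Keep the URL shape (useful for forensics) but blank secret parameter values."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, REDACTED if k.lower() in sensitive else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def drop_ignored_headers(headers: dict, ignored=IGNORED_HEADERS) -> dict:
    """Remove listed headers entirely; matching is case-insensitive like HTTP itself."""
    return {k: v for k, v in headers.items() if k.lower() not in ignored}


def redact_config(node, sensitive=SENSITIVE_CONFIG_KEYS):
    """Walk a parsed config document and mask values under sensitive keys at
    any depth, leaving the structure intact so it can still be displayed or diffed."""
    if isinstance(node, dict):
        return {k: (REDACTED if k.lower() in sensitive else redact_config(v, sensitive))
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact_config(item, sensitive) for item in node]
    return node


def sanitize_audit_record(record: dict) -> dict:
    """Apply both request-side rules to one audit event before it is emitted."""
    out = dict(record)
    if "request_url" in out:
        out["request_url"] = redact_url(out["request_url"])
    if "headers" in out:
        out["headers"] = drop_ignored_headers(out["headers"])
    return out


def demo() -> dict:
    """Constructed audit event and config excerpt (not real data)."""
    event = {
        "category": "FAILED_LOGIN",
        "remote_address": "203.0.113.7",
        "request_url": "https://node1:9200/logs-2024/_search?size=10&jwt=eyJhbGciOiJIUzI1NiJ9.e30.sig",
        "headers": {"Authorization": "Basic YWRtaW46YWRtaW4=",
                    "Content-Type": "application/json",
                    "User-Agent": "curl/8.0"},
    }
    config = {
        "internal_users": {"admin": {"hash": "$2y$12$constructed", "backend_roles": ["admin"]}},
        "authc": {"jwt_auth_domain": {"http_authenticator": {"config": {"signing_key": "base64secret"}}}},
    }
    return {"event": sanitize_audit_record(event), "config": redact_config(config)}
```

Redacting parameter values rather than stripping the parameter keeps the audit trail useful: an analyst can still see that a JWT was presented on the query string, which is itself worth knowing, without the log becoming a second copy of the credential.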
Bug Fixes
- Fix Bug with Install demo configuration running in cluster mode with -y (#3936)
- Allow TransportConfigUpdateAction when security config initialization has completed (#3810) (#3927)
- Fix the CI / report-coverage check by switching to corresponding actions/upload-artifact@v4 (#3893) (#3895)
Maintenance
- Bump org.apache.camel:camel-xmlsecurity from 3.22.0 to 3.22.1 (#4018)
- Bump release-drafter/release-drafter from 5 to 6 (#4021)
- Bump com.netflix.nebula.ospackage from 11.6.0 to 11.7.0 (#4019)
- Bump org.junit.jupiter:junit-jupiter from 5.10.1 to 5.10.2 (#4020)
- Bump jjwt_version from 0.12.4 to 0.12.5 (#4017)
- Bump io.dropwizard.metrics:metrics-core from 4.2.24 to 4.2.25 (#3998)
- Bump gradle/gradle-build-action from 2 to 3 (#4000)
- Bump jjwt_version from 0.12.3 to 0.12.4 (#3999)
- Bump spotless (6.24.0 -> 6.25.0) to bump eclipse resources (3.18 -> 3.19) (#3993)
- Fix: remove unnecessary trailing slashes in APIs. (#3978)
- Adds new ml-commons system indices to the list (#3974)
- Bump io.dropwizard.metrics:metrics-core from 4.2.23 to 4.2.24 (#3970)
- Bump com.fasterxml.woodstox:woodstox-core from 6.5.1 to 6.6.0 (#3969)
- Bump com.diffplug.spotless from 6.23.3 to 6.24.0 (#3947)
- Bump org.apache.camel:camel-xmlsecurity from 3.21.3 to 3.22.0 (#3906)
- Bump com.google.errorprone:error_prone_annotations from 2.23.0 to 2.24.0 (#3897) (#3902)
- Bump io.dropwizard.metrics:metrics-core from 4.2.22 to 4.2.23 (#3900)
- Bump com.google.googlejavaformat:google-java-format from 1.18.1 to 1.19.1 (#3901)
- Bump github/codeql-action from 2 to 3 (#3859) (#3867)
- Bump org.apache.camel:camel-xmlsecurity from 3.21.2 to 3.21.3 (#3864)
- Bump org.checkerframework:checker-qual from 3.40.0 to 3.42.0 (#3857) (#3866)
- Bump com.flipkart.zjsonpatch:zjsonpatch from 0.4.14 to 0.4.16 (#3865)
- Bump com.netflix.nebula.ospackage from 11.5.0 to 11.6.0 (#3863)