Releases: opensearch-project/security

2.16.0.0 (07 Aug 22:16, commit 3076016)

Version 2.16.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 2.16.0

Enhancements

  • Add support for PBKDF2 for password hashing & add support for configuring BCrypt and PBKDF2 (#4524)
  • Separated DLS/FLS privilege evaluation from action privilege evaluation (#4490)
  • Update PULL_REQUEST_TEMPLATE to include an API spec change in the checklist. (#4533)
  • Update PATCH API to fail validation if nothing changes (#4530)
  • Refactor InternalUsers REST API test (#4481)
  • Refactor Role Mappings REST API test (#4450)
  • Remove special handling for do_not_fail_on_forbidden on cluster actions (#4486)
  • Add Tenants REST API test and partial fix (#4166)
  • Refactor Roles REST API test and partial fix #4166 (#4433)
  • New algorithm for resolving action groups (#4448)
  • Check block request only if system index (#4430)
  • Replaced uses of SecurityRoles by Set mappedRoles where the SecurityRoles functionality is not needed (#4432)
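
The first enhancement above makes the password hashing algorithm and its parameters configurable (the plugin documents these under the plugins.security.password.hashing.* settings; check the docs for your version). The block below is an added example, not the plugin's own code or its stored-hash format: it shows what those knobs mean in practice for PBKDF2 (PRF, iteration count, derived-key length), verifies in constant time using the parameters carried inside the stored hash, and flags hashes produced under a weaker policy so they can be re-hashed at the next successful login. The $-delimited encoding is this example's own, and the default parameter values are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed policy values; they mirror the knobs 2.16 makes configurable (PRF,
# iterations, derived-key length) but are not the plugin's defaults.
DEFAULT_FUNCTION = "sha256"
DEFAULT_ITERATIONS = 600_000
DEFAULT_LENGTH_BITS = 256


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def pbkdf2_hash(password: str, *, function: str = DEFAULT_FUNCTION,
                iterations: int = DEFAULT_ITERATIONS,
                length_bits: int = DEFAULT_LENGTH_BITS,
                salt: Optional[bytes] = None) -> str:
    """Derive a key from the password and return a self-describing hash string.

    Encoding (this example's own, not the plugin's): $pbkdf2-<prf>$<iterations>$<salt>$<key>
    """
    if function not in hashlib.algorithms_available:
        raise ValueError(f"unsupported PRF: {function}")
    if iterations < 1 or length_bits % 8:
        raise ValueError("iterations must be positive and length a multiple of 8 bits")
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac(function, password.encode("utf-8"), salt,
                                  iterations, dklen=length_bits // 8)
    return f"$pbkdf2-{function}${iterations}${_b64(salt)}${_b64(derived)}"


def parse_hash(encoded: str) -> Tuple[str, int, bytes, bytes]:
    """Split a stored hash into (prf, iterations, salt, derived_key); ValueError if malformed."""
    _, scheme, iterations, salt_b64, key_b64 = encoded.split("$")
    if not scheme.startswith("pbkdf2-"):
        raise ValueError("not a pbkdf2 hash")
    return (scheme[len("pbkdf2-"):], int(iterations),
            base64.b64decode(salt_b64), base64.b64decode(key_b64))


def pbkdf2_verify(password: str, encoded: str) -> bool:
    """Recompute with the parameters stored in the hash and compare in constant time."""
    try:
        function, iterations, salt, expected = parse_hash(encoded)
    except (ValueError, TypeError):
        return False  # unparseable hash fails closed rather than raising into the auth path
    actual = hashlib.pbkdf2_hmac(function, password.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(encoded: str, *, function: str = DEFAULT_FUNCTION,
                 iterations: int = DEFAULT_ITERATIONS,
                 length_bits: int = DEFAULT_LENGTH_BITS) -> bool:
    """True when the stored hash is weaker than (or different from) the current policy.

    After raising the iteration count or switching PRF in configuration, existing
    hashes keep their old parameters; call this after a successful verify and
    re-hash with the new policy when it returns True.
    """
    try:
        stored_function, stored_iterations, _, stored_key = parse_hash(encoded)
    except (ValueError, TypeError):
        return True
    return (stored_function != function
            or stored_iterations < iterations
            or len(stored_key) * 8 < length_bits)


if __name__ == "__main__":
    stored = pbkdf2_hash("correct horse battery staple", iterations=20_000)
    print(stored)
    print("verify:", pbkdf2_verify("correct horse battery staple", stored))
    print("needs rehash under default policy:", needs_rehash(stored))
```

The iteration count in the test below is deliberately low so it runs quickly; in production keep the configured count at or above the policy value and let needs_rehash drive migration.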

Bug Fixes

  • Fixed test failures in FlsAndFieldMaskingTests (#4548)
  • Typo in securityadmin.sh hint (#4526)
  • Fix NPE getting metaFields from mapperService on a close index request (#4497)
  • Fixes flaky integration tests (#4452)

Maintenance

  • Remove unused dependency Apache CXF (#4580)
  • Remove unnecessary return statements (#4558)
  • Refactor and update existing ml roles (#4151)
  • Replace JUnit assertEquals() with Hamcrest matchers assertThat() (#4544)
  • Update Gradle to 8.9 (#4553)
  • Bump org.checkerframework:checker-qual from 3.44.0 to 3.45.0 (#4531)
  • Add security analytics threat intel action (#4498)
  • Bump kafka_version from 3.7.0 to 3.7.1 (#4501)
  • Bump org.junit.jupiter:junit-jupiter from 5.10.2 to 5.10.3 (#4503)
  • Bump com.fasterxml.woodstox:woodstox-core from 6.6.2 to 6.7.0 (#4483)
  • Bump jjwt_version from 0.12.5 to 0.12.6 (#4484)
  • Bump org.eclipse.platform:org.eclipse.core.runtime from 3.31.0 to 3.31.100 (#4467)
  • Bump spring_version from 5.3.36 to 5.3.37 (#4466)
  • Update to Gradle 8.8 (#4459)

1.3.18.0 (16 Jul 23:12, commit c9cf6b8)

Version 1.3.18.0

Compatible with OpenSearch 1.3.18

Maintenance

  • Bump bouncycastle to 1.78.1 and kafka to 3.7.0 (#4437)

2.15.0.0 (25 Jun 22:30, commit 9674301)

Version 2.15.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 2.15.0

Enhancements

  • Replace BouncyCastle's OpenBSDBCrypt use with password4j for password hashing and verification (#4428)
  • Adds validation for the action groups type key (#4411)
  • Made sensitive header log statement more clear (#4372)
  • Refactor ActionGroup REST API test and partial fix #4166 (#4371)
  • Support multiple audience for jwt authentication (#4363)
  • Configure masking algorithm default (#4345)

Bug Fixes

  • Add cat/alias support for DNFOF (#4440)
  • Add support for ipv6 ip address in user injection (#4409)
  • [Fix #4280] Introduce new endpoint _plugins/_security/api/certificates (#4355)

Maintenance

  • Bump com.nimbusds:nimbus-jose-jwt from 9.37.3 to 9.40 (#4337, #4353, #4396, #4424)
  • Bump Wandalen/wretry.action from 3.4.0 to 3.5.0 (#4335)
  • Bump spring_version from 5.3.34 to 5.3.36 (#4352, #4368)
  • Bump org.apache.camel:camel-xmlsecurity from 3.22.1 to 3.22.2 (#4324)
  • Bump com.google.errorprone:error_prone_annotations from 2.27.0 to 2.27.1 (#4323)
  • Bump org.checkerframework:checker-qual from 3.42.0 to 3.43.0 (#4322)
  • Bump org.scala-lang:scala-library from 2.13.13 to 2.13.14 (#4321)
  • Bump commons-validator:commons-validator from 1.8.0 to 1.9.0 (#4395)
  • Bump com.netflix.nebula.ospackage from 11.9.0 to 11.9.1 (#4394)
  • Bump com.google.errorprone:error_prone_annotations from 2.27.1 to 2.28.0 (#4389)
  • Bump commons-cli to 1.8.0 (#4369)
  • Fix DelegatingRestHandlerTests (#4435)
  • Extracted the user attr handling methods from ConfigModelV7 into its own class (#4431)
  • Bump io.dropwizard.metrics:metrics-core and org.checkerframework:checker-qual (#4425)
  • Bump gradle to 8.7 version (#4377)
  • Updating security reachout email (#4333)
  • REST API tests refactoring (#4252 and #4255) (#4328)
  • Fix flaky tests (#4331)
  • Move REST API tests into integration tests (Part 1) (#4153)
  • fix build errors caused by filterIndices method being moved from SnapshotUtils to IndexUtils (#4319)
  • Extract route paths prefixes into constants (#4358)

1.3.17.0 (06 Jun 22:39, commit 188480d)

Version 1.3.17.0

Compatible with OpenSearch 1.3.17

Maintenance

  • Update security reachout email (#4333)

2.14.0.0 (14 May 21:01, commit 435856c)

Version 2.14.0.0

Compatible with OpenSearch 2.14.0

Enhancements

  • Check for and perform upgrades on security configurations (#4251)
  • Replace bouncy castle blake2b (#4284)
  • Adds saml auth header to differentiate saml requests and prevents auto login as anonymous user when basic authentication fails (#4228)
  • Dynamic sign in options (#4137)
  • Add index permissions for query insights exporters (#4231)
  • Add new stop words system index (#4181)
  • Switch to built-in security transports from core (#4119) (#4174) (#4187)
  • System index permission grants reading access to documents in the index (#4291)
  • Improve cluster initialization reliability (#4002) (#4256)

Bug Fixes

  • Ensure that challenge response contains body (#4268)
  • Add logging when the audit log is unable to save the request body (#4272)
  • Use predictable serialization logic for transport headers (#4288)
  • Update Log4JSink Default from sgaudit to audit and add test for default values (#4155)
  • Remove Pom task dependencies rewrite (#4178) (#4186)
  • Misc changes for tests (#4184)
  • Add simple roles mapping integ test to test mapping of backend role to role (#4176)

Maintenance

  • Add getProperty.org.bouncycastle.ec.max_f2m_field_size to plugin-security.policy (#4270)
  • Add getProperty.org.bouncycastle.pkcs12.default to plugin-security.policy (#4266)
  • Bump apache_cxf_version from 4.0.3 to 4.0.4 (#4287)
  • Bump ch.qos.logback:logback-classic from 1.5.3 to 1.5.5 (#4248)
  • Bump codecov/codecov-action from v3 to v4 (#4237)
  • Bump com.fasterxml.woodstox:woodstox-core from 6.6.1 to 6.6.2 (#4195)
  • Bump com.google.googlejavaformat:google-java-format from 1.21.0 to 1.22.0 (#4220)
  • Bump commons-io:commons-io from 2.15.1 to 2.16.1 (#4196) (#4246)
  • Bump com.nulab-inc:zxcvbn from 1.8.2 to 1.9.0 (#4219)
  • Bump io.dropwizard.metrics:metrics-core from 4.2.15 to 4.2.25 (#4193) (#4197)
  • Bump net.shibboleth.utilities:java-support from 8.4.1 to 8.4.2 (#4245)
  • Bump spring_version from 5.3.33 to 5.3.34 (#4250)
  • Bump Wandalen/wretry.action from 1.4.10 to 3.3.0 (#4167) (#4198) (#4221) (#4247)
  • Bump open_saml_version from 4.3.0 to 4.3.2 (#4303) (#4239)

1.3.16.0 (23 Apr 21:35, commit 2277453)

Version 1.3.16.0

Compatible with OpenSearch 1.3.16

Bug Fixes

  • Allow TransportConfigUpdateAction when security config initialization has completed (#4115)

Maintenance

  • Force resolution of org.apache.zookeeper:zookeeper to 3.9.2 and org.bitbucket.b_c:jose4j to 0.9.4 (#4136)
  • Integration Tests for Security Config Initialization (#4134)
  • Remove and refactor console print statements (#4206)

2.13.0.0 (02 Apr 23:03, commit 8f029eb)

2024-03-19 Version 2.13.0.0

Compatible with OpenSearch 2.13.0

Enhancements

  • Admin role for Query insights plugin (#4022)
  • Add query assistant role and new ml system indices (#4143)
  • Redact sensitive configuration values when retrieving security configuration (#4028)
  • v2.12 update roles.yml with new API for experimental alerting plugin feature (#4035)
  • Add deprecation message that TLSv1 and TLSv1.1 support will be removed in the next major version (#4083)
  • Log password requirement details in demo environment (#4082)
  • Redact sensitive URL parameters from audit logging (#4070)
  • Fix unconsumed parameter exception when authenticating with jwtUrlParameter (#4065)
  • Regenerates root-ca, kirk and esnode certificates to address already expired root ca certificate (#4066)
  • Add exclude_roles configuration parameter to LDAP authorization backend (#4043)
  • Refactor and update existing ml roles (#4157)
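
"Redact sensitive URL parameters from audit logging" and the jwtUrlParameter fix above both concern the same exposure: a bearer token passed as a query parameter ends up in the audit trail unless it is masked before the record is written. The block below is an added example, not the plugin's redaction code: it masks parameters by case-insensitive name in both a parsed parameter map and a raw URL, and takes the configured JWT URL parameter name as input because that name is operator-chosen and a fixed deny list would miss it. The sensitive-name list, the audit record and the field name audit_rest_request_params are constructed for the example.

```python
from typing import Dict, Iterable, Mapping
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed deny list; the plugin's own set of redacted parameter names is not reproduced here.
DEFAULT_SENSITIVE_PARAMS = frozenset({"password", "access_token", "token", "authorization"})
REDACTED = "__REDACTED__"


def _lowered(names: Iterable[str]) -> set:
    return {name.lower() for name in names}


def redact_query_params(params: Mapping[str, str],
                        sensitive: Iterable[str] = DEFAULT_SENSITIVE_PARAMS) -> Dict[str, str]:
    """Return a copy of params with sensitive values masked; matching is case-insensitive
    so JwtToken, jwttoken and JWTTOKEN are all caught. The input mapping is not modified."""
    names = _lowered(sensitive)
    return {k: (REDACTED if k.lower() in names else v) for k, v in params.items()}


def redact_url(url: str, sensitive: Iterable[str] = DEFAULT_SENSITIVE_PARAMS) -> str:
    """Mask sensitive query parameters in a raw URL, preserving path, other parameters
    and fragment. Repeated parameters are handled individually."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    names = _lowered(sensitive)
    pairs = [(k, REDACTED if k.lower() in names else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def redact_audit_record(record: dict, jwt_url_parameter: str,
                        extra_sensitive: Iterable[str] = ()) -> dict:
    """Redact the request-parameter map of a constructed audit record.

    jwt_url_parameter is whatever name the JWT authenticator is configured to read the
    token from; it is merged into the deny list so a renamed parameter is still masked.
    The field name audit_rest_request_params is assumed for this example.
    """
    sensitive = set(DEFAULT_SENSITIVE_PARAMS) | {jwt_url_parameter} | set(extra_sensitive)
    out = dict(record)
    if isinstance(out.get("audit_rest_request_params"), Mapping):
        out["audit_rest_request_params"] = redact_query_params(out["audit_rest_request_params"], sensitive)
    return out


if __name__ == "__main__":
    # Constructed sample record, not real audit output.
    record = {
        "audit_category": "AUTHENTICATED",
        "audit_rest_request_params": {"my_jwt": "eyJhbGciOiJIUzI1NiJ9.e30.sig", "size": "10"},
    }
    print(redact_audit_record(record, jwt_url_parameter="my_jwt"))
    print(redact_url("https://node:9200/_plugins/_security/authinfo?my_jwt=eyJhbGci&pretty=true",
                     sensitive=DEFAULT_SENSITIVE_PARAMS | {"my_jwt"}))
```

Masking the value rather than dropping the key keeps the audit record useful: an investigator can still see that a token was presented on the URL, which is itself worth knowing.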

Maintenance

  • Add exclusion for logback-core to resolve CVE-2023-6378 (#4050)
  • Bump com.netflix.nebula.ospackage from 11.7.0 to 11.8.1 (#4041, #4075)
  • Bump Wandalen/wretry.action from 1.3.0 to 1.4.10 (#4042, #4092, #4108, #4135)
  • Bump spring_version from 5.3.31 to 5.3.33 (#4058, #4131)
  • Bump org.scala-lang:scala-library from 2.13.12 to 2.13.13 (#4076)
  • Bump com.google.googlejavaformat:google-java-format from 1.19.1 to 1.21.0 (#4078, #4110)
  • Bump ch.qos.logback:logback-classic from 1.2.13 to 1.5.3 (#4091, #4111)
  • Bump com.fasterxml.woodstox:woodstox-core from 6.6.0 to 6.6.1 (#4093)
  • Bump kafka_version from 3.5.1 to 3.7.0 (#4095)
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.1 to 4.0.2 (#4109)
  • Bump org.apache.zookeeper:zookeeper from 3.9.1 to 3.9.2 (#4130)
  • Bump org.awaitility:awaitility from 4.2.0 to 4.2.1 (#4133)
  • Bump com.google.errorprone:error_prone_annotations from 2.25.0 to 2.26.1 (#4132)

2.12.0.0 (28 Feb 16:39, commit a5c3191)

2024-02-20 Version 2.12.0.0

Compatible with OpenSearch 2.12.0

Enhancements

  • Add additional sendRequestDecorate cases (#4007)
  • [BUG-2556] Add new DLS filtering test (#4001)
  • [Enhancement-3191] transport_enabled setting on an auth domain and authorizer may be unnecessary after transport client removal (#3966)
  • Update roles.yml with new API for experimental alerting plugin feature #4027 (#4029)
  • Admin role for Query insights plugin (#4022)
  • Validate 409s occur when multiple config updates happen simultaneously (#3962)
  • Protect config object from concurrent modification issues (#3956)
  • Add test coverage for ComplianceConfig (#3957)
  • Update security analytics roles to include custom log type cluster permissions (#3954)
  • Add logging for test LdapServer actions (#3942)
  • HeapBasedRateTracker uses time provider to allow simulating of time in unit tests (#3941)
  • Add additional logging around testShouldSearchAll tests (#3943)
  • Add permission for get workflow step (#3940)
  • Add additional ignore_headers audit configuration setting (#3926)
  • Update to Gradle 8.5 (#3919) (#3923)
  • Refactor SSL handler retrieval to use HttpChannel / TransportChannel APIs instead of typecasting (#3917) (#3922)
  • Improve messaging on how to set initial admin password (#3918)
  • Re-enable disabled PIT integration tests (#3914)
  • Switched to more reliable OpenSearch Lucene snapshot location (#3913)
  • Add deprecation check for jwt_header setting (#3896)
  • Add render search template as a cluster permission (#3689) (#3872)
  • Add flow framework system indices and roles (#3851) (#3880)
  • Search operation test flakiness fix (#3862)
  • Extracts demo configuration setup into a java tool, adds support for Bundled JDK for this tool and updates DEVELOPER_GUIDE.md (#3845)
  • SAML permissions changes in DynamicConfigModelV7 (#3853)
  • Add do not fail on forbidden test cases around the stats API (#3825) (#3828)

Bug Fixes

  • Fix Bug with Install demo configuration running in cluster mode with -y (#3936)
  • Allow TransportConfigUpdateAction when security config initialization has completed (#3810) (#3927)
  • Fix the CI / report-coverage check by switching to corresponding actions/upload-artifact@v4 (#3893) (#3895)

Maintenance

  • Bump org.apache.camel:camel-xmlsecurity from 3.22.0 to 3.22.1 (#4018)
  • Bump release-drafter/release-drafter from 5 to 6 (#4021)
  • Bump com.netflix.nebula.ospackage from 11.6.0 to 11.7.0 (#4019)
  • Bump org.junit.jupiter:junit-jupiter from 5.10.1 to 5.10.2 (#4020)
  • Bump jjwt_version from 0.12.4 to 0.12.5 (#4017)
  • Bump io.dropwizard.metrics:metrics-core from 4.2.24 to 4.2.25 (#3998)
  • Bump gradle/gradle-build-action from 2 to 3 (#4000)
  • Bump jjwt_version from 0.12.3 to 0.12.4 (#3999)
  • Bump spotless (6.24.0 -> 6.25.0) to bump eclipse resources (3.18 -> 3.19) (#3993)
  • Fix: remove unnecessary trailing slashes in APIs. (#3978)
  • Adds new ml-commons system indices to the list (#3974)
  • Bump io.dropwizard.metrics:metrics-core from 4.2.23 to 4.2.24 (#3970)
  • Bump com.fasterxml.woodstox:woodstox-core from 6.5.1 to 6.6.0 (#3969)
  • Bump com.diffplug.spotless from 6.23.3 to 6.24.0 (#3947)
  • Bump org.apache.camel:camel-xmlsecurity from 3.21.3 to 3.22.0 (#3906)
  • Bump com.google.errorprone:error_prone_annotations from 2.23.0 to 2.24.0 (#3897) (#3902)
  • Bump io.dropwizard.metrics:metrics-core from 4.2.22 to 4.2.23 (#3900)
  • Bump com.google.googlejavaformat:google-java-format from 1.18.1 to 1.19.1 (#3901)
  • Bump github/codeql-action from 2 to 3 (#3859) (#3867)
  • Bump org.apache.camel:camel-xmlsecurity from 3.21.2 to 3.21.3 (#3864)
  • Bump org.checkerframework:checker-qual from 3.40.0 to 3.42.0 (#3857) (#3866)
  • Bump com.flipkart.zjsonpatch:zjsonpatch from 0.4.14 to 0.4.16 (#3865)
  • Bump com.netflix.nebula.ospackage from 11.5.0 to 11.6.0 (#3863)

1.3.14.0 (12 Dec 20:36, commit 8924b34)

2023-12-08 Version 1.3.14.0

Compatible with OpenSearch 1.3.14

Bug Fixes

  • Prevent OptionalDataException from User data structures (#3725)

Enhancements

  • Add early rejection from RestHandler for unauthorized requests (#3675)
  • Expanding Authentication with SecurityRequest Abstraction (#3670)
  • Adding minimum viable integration tests framework (#3649)
  • For read-only tenants filter with allow list (4e962f2)

Maintenance

  • Update the version of snappy-java to 1.1.10.5 (#3478)
  • Update the version of zookeeper to 3.9.1, xmlsec to 2.3.4, and jackson-databind to 2.14.2 (#3800)
  • Adds OpenSearch trigger bot to discerning merger list to allow automatic merges (#3474)

2.11.0.0 (16 Oct 19:19, commit bc03bd4)

2023-10-18 Version 2.11.0.0

Compatible with OpenSearch 2.11.0

Enhancements

  • Authorization in Rest Layer (#2753)
  • Improve serialization speeds (#2802)
  • Integration tests framework (#3388)
  • Allow for automatic merging of dependabot changes after checks pass (#3409)
  • Support security config updates on the REST API using permission (#3264)
  • Expanding Authentication with SecurityRequest Abstraction (#3430)
  • Add early rejection from RestHandler for unauthorized requests (#3418)

Bug Fixes

  • Refactors reRequestAuthentication to call notifyIpAuthFailureListener before sending the response to the channel (#3411)
  • For read-only tenants filter with allow list (c3e53e2)

Maintenance

  • Change log message from warning to trace on WWW-Authenticate challenge (#3446)
  • Disable codecov from failing CI if there is an upload issue (#3379)
  • [Refactor] Change HTTP routes for Audit and Config PUT methods (#3407)
  • Add tracer to Transport (#3463)
  • Adds opensearch trigger bot to discerning merger list to allow automatic merges (#3481)
  • Bump org.apache.camel:camel-xmlsecurity from 3.21.0 to 3.21.1 (#3436)
  • Bump com.github.wnameless.json:json-base from 2.4.2 to 2.4.3 (#3437)
  • Bump org.xerial.snappy:snappy-java from 1.1.10.4 to 1.1.10.5 (#3438)
  • Bump org.ow2.asm:asm from 9.5 to 9.6 (#3439)
  • Bump org.xerial.snappy:snappy-java from 1.1.10.3 to 1.1.10.4 (#3396)
  • Bump com.google.errorprone:error_prone_annotations from 2.21.1 to 2.22.0 (#3400)
  • Bump org.passay:passay from 1.6.3 to 1.6.4 (#3397)
  • Bump org.gradle.test-retry from 1.5.4 to 1.5.5 (#3399)
  • Bump org.springframework:spring-core from 5.3.29 to 5.3.30 (#3398)
  • Bump tibdex/github-app-token from 2.0.0 to 2.1.0 (#3395)
  • Bump org.apache.ws.xmlschema:xmlschema-core from 2.3.0 to 2.3.1 (#3374)
  • Bump apache_cxf_version from 4.0.2 to 4.0.3 (#3376)
  • Bump org.springframework:spring-beans from 5.3.29 to 5.3.30 (#3375)
  • Bump com.github.wnameless.json:json-flattener from 0.16.5 to 0.16.6 (#3371)
  • Bump aws-actions/configure-aws-credentials from 3 to 4 (#3373)
  • Bump org.checkerframework:checker-qual from 3.36.0 to 3.38.0 (#3378)
  • Bump com.nulab-inc:zxcvbn from 1.8.0 to 1.8.2 (#3357)