Releases: opensearch-project/security
2.12.0.0
2024-02-20 Version 2.12.0.0
Compatible with OpenSearch 2.12.0
Enhancements
- Add additional sendRequestDecorate cases (#4007)
- [BUG-2556] Add new DLS filtering test (#4001)
- [Enhancement-3191] transport_enabled setting on an auth domain and authorizer may be unnecessary after transport client removal (#3966)
- Update roles.yml with new API for experimental alerting plugin feature #4027 (#4029)
- Admin role for Query insights plugin (#4022)
- Validate 409s occur when multiple config updates happen simultaneously (#3962)
- Protect config object from concurrent modification issues (#3956)
- Add test coverage for ComplianceConfig (#3957)
- Update security analytics roles to include custom log type cluster permissions (#3954)
- Add logging for test LdapServer actions (#3942)
- HeapBasedRateTracker uses time provider to allow simulating of time in unit tests (#3941)
- Add additional logging around testShouldSearchAll tests (#3943)
- Add permission for get workflow step (#3940)
- Add additional ignore_headers audit configuration setting (#3926)
- Update to Gradle 8.5 (#3919) (#3923)
- Refactor SSL handler retrieval to use HttpChannel / TransportChannel APIs instead of typecasting (#3917) (#3922)
- Improve messaging on how to set initial admin password (#3918)
- Re-enable disabled PIT integration tests (#3914)
- Switched to more reliable OpenSearch Lucene snapshot location (#3913)
- Add deprecation check for jwt_header setting (#3896)
- Add render search template as a cluster permission (#3689) (#3872)
- Add flow framework system indices and roles (#3851) (#3880)
- Search operation test flakiness fix (#3862)
- Extracts demo configuration setup into a java tool, adds support for Bundled JDK for this tool and updates DEVELOPER_GUIDE.md (#3845)
- SAML permissions changes in DynamicConfigModelV7 (#3853)
- Add do not fail on forbidden test cases around the stats API (#3825) (#3828)
Bug Fixes
- Fix Bug with Install demo configuration running in cluster mode with -y (#3936)
- Allow TransportConfigUpdateAction when security config initialization has completed (#3810) (#3927)
- Fix the CI / report-coverage check by switching to corresponding actions/upload-artifact@v4 (#3893) (#3895)
Maintenance
- Bump org.apache.camel:camel-xmlsecurity from 3.22.0 to 3.22.1 (#4018)
- Bump release-drafter/release-drafter from 5 to 6 (#4021)
- Bump com.netflix.nebula.ospackage from 11.6.0 to 11.7.0 (#4019)
- Bump org.junit.jupiter:junit-jupiter from 5.10.1 to 5.10.2 (#4020)
- Bump jjwt_version from 0.12.4 to 0.12.5 (#4017)
- Bump io.dropwizard.metrics:metrics-core from 4.2.24 to 4.2.25 (#3998)
- Bump gradle/gradle-build-action from 2 to 3 (#4000)
- Bump jjwt_version from 0.12.3 to 0.12.4 (#3999)
- Bump spotless (6.24.0 -> 6.25.0) to bump eclipse resources (3.18 -> 3.19) (#3993)
- Fix: remove unnecessary trailing slashes in APIs. (#3978)
- Adds new ml-commons system indices to the list (#3974)
- Bump io.dropwizard.metrics:metrics-core from 4.2.23 to 4.2.24 (#3970)
- Bump com.fasterxml.woodstox:woodstox-core from 6.5.1 to 6.6.0 (#3969)
- Bump com.diffplug.spotless from 6.23.3 to 6.24.0 (#3947)
- Bump org.apache.camel:camel-xmlsecurity from 3.21.3 to 3.22.0 (#3906)
- Bump com.google.errorprone:error_prone_annotations from 2.23.0 to 2.24.0 (#3897) (#3902)
- Bump io.dropwizard.metrics:metrics-core from 4.2.22 to 4.2.23 (#3900)
- Bump com.google.googlejavaformat:google-java-format from 1.18.1 to 1.19.1 (#3901)
- Bump github/codeql-action from 2 to 3 (#3859) (#3867)
- Bump org.apache.camel:camel-xmlsecurity from 3.21.2 to 3.21.3 (#3864)
- Bump org.checkerframework:checker-qual from 3.40.0 to 3.42.0 (#3857) (#3866)
- Bump com.flipkart.zjsonpatch:zjsonpatch from 0.4.14 to 0.4.16 (#3865)
- Bump com.netflix.nebula.ospackage from 11.5.0 to 11.6.0 (#3863)
1.3.14.0
2023-12-08 Version 1.3.14.0
Compatible with OpenSearch 1.3.14
Bug Fixes
- Prevent OptionalDataException from User data structures (#3725)
Enhancement
- Add early rejection from RestHandler for unauthorized requests (#3675)
- Expanding Authentication with SecurityRequest Abstraction (#3670)
- Adding minimum viable integration tests framework (#3649)
- For read-only tenants filter with allow list (4e962f2)
Maintenance
2.11.0.0
2023-10-18 Version 2.11.0.0
Compatible with OpenSearch 2.11.0
Enhancements
- Authorization in Rest Layer (#2753)
- Improve serialization speeds (#2802)
- Integration tests framework (#3388)
- Allow for automatic merging of dependabot changes after checks pass (#3409)
- Support security config updates on the REST API using permission (#3264)
- Expanding Authentication with SecurityRequest Abstraction (#3430)
- Add early rejection from RestHandler for unauthorized requests (#3418)
Bug Fixes
- Refactors reRequestAuthentication to call notifyIpAuthFailureListener before sending the response to the channel (#3411)
- For read-only tenants filter with allow list (c3e53e2)
Maintenance
- Change log message from warning to trace on WWW-Authenticate challenge (#3446)
- Disable codecov from failing CI if there is an upload issue (#3379)
- [Refactor] Change HTTP routes for Audit and Config PUT methods (#3407)
- Add tracer to Transport (#3463)
- Adds opensearch trigger bot to discerning merger list to allow automatic merges (#3481)
- Bump org.apache.camel:camel-xmlsecurity from 3.21.0 to 3.21.1 (#3436)
- Bump com.github.wnameless.json:json-base from 2.4.2 to 2.4.3 (#3437)
- Bump org.xerial.snappy:snappy-java from 1.1.10.4 to 1.1.10.5 (#3438)
- Bump org.ow2.asm:asm from 9.5 to 9.6 (#3439)
- Bump org.xerial.snappy:snappy-java from 1.1.10.3 to 1.1.10.4 (#3396)
- Bump com.google.errorprone:error_prone_annotations from 2.21.1 to 2.22.0 (#3400)
- Bump org.passay:passay from 1.6.3 to 1.6.4 (#3397)
- Bump org.gradle.test-retry from 1.5.4 to 1.5.5 (#3399)
- Bump org.springframework:spring-core from 5.3.29 to 5.3.30 (#3398)
- Bump tibdex/github-app-token from 2.0.0 to 2.1.0 (#3395)
- Bump org.apache.ws.xmlschema:xmlschema-core from 2.3.0 to 2.3.1 (#3374)
- Bump apache_cxf_version from 4.0.2 to 4.0.3 (#3376)
- Bump org.springframework:spring-beans from 5.3.29 to 5.3.30 (#3375)
- Bump com.github.wnameless.json:json-flattener from 0.16.5 to 0.16.6 (#3371)
- Bump aws-actions/configure-aws-credentials from 3 to 4 (#3373)
- Bump org.checkerframework:checker-qual from 3.36.0 to 3.38.0 (#3378)
- Bump com.nulab-inc:zxcvbn from 1.8.0 to 1.8.2 (#3357)
2.10.0.0
2023-08-31 Version 2.10.0.0
Compatible with OpenSearch 2.10.0
Enhancements
- Add .plugins-ml-config to the demo configuration system indices (#2993)
- Add workflow cluster permissions to alerting roles (#2994)
- Include password regex for Dashboardsinfo to display to users (#2999)
- Add geospatial ip2geo to the demo configuration system indices and roles (#3051)
- Make invalid password message clearer (#3057)
- Service Accounts password is randomly generated (#3077)
- Exclude sensitive info from the jackson serialization stacktraces (#3195)
- Prevent raw request body as output in serialization error messages (#3205)
- Command cat/indices will filter results per the Do Not Fail On Forbidden setting (#3236)
- Generate new demo certs with IPv6 loopback added to SAN in node certificate (#3268)
- System index permissions (#2887)
Bug Fixes
- Prevent raw request body as output in serialization error messages (#3205)
- Prevent flaky behavior when determining if a request will be executed on the current node. (#3066)
- Resolve a class of ConcurrentModificationException during bulk requests (#3094)
- Fix Document GET with DLS terms query (#3136)
- Send log messages to log4j systems instead of system out / error (#3231)
- Fix roles verification for roles mapping and internal users (#3278)
- Fix permissions issues while reading keys in PKCS#1 format (#3289)
Maintenance
- [Build Break] Update imports for files refactored in core PR #8157 (#3003)
- [Build Break] Fix build after Lucene upgrade and breaking XContentFactory changes (#3069)
- [Build Break] Update CircuitBreakerService and LifecycleComponent after core refactor in #9006 (#3082)
- [Build Break] React to changes in ActionListener and ActionResponse from #9082 (#3153)
- [Build Break] Disable gradlew build cache to ensure most up-to-date dependencies (#3186)
- Bump com.carrotsearch.randomizedtesting:randomizedtesting-runner from 2.7.1 to 2.8.1 (#3109)
- Bump com.diffplug.spotless from 6.19.0 to 6.21.0 (#3108)
- Bump com.fasterxml.woodstox:woodstox-core from 6.4.0 to 6.5.1 (#3148)
- Bump com.github.spotbugs from 5.0.14 to 5.1.3 (#3251)
- Bump com.github.wnameless.json:json-base from 2.4.0 to 2.4.2 (#3062)
- Bump com.github.wnameless.json:json-flattener from 0.16.4 to 0.16.5 (#3296)
- Bump com.google.errorprone:error_prone_annotations from 2.3.4 to 2.20.0 (#3023)
- Bump com.google.guava:guava from 32.1.1-jre to 32.1.2-jre (#3149)
- Bump commons-io:commons-io from 2.11.0 to 2.13.0 (#3074)
- Bump com.netflix.nebula.ospackage from 11.1.0 to 11.3.0 (#3023)
- Bump com.nulab-inc:zxcvbn from 1.7.0 to 1.8.0 (#3023)
- Bump com.unboundid:unboundid-ldapsdk from 4.0.9 to 4.0.14 (#3143)
- Bump io.dropwizard.metrics:metrics-core from 3.1.2 to 4.2.19 (#3073)
- Bump kafka_version from 3.5.0 to 3.5.1 (#3041)
- Bump net.minidev:json-smart from 2.4.11 to 2.5.0 (#3120)
- Bump org.apache.camel:camel-xmlsecurity from 3.14.2 to 3.21.0 (#3023)
- Bump org.apache.santuario:xmlsec from 2.2.3 to 2.3.3 (#3210)
- Bump org.checkerframework:checker-qual from 3.5.0 to 3.36.0 (#3023)
- Bump org.cryptacular:cryptacular from 1.2.4 to 1.2.5 (#3071)
- Bump org.gradle.test-retry from 1.5.2 to 1.5.4 (#3072)
- Bump org.junit.jupiter:junit-jupiter from 5.8.2 to 5.10.0 (#3146)
- Bump org.ow2.asm:asm from 9.1 to 9.5 (#3121)
- Bump org.scala-lang:scala-library from 2.13.9 to 2.13.11 (#3119)
- Bump org.slf4j:slf4j-api from 1.7.30 to 1.7.36 (#3249)
- Bump org.xerial.snappy:snappy-java from 1.1.10.1 to 1.1.10.3 (#3106)
- Bump actions/create-release from 1.0.0 to 1.1.4 (#3141)
- Bump actions/setup-java from 1 to 3 (#3142)
- Bump actions/upload-release-asset from 1.0.1 to 1.0.2 (#3144)
- Bump fernandrone/linelint from 0.0.4 to 0.0.6 (#3211)
- Bump tibdex/github-app-token from 1.5.0 to 1.8.0 (#3147)
- Remove log spam for files that are cleaned up (#3118)
- Updates integTestRemote task to dynamically fetch common-utils version from build.gradle (#3122)
- Switch CodeQL to assemble artifacts using the same build as the rest of CI (#3132)
- Only run the backport job on merged pull requests (#3134)
- Add code coverage exclusions on false positives (#3196)
- Enable jarhell check (#3227)
- Retry code coverage upload on failure (#3242)
- [Refactor] Adopt request builder patterns for SecurityRestApiActions for consistency and clarity (#3123)
- [Refactor] Remove json-path from deps and use JsonPointer instead (#3262)
- Use version of org.apache.commons:commons-lang3 defined in core (#3306)
- Fix checkstyle #3283
- Demo Configuration changes (#3330)
1.3.12.0
2.9.0.0
2023-07-18 Version 2.9.0.0
Compatible with OpenSearch 2.9.0
Enhancements
- Use BouncyCastle PEM reader instead of regular expression (#2877)
- Adding field level security test cases for FlatFields (#2876) (#2893)
- Add password message to /dashboardsinfo endpoint (#2949) (#2955)
- Add .plugins-ml-connector to system index (#2947) (#2954)
- Parallel test jobs for CI (#2861) (#2936)
- Adds a check to skip serialization-deserialization if request is for same node (#2765) (#2973)
- Add workflow cluster permissions to alerting roles and add .plugins-ml-config in the system index (#2996)
Maintenance
- Match version of zstd-jni from core (#2835)
- Add Andrey Pleskach (Willyborankin) to Maintainers (#2843)
- Updates bwc versions to latest release (#2849)
- Add search model group permission to ml_read_access role (#2855) (#2858)
- Format 2.x (#2878)
- Update snappy to 1.1.10.1 and guava to 32.0.1-jre (#2886) (#2889)
- Resolve ImmutableOpenMap issue from core refactor (#2908)
- Misc changes (#2902) (#2904)
- Bump BouncyCastle from jdk15on to jdk15to18 (#2901) (#2917)
- Fix the import org.opensearch.core.common.Strings; and import org.opensearch.core.common.logging.LoggerMessageFormat; (#2953)
- Remove commons-collections 3.2.2 (#2924) (#2957)
- Resolve CVE-2023-2976 by forcing use of Guava 32.0.1 (#2937) (#2974)
- Bump jaxb to 2.3.8 (#2977) (#2979)
- Update Gradle to 8.2.1 (#2978) (#2981)
- Changed maven repo location for compatibility check (#2988)
- Bump guava to 32.1.1-jre (#2976) (#2990)
2.8.0.0
2023-06-06 Version 2.8.0.0
Compatible with OpenSearch 2.8.0
Features
- Identify extension Transport requests and permit handshake and extension registration actions (#2599)
- Use ExtensionsManager.lookupExtensionSettingsById when verifying extension unique id (#2749)
- Generate auth tokens for service accounts (#2716)
- Security User Refactor (#2594)
- Add score based password verification (#2557)
- Usage of JWKS with JWT (w/o OpenID connect) (#2808)
Bug Fixes
- deserializeSafeFromHeader uses context.getHeader(headerName) instead of context.getHeaders() (#2768)
- Fix multitenancy config update (#2758)
Enhancements
- Add default roles for SQL plugin: PPL and cross-cluster search (#2729)
- Update security-analytics roles to add correlation engine apis (#2732)
- Changes in role.yml for long-running operation notification feature in Index-Management repo (#2789)
- Rest admin permissions (#2411)
- Separate config option to enable restapi: permissions (#2605)
Maintenance
2.7.0.0
2023-04-25 Version 2.7.0.0
Compatible with OpenSearch 2.7.0
Features
- Dynamic tenancy configurations (#2607)
Bug Fixes
- Support multitenancy for the anonymous user (#2459)
- Fix error message when system index is blocked (#2525)
- Fix OpenSSLTest not using the OpenSSL Provider (#2301)
- Add chmod 0600 to install_demo_configuration bash script (#2550)
- Fix SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder" (#2564)
- Fix lost privileges during auto initializing of the index (#2498)
- Fix NPE and add additional graceful error handling (#2687)
Enhancements
- Clock skew tolerance for oidc token validation (#2482)
- Adding index template permissions to kibana_server role (#2503)
- Add a test in order to catch incorrect handling of index parsing during Snapshot Restoration (#2384)
- Expand Dls Tests for easier verification of functionality (#2634)
- New system index [.ql-datasources] for ppl/sql datasource configurations (#2650)
- Allows for configuration of LDAP referral following (#2135)
Maintenance
- Update kafka client to 3.4.0 (#2484)
- Update to gradle 8.0.2 (#2520)
- XContent Refactor (#2598)
- Update json-smart to 2.4.10 and update spring-core to 5.3.26 (#2630)
- Update certs for SecuritySSLReloadCertsActionTests (#2679)
Infrastructure
Documentation
- Fix the format of the codeowners file (#2469)