Release Notes
Version Compatibility
You must run the version of Shield that matches the version of Elasticsearch you are running. For example, Shield 2.4.6 requires Elasticsearch 2.4.6.
Updated Role Definitions
The default role definitions in the roles.yml file may need to be changed to ensure proper interoperation with other applications such as Marvel and Kibana. Any role changes are stored in roles.yml.new when you upgrade. We recommend copying the following changes to your roles.yml file.
- [2.4.0] Added in 2.4.0. The kibana4_server role has been updated to support the privileges necessary for reporting.
- [2.3.0] Added in 2.3.0. The default roles have been updated to use the new format and the new privilege names. The previous format is now deprecated. The kibana4 role has been removed; users should create their own based on the example kibana user role.
- [2.1.1] Added in 2.1.1. The kibana4 role now grants access to the Field Stats API.
- [2.0.0] Added in 2.0.0. The permissions on all the roles are updated to the verbose format to make it easier to enable field level and document level security. The transport_client role has been updated to work with Elasticsearch 2.0.0. The marvel_user role has been updated to work with Marvel 2.0 and a remote_marvel_agent role has been added. The kibana3 and marvel_agent roles have been removed.
- [1.1.0] Added in 1.1.0. The kibana4_server role has been added; it defines the minimum set of permissions necessary for the Kibana 4 server.
- [1.0.1] Added in 1.0.1. The kibana4 role has been updated to work with new features in Kibana 4 RC1.
Change List
2.4.6
July 25, 2017
Enhancements
- Adds support for Elasticsearch 2.4.6.
2.4.5
April 27, 2017
Enhancements
- Adds support for Elasticsearch 2.4.5.
2.4.4
January 12, 2017
Bug Fixes
- Execution now stops if a destructive operations check fails.
2.4.2
November 22, 2016
Bug Fixes
- Users with manage or manage_security cluster privileges can now access the .security index if they have the appropriate index privileges.
Breaking Changes
- Shield on tribe nodes now requires tribe.on_conflict to prefer one of the clusters.
2.4.1
September 28, 2016
Enhancements
- Compatibility with Elasticsearch 2.4.1
2.4.0
August 31, 2016
Breaking Changes
- The monitor cluster privilege now grants access to the GET /_license API.
2.3.5
August 3, 2016
Bug Fixes
- Fixed a license problem that was preventing tribe nodes from working with Shield.
2.3.4
July 7, 2016
Bug Fixes
- The default transport profile SSL settings now override the shield.ssl.* settings properly.
- Fixed a memory leak that occurred when indices were deleted or closed.
2.3.3
May 18, 2016
Bug Fixes
- Fixed the /_shield/realm/{realms}/_cache/clear REST endpoint. This endpoint is deprecated and /_shield/realm/{realms}/_clear_cache should be used going forward.
2.3.2
April 26, 2016
Bug Fixes
- Date math expressions in index names are now resolved before attempting to authorize access to the indices.
- Fixed an issue where active directory realms did not work unless the url setting was configured.
- Enabled _cat/indices to be used when Shield is installed.
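The first 2.3.2 fix above matters because an index privilege is a wildcard pattern over concrete index names, so the authorization check has to see the name a request will actually touch. The following is an added illustration, not code from Shield or Elasticsearch: it implements an assumed, simplified subset of Elasticsearch's index-name date math (now, an optional +/-N day/hour/minute offset, optional rounding to the day, and three date formats) and shows that matching the unresolved expression against a role's patterns gives the wrong answer, while resolving first gives the right one. The clock, index names and role patterns are constructed sample values.

```python
import re
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Assumption: a simplified subset of Elasticsearch's index-name date math,
#   <static_prefix{now[+-N(d|h|m)][/d][{format}]}static_suffix>
# Only the three formats below are recognised; others raise ValueError.
_DATE_MATH = re.compile(
    r"^<(?P<prefix>[^<>{}]*)\{now"
    r"(?P<delta>[+-]\d+[dhm])?"
    r"(?P<round>/d)?"
    r"(?:\{(?P<fmt>[^{}]+)\})?"
    r"\}(?P<suffix>[^<>{}]*)>$"
)
_FORMATS = {"yyyy.MM.dd": "%Y.%m.%d", "yyyy.MM": "%Y.%m", "yyyy": "%Y"}
_UNITS = {"d": "days", "h": "hours", "m": "minutes"}

# Constructed fixed clock so the example is deterministic.
SAMPLE_NOW = datetime(2016, 4, 26, 15, 30)


def resolve_date_math(name, now):
    """Turn '<logs-{now/d}>' into the concrete index name it denotes at `now`.
    Names that are not date-math expressions are returned unchanged."""
    m = _DATE_MATH.match(name)
    if m is None:
        return name
    t = now
    if m.group("delta"):
        n, unit = int(m.group("delta")[:-1]), m.group("delta")[-1]
        t = t + timedelta(**{_UNITS[unit]: n})
    if m.group("round"):
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    fmt = m.group("fmt") or "yyyy.MM.dd"
    if fmt not in _FORMATS:
        raise ValueError("unsupported date format: " + fmt)
    return m.group("prefix") + t.strftime(_FORMATS[fmt]) + m.group("suffix")


def is_authorized(index_expr, granted_patterns, now, resolve_first=True):
    """Check a requested index against the wildcard patterns a role grants.

    With resolve_first=False the raw expression is matched, which models the
    pre-2.3.2 behaviour: the pattern check then runs against text that is not
    the name of the index actually accessed, so '<logs-{now/d}>' never matches
    a grant of 'logs-*'.
    """
    name = resolve_date_math(index_expr, now) if resolve_first else index_expr
    return any(fnmatchcase(name, pattern) for pattern in granted_patterns)


if __name__ == "__main__":
    # Constructed sample role: read access to logs-* only.
    for expr in ("<logs-{now/d}>", "<logs-{now-1d/d}>", "<secret-{now/d}>"):
        print(expr, "->", resolve_date_math(expr, SAMPLE_NOW),
              "authorized:", is_authorized(expr, ["logs-*"], SAMPLE_NOW))
```

Resolution happens before the pattern match, and the resolved name is the only thing the pattern ever sees; a request for an index outside the granted patterns is still refused after resolution.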
2.3.1
April 4, 2016
Bug Fixes
- Fixed an issue that could prevent nodes from joining the cluster.
2.3.0
March 30, 2016
New Features
- Native realm with support for user management APIs.
- Role management APIs have been added.
Enhancements
- Added new privileges to simplify access control.
- Renamed the esusers realm to file. The realm type esusers is now deprecated and the file type should be used instead.
Bug Fixes
- When evaluating permissions for multiple roles that have document level security enabled for the same index, Shield performed an AND on the queries, which is not consistent with how role privileges work in Shield. This has been changed to an OR relationship and may affect the behavior of existing roles; please ensure you are not relying on the AND behavior of document level security queries.
- When evaluating permissions for a user that has roles with and without document level security (and/or field level security), the roles that granted unrestricted access were not being applied properly and the user's access was still being restricted.
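The two 2.3.0 fixes above describe how document level security queries from several roles are combined. The following is an added illustration, not Shield's code: it models each role's DLS query as an assumed set of field/value terms over a constructed four-document index, lets you combine the roles' queries with OR (2.3.0 and later) or AND (the earlier behaviour), and treats a role with no DLS query as unrestricted so that it is not narrowed by a sibling role's query, which is the second fix. Role names, field names and documents are constructed sample values.

```python
# Constructed sample index: four documents in one index.
DOCS = [
    {"_id": "1", "dept": "sales", "region": "emea"},
    {"_id": "2", "dept": "sales", "region": "apac"},
    {"_id": "3", "dept": "eng", "region": "emea"},
    {"_id": "4", "dept": "eng", "region": "apac"},
]

# Constructed roles. The value is the role's document level security query
# for this index, modelled (assumption) as field/value terms that must all
# match; None means the role grants the index with no DLS query at all.
ROLES = {
    "sales_reader": {"dept": "sales"},
    "emea_reader": {"region": "emea"},
    "all_reader": None,
}


def matches(doc, query):
    """True when every term of the query is present in the document."""
    return all(doc.get(field) == value for field, value in query.items())


def effective_filter(role_names, combine="or"):
    """Build the predicate applied to a user holding these roles.

    combine="or"  : documents visible through any role are returned (2.3.0+)
    combine="and" : a document must satisfy every role's query (pre-2.3.0)
    A role with no DLS query grants unrestricted access, so it dominates
    regardless of how the restricted roles are combined.
    """
    queries = [ROLES[name] for name in role_names]
    if not queries:
        return lambda doc: False            # no role grants the index at all
    if any(q is None for q in queries):
        return lambda doc: True             # unrestricted role wins
    if combine == "or":
        return lambda doc: any(matches(doc, q) for q in queries)
    if combine == "and":
        return lambda doc: all(matches(doc, q) for q in queries)
    raise ValueError("combine must be 'or' or 'and'")


def visible_ids(role_names, combine="or", docs=DOCS):
    """Ids of the documents the user would see under the chosen combination."""
    keep = effective_filter(role_names, combine)
    return [doc["_id"] for doc in docs if keep(doc)]


if __name__ == "__main__":
    print("OR  :", visible_ids(["sales_reader", "emea_reader"]))
    print("AND :", visible_ids(["sales_reader", "emea_reader"], combine="and"))
    print("with unrestricted role:", visible_ids(["sales_reader", "all_reader"]))
```

The OR combination is the union of what each role permits, which is how role privileges compose elsewhere in Shield; the AND combination is an intersection, and is why a user who held two restricted roles could end up seeing fewer documents than either role alone allowed. When reviewing roles after upgrading, look for any role pair whose intended effect depended on that intersection.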
2.2.1
March 15, 2016
Bug Fixes
- Enable document and field level security by default.
- Fix issues with message authentication on certain JDKs that do not support cloning message authentication codes.
- Built in realms no longer throw an exception if the Authorization header does not contain a basic authentication token.
- Ensure each tribe client node has the same shield configuration as defined in the settings.
2.2.0
February 2, 2016
New Features
- Shield plugin for Kibana: Secures user sessions and enables users to log in and out of Kibana. For information about installing the Shield plugin, see Using Kibana with Shield.
Bug Fixes
- Update requests (including within bulk requests) are blocked when document and field level security is enabled
2.1.2
February 2, 2016
Enhancements
- Adds support for Elasticsearch 2.1.2.
2.1.1
December 17, 2015
Bug Fixes
- Disable the request cache when document level security is in use for a search request.
- Fix startup failures when using auditing and enabling network information output.
- Updated the kibana4 role to include the Field Stats API.
2.1.0
November 24, 2015
Breaking Changes
- Same as 2.0.1. Document and Field Level Security is now disabled by default. Set shield.dls_fls.enabled to true in elasticsearch.yml to enable it. You cannot submit _bulk update requests when document and field level security is enabled.
Enhancements
- Adds support for Elasticsearch 2.1.0.
2.0.2
December 16, 2015
Bug Fixes
- Disable the request cache when document level security is in use for a search request.
2.0.1
November 24, 2015
Breaking Changes
- Document and Field Level Security is now disabled by default. Set shield.dls_fls.enabled to true in elasticsearch.yml to enable it. You cannot submit _bulk update requests when document and field level security is enabled.
2.0.0
October 28, 2015
Breaking Changes
- All files that Shield uses must be kept in the configuration directory due to the enhanced security of Elasticsearch 2.0.
- The network format has been changed from all previous versions of Shield and a full cluster restart is required to upgrade to Shield 2.0.
New Features
- Document and Field Level Security support has been added and can be configured per role.
- Support for custom authentication realms has been added, allowing Shield to integrate with more authentication sources and methods.
- User impersonation support has also been added, which allows a user to send a request to Elasticsearch that will be run with the specified user’s permissions.
Bug Fixes
- Auditing now captures requests from nodes using a different system key as tampered requests.
- The index output for auditing stores the type of request when available.
- esusers and syskeygen work when spaces are in the Elasticsearch installation path.
- Fixed a rare issue where authentication fails even when the username and password are correct.
1.3.3
November 24, 2015
Bug Fixes
- Fixed a rare issue where authentication fails even when the username and password are correct.
- The index output for auditing stores the type of request when available.
Enhancements
- Tampered requests with a bad header are now audited.
1.3.2
August 10, 2015
Bug Fixes
- When using the LDAP user search mechanism, connection errors during startup no longer cause the node to stop.
- The Clear Cache API no longer generates invalid JSON.
- The index output for auditing starts properly when forwarding the audit events to a remote cluster and uses the correct user to index the audit events.
1.3.1
July 21, 2015
Bug Fixes
- Fixes message authentication serialization to work with Shield 1.2.1 and earlier.
- NOTE: if you are upgrading from Shield 1.3.0 or Shield 1.2.2, a cluster restart upgrade will be necessary. When upgrading from other versions of Shield, follow the normal upgrade procedure.
1.3.0
June 24, 2015
Breaking Changes
- The sha2 and apr1 hashing algorithms have been removed as options for the cache.hash_algo setting. If your existing Shield installation uses either of these options, remove the setting and use the default ssha256 algorithm.
- The users file now only supports bcrypt password hashing. All existing passwords stored using the esusers tool have been hashed with bcrypt and are not affected.
New Features
- PKI Realm: Adds Public Key Infrastructure (PKI) authentication through the use of X.509 certificates in place of username and password credentials.
- Index Output for Audit Events: An index based output has been added for storing audit events in an Elasticsearch index.
Enhancements
- TLS 1.2 is now the default protocol.
- Clients that do not support pre-emptive basic authentication can now support both anonymous and authenticated access by specifying the shield.authc.anonymous.authz_exception setting with a value of false.
- Reduced logging for common SSL exceptions, such as a client closing the connection during a handshake.
Bug Fixes
- The esusers and syskeygen tools now work correctly with environment variables in the RPM and DEB installation environment files /etc/sysconfig/elasticsearch and /etc/default/elasticsearch.
- Default ciphers no longer include TLS_DHE_RSA_WITH_AES_128_CBC_SHA.
1.2.3
July 21, 2015
Bug Fixes
- Fixes message authentication serialization to work with Shield 1.2.1 and earlier.
- NOTE: if you are upgrading from Shield 1.2.2, a cluster restart upgrade will be necessary. When upgrading from other versions of Shield, follow the normal upgrade procedure.
1.2.2
June 24, 2015
Bug Fixes
- The esusers tool no longer warns about missing roles that are properly defined in the roles.yml file.
- The period character, ., is now allowed in usernames and role names.
- The terms filter lookup cache has been disabled to ensure all requests are properly authorized. This removes the need to manually disable the terms filter cache.
- For LDAP client connections, only the protocols and ciphers specified in the shield.ssl.supported_protocols and shield.ssl.ciphers settings will be used.
- The auditing mechanism now logs authentication failed events when a request contains an invalid authentication token.
1.2.1
April 29, 2015
Bug Fixes
- Several bug fixes including a fix to ensure that Disk-based Shard Allocation works properly with Shield
1.2.0
March 24, 2015
Enhancements
- Adds support for Elasticsearch 1.5
1.1.1
April 29, 2015
Bug Fixes
- Several bug fixes including a fix to ensure that Disk-based Shard Allocation works properly with Shield
1.1.0
March 24, 2015
New Features
- LDAP:
  - Add the ability to bind as a specific user for LDAP searches, which removes the need to specify user_dn_templates. This mode of operation also makes use of connection pooling for better performance. Please see ldap user search for more information.
  - User distinguished names (DNs) can now be used for role mapping.
- Authentication:
  - Anonymous access is now supported (disabled by default).
- IP Filtering:
  - IP Filtering settings can now be dynamically updated using the Cluster Update Settings API.
Enhancements
- Significant memory footprint reduction of internal data structures
- Test if SSL/TLS ciphers are supported and warn if any of the specified ciphers are not supported
- Reduce the amount of logging when a non-encrypted connection is opened and https is being used.
- Added the kibana4_server role, which contains the minimum set of permissions required for the Kibana 4 server.
- The in-memory user credential caching hash algorithm now defaults to salted SHA-256 (see Cache hash algorithms).
Bug Fixes
- Filter out sensitive settings from the settings APIs
1.0.2
March 24, 2015
Bug Fixes
- Filter out sensitive settings from the settings APIs
- Significant memory footprint reduction of internal data structures
1.0.1
February 13, 2015
Bug Fixes
- Fixed dependency issues with Elasticsearch 1.4.3 (and the Lucene 4.10.3 that comes with it).
- Fixed bug in how user roles were handled. When multiple roles were defined for a user, and one of the roles only had cluster permissions, not all privileges were properly evaluated.
- Updated kibana4 permissions to be compatible with Kibana 4 RC1.
- Ensure the mandatory base_dn setting is set in the ldap realm configuration.