From 27c4cdbec9914611d84e17da519306243e559ebf Mon Sep 17 00:00:00 2001 From: floragunn Date: Mon, 29 Apr 2019 13:49:32 +0200 Subject: [PATCH 1/5] Add note about "elasticsearch.ssl.alwaysPresentCertificate: true" for Kibana client cert authentication --- _docs/kibana_installation.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/_docs/kibana_installation.md b/_docs/kibana_installation.md index ccba96ad..b7daebdd 100644 --- a/_docs/kibana_installation.md +++ b/_docs/kibana_installation.md @@ -210,6 +210,9 @@ You can override this behaviour explicitly by using the following option in your ``` # Allow using a client certificate defined in elasticsearch.ssl.certificate searchguard.allow_client_certificates: true +# If you are on Kibana >= 6.5.0 you might want to also set +#elasticsearch.ssl.alwaysPresentCertificate: true +# see https://github.com/elastic/kibana/pull/24304 ``` ## Where to go next From 1f1cab05ab47c2bf7f2d7210edae73a75060cad0 Mon Sep 17 00:00:00 2001 From: Sergii Bondarenko Date: Wed, 17 Apr 2019 12:38:57 +0200 Subject: [PATCH 2/5] Elasticsearch .url config option was deprecated. Use .hosts instead. Ref: https://github.com/elastic/kibana/pull/21928 --- _docs/quickstart.md | 4 ++-- _docs/quickstart_windows.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/_docs/quickstart.md b/_docs/quickstart.md index f4f8d695..4b568edf 100644 --- a/_docs/quickstart.md +++ b/_docs/quickstart.md @@ -134,7 +134,7 @@ If you've used the demo configuration to initializing Search Guard as outlined a ```yaml # Use HTTPS instead of HTTP -elasticsearch.url: "https://localhost:9200" +elasticsearch.hosts: ["https://localhost:9200"] # Configure the Kibana internal server user elasticsearch.username: "kibanaserver" @@ -191,4 +191,4 @@ For fine-grained access control on document- and field level, use the Search Gua If you need to stay compliant with security regulations like GDPR, HIPAA, PCI, ISO or SOX, use the [Search Guard Audit Logging](auditlogging.md) to generate and store audit trails. -And if you need to support multiple tenants in Kibana, use [Kibana Multitenancy](kibana_multitenancy.md) to separate Visualizations and Dashboards by tenant. \ No newline at end of file +And if you need to support multiple tenants in Kibana, use [Kibana Multitenancy](kibana_multitenancy.md) to separate Visualizations and Dashboards by tenant. diff --git a/_docs/quickstart_windows.md b/_docs/quickstart_windows.md index 7387849c..1d8ef114 100644 --- a/_docs/quickstart_windows.md +++ b/_docs/quickstart_windows.md @@ -139,7 +139,7 @@ If you've used the demo configuration to initializing Search Guard as outlined a ```yaml # Use HTTPS instead of HTTP -elasticsearch.url: "https://localhost:9200" +elasticsearch.hosts: ["https://localhost:9200"] # Configure the Kibana internal server user elasticsearch.username: "kibanaserver" From 2644329d24e83b01383a9ee7ff8265bfb45aecfb Mon Sep 17 00:00:00 2001 From: Sergii Bondarenko Date: Wed, 17 Apr 2019 13:15:35 +0200 Subject: [PATCH 3/5] Replcae .url by .hosts in all files. Plus fix English typos. --- _docs/kibana_authentication_basicauth.md | 4 ++-- _docs/kibana_authentication_jwt.md | 4 ++-- _docs/kibana_authentication_proxy.md | 4 ++-- _docs/kibana_authentication_types.md | 6 +++--- _docs/kibana_installation.md | 4 ++-- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/_docs/kibana_authentication_basicauth.md b/_docs/kibana_authentication_basicauth.md index 2b615bfa..6847994c 100644 --- a/_docs/kibana_authentication_basicauth.md +++ b/_docs/kibana_authentication_basicauth.md @@ -79,7 +79,7 @@ searchguard.auth.type: "basicauth" searchguard.cookie.password: <encryption key, min. 32 characters> # Use HTTPS instead of HTTP -elasticsearch.url: "https://<hostname>.com:<http port>" +elasticsearch.hosts: ["https://<hostname>.com:<http port>"] # Configure the Kibana internal server user elasticsearch.username: "kibanaserver" @@ -92,4 +92,4 @@ elasticsearch.ssl.verificationMode: none elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant"] - \ No newline at end of file + diff --git a/_docs/kibana_authentication_jwt.md b/_docs/kibana_authentication_jwt.md index 7c6f2324..ec0d73e7 100644 --- a/_docs/kibana_authentication_jwt.md +++ b/_docs/kibana_authentication_jwt.md @@ -81,7 +81,7 @@ searchguard.jwt.header: 'Authorization' searchguard.jwt.url_param: 'jwtparam' # Use HTTPS instead of HTTP -elasticsearch.url: "https://<hostname>.com:<http port>" +elasticsearch.hosts: ["https://<hostname>.com:<http port>"] # Configure the Kibana internal server user elasticsearch.username: "kibanaserver" @@ -115,4 +115,4 @@ basic_internal_auth_domain: type: basic challenge: false ... -``` \ No newline at end of file +``` diff --git a/_docs/kibana_authentication_proxy.md b/_docs/kibana_authentication_proxy.md index 9fa83c7f..21225905 100644 --- a/_docs/kibana_authentication_proxy.md +++ b/_docs/kibana_authentication_proxy.md @@ -55,7 +55,7 @@ searchguard.basicauth.enabled: false searchguard.auth.type: "proxy" # Use HTTPS instead of HTTP -elasticsearch.url: "https://<hostname>.com:<http port>" +elasticsearch.hosts: ["https://<hostname>.com:<http port>"] # Configure the Kibana internal server user elasticsearch.username: "kibanaserver" @@ -93,4 +93,4 @@ basic_internal_auth_domain: type: basic challenge: false ... -``` \ No newline at end of file +``` diff --git a/_docs/kibana_authentication_types.md b/_docs/kibana_authentication_types.md index 80fb3347..540cc68b 100644 --- a/_docs/kibana_authentication_types.md +++ b/_docs/kibana_authentication_types.md @@ -36,13 +36,13 @@ This is the default. If the user tries to access Kibana and has no active sessio In this mode, the user is authenticated by a third party system, like an identity provider that issues JSON web tokens, a Kerberos realm or an authenticating proxy. The Kibana plugin will forward any HTTP headers containing user crendentials to Search Guard. As with Basic Authentication, Search Guard uses these credentials for assigning roles and permissions. -*Hint: You cannot the Basic Authentication login page and SSO authentication together.* +*Hint: You cannot have the Basic Authentication login page and SSO authentication together.* ### Whitelisting HTTP headers By default, Kibana does not pass any HTTP header other than `Authorization` to Elasticsearch. If you try to transmit any other header, it is silently discarded. -In order for SSO to work, make sure that any HTTP header that is required for yur configured authentication type is added to the `elasticsearch.requestHeadersWhitelist` configuration entry in `kibana.yml`. +In order for SSO to work, make sure that any HTTP header that is required for your configured authentication type is added to the `elasticsearch.requestHeadersWhitelist` configuration entry in `kibana.yml`. Example: @@ -66,4 +66,4 @@ This does not mean that you need to enable Basic Authentication for regular user ## About certificate based authentication -We do not yet provide support for certificate-based (two-way SSL) authentication against Kibana due to technical limitations of the Kibana architecture. \ No newline at end of file +We do not yet provide support for certificate-based (two-way SSL) authentication against Kibana due to technical limitations of the Kibana architecture. diff --git a/_docs/kibana_installation.md b/_docs/kibana_installation.md index b7daebdd..91c8cf17 100644 --- a/_docs/kibana_installation.md +++ b/_docs/kibana_installation.md @@ -76,10 +76,10 @@ elasticsearch.password: "kibanaserver" ## Setting up SSL/TLS -If you use TLS on the Elasticsearch REST layer, you need to configure Kibana accordingly. Set the protocol on the entry `elasticsearch.url` to `https`: +If you use TLS on the Elasticsearch REST layer, you need to configure Kibana accordingly. Set the protocol on the entry `elasticsearch.hosts` to `https`: ```yaml -elasticsearch.url: "https://localhost:9200" +elasticsearch.hosts: ["https://localhost:9200"] ``` All requests that Kibana makes to Elasticsearch will now use HTTPS instead of HTTP. From 7e26f4bb10f826ad1d5e78aa80e131e306ab91ad Mon Sep 17 00:00:00 2001 From: floragunn Date: Fri, 26 Apr 2019 14:48:34 +0200 Subject: [PATCH 4/5] New EOL --- _config.yml | 9 ++++ _docs/eol.md | 125 ++++++++++++++++++--------------------------------- 2 files changed, 52 insertions(+), 82 deletions(-) diff --git a/_config.yml b/_config.yml index 15905388..ad0c0754 100644 --- a/_config.yml +++ b/_config.yml @@ -170,6 +170,15 @@ algolia: - ignorePlurals - singleWordSynonym +eol: + features: + - 5.6.16 + - 6.6.2 + - 6.7.1 + updates: + - 6.4.3 + - 6.5.4 + sgversions: enterprise: - 6.7.1|25.0|18.3|yes diff --git a/_docs/eol.md b/_docs/eol.md index 7f7402ce..bcaa2a47 100644 --- a/_docs/eol.md +++ b/_docs/eol.md @@ -17,116 +17,77 @@ description: Search Guard End Of Life policy. The Search Guard End of Life policy defines -* how long a release is in active development -* how long a release is supported and maintained -* how long a release receives critical security updates +* which Elasticsearch versions receive new Search Guard features and bugfixes +* which Elasticsearch version receive critical bugfixes for Search Guard (but no new features) +* which Elasticsearch version is End of Life (EOL) and will not receive any Search Guard updates -The Search Guard end of life policy closely relates to the [Elasticsearch end of life policy](https://www.elastic.co/de/support/eol). - -Search Guard releases that **have not reached end of life** are called **active releases**. - -Search Guard releases that **have reached end of life** are called **inactive releases**. +Please also refer to [Elasticsearch end of life policy](https://www.elastic.co/de/support/eol) to check whether your Elasticsearch version +has reached End of Life in general. ## Versioning schema The Search Guard versioning scheme is: -* e1.e2.e3-sgv (for 5.x and later) -* e1.e2.e3.sgv (for 2.x) +* e1.e2.e3-s1.s2.s3 +* Example: 6.7.1-25.0.0 where * e1: Elasticsearch Major Version * e2: Elasticsearch Minor Version -* e2: Elasticsearch Fix Version -* sgv: Search Guard Version - -## Active releases - -For active releases, we will provide Search Guard updates and maintenance for - -* All releases of the current minor version of the current major version - * 6.6.0, 6.6.1, 6.6.2 at the time of writing -* Current release of the previous minor version of the current major version - * 6.5.4 at the time of writing -* Last release of the previous major version (not all features will be backported) - * 5.6.15 at the time of writing - -## Inactive releases - -If a Search Guard version reaches EOL, the corresponding Elasticsearch version has reached EOL already, and customers are strongly advised to upgrade. We will not release updates for these versions, and ask customers to upgrade Search Guard alongside Elasticsearch. - -## Critical Security Fixes - -Critical security fixes will be backported to all active releases, including all major, minor and bugfix releases. - -## EOL dates - -| Search Guard Version | End of life date | -|---|---| -6.6.x-y | 2020-07-29 | -6.5.x-y | 2020-05-14 | -6.4.x-y | 2020-02-23 | -6.3.x-y | 2019-12-13 | -6.2.x-y | 2019-08-06 | -6.1.x-y | 2019-06-13 | -6.0.x-y | 2019-05-14 | -5.6.x-y | 2019-03-11 | -5.5.x-y | 2019-01-06 | -5.4.x-y | 2018-11-04 | -5.3.x-y | 2018-09-28 | -5.2.x-y | 2018-07-31 | -5.1.x-y | 2018-06-08 | -5.0.x-y | 2018-04-26 | -2.4.x.y | 2018-02-28 | -2.3.x.y | 2017-09-30 | -2.2.x.y | 2017-08-02 | - -## Maintenance and support overview as of 20.12.2018 - -### Search Guard 6 +* e3: Elasticsearch Fix Version +* s1: Search Guard Major Version (Incremented when new features are added) +* s2: Search Guard Minor Version (Incremented when bugfixes are applied) +* s3: Search Guard Fix Version (Incremented when trivial changes, like fixing typos, are applied -| Search Guard Version | Active release | Search Guard Updates | Critical Security Updates | -|---|---|---|---| -6.6.x-y | yes | yes | yes | -6.5.x-y | yes | yes | yes | -6.4.x-y | yes | yes | yes | -6.3.x-y | no | no | yes | -6.2.x-y | no | no | yes | -6.1.x-y | no | no | yes | +## Which Elasticsearch versions receive new Search Guard features and bugfixes -### Search Guard 5 +* Current release of the current minor version of the current Elasticsearch major version +* Current release of the previous minor version of the current Elasticsearch major version +* Current release of the previous Elasticsearch major version (but not all features will be backported) -| Search Guard Version | Active release | Search Guard Updates | Critical Security Updates | -|---|---|---|---| -5.6.15-y | yes | yes (partly) | yes | -5.6.x-y | no | no | no | -5.5.x-y | no | no | no | -5.4.x-y | no | no | no | -5.3.x-y | no | no | no | -5.2.x-y | no | no | no | -5.1.x-y | no | no | no | -5.0.x-y | no | no | no | -### Search Guard 2 +At the time of writing this is: {% for version in site.eol.features %} +* {{ version }}{% endfor %} +{: .note .js-note} -| Search Guard Version | Active release | Search Guard Updates | Critical Security Updates | -|---|---|---|---| -2.4.x.y | no | no | no | -2.3.x.y | no | no | no | -2.2.x.y | no | no | no | +## Which Elasticsearch versions receive critical bugfixes only (but no new features) +* Current releases of the third and fourth from last Elasticsearch minor version of the current Elasticsearch major version +At the time of writing this is: {% for version in site.eol.updates %} +* {{ version }}{% endfor %} +{: .note .js-note} +## Which Elasticsearch versions receive no updates at all any longer +* All other Elasticsearch versions not mentioned above +* All Elasticsearch versions which are EOL according to [Elasticsearch end of life policy](https://www.elastic.co/de/support/eol) +## Recommended upgrade Strategy +* Upgrade Elasticsearch always to the latest fix version or your Elasticsearch minor version +* Make sure your Elasticsearch minor version is not older than six month +* When the first beta version of a new Elasticsearch major version is released prepare to upgrade to the latest release of the current major version of Elasticsearch. +## EOL Examples +### Assume 7.0.0 is the current Elasticsearch Version +* Which Elasticsearch versions receive new Search Guard features and bugfixes: 6.7.1, 7.0.0 +* Which Elasticsearch versions receive critical bugfixes (but no new features): n/a +* Which Elasticsearch versions receive no updates at all any longer: all other (1.x.x-6.7.0) +### Assume 6.7.1 is the current Elasticsearch Version +* Which Elasticsearch versions receive new Search Guard features and bugfixes: 5.6.16, 6.6.2, 6.7.1 +* Which Elasticsearch versions receive critical bugfixes (but no new features): 6.4.3, 6.5.4 +* Which Elasticsearch versions receive no updates at all any longer: all other (1.x.x-5.6.15, 6.0.x-6.4.2, 6.5.0-6.5.3, 6.6.0-6.6.1, 6.7.0) +### Assume 6.5.4 is the current Elasticsearch Version +* Which Elasticsearch versions receive new Search Guard features and bugfixes: 5.6.16, 6.4.3, 6.5.4 +* Which Elasticsearch versions receive critical bugfixes (but no new features): 6.2.4, 6.3.2 +* Which Elasticsearch versions receive no updates at all any longer: all other (1.x.x-5.6.15, 6.0.x-6.2.3, 6.3.0-6.3.1, 6.4.0-6.4.2, 6.5.0-6.5.3) \ No newline at end of file From 02d68595b58c0e7ebcb97d34a5db9501fcecc8a4 Mon Sep 17 00:00:00 2001 From: floragunn Date: Fri, 26 Apr 2019 15:41:23 +0200 Subject: [PATCH 5/5] Rework index page and version matrix --- _config.yml | 78 ++++++++++------------------- _docs/installation_versionmatrix.md | 3 ++ _includes/footer.html | 2 +- _layouts/versionmatrix.html | 37 ++------------ index.md | 40 +++++++++++++-- 5 files changed, 70 insertions(+), 90 deletions(-) diff --git a/_config.yml b/_config.yml index ad0c0754..8ecfb356 100644 --- a/_config.yml +++ b/_config.yml @@ -181,55 +181,29 @@ eol: sgversions: enterprise: - - 6.7.1|25.0|18.3|yes - - 6.7.0|24.3|18.3|yes - - 6.6.2|25.0|18.3|yes - - 6.6.1|24.3|18.3|yes - - 6.6.0|24.3|18.3|yes - - 6.5.4|25.0|18.3|yes - - 6.5.3|24.3|18.3|yes - - 6.5.2|24.3|18.3|yes - - 6.5.1|24.3|18.3|yes - - 6.4.3|25.0|17|yes - - 6.4.2|24.3|17|yes - - 6.4.1|24.3|17|yes - - 6.4.0|24.3|17|yes - - 6.3.2|24.0|17|yes - - 6.3.1|24.0|17|yes - - 6.3.0|24.0|17|yes - - 6.2.4|23.0|14|yes - - 6.2.3|23.0|14|yes - - 6.2.2|23.0|14|yes - - 6.2.1|23.0|14|yes - - 6.1.4|22.3|12|yes - - 6.1.3|22.3|12|yes - - 6.1.2|22.3|12|yes - - 6.1.1|22.3|12|yes - - 6.1.0|22.3|12|yes - sgssl: - - 6.7.1|25.6|false|no - - 6.7.0|25.6|false|no - - 6.6.2|25.6|false|no - - 6.6.1|25.6|false|no - - 6.6.0|25.6|false|no - - 6.5.4|25.6|false|no - - 6.5.3|25.6|false|no - - 6.5.2|25.6|false|no - - 6.5.1|25.6|false|no - - 6.4.3|25.6|false|no - - 6.4.2|25.6|false|no - - 6.4.1|25.6|false|no - - 6.4.0|25.6|false|no - - 6.3.2|25.4|false|no - - 6.3.1|25.4|false|no - - 6.3.0|25.4|false|no - - 6.2.4|25.4|true|yes - - 6.2.3|25.4|true|yes - - 6.2.2|25.4|true|yes - - 6.2.1|25.4|true|yes - - 6.1.4|25.4|true|yes - - 6.1.3|25.4|true|yes - - 6.1.2|25.4|true|yes - - 6.1.1|25.4|true|yes - - 6.1.0|25.4|true|yes - - 6.0.1|25.4|true|yes + #esv |sgv |kbv |feat|upd|eol + - 6.7.1|25.0|18.3|yes|yes|no + - 6.7.0|24.3|18.3|no|no|yes + - 6.6.2|25.0|18.3|yes|yes|no + - 6.6.1|24.3|18.3|no|no|yes + - 6.6.0|24.3|18.3|no|no|yes + - 6.5.4|25.0|18.3|no|yes|no + - 6.5.3|24.3|18.3|no|no|yes + - 6.5.2|24.3|18.3|no|no|yes + - 6.5.1|24.3|18.3|no|no|yes + - 6.4.3|25.0|17|no|yes|no + - 6.4.2|24.3|17|no|no|yes + - 6.4.1|24.3|17|no|no|yes + - 6.4.0|24.3|17|no|no|yes + - 6.3.2|24.0|17|no|no|yes + - 6.3.1|24.0|17|no|no|yes + - 6.3.0|24.0|17|no|no|yes + - 6.2.4|23.0|14|no|no|yes + - 6.2.3|23.0|14|no|no|yes + - 6.2.2|23.0|14|no|no|yes + - 6.2.1|23.0|14|no|no|yes + - 6.1.4|22.3|12|no|no|yes + - 6.1.3|22.3|12|no|no|yes + - 6.1.2|22.3|12|no|no|yes + - 6.1.1|22.3|12|no|no|yes + - 6.1.0|22.3|12|no|no|yes diff --git a/_docs/installation_versionmatrix.md b/_docs/installation_versionmatrix.md index eaefa1b7..436d6882 100644 --- a/_docs/installation_versionmatrix.md +++ b/_docs/installation_versionmatrix.md @@ -15,3 +15,6 @@ All Search Guard releases, past and present, are available on Maven Central. You If you are upgrading from Elasticsearch < 6.5.0 to Elasticsearch >= 6.5.0, please read the [upgrade instructions to Elasticsearch 6.5.x](upgrading_6_5_0.md). {: .note .js-note .note-warning} + +Please also refer to [Search Guard End of Life policy](eol.md) to make sure that you are not running an outdated Search Guard version. +{: .note .js-note .note-warning} \ No newline at end of file diff --git a/_includes/footer.html b/_includes/footer.html index 88024c46..3f7872cb 100644 --- a/_includes/footer.html +++ b/_includes/footer.html @@ -55,7 +55,7 @@

- © 2017-2018 floragunn GmbH - All Rights Reserved

+ © 2017-2019 floragunn GmbH - All Rights Reserved

diff --git a/_layouts/versionmatrix.html b/_layouts/versionmatrix.html index f48c808c..8cfad013 100644 --- a/_layouts/versionmatrix.html +++ b/_layouts/versionmatrix.html @@ -37,7 +37,9 @@

Search Guard

Search Guard Version Kibana Plugin Version Artifact - Support available + Receive new features + Receive critical bugfixes + End of Life @@ -50,41 +52,12 @@

Search Guard

{{ sgversions[2] }} com.floragunn:search-guard-6:{{ sgversions[0] }}-{{ sgversions[1] }} {{ sgversions[3] }} + {{ sgversions[4] }} + {{ sgversions[5] }} {% endfor %} - - -

Search Guard SSL

- - - - - - - - - - - - {% for version in site.sgversions.sgssl %} - - {% assign sgversions = version | split: "|" %} - - - {% if sgversions[2] == "true" %} - - {% else %} - - {% endif %} - - - {% endfor %} - -
Elasticsearch VersionSearch Guard SSL VersionArtifactSupport available
{{ sgversions[0] }}{{ sgversions[1] }}com.floragunn:search-guard-ssl:{{ sgversions[0] }}-{{ sgversions[1] }}not released as standalone plugin{{ sgversions[3] }}
- - diff --git a/index.md b/index.md index 64589d8b..ac14d9cc 100644 --- a/index.md +++ b/index.md @@ -19,15 +19,45 @@ Copryight 2016-2017 floragunn GmbH

Search Guard {{site.searchguard.esmajorversion}} Documentation

-Version: {{site.searchguard.majorversion}}.{{site.searchguard.minorversion}} +* [Installation](installation_versionmatrix.md) +* [Quick Start](quickstart.md) + +

Current releases

+ + + + + + + + + + + + {% for version in site.sgversions.enterprise %} + + {% assign sgversions = version | split: "|" %} + + {% if sgversions[3] != 'yes' %} + {% continue %} + {% endif %} + + + + + + + + + {% endfor %} + +
Elasticsearch VersionSearch Guard VersionKibana Plugin VersionArtifact
{{ sgversions[0] }}{{ sgversions[1] }}{{ sgversions[2] }}com.floragunn:search-guard-6:{{ sgversions[0] }}-{{ sgversions[1] }}
+ Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries Elasticsearch, Kibana, Logstash, and Beats are trademarks of Elasticsearch BV, registered in the U.S. and in other countries. -Copyright 2016-2017 floragunn GmbH - - - +Copyright 2016-2019 floragunn GmbH