News

Shield 1.1 and 1.2 Released

We're happy to announce Shield 1.0.2, Shield 1.1 and Shield 1.2, download it here!

Shield 1.0.2 is a bugfix release, please see the changelist for more information.

Shield 1.1 and Shield 1.2 are the first feature releases since the introduction of Shield in late January. We have received important feedback from our users and the new Shield releases address some of the most requested features and improves overall performance. Without further ado, here are the highlights:

elasticsearch 1.5 support

Shield 1.1 and 1.2 are identical feature wise; the only difference is the compatible versions of Elasticsearch. Shield 1.1 is the last feature release that will be compatible with Elasticsearch 1.4.2 and newer versions of 1.4.x; Shield 1.2 requires Elasticsearch 1.5.0 or higher. Additionally, the plugin download service has been enhanced so that installing the latest version of Shield will actually download the appropriate version of Shield based on your Elasticsearch version.

ldap user search

Shield now supports LDAP user search, which connects to the LDAP server as a specific user with search privileges to find users and groups rather than requiring all users to have LDAP search privileges. LDAP user search provides improved flexibility, better performance when authenticating users in a complex directory structure, and is necessary to work in environments that restrict directory search operations. For more information, please see the ldap documentation.

anonymous access

Shield now supports anonymous access. Anonymous access (requests without user credentials) in Shield can be mapped to specific roles allowing for fine grained control of what actions are permitted for anonymous users. For example, anonymous searches against a specific index can be allowed while still restricting the modification of data in that index to users with proper authorization. Audit logging for anonymous access is also supported. Anonymous access is disabled by default, read here for more information.

dynamic ip filtering

Shield now allows for IP Filtering settings to be configured dynamically via the Cluster Update Settings API. You can dynamically disable or enable ip filtering in addition to updating the allowed and denied hosts. This will be very helpful in expanding a locked down cluster as a new node's IP address can be added to the allowed IP addresses without the need to restart nodes in the cluster. A few examples are provided here.

mapping ldap users to roles

Mapping ldap users to roles is now supported in addition to mapping ldap groups to roles. Mapping users to roles is helpful in environments where maintaining specific LDAP groups for elasticsearch access would cause too much overhead. An example mapping of both users and groups to roles can be found in the role mapping section.

settings filtering

Shield now filters out sensitive settings, such as SSL configuration and passwords, by default and provides a mechanism to specify other settings to filter. These settings will no longer appear in the output of the node settings API. Further information can be found in the settings section.

For a complete changelist, please refer to the documentation.

upgrading

Please refer to the upgrade section of the Shield documentation.