Releases: opensearch-project/security

3.5.0.0

10 Feb 23:46
2cb891d

Version 3.5.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 3.5.0

Features

  • Allow configuring the timezone for audit log - Feature #5867 (#5901)
  • Introduce new dynamic setting (plugins.security.dls.write_blocked) to block all writes when restrictions apply (#5828)
  • JWT authentication for gRPC transport (#5916)
  • Support for HTTP/3 (server side) (#5886)

Enhancements

  • Enable audit logging of document contents for DELETE operations (#5914)
  • Skip hasExplicitIndexPrivilege check for plugin users accessing their own system indices (#5858)
  • Fix-issue-5687 allow access to nested JWT claims via dot notation (#5891)
  • Implement buildSecureClientTransportEngine with serverName parameter (#5894)
  • Serialize Search Request object in DLS Filter Level Handler only when… (#5883)

Bug Fixes

  • Bug fix: Fixing partial cache update post snapshot restore (#5478)
  • Fix IllegalArgumentException when resolved indices are empty (#5797)
  • Fix test failure related to change in core to add content-encoding to response headers (#5897)
  • Fixed NPE in LDAP recursive role search (#5861)
  • Make gRPC JWT header keys case insensitive (#5929)

Infrastructure

  • Clear CHANGELOG post 3.4 release (#5864)

Maintenance

  • Bump at.yawk.lz4:lz4-java from 1.10.1 to 1.10.2 (#5874)
  • Bump ch.qos.logback:logback-classic from 1.5.21 to 1.5.23 (#5888)
  • Bump ch.qos.logback:logback-classic from 1.5.23 to 1.5.24 (#5902)
  • Bump ch.qos.logback:logback-classic from 1.5.24 to 1.5.25 (#5912)
  • Bump ch.qos.logback:logback-classic from 1.5.25 to 1.5.26 (#5919)
  • Bump com.nimbusds:nimbus-jose-jwt from 10.6 to 10.7 (#5904)
  • Bump io.dropwizard.metrics:metrics-core from 4.2.37 to 4.2.38 (#5922)
  • Bump io.projectreactor:reactor-core from 3.8.1 to 3.8.2 (#5910)
  • Bump net.bytebuddy:byte-buddy from 1.18.2 to 1.18.3 (#5877)
  • Bump net.bytebuddy:byte-buddy from 1.18.3 to 1.18.4 (#5913)
  • Bump org.checkerframework:checker-qual from 3.52.1 to 3.53.0 (#5906)
  • Bump org.cryptacular:cryptacular from 1.2.7 to 1.3.0 (#5921)
  • Bump org.junit.jupiter:junit-jupiter-api from 5.14.1 to 5.14.2 (#5903)
  • Bump org.mockito:mockito-core from 5.20.0 to 5.21.0 (#5875)
  • Bump org.ow2.asm:asm from 9.9 to 9.9.1 (#5876)
  • Bump org.springframework.kafka:spring-kafka-test from 4.0.0 to 4.0.1 (#5873)
  • Bump org.springframework.kafka:spring-kafka-test from 4.0.1 to 4.0.2 (#5918)
  • Bump spring_version from 7.0.2 to 7.0.3 (#5911)
  • Refer to version of error_prone_annotations from core's version catalog (2.45.0) (#5890)
  • Remove MakeJava9Happy class that's not applicable in OS 3.X (#5896)
  • Update Jackson to 2.20.1 (#5892)
  • Upgrade eclipse dependencies (#5863)

Refactoring

  • Refactor plugin system index tests to use parameterized test pattern (#5895)

3.4.0.0

17 Dec 07:57
b429310

Version 3.4.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 3.4.0

Added

  • Add support for Basic Authentication in webhook audit log sink using plugins.security.audit.config.username and plugins.security.audit.config.password (#5792)

Changed

  • Ensure all restHeaders from ActionPlugin.getRestHeaders are carried to threadContext for tracing (#5396)
  • Deprecate plugins.security.system_indices.indices (#5775)
  • Allow overlap of static and custom security configs, but prefer static (#5805)
  • Update read access to specific search-relevance indices (#5590)

Enhancements

  • Moved configuration reloading to dedicated thread to improve node stability (#5479)
  • Makes resource settings dynamic (#5677)
  • [Resource Sharing] Allow multiple sharable resource types in single resource index (#5713)
  • Adding Alerting V2 roles to roles.yml (#5747)
  • Add suggest api to ad read access role (#5754)
  • Get list of headersToCopy from core and use getHeader(String headerName) instead of getHeaders() (#5769)
  • [Resource Sharing] Keep track of resource_type on resource sharing document (#5772)
  • Add support for X509 v3 extensions (SAN) for authentication (#5701)
  • [Resource Sharing] Requires default_owner for resource/migrate API (#5789)
  • Add --timeout (-to) as an option to securityadmin.sh (#5787)

Bug Fixes

  • Create a WildcardMatcher.NONE when creating a WildcardMatcher with an empty string (#5694)
  • Improve array validator to also check for blank string in addition to null (#5714)
  • Use RestRequestFilter.getFilteredRequest to declare sensitive API params (#5710)
  • Fix deprecated SSL transport settings in demo certificates (#5723)
  • Updates DlsFlsValveImpl condition to return true if request is internal and not a protected resource request (#5721)
  • [Performance] Call AdminDns.isAdmin once per request (#5752)
  • Update operations on .kibana system index now work correctly with Dashboards multi tenancy enabled. (#5778)

Refactoring

  • [Resource Sharing] Make migrate api require default access level to be supplied and updates documentations + tests (#5717)
  • [Resource Sharing] Removes share and revoke java APIs (#5718)
  • Fix build failure in SecurityFilterTests (#5736)
  • [Resource Sharing] Refactor ResourceProvider to an interface and other ResourceSharing refactors (#5755)
  • Replace AccessController and remove restriction on word Extension (#5750)
  • Add security provider earlier in bootstrap process (#5749)
  • [GRPC] Fix compilation errors from core protobuf version bump to 0.23.0 (#5763)
  • Modularized PrivilegesEvaluator (#5791)
  • [Resource Sharing] Adds post support for update sharing info API (#5799)
  • Cleaned up use of PrivilegesEvaluatorResponse (#5804)
  • Remove reflective call to getInnerChannel (#5816)

Maintenance

  • Bump org.junit.jupiter:junit-jupiter from 5.13.4 to 5.14.1 (#5678, #5764)
  • Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.20 (#5680, #5724)
  • Bump org.scala-lang:scala-library from 2.13.16 to 2.13.18 (#5682, #5809)
  • Bump kafka_version from 4.0.0 to 4.1.1 (#5613, #5806)
  • Bump org.gradle.test-retry from 1.6.2 to 1.6.4 (#5706)
  • Bump org.checkerframework:checker-qual from 3.51.0 to 3.52.0 (#5705, #5821)
  • Bump org.ow2.asm:asm from 9.8 to 9.9 (#5707)
  • Bump stefanzweifel/git-auto-commit-action from 6 to 7 (#5704)
  • Bump net.bytebuddy:byte-buddy from 1.17.7 to 1.18.2 (#5703, #5822)
  • Bump derek-ho/start-opensearch from 7 to 9 (#5630, #5679)
  • Bump github/codeql-action from 3 to 4 (#5702)
  • Bump com.github.spotbugs from 6.4.2 to 6.4.4 (#5727)
  • Bump com.autonomousapps.build-health from 3.0.4 to 3.5.1 (#5726, #5744, #5819)
  • Bump spring_version from 6.2.11 to 6.2.14 (#5725, #5808)
  • Bump org.springframework.kafka:spring-kafka-test from 4.0.0-M5 to 4.0.0-RC1 (#5742)
  • Bump com.google.errorprone:error_prone_annotations from 2.42.0 to 2.44.0 (#5743, #5779)
  • Bump actions/upload-artifact from 4 to 5 (#5740)
  • Bump actions/download-artifact from 5 to 6 (#5739)
  • Bump com.google.googlejavaformat:google-java-format from 1.28.0 to 1.32.0 (#5741, #5765, #5811)
  • Bump com.jayway.jsonpath:json-path from 2.9.0 to 2.10.0 (#5767)
  • Bump org.apache.ws.xmlschema:xmlschema-core from 2.3.1 to 2.3.2 (#5781)
  • Bump commons-io:commons-io from 2.20.0 to 2.21.0 (#5780)
  • Bump com.nimbusds:nimbus-jose-jwt from 10.5 to 10.6 (#5782)
  • Upgrade to gradle 9.2 and run CI with JDK 25 (#5786)
  • Bump commons-validator:commons-validator from 1.10.0 to 1.10.1 (#5807)
  • Bump actions/checkout from 5 to 6 (#5810)
  • Bump org.bouncycastle:bcpkix-jdk18on from 1.82 to 1.83 (#5825)
  • Bump commons-codec:commons-codec from 1.19.0 to 1.20.0 (#5823)
  • Upgrade springframework to 7.0.1 and zookeeper to 3.9.4 (#5829)

2.19.4.0

06 Nov 21:46
112559c

Version 2.19.4 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 2.19.4

Bug Fixes

  • Create a WildcardMatcher.NONE when creating a WildcardMatcher with an empty string (#5694)
  • Optimize the Fls/Dls/FieldMasking data structure to only include the concrete indices from the current request (#5482)
  • Ensure that IndexResolverReplacer resolves to indices for RolloverRequests (#5522)
  • Add 'good' as a valid value for plugins.security.restapi.password_score_based_validation_strength (#5523)
  • Use FilterLeafReader based DLS for parent/child queries (#5538)
  • Fixed index resolution for rollover requests (#5526)
  • Fixed TLS endpoint identification by SAN (#5669)
  • Avoid ConcurrentModificationException for User class fields (#5615)

Maintenance

  • Bump com.nimbusds:nimbus-jose-jwt:9.48 from 9.48 to 10.0.2 (#5480)
  • Bump checkstyle from 10.3.3 to 10.26.1 (#5480)
  • Add tenancy access info to serialized user in threadcontext (#5519)
  • Optimized wildcard matching runtime performance (#5543)
  • Always install demo certs if configured with demo certs (#5517)
  • Bump org.apache.zookeeper:zookeeper from 3.9.3 to 3.9.4 (#5689)

3.3.2.0

30 Oct 20:36
1e60bb5

Version 3.3.2 Release Notes

Compatible with OpenSearch 3.3.2 and OpenSearch Dashboards 3.3.0

Bug Fixes

  • Create a WildcardMatcher.NONE when creating a WildcardMatcher with an empty string (#5694)
  • Add security provider earlier in bootstrap process (#5749)

3.3.0.0

14 Oct 21:22
53429a5

Version 3.3.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 3.3.0

Added

  • Introduced new experimental versioned security configuration management feature (#5357)
  • Introduced View API and Rollback API for experimental versioned security configurations (#5431)

Features

  • [Rule-based Autotagging] Add logic to extract security attributes for rule-based autotagging (#5606)

Enhancements

  • [Resource Sharing] Use DLS to automatically filter sharable resources for authenticated user based on all_shared_principals (#5600)
  • [Resource Sharing] Keep track of list of principals for which sharable resource is visible for searching (#5596)
  • [Resource Sharing] Keep track of tenant for sharable resources by persisting user requested tenant with sharing info (#5588)
  • [SecurityPlugin Health Check] Add AuthZ initialization completion check in health check API (#5626)
  • [Resource Sharing] Adds API to provide dashboards support for resource access management (#5597)
  • Direct JWKS (JSON Web Key Set) support in the JWT authentication backend (#5578)
  • Adds a list setting to explicitly specify resources to be protected (#5671)
  • Make configuration setting for user custom attribute serialization dynamic (#5657)

Bug Fixes

  • Added new option skip_users to client cert authenticator (clientcert_auth_domain.http_authenticator.config.skip_users in config.yml) (#5525)
  • [Resource Sharing] Fixes accessible resource ids search by marking created_by.user field as keyword search instead of text (#5574)
  • [Resource Sharing] Reverts @Inject pattern usage for ResourceSharingExtension to client accessor pattern. (#5576)
  • Inject user custom attributes when injecting user and role information to the thread context (#5560)
  • Allow any plugin system request when plugins.security.system_indices.enabled is set to false (#5579)
  • [Resource Sharing] Always treat GET _doc request as indices request even when performed on sharable resource index (#5631)
  • Fix JWT log spam when JWT authenticator is configured with an empty list for roles_key (#5640)
  • Updates resource visibility when handling PATCH api to update sharing record (#5654)
  • Handles resource updates which otherwise may wipe out all_shared_principals (#5658)
  • Makes initial share map mutable to allow multiple shares (#5666)
  • Add the fallback logic to use 'ssl_engine' if 'ssl_handler' attribute is not available / compatible (#5667)
  • Change incorrect licenses in Security Principal files (#5675)

Refactoring

  • [Resource Sharing] Match index settings of .kibana indices for resource sharing indices (#5605)

Documentation

  • [Resource Sharing] Adds comprehensive documentation for Resource Access Control feature (#5540)

Dependencies

  • Update delete_backport_branch workflow to include release-chores branches (#5548)
  • Bump 1password/load-secrets-action from 2 to 3 (#5573)
  • Bump actions/checkout from 4 to 5 (#5572, #5660)
  • Bump jjwt_version from 0.12.6 to 0.13.0 (#5568, #5581)
  • Bump org.mockito:mockito-core from 5.18.0 to 5.20.0 (#5566, #5650)
  • Bump open_saml_version from 5.1.4 to 5.1.6 (#5567, #5614)
  • Bump com.google.j2objc:j2objc-annotations from 3.0.0 to 3.1 (#5570)
  • Bump spring_version from 6.2.9 to 6.2.11 (#5569, #5636)
  • Bump com.github.spotbugs from 6.2.4 to 6.4.1 (#5584, #5611, #5637)
  • Bump open_saml_shib_version from 9.1.4 to 9.1.6 (#5585, #5612)
  • Bump org.springframework.kafka:spring-kafka-test from 4.0.0-M3 to 4.0.0-M5 (#5583, #5661)
  • Bump net.bytebuddy:byte-buddy from 1.17.6 to 1.17.7 (#5586)
  • Bump io.dropwizard.metrics:metrics-core from 4.2.33 to 4.2.37 (#5589, #5638)
  • Bump com.nimbusds:nimbus-jose-jwt:9.48 from 9.48 to 10.4.2 (#5595)
  • Bump actions/github-script from 7 to 8 (#5610)
  • Bump org.eclipse.platform:org.eclipse.core.runtime from 3.33.100 to 3.34.0 (#5628)
  • Bump org.opensearch:protobufs from 0.6.0 to 0.13.0 (#5553)
  • Bump org.checkerframework:checker-qual from 3.49.5 to 3.51.0 (#5627)
  • Bump com.nimbusds:nimbus-jose-jwt from 10.4.2 to 10.5 (#5629)
  • Bump derek-ho/start-opensearch from 7 to 8 (#5630)
  • Bump actions/setup-java from 4 to 5 (#5582, #5664)
  • Bump org.eclipse.platform:org.eclipse.equinox.common from 3.20.100 to 3.20.200 (#5651)
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 (#5649)
  • Bump com.google.errorprone:error_prone_annotations from 2.41.0 to 2.42.0 (#5648)
  • Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre (#5665)
  • Bump com.typesafe.scala-logging:scala-logging_3 from 3.9.5 to 3.9.6 (#5663)
  • Sync org.opensearch:protobufs version with core (#5659)

3.2.0.0

19 Aug 23:45
d9369b6

Version 3.2.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 3.2.0

Features

  • Introduced new experimental versioned security configuration management feature (#5357)
  • [Resource Sharing] Adds migrate API to move resource-sharing info to security plugin (#5389)
  • Introduces support for the Argon2 Password Hashing Algorithm (#5441)
  • Introduced permission validation support using query parameter without executing the request (#5496)
  • Add support for configuring auxiliary transports for SSL only (#5375)
  • Introduced SPIFFE X.509 SVID support via SPIFFEPrincipalExtractor (#5521)

Enhancements

  • Create a mechanism for plugins to explicitly declare actions they need to perform with their assigned PluginSubject (#5341)
  • Moves OpenSAML jars to a Shadow Jar configuration to facilitate its use in FIPS enabled environments (#5400)
  • [Resource Sharing] Adds a Resource Access Evaluator for standalone Resource access authorization (#5408)
  • Replaced the standard distribution of BouncyCastle with BC-FIPS (#5439)
  • Introduced setting plugins.security.privileges_evaluation.precomputed_privileges.enabled (#5465)
  • Optimized wildcard matching runtime performance (#5470)
  • Optimized performance for construction of internal action privileges data structure (#5470)
  • Restricting query optimization via star tree index for users with queries on indices with DLS/FLS/FieldMasked restrictions (#5492)
  • Handle subject in nested claim for JWT auth backends (#5467)
  • Integration with stream transport (#5530)

Bug Fixes

  • Fix compilation issue after change to Subject interface in core and bump to 3.2.0 (#5423)
  • Provide SecureHttpTransportParameters to complement SecureTransportParameters counterpart (#5432)
  • Use isClusterPerm instead of requestedResolved.isLocalAll() to determine if action is a cluster action (#5445)
  • Fix config update with deprecated config types failing in mixed clusters (#5456)
  • Fix usage of jwt_clock_skew_tolerance_seconds in HTTPJwtAuthenticator (#5506)
  • Always install demo certs if configured with demo certs (#5517)
  • [Resource Sharing] Restores client accessor pattern to fix compilation issues when security plugin is not installed (#5541)

Refactoring

  • Refactor JWT Vendor to take a claims builder and rename oboEnabled to be enabled (#5436)
  • Remove ASN1 reflection methods (#5454)
  • Remove provider reflection code (#5457)
  • Add tenancy access info to serialized user in threadcontext (#5519)

3.1.0.0

24 Jun 22:18
841e1be

Version 3.1.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 3.1.0

Features

  • [Resource Permissions] Introduces Centralized Resource Access Control Framework (#5281)

Enhancements

  • Github workflow for changelog verification (#5318)
  • Add flush cache endpoint for individual user (#5337)
  • Handle roles in nested claim for JWT auth backends (#5355)
  • Register cluster settings listener for plugins.security.cache.ttl_minutes (#5324)
  • Integrate search-relevance functionalities with security plugin (#5376)
  • Use extendedPlugins in integrationTest framework for sample resource plugin testing (#5322)
  • Introduced new, performance-optimized implementation for tenant privileges (#5339)
  • Performance improvements: Immutable user object (#5212)
  • Include mapped roles when setting userInfo in ThreadContext (#5369)
  • Adds details for debugging Security not initialized error (#5370)
  • [Resource Sharing] Store resource sharing info in indices that map 1-to-1 with resource index (#5358)

Bug Fixes

  • Corrections in DlsFlsFilterLeafReader regarding PointValues and object valued attributes (#5303)
  • Fixes issue computing diffs in compliance audit log when writing to security index (#5279)
  • Fixes dependabot broken pull_request workflow for changelog update (#5331)
  • Fixes assemble workflow failure during Jenkins build (#5334)
  • Fixes security index stale cache issue post snapshot restore (#5307)
  • Only log Invalid Authentication header when HTTP Basic auth challenge is called (#5377)

Maintenance

  • Add forecast roles and permissions (#5386)
  • Add missing cluster:monitor permission (#5405)
  • Add missing mapping get permission (#5412)
  • Bump guava_version from 33.4.6-jre to 33.4.8-jre (#5284)
  • Bump spring_version from 6.2.5 to 6.2.7 (#5283, #5345)
  • Bump com.google.errorprone:error_prone_annotations from 2.37.0 to 2.38.0 (#5285)
  • Bump org.mockito:mockito-core from 5.15.2 to 5.18.0 (#5296, #5362)
  • Bump com.carrotsearch.randomizedtesting:randomizedtesting-runner from 2.8.2 to 2.8.3 (#5294)
  • Bump org.ow2.asm:asm from 9.7.1 to 9.8 (#5293)
  • Bump commons-codec:commons-codec from 1.16.1 to 1.18.0 (#5295)
  • Bump net.bytebuddy:byte-buddy from 1.15.11 to 1.17.5 (#5313)
  • Bump org.awaitility:awaitility from 4.2.2 to 4.3.0 (#5314)
  • Bump org.springframework.kafka:spring-kafka-test from 3.3.4 to 3.3.5 (#5315)
  • Bump com.fasterxml.jackson.core:jackson-databind from 2.18.2 to 2.19.0 (#5292)
  • Bump org.apache.commons:commons-collections4 from 4.4 to 4.5.0 (#5316)
  • Bump com.google.googlejavaformat:google-java-format from 1.26.0 to 1.27.0 (#5330)
  • Bump io.github.goooler.shadow from 8.1.7 to 8.1.8 (#5329)
  • Bump commons-io:commons-io from 2.18.0 to 2.19.0 (#5328)
  • Upgrade kafka_version from 3.7.1 to 4.0.0 (#5131)
  • Bump io.dropwizard.metrics:metrics-core from 4.2.30 to 4.2.32 (#5361)
  • Bump org.junit.jupiter:junit-jupiter from 5.12.2 to 5.13.1 (#5371, #5382)
  • Bump bouncycastle_version from 1.80 to 1.81 (#5380)
  • Bump org.junit.jupiter:junit-jupiter-api from 5.13.0 to 5.13.1 (#5383)
  • Bump org.checkerframework:checker-qual from 3.49.3 to 3.49.4 (#5381)

Refactoring

  • Removed unused support for custom User object serialization (#5339)
  • [Resource Sharing] Refactor ResourcePermissions to refer to action groups as access levels (#5335)

3.0.0.0

06 May 21:59
2484b06

Version 3.0.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 3.0.0

Breaking Changes

  • Fix Blake2b hash implementation (#5089)
  • Remove OpenSSL provider (#5220)
  • Remove whitelist settings in favor of allowlist (#5224)

Enhancements

  • Optimized Privilege Evaluation (#4380)
  • Add support for CIDR ranges in ignore_hosts setting (#5099)
  • Add 'good' as a valid value for plugins.security.restapi.password_score_based_validation_strength (#5119)
  • Adding stop-replication permission to index_management_full_access (#5160)
  • Replace password generator step with a secure password generator action (#5153)
  • Run Security build on image from opensearch-build (#4966)

Bug Fixes

  • Fix version matcher string in demo config installer (#5157)
  • Escape pipe character for injected users (#5175)
  • Assume default of v7 models if _meta portion is not present (#5193)
  • Fixed IllegalArgumentException when building stateful index privileges (#5217)
  • DlsFlsFilterLeafReader::termVectors implementation causes assertion errors for users with FLS/FM active (#5243)
  • Only check validity of certs in the chain of the node certificates (#4979)
  • Corrections in DlsFlsFilterLeafReader regarding PointValues and object valued attributes (#5304)

Maintenance

  • Update AuditConfig.DEPRECATED_KEYS deprecation message to match 4.0 (#5155)
  • Update deprecation message for _opendistro/_security/kibanainfo API (#5156)
  • Update DlsFlsFilterLeafReader to reflect Apache Lucene 10 API changes (#5123)
  • Adapt to core changes in SecureTransportParameters (#5122)
  • Format SSLConfigConstants.java and fix typos (#5145)
  • Remove typo in AbstractAuditlogUnitTest (#5130)
  • Update Andriy Redko's affiliation (#5133)
  • Upgrade common-utils version to 3.0.0.0-alpha1-SNAPSHOT (#5137)
  • Bump Spring version (#5173)
  • Bump org.checkerframework:checker-qual from 3.49.0 to 3.49.2 (#5162) (#5247)
  • Bump org.mockito:mockito-core from 5.15.2 to 5.17.0 (#5161) (#5248)
  • Bump org.apache.camel:camel-xmlsecurity from 3.22.3 to 3.22.4 (#5163)
  • Bump ch.qos.logback:logback-classic from 1.5.16 to 1.5.17 (#5149)
  • Bump org.awaitility:awaitility from 4.2.2 to 4.3.0 (#5126)
  • Bump org.springframework.kafka:spring-kafka-test from 3.3.2 to 3.3.4 (#5125) (#5201)
  • Bump org.junit.jupiter:junit-jupiter from 5.11.4 to 5.12.2 (#5127) (#5269)
  • Bump Gradle to 8.13 (#5148)
  • Bump Spring version to fix CVE-2024-38827 (#5173)
  • Bump com.google.guava:guava from 33.4.0-jre to 33.4.6-jre (#5205) (#5228)
  • Bump ch.qos.logback:logback-classic from 1.5.17 to 1.5.18 (#5204)
  • Bump spring_version from 6.2.4 to 6.2.5 (#5203)
  • Bump bouncycastle_version from 1.78 to 1.80 (#5202)
  • remove java version check for reflection args in build.gradle (#5218)
  • Improve coverage: Adding tests for ConfigurationRepository class (#5206)
  • Refactor InternalAuditLogTest to use Awaitility (#5214)
  • Bump com.google.googlejavaformat:google-java-format from 1.25.2 to 1.26.0 (#5231)
  • Bump open_saml_shib_version from 9.1.3 to 9.1.4 (#5230)
  • Bump com.carrotsearch.randomizedtesting:randomizedtesting-runner from 2.8.2 to 2.8.3 (#5229)
  • Bump open_saml_version from 5.1.3 to 5.1.4 (#5227)
  • Bump org.ow2.asm:asm from 9.7.1 to 9.8 (#5244)
  • Bump com.netflix.nebula.ospackage from 11.11.1 to 11.11.2 (#5246)
  • Bump com.google.errorprone:error_prone_annotations from 2.36.0 to 2.37.0 (#5245)
  • More tests for FLS and field masking (#5237)
  • Migrate from com.amazon.dlic to org.opensearch.security package (#5223)
  • Fix compilation issue after Secure gRPC PR (#17796) merged into core (#5263)
  • Bump commons-io:commons-io from 2.18.0 to 2.19.0 (#5267)
  • Bump org.apache.commons:commons-text from 1.13.0 to 1.13.1 (#5266)
  • Bump org.junit.jupiter:junit-jupiter-api from 5.12.1 to 5.12.2 (#5268)
  • Bump com.google.guava:failureaccess from 1.0.2 to 1.0.3 (#5265)

3.0.0.0-beta1

23 Apr 01:00
280d8e5

Version 3.0.0-beta1 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 3.0.0-beta1

Breaking Changes

  • Fix Blake2b hash implementation (#5089)
  • Remove OpenSSL provider (#5220)
  • Remove whitelist settings in favor of allowlist (#5224)

Enhancements

  • Optimized Privilege Evaluation (#4380)
  • Add support for CIDR ranges in ignore_hosts setting (#5099)
  • Add 'good' as a valid value for plugins.security.restapi.password_score_based_validation_strength (#5119)
  • Adding stop-replication permission to index_management_full_access (#5160)
  • Replace password generator step with a secure password generator action (#5153)
  • Run Security build on image from opensearch-build (#4966)

Bug Fixes

  • Fix version matcher string in demo config installer (#5157)
  • Escape pipe character for injected users (#5175)
  • Assume default of v7 models if _meta portion is not present (#5193)
  • Fixed IllegalArgumentException when building stateful index privileges (#5217)
  • DlsFlsFilterLeafReader::termVectors implementation causes assertion errors for users with FLS/FM active (#5243)

Maintenance

  • Update AuditConfig.DEPRECATED_KEYS deprecation message to match 4.0 (#5155)
  • Update deprecation message for _opendistro/_security/kibanainfo API (#5156)
  • Update DlsFlsFilterLeafReader to reflect Apache Lucene 10 API changes (#5123)
  • Adapt to core changes in SecureTransportParameters (#5122)
  • Format SSLConfigConstants.java and fix typos (#5145)
  • Remove typo in AbstractAuditlogUnitTest (#5130)
  • Update Andriy Redko's affiliation (#5133)
  • Upgrade common-utils version to 3.0.0.0-alpha1-SNAPSHOT (#5137)
  • Bump Spring version (#5173)
  • Bump org.checkerframework:checker-qual from 3.49.0 to 3.49.2 (#5162) (#5247)
  • Bump org.mockito:mockito-core from 5.15.2 to 5.17.0 (#5161) (#5248)
  • Bump org.apache.camel:camel-xmlsecurity from 3.22.3 to 3.22.4 (#5163)
  • Bump ch.qos.logback:logback-classic from 1.5.16 to 1.5.17 (#5149)
  • Bump org.awaitility:awaitility from 4.2.2 to 4.3.0 (#5126)
  • Bump org.springframework.kafka:spring-kafka-test from 3.3.2 to 3.3.4 (#5125) (#5201)
  • Bump org.junit.jupiter:junit-jupiter from 5.11.4 to 5.12.0 (#5127)
  • Bump Gradle to 8.13 (#5148)
  • Bump Spring version to fix CVE-2024-38827 (#5173)
  • Bump com.google.guava:guava from 33.4.0-jre to 33.4.6-jre (#5205) (#5228)
  • Bump ch.qos.logback:logback-classic from 1.5.17 to 1.5.18 (#5204)
  • Bump spring_version from 6.2.4 to 6.2.5 (#5203)
  • Bump bouncycastle_version from 1.78 to 1.80 (#5202)
  • remove java version check for reflection args in build.gradle (#5218)
  • Improve coverage: Adding tests for ConfigurationRepository class (#5206)
  • Refactor InternalAuditLogTest to use Awaitility (#5214)
  • Bump com.google.googlejavaformat:google-java-format from 1.25.2 to 1.26.0 (#5231)
  • Bump open_saml_shib_version from 9.1.3 to 9.1.4 (#5230)
  • Bump com.carrotsearch.randomizedtesting:randomizedtesting-runner from 2.8.2 to 2.8.3 (#5229)
  • Bump open_saml_version from 5.1.3 to 5.1.4 (#5227)
  • Bump org.ow2.asm:asm from 9.7.1 to 9.8 (#5244)
  • Bump com.netflix.nebula.ospackage from 11.11.1 to 11.11.2 (#5246)
  • Bump com.google.errorprone:error_prone_annotations from 2.36.0 to 2.37.0 (#5245)
  • More tests for FLS and field masking (#5237)
  • Migrate from com.amazon.dlic to org.opensearch.security package (#5223)

3.0.0.0-alpha1

18 Mar 22:32
75f03c7

Version 3.0.0-alpha1 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 3.0.0-alpha1

Breaking Changes

  • Optimized Privilege Evaluation (#4380)
  • Fix Blake2b hash implementation (#5089)

Enhancements

  • Add support for CIDR ranges in ignore_hosts setting (#5099)
  • Add 'good' as a valid value for plugins.security.restapi.password_score_based_validation_strength (#5119)
  • Adding stop-replication permission to index_management_full_access (#5160)
  • Replace password generator step with a secure password generator action (#5153)

Bug Fixes

  • Fix version matcher string in demo config installer (#5157)

Maintenance

  • Update AuditConfig.DEPRECATED_KEYS deprecation message to match 4.0 (#5155)
  • Update deprecation message for _opendistro/_security/kibanainfo API (#5156)
  • Update DlsFlsFilterLeafReader to reflect Apache Lucene 10 API changes (#5123)
  • Adapt to core changes in SecureTransportParameters (#5122)
  • Format SSLConfigConstants.java and fix typos (#5145)
  • Remove typo in AbstractAuditlogUnitTest (#5130)
  • Update Andriy Redko's affiliation (#5133)
  • Upgrade common-utils version to 3.0.0.0-alpha1-SNAPSHOT (#5137)
  • Bump Spring version (#5173)
  • Bump org.checkerframework:checker-qual from 3.49.0 to 3.49.1 (#5162)
  • Bump org.mockito:mockito-core from 5.15.2 to 5.16.0 (#5161)
  • Bump org.apache.camel:camel-xmlsecurity from 3.22.3 to 3.22.4 (#5163)
  • Bump ch.qos.logback:logback-classic from 1.5.16 to 1.5.17 (#5149)
  • Bump org.awaitility:awaitility from 4.2.2 to 4.3.0 (#5126)
  • Bump org.springframework.kafka:spring-kafka-test from 3.3.2 to 3.3.3 (#5125)
  • Bump org.junit.jupiter:junit-jupiter from 5.11.4 to 5.12.0 (#5127)
  • Bump Gradle to 8.13 (#5148)
  • Bump Spring version to fix CVE-2024-38827 (#5173)