Release notesV1.4

Version 1.4 release notes

The Grafana Enterprise Logs (GEL) team is excited to announce the release of GEL 1.4.

GEL 1.4 is built off of Loki 2.5.0, so it inherits all the features, enhancements, and bug fixes of the upstream project. Refer to the Loki v2.5 release notes for more information.

Features and enhancements

  • GEL 1.4 includes version 3 of the Admin API. It removes the ability to delete tenants, access policies, and tokens via the API. Instead, when users no longer want a tenant, access policy, or token, they are expected to soft delete it by marking it “disabled”. Moving to soft deletes allows us to eliminate race conditions and cache invalidation problems that caused unexpected behavior with hard deletes. For more information about the v3 API, refer to Admin API.

Upgrade considerations

  • After upgrading to GEL 1.4, we suggest you upgrade your GEL plugin for Grafana Enterprise to version 2.4.0 or a more recent version. This ensures that the plugin uses v3 of the Admin API, and it contains a few other small fixes, all of which are detailed in the plugin Changelog.

Bug fixes

1.4.1 bug fixes

  • Revised the YAML configuration option to support the license type option required for switching to AWS Marketplace-based licensing. Not relevant for customers.

1.4.0 bug fixes

  • Fixed a bug in which the common configuration block for setting up a shared cloud storage client also required setting type within the Admin client’s storage block. The Admin client’s type will now be correctly inferred from the parameters in the common block.
  • Fixed a bug in which a user with a label-based access policy could see label names and label values (but not actual log content) that their access policy did not grant to them. With this bug fix, the GEL label names and label values API endpoints properly enforce to label-based access controls.
  • [SECURITY] Fix of enterprise authentication bypass in Grafana Enterprise Logs component “querier”. (CVE-2022-28660)
    • When Grafana Enterprise Logs is deployed in microservices mode and enterprise authentication is used (-auth.type=enterprise), the querier component is not enforcing authentication and can be queried just specifying the tenant ID in the X-Scope-OrgID header, when its HTTP port is exposed. The HTTP port should not be exposed to external traffic.