2017-01-30 17:56:45 -05:00
|
|
|
[[secure-settings]]
|
|
|
|
== Secure Settings
|
|
|
|
|
|
|
|
Some settings are sensitive, and relying on filesystem permissions to protect
|
|
|
|
their values is not sufficient. For this use case, elasticsearch provides a
|
|
|
|
keystore, which may be password protected, and the `elasticsearch-keystore`
|
|
|
|
tool to manage the settings in the keystore.
|
|
|
|
|
|
|
|
NOTE: All commands here should be run as the user which will run elasticsearch.
|
|
|
|
|
2017-06-14 00:04:16 -04:00
|
|
|
NOTE: Only some settings are designed to be read from the keystore. See
|
|
|
|
documentation for each setting to see if it is supported as part of the keystore.
|
|
|
|
|
2017-01-30 17:56:45 -05:00
|
|
|
[float]
|
|
|
|
[[creating-keystore]]
|
|
|
|
=== Creating the keystore
|
|
|
|
|
|
|
|
To create the `elasticsearch.keystore`, use the `create` command:
|
|
|
|
|
|
|
|
[source,sh]
|
|
|
|
----------------------------------------------------------------
|
|
|
|
bin/elasticsearch-keystore create
|
|
|
|
----------------------------------------------------------------
|
|
|
|
|
|
|
|
The file `elasticsearch.keystore` will be created alongside `elasticsearch.yml`.
|
|
|
|
|
|
|
|
[float]
|
|
|
|
[[list-settings]]
|
|
|
|
=== Listing settings in the keystore
|
|
|
|
|
|
|
|
A list of the settings in the keystore is available with the `list` command:
|
|
|
|
|
|
|
|
[source,sh]
|
|
|
|
----------------------------------------------------------------
|
|
|
|
bin/elasticsearch-keystore list
|
|
|
|
----------------------------------------------------------------
|
|
|
|
|
|
|
|
[float]
|
|
|
|
[[add-string-to-keystore]]
|
|
|
|
=== Adding string settings
|
|
|
|
|
|
|
|
Sensitive string settings, like authentication credentials for cloud
|
2017-04-05 05:15:08 -04:00
|
|
|
plugins, can be added using the `add` command:
|
2017-01-30 17:56:45 -05:00
|
|
|
|
|
|
|
[source,sh]
|
|
|
|
----------------------------------------------------------------
|
|
|
|
bin/elasticsearch-keystore add the.setting.name.to.set
|
|
|
|
----------------------------------------------------------------
|
|
|
|
|
|
|
|
The tool will prompt for the value of the setting. To pass the value
|
|
|
|
through stdin, use the `--stdin` flag:
|
|
|
|
|
|
|
|
[source,sh]
|
|
|
|
----------------------------------------------------------------
|
|
|
|
cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin the.setting.name.to.set
|
|
|
|
----------------------------------------------------------------
|
|
|
|
|
|
|
|
[float]
|
|
|
|
[[remove-settings]]
|
|
|
|
=== Removing settings
|
|
|
|
|
|
|
|
To remove a setting from the keystore, use the `remove` command:
|
|
|
|
|
|
|
|
[source,sh]
|
|
|
|
----------------------------------------------------------------
|
|
|
|
bin/elasticsearch-keystore remove the.setting.name.to.remove
|
|
|
|
----------------------------------------------------------------
|
|
|
|
|