[7.x] [DOCS] Add supported ESS settings to ES docs (#57953) (#58981)

* Adding ESS icons to supported ES settings.

* Adding new file for supported ESS settings.

* Adding supported ESS settings for HTTP and disk-based shard allocation.

* Adding more supported settings for ESS.

* Adding descriptions for each Cloud section, plus additional settings.

* Adding new warehouse file for Cloud, plus additional settings.

* Adding node settings for Cloud.

* Adding audit settings for Cloud.

* Resolving merge conflict.

* Adding SAML settings (part 1).

* Adding SAML realm encryption and signing settings.

* Adding SAML SSL settings.

* Adding Kerberos realm settings.

* Adding OpenID Connect Realm settings.

* Adding OpenID Connect SSL settings.

* Resolving leftover Git merge markers.

* Removing Cloud settings page and link to it.

* Add link to mapping source

* Update docs/reference/docs/reindex.asciidoc

* Incorporate edit of HTTP settings

* Remove "cloud" from tag and ID

* Remove "cloud" from tag and update description

* Remove "cloud" from tag and ID

* Change "whitelists" to "specifies"

* Remove "cloud" from end tag

* Removing cloud from IDs and tags.

* Changing link reference to fix build issue.

* Adding index management page for missing settings.

* Removing warehouse file for Cloud and moving settings elsewhere.

* Clarifying true/false usage of http.detailed_errors.enabled.

* Changing underscore to dash in link to fix ci build.
Adam Locke 2020-07-02 19:40:45 -04:00 committed by GitHub
parent 9d1bf383d0
commit 20d04081ec
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
18 changed files with 862 additions and 517 deletions

@ -180,7 +180,7 @@ automatic creation of indices that match specified patterns, or set it to
comma-separated list of patterns you want to allow, or prefix each pattern with
`+` or `-` to indicate whether it should be allowed or blocked. When a list is
specified, the default behaviour is to disallow.
+
IMPORTANT: The `action.auto_create_index` setting only affects the automatic
creation of indices. It does not affect the creation of data streams.

@ -7,7 +7,7 @@
Copies documents from a _source_ to a _destination_.
The source and destination can be any pre-existing index, index alias, or
<<data-streams,data stream>>. However, the source and destination must be
<<data-streams,data stream>>. However, the source and destination must be
different. For example, you cannot reindex a data stream into itself.
[IMPORTANT]
@ -16,7 +16,8 @@ Reindex requires <<mapping-source-field,`_source`>> to be enabled for
all documents in the source.
The destination must exist and should be configured as wanted before calling `_reindex`.
Reindex does not copy the settings from the source or its associated template.
Reindex does not copy the settings from the source or its associated template.
Mappings, shard counts, replicas, and so on must be configured ahead of time.
=================================================
@ -70,8 +71,11 @@ POST _reindex
[[docs-reindex-api-desc]]
==== {api-description-title}
Extracts the <<mapping-source-field,document source>> from the reindex request's source and indexes the documents into the destination.
You can copy all documents to the destination, or reindex a subset of the documents.
// tag::docs-reindex-api-desc-tag[]
Extracts the <<mapping-source-field,document source>> from the source index and indexes the documents into the destination index.
You can copy all documents to the destination index, or reindex a subset of the documents.
// end::docs-reindex-api-desc-tag[]
Just like <<docs-update-by-query,`_update_by_query`>>, `_reindex` gets a
snapshot of the source but its destination must be **different** so
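Review bot: the new tagged description narrows "the reindex request's source" to "the source index" and "the destination index", but the opening paragraph of this same file states that the source and destination can be an index, an index alias, or a data stream. Since the tag is meant for reuse on other pages, keep the wording general, e.g. "from the source and indexes the documents into the destination", so it does not contradict the data stream and alias cases documented above.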
@ -95,8 +99,8 @@ any reindex request to a destination data stream must have an `op_type`
of`create`. A reindex can only add new documents to a destination data stream.
It cannot update existing documents in a destination data stream.
By default, version conflicts abort the `_reindex` process.
To continue reindexing if there are conflicts, set the `"conflicts"` request body parameter to `proceed`.
By default, version conflicts abort the `_reindex` process.
To continue reindexing if there are conflicts, set the `"conflicts"` request body parameter to `proceed`.
In this case, the response includes a count of the version conflicts that were encountered.
Note that the handling of other error types is unaffected by the `"conflicts"` parameter.
@ -105,9 +109,9 @@ Note that the handling of other error types is unaffected by the `"conflicts"` p
If the request contains `wait_for_completion=false`, {es}
performs some preflight checks, launches the request, and returns a
<<tasks,`task`>> you can use to cancel or get the status of the task.
{es} creates a record of this task as a document at `.tasks/task/${taskId}`.
When you are done with a task, you should delete the task document so
<<tasks,`task`>> you can use to cancel or get the status of the task.
{es} creates a record of this task as a document at `.tasks/task/${taskId}`.
When you are done with a task, you should delete the task document so
{es} can reclaim the space.
[[docs-reindex-from-multiple-sources]]
@ -141,7 +145,7 @@ done
Set `requests_per_second` to any positive decimal number (`1.4`, `6`,
`1000`, etc.) to throttle the rate at which `_reindex` issues batches of index
operations. Requests are throttled by padding each batch with a wait time.
operations. Requests are throttled by padding each batch with a wait time.
To disable throttling, set `requests_per_second` to `-1`.
The throttling is done by waiting between batches so that the `scroll` that `_reindex`
@ -156,7 +160,7 @@ target_time = 1000 / 500 per second = 2 seconds
wait_time = target_time - write_time = 2 seconds - .5 seconds = 1.5 seconds
--------------------------------------------------
Since the batch is issued as a single `_bulk` request, large batch sizes
Since the batch is issued as a single `_bulk` request, large batch sizes
cause Elasticsearch to create many requests and then wait for a while before
starting the next set. This is "bursty" instead of "smooth".
@ -447,13 +451,13 @@ include::{es-repo-dir}/rest-api/common-parms.asciidoc[tag=max_docs]
==== {api-request-body-title}
`conflicts`::
(Optional, enum) Set to `proceed` to continue reindexing even if there are conflicts.
(Optional, enum) Set to `proceed` to continue reindexing even if there are conflicts.
Defaults to `abort`.
`source`::
`index`:::
(Required, string) The name of the data stream, index, or index alias you are copying _from_.
Also accepts a comma-separated list to reindex from multiple sources.
(Required, string) The name of the data stream, index, or index alias you are copying _from_.
Also accepts a comma-separated list to reindex from multiple sources.
`max_docs`:::
(Optional, integer) The maximum number of documents to reindex.
@ -468,22 +472,22 @@ Required when indexing from remote.
`username`::::
(Optional, string) The username to use for authentication with the remote host.
`password`::::
(Optional, string) The password to use for authentication with the remote host.
`socket_timeout`::::
(Optional, string) The password to use for authentication with the remote host.
`socket_timeout`::::
(Optional, <<time-units, time units>>) The remote socket read timeout. Defaults to 30 seconds.
`connect_timeout`::::
`connect_timeout`::::
(Optional, <<time-units, time units>>) The remote connection timeout. Defaults to 30 seconds.
`size`:::
{Optional, integer) The number of documents to index per batch.
Use when indexing from remote to ensure that the batches fit within the on-heap buffer,
which defaults to a maximum size of 100 MB.
{Optional, integer) The number of documents to index per batch.
Use when indexing from remote to ensure that the batches fit within the on-heap buffer,
which defaults to a maximum size of 100 MB.
`slice`:::
`id`::::
(Optional, integer) Slice ID for <<docs-reindex-manual-slice, manual slicing>>.
(Optional, integer) Slice ID for <<docs-reindex-manual-slice, manual slicing>>.
`max`::::
(Optional, integer) Total number of slices.
(Optional, integer) Total number of slices.
`sort`:::
+
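Review bot: the `size` entry still opens with a mismatched brace, `{Optional, integer)`, in both the removed and the added lines. Since these lines are being rewritten anyway, change it to `(Optional, integer)` to match every other parameter entry in this list.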
@ -495,21 +499,21 @@ deprecated::[7.6, Sort in reindex is deprecated. Sorting in reindex was never gu
--
`_source`:::
(Optional, string) If `true` reindexes all source fields.
Set to a list to reindex select fields.
Defaults to `true`.
(Optional, string) If `true` reindexes all source fields.
Set to a list to reindex select fields.
Defaults to `true`.
`dest`::
`index`:::
(Required, string) The name of the data stream, index, or index alias you are copying _to_.
`version_type`:::
(Optional, enum) The versioning to use for the indexing operation.
Valid values: `internal`, `external`, `external_gt`, `external_gte`.
(Optional, enum) The versioning to use for the indexing operation.
Valid values: `internal`, `external`, `external_gt`, `external_gte`.
See <<index-version-types>> for more information.
`op_type`:::
(Optional, enum) Set to create to only index documents that do not already exist (put if absent).
`op_type`:::
(Optional, enum) Set to create to only index documents that do not already exist (put if absent).
Valid values: `index`, `create`. Defaults to `index`.
+
IMPORTANT: To reindex to a data stream destination, this argument must be
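Review bot: in the `op_type` description, `create` is plain text in "Set to create to only index documents that do not already exist", while the "Valid values" line right below marks it as a literal with backticks. Wrap it as `create` there too so the literal value is rendered consistently.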
@ -530,11 +534,10 @@ the special value `_doc`. See <<removal-of-types>> for further details.
====
`script`::
`source`:::
(Optional, string) The script to run to update the document source or metadata when reindexing.
`source`:::
(Optional, string) The script to run to update the document source or metadata when reindexing.
`lang`:::
(Optional, enum) The script language: `painless`, `expression`, `mustache`, `java`.
(Optional, enum) The script language: `painless`, `expression`, `mustache`, `java`.
For more information, see <<modules-scripting>>.
@ -638,7 +641,7 @@ POST _reindex
[[docs-reindex-select-max-docs]]
===== Reindex select documents with `max_docs`
You can limit the number of processed documents by setting `max_docs`.
You can limit the number of processed documents by setting `max_docs`.
For example, this request copies a single document from `twitter` to
`new_twitter`:
@ -660,7 +663,7 @@ POST _reindex
[[docs-reindex-multiple-sources]]
===== Reindex from multiple sources
The `index` attribute in `source` can be a list, allowing you to copy from lots
The `index` attribute in `source` can be a list, allowing you to copy from lots
of sources in one request. This will copy documents from the
`twitter` and `blog` indices:
@ -1047,7 +1050,7 @@ It is not possible to configure SSL in the body of the `_reindex` request.
The following settings are supported:
`reindex.ssl.certificate_authorities`::
List of paths to PEM encoded certificate files that should be trusted.
List of paths to PEM encoded certificate files that should be trusted.
You cannot specify both `reindex.ssl.certificate_authorities` and
`reindex.ssl.truststore.path`.
@ -1072,7 +1075,7 @@ or "pkcs12", this setting defaults to `PKCS12`. Otherwise, it defaults to `jks`.
`reindex.ssl.verification_mode`::
Indicates the type of verification to protect against man in the middle attacks
and certificate forgery.
and certificate forgery.
One of `full` (verify the hostname and the certificate path), `certificate`
(verify the certificate path, but not the hostname) or `none` (perform no
verification - this is strongly discouraged in production environments).
@ -1092,12 +1095,12 @@ You cannot specify both `reindex.ssl.key` and `reindex.ssl.keystore.path`.
`reindex.ssl.key_passphrase`::
Specifies the passphrase to decrypt the PEM encoded private key
(`reindex.ssl.key`) if it is encrypted.
Cannot be used with `reindex.ssl.secure_key_passphrase`.
Cannot be used with `reindex.ssl.secure_key_passphrase`.
`reindex.ssl.secure_key_passphrase` (<<secure-settings,Secure>>)::
Specifies the passphrase to decrypt the PEM encoded private key
(`reindex.ssl.key`) if it is encrypted.
Cannot be used with `reindex.ssl.key_passphrase`.
Cannot be used with `reindex.ssl.key_passphrase`.
`reindex.ssl.keystore.path`::
Specifies the path to the keystore that contains a private key and certificate
@ -1107,11 +1110,11 @@ You cannot specify both `reindex.ssl.key` and `reindex.ssl.keystore.path`.
`reindex.ssl.keystore.type`::
The type of the keystore (`reindex.ssl.keystore.path`). Must be either `jks` or `PKCS12`.
If the keystore path ends in ".p12", ".pfx" or "pkcs12", this setting defaults
If the keystore path ends in ".p12", ".pfx" or "pkcs12", this setting defaults
to `PKCS12`. Otherwise, it defaults to `jks`.
`reindex.ssl.keystore.password`::
The password to the keystore (`reindex.ssl.keystore.path`). This setting cannot be used
The password to the keystore (`reindex.ssl.keystore.path`). This setting cannot be used
with `reindex.ssl.keystore.secure_password`.
`reindex.ssl.keystore.secure_password` (<<secure-settings,Secure>>)::
@ -1120,10 +1123,10 @@ This setting cannot be used with `reindex.ssl.keystore.password`.
`reindex.ssl.keystore.key_password`::
The password for the key in the keystore (`reindex.ssl.keystore.path`).
Defaults to the keystore password. This setting cannot be used with
Defaults to the keystore password. This setting cannot be used with
`reindex.ssl.keystore.secure_key_password`.
`reindex.ssl.keystore.secure_key_password` (<<secure-settings,Secure>>)::
The password for the key in the keystore (`reindex.ssl.keystore.path`).
Defaults to the keystore password. This setting cannot be used with
Defaults to the keystore password. This setting cannot be used with
`reindex.ssl.keystore.key_password`.

@ -12,6 +12,8 @@ an index.
[[index-modules-settings]]
== Index Settings
[[index-modules-settings-description]]
// tag::index-modules-settings-description-tag[]
Index level settings can be set per-index. Settings may be:
_static_::
@ -23,6 +25,7 @@ _dynamic_::
They can be changed on a live index using the
<<indices-update-settings,update-index-settings>> API.
// end::index-modules-settings-description-tag[]
WARNING: Changing static or dynamic index settings on a closed index could
result in incorrect settings that are impossible to rectify without deleting
@ -34,15 +37,14 @@ and recreating the index.
Below is a list of all _static_ index settings that are not associated with any
specific index module:
`index.number_of_shards`::
[[index-number-of-shards]]
// tag::index-number-of-shards-tag[]
`index.number_of_shards` {ess-icon}::
The number of primary shards that an index should have. Defaults to `1`. This setting can only be set at index creation time. It cannot be changed on a closed index.
+
NOTE: The number of shards are limited to `1024` per index. This limitation is a safety limit to prevent accidental creation of indices that can destabilize a cluster due to resource allocation. The limit can be modified by specifying `export ES_JAVA_OPTS="-Des.index.max_number_of_shards=128"` system property on every node that is part of the cluster.
The number of primary shards that an index should have. Defaults to 1.
This setting can only be set at index creation time. It cannot be
changed on a closed index. Note: the number of shards are limited to `1024` per
index. This limitation is a safety limit to prevent accidental creation of indices
that can destabilize a cluster due to resource allocation. The limit can be modified
by specifying `export ES_JAVA_OPTS="-Des.index.max_number_of_shards=128"` system property on every node that is
part of the cluster.
// end::index-number-of-shards-tag[]
`index.shard.check_on_startup`::
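Review bot: the new NOTE keeps the grammatical slip "The number of shards are limited to `1024` per index"; it should read "is limited". Also, the example `-Des.index.max_number_of_shards=128` sets the limit below the default of `1024`, which reads oddly as an illustration of modifying a safety limit; if the intent is to show raising it, a value above `1024` would be clearer.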

@ -22,6 +22,16 @@ index:
Set to `true` to make the index and index metadata read only, `false` to
allow writes and metadata changes.
`index.blocks.read_only_allow_delete`::
Similar to `index.blocks.read_only`, but also allows deleting the index to
make more resources available. The <<disk-based-shard-allocation,disk-based shard
allocator>> may add and remove this block automatically.
+
Deleting documents from an index to release resources - rather than deleting the index itself - can increase the index size over time. When `index.blocks.read_only_allow_delete` is set to `true`, deleting documents is not permitted. However, deleting the index itself releases the read-only index block and makes resources available almost immediately.
+
IMPORTANT: {es} adds and removes the read-only index block automatically when the disk utilization falls below the high watermark, controlled by <<cluster-routing-flood-stage,cluster.routing.allocation.disk.watermark.flood_stage>>.
`index.blocks.read`::
Set to `true` to disable read operations against the index.
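Review bot: the added IMPORTANT paragraph says {es} "adds and removes the read-only index block automatically when the disk utilization falls below the high watermark", which conflates the two thresholds. The existing note a few lines further down in this file states the behaviour correctly: the block is added when disk utilisation exceeds the flood-stage watermark and removed again when it drops below the high watermark. Reword the new paragraph to match that, or drop it, since it duplicates the later note.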
@ -51,7 +61,7 @@ disk space. When you delete an index the data is removed from disk almost
immediately, freeing the space it consumes.
IMPORTANT: {es} adds the read-only-allow-delete index block automatically when
disk utilisation exceeds the <<cluster-routing-flood_stage,flood-stage
disk utilisation exceeds the <<cluster-routing-flood-stage,flood-stage
watermark>> and removes it again when disk utilisation is below the
<<cluster-routing-watermark-high,high watermark>>. You should not apply this
block yourself.
@ -148,4 +158,3 @@ The API returns following response:
} ]
}
--------------------------------------------------

@ -1,6 +1,7 @@
[[disk-based-shard-allocation]]
==== Disk-based shard allocation settings
[[disk-based-shard-allocation-description]]
// tag::disk-based-shard-allocation-description-tag[]
{es} considers the available disk space on a node before deciding
whether to allocate new shards to that node or to actively relocate shards away
from that node.
@ -13,43 +14,42 @@ file or updated dynamically on a live cluster with the
Defaults to `true`. Set to `false` to disable the disk allocation decider.
[[cluster-routing-watermark-low]]
`cluster.routing.allocation.disk.watermark.low`::
[[cluster-routing-disk-threshold]]
// tag::cluster-routing-disk-threshold-tag[]
`cluster.routing.allocation.disk.threshold_enabled` {ess-icon}::
+
Defaults to `true`. Set to `false` to disable the disk allocation decider.
// end::cluster-routing-disk-threshold-tag[]
Controls the low watermark for disk usage. It defaults to `85%`, meaning
that {es} will not allocate shards to nodes that have more than
85% disk used. It can also be set to an absolute byte value (like `500mb`)
to prevent {es} from allocating shards if less than the specified
amount of space is available. This setting has no effect on the primary
shards of newly-created indices but will prevent their replicas from being allocated.
[[cluster-routing-watermark-low]]
// tag::cluster-routing-watermark-low-tag[]
`cluster.routing.allocation.disk.watermark.low` {ess-icon}::
+
Controls the low watermark for disk usage. It defaults to `85%`, meaning that {es} will not allocate shards to nodes that have more than 85% disk used. It can also be set to an absolute byte value (like `500mb`) to prevent {es} from allocating shards if less than the specified amount of space is available. This setting has no effect on the primary shards of newly-created indices but will prevent their replicas from being allocated.
// end::cluster-routing-watermark-low-tag[]
[[cluster-routing-watermark-high]]
`cluster.routing.allocation.disk.watermark.high`::
// tag::cluster-routing-watermark-high-tag[]
`cluster.routing.allocation.disk.watermark.high` {ess-icon}::
+
Controls the high watermark. It defaults to `90%`, meaning that {es} will attempt to relocate shards away from a node whose disk usage is above 90%. It can also be set to an absolute byte value (similarly to the low watermark) to relocate shards away from a node if it has less than the specified amount of free space. This setting affects the allocation of all shards, whether previously allocated or not.
// end::cluster-routing-watermark-high-tag[]
Controls the high watermark. It defaults to `90%`, meaning that
{es} will attempt to relocate shards away from a node whose disk
usage is above 90%. It can also be set to an absolute byte value (similarly
to the low watermark) to relocate shards away from a node if it has less
than the specified amount of free space. This setting affects the
allocation of all shards, whether previously allocated or not.
`cluster.routing.allocation.disk.watermark.enable_for_single_data_node`::
For a single data node, the default is to disregard disk watermarks when
making an allocation decision. This is deprecated behavior and will be
changed in 8.0. This setting can be set to `true` to enable the
disk watermarks for a single data node cluster (will become default in 8.0).
[[cluster-routing-flood_stage]]
`cluster.routing.allocation.disk.watermark.flood_stage`::
[[cluster-routing-flood-stage]]
// tag::cluster-routing-flood-stage-tag[]
`cluster.routing.allocation.disk.watermark.flood_stage` {ess-icon}::
+
--
Controls the flood stage watermark, which defaults to 95%. {es} enforces a read-only index block
(`index.blocks.read_only_allow_delete`) on every index that has one or more
shards allocated on the node, and that has at least one disk exceeding the flood
stage. This setting is a last resort to prevent nodes from running out of disk space.
The index block is automatically released when the disk utilization falls below
the high watermark.
Controls the flood stage watermark, which defaults to 95%. {es} enforces a read-only index block (`index.blocks.read_only_allow_delete`) on every index that has one or more shards allocated on the node, and that has at least one disk exceeding the flood stage. This setting is a last resort to prevent nodes from running out of disk space. The index block is automatically released when the disk utilization falls below the high watermark.
NOTE: You cannot mix the usage of percentage values and byte values within
these settings. Either all values are set to percentage values, or all are set to byte
values. This enforcement is so that {es} can validate that the settings are internally
consistent, ensuring that the low disk threshold is less than the high disk
threshold, and the high disk threshold is less than the flood stage
threshold.
these settings. Either all values are set to percentage values, or all are set to byte values. This enforcement is so that {es} can validate that the settings are internally consistent, ensuring that the low disk threshold is less than the high disk threshold, and the high disk threshold is less than the flood stage threshold.
An example of resetting the read-only index block on the `twitter` index:
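Review bot: renaming the anchor from `cluster-routing-flood_stage` to `cluster-routing-flood-stage` breaks any cross-reference that still uses the old id. The index-blocks page is updated in this commit, but the remaining docs should be searched for `cluster-routing-flood_stage` before merge so the build does not fail on a dangling `<<...>>` reference.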
@ -62,6 +62,7 @@ PUT /twitter/_settings
--------------------------------------------------
// TEST[setup:twitter]
--
// end::cluster-routing-flood-stage-tag[]
`cluster.info.update.interval`::

@ -1,6 +1,7 @@
[[modules-http]]
=== HTTP
[[modules-http-description]]
// tag::modules-http-description-tag[]
The HTTP layer exposes {es}'s REST APIs over HTTP.
The HTTP mechanism is completely asynchronous in nature, meaning that
@ -13,105 +14,118 @@ http://en.wikipedia.org/wiki/Keepalive#HTTP_Keepalive[HTTP keep alive]
when connecting for better performance and try to get your favorite
client not to do
http://en.wikipedia.org/wiki/Chunked_transfer_encoding[HTTP chunking].
// end::modules-http-description-tag[]
[http-settings]
==== HTTP settings
The settings in the table below can be configured for HTTP. Note that none of
them are dynamically updatable so for them to take effect they should be set in
the Elasticsearch <<settings, configuration file>>.
The following settings can be configured for HTTP. These settings also use the common <<modules-network,network settings>>.
[cols="<,<",options="header",]
|=======================================================================
|Setting |Description
|`http.port` |A bind port range. Defaults to `9200-9300`.
NOTE: HTTP settings cannot be updated dynamically. You must configure these settings in the {es} <<settings, configuration file>>
and restart {es} for changes to take effect.
|`http.publish_port` |The port that HTTP clients should use when
`http.port`::
A bind port range. Defaults to `9200-9300`.
`http.publish_port`::
The port that HTTP clients should use when
communicating with this node. Useful when a cluster node is behind a
proxy or firewall and the `http.port` is not directly addressable
from the outside. Defaults to the actual port assigned via `http.port`.
|`http.bind_host` |The host address to bind the HTTP service to. Defaults to `http.host` (if set) or `network.bind_host`.
`http.bind_host`::
The host address to bind the HTTP service to. Defaults to `http.host` (if set) or `network.bind_host`.
|`http.publish_host` |The host address to publish for HTTP clients to connect to. Defaults to `http.host` (if set) or `network.publish_host`.
`http.publish_host`::
The host address to publish for HTTP clients to connect to. Defaults to `http.host` (if set) or `network.publish_host`.
|`http.host` |Used to set the `http.bind_host` and the `http.publish_host`.
`http.host`::
Used to set the `http.bind_host` and the `http.publish_host`.
|`http.max_content_length` |The max content of an HTTP request. Defaults to
`100mb`.
`http.max_content_length`::
The max content of an HTTP request. Defaults to `100MB`.
|`http.max_initial_line_length` |The max length of an HTTP URL. Defaults
to `4kb`
`http.max_initial_line_length`::
The max length of an HTTP URL. Defaults to `4KB`.
|`http.max_header_size` | The max size of allowed headers. Defaults to `8kB`
|`http.compression` |Support for compression when possible (with
Accept-Encoding). If HTTPS is enabled, defaults to `false`. Otherwise, defaults
to `true`.
`http.max_header_size`::
The max size of allowed headers. Defaults to `8KB`.
[[http-compression]]
// tag::http-compression-tag[]
`http.compression` {ess-icon}::
Support for compression when possible (with Accept-Encoding). If HTTPS is enabled, defaults to `false`. Otherwise, defaults to `true`.
+
Disabling compression for HTTPS mitigates potential security risks, such as a
https://en.wikipedia.org/wiki/BREACH[BREACH attack]. To compress HTTPS traffic,
you must explicitly set `http.compression` to `true`.
// end::http-compression-tag[]
|`http.compression_level` |Defines the compression level to use for HTTP responses. Valid values are in the range of 1 (minimum compression)
and 9 (maximum compression). Defaults to `3`.
`http.compression_level`::
Defines the compression level to use for HTTP responses. Valid values are in the range of 1 (minimum compression) and 9 (maximum compression). Defaults to `3`.
|`http.cors.enabled` |Enable or disable cross-origin resource sharing,
i.e. whether a browser on another origin can execute requests against
Elasticsearch. Set to `true` to enable Elasticsearch to process pre-flight
[[http-cors-enabled]]
// tag::http-cors-enabled-tag[]
`http.cors.enabled` {ess-icon}::
Enable or disable cross-origin resource sharing, which determines whether a browser on another origin can execute requests against {es}. Set to `true` to enable {es} to process pre-flight
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing[CORS] requests.
Elasticsearch will respond to those requests with the `Access-Control-Allow-Origin` header
if the `Origin` sent in the request is permitted by the `http.cors.allow-origin`
list. Set to `false` (the default) to make Elasticsearch ignore the `Origin`
request header, effectively disabling CORS requests because Elasticsearch will
never respond with the `Access-Control-Allow-Origin` response header. Note that
if the client does not send a pre-flight request with an `Origin` header or it
does not check the response headers from the server to validate the
{es} will respond to those requests with the `Access-Control-Allow-Origin` header if the `Origin` sent in the request is permitted by the `http.cors.allow-origin` list. Set to `false` (the default) to make {es} ignore the `Origin` request header, effectively disabling CORS requests because {es} will never respond with the `Access-Control-Allow-Origin` response header.
+
NOTE: If the client does not send a pre-flight request with an `Origin` header or it does not check the response headers from the server to validate the
`Access-Control-Allow-Origin` response header, then cross-origin security is
compromised. If CORS is not enabled on Elasticsearch, the only way for the client
to know is to send a pre-flight request and realize the required response headers
are missing.
compromised. If CORS is not enabled on {es}, the only way for the client to know is to send a pre-flight request and realize the required response headers are missing.
|`http.cors.allow-origin` |Which origins to allow. Defaults to no origins
allowed. If you prepend and append a `/` to the value, this will
be treated as a regular expression, allowing you to support HTTP and HTTPs.
for example using `/https?:\/\/localhost(:[0-9]+)?/` would return the
request header appropriately in both cases. `*` is a valid value but is
considered a *security risk* as your Elasticsearch instance is open to cross origin
requests from *anywhere*.
// end::http-cors-enabled-tag[]
|`http.cors.max-age` |Browsers send a "preflight" OPTIONS-request to
determine CORS settings. `max-age` defines how long the result should
be cached for. Defaults to `1728000` (20 days)
[[http-cors-allow-origin]]
// tag::http-cors-allow-origin-tag[]
`http.cors.allow-origin` {ess-icon}::
Which origins to allow. If you prepend and append a forward slash (`/`) to the value, this will be treated as a regular expression, allowing you to support HTTP and HTTPs. For example, using `/https?:\/\/localhost(:[0-9]+)?/` would return the request header appropriately in both cases. Defaults to no origins allowed.
+
IMPORTANT: A wildcard (`*`) is a valid value but is considered a security risk, as your {es} instance is open to cross origin requests from *anywhere*.
|`http.cors.allow-methods` |Which methods to allow. Defaults to
`OPTIONS, HEAD, GET, POST, PUT, DELETE`.
// end::http-cors-allow-origin-tag[]
|`http.cors.allow-headers` |Which headers to allow. Defaults to
`X-Requested-With, Content-Type, Content-Length`.
[[http-cors-max-age]]
// tag::http-cors-max-age-tag[]
`http.cors.max-age` {ess-icon}::
Browsers send a "preflight" OPTIONS-request to determine CORS settings. `max-age` defines how long the result should be cached for. Defaults to `1728000` (20 days).
// end::http-cors-max-age-tag[]
|`http.cors.allow-credentials` | Whether the `Access-Control-Allow-Credentials`
header should be returned. Note: This header is only returned, when the setting is
set to `true`. Defaults to `false`
[[http-cors-allow-methods]]
// tag::http-cors-allow-methods-tag[]
`http.cors.allow-methods` {ess-icon}::
Which methods to allow. Defaults to `OPTIONS, HEAD, GET, POST, PUT, DELETE`.
// end::http-cors-allow-methods-tag[]
|`http.detailed_errors.enabled` |Enables or disables the output of detailed error messages
and stack traces in response output. Note: When set to `false` and the `error_trace` request
parameter is specified, an error will be returned; when `error_trace` is not specified, a
simple message will be returned. Defaults to `true`
[[http-cors-allow-headers]]
// tag::http-cors-allow-headers-tag[]
`http.cors.allow-headers` {ess-icon}::
Which headers to allow. Defaults to `X-Requested-With, Content-Type, Content-Length`.
// end::http-cors-allow-headers-tag[]
|`http.pipelining.max_events` |The maximum number of events to be queued up in memory before an HTTP connection is closed, defaults to `10000`.
[[http-cors-allow-credentials]]
// tag::http-cors-allow-credentials-tag[]
`http.cors.allow-credentials` {ess-icon}::
Whether the `Access-Control-Allow-Credentials` header should be returned. Defaults to `false`.
+
NOTE: This header is only returned when the setting is set to `true`.
|`http.max_warning_header_count` |The maximum number of warning headers in
client HTTP responses, defaults to unbounded.
// end::http-cors-allow-credentials-tag[]
|`http.max_warning_header_size` |The maximum total size of warning headers in
client HTTP responses, defaults to unbounded.
`http.detailed_errors.enabled`::
If `true`, enables the output of detailed error messages and stack traces in the response output. Defaults to `true`.
+
If `false`, use the `error_trace` parameter to <<common-options-error-options,enable stack traces>> and return detailed error messages. Otherwise, only a simple message will be returned.
|=======================================================================
`http.pipelining.max_events`::
The maximum number of events to be queued up in memory before an HTTP connection is closed, defaults to `10000`.
It also uses the common
<<modules-network,network settings>>.
`http.max_warning_header_count`::
The maximum number of warning headers in client HTTP responses. Defaults to `unbounded`.
`http.max_warning_header_size`::
The maximum total size of warning headers in client HTTP responses. Defaults to `unbounded`.
[http-rest-request-tracer]
==== REST request tracer
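Review bot: the rewritten `http.detailed_errors.enabled` entry (the lines starting `If `false`, use the `error_trace` parameter ...`) inverts the meaning of the table row it replaces, which said that when the setting is `false` and `error_trace` is specified an error is returned, and that otherwise only a simple message is returned. The new wording reads as if `error_trace` can still switch on stack traces when the setting is `false`; since this setting is the knob that keeps stack traces out of responses, keep the original semantics, e.g. "If `false`, requests that specify `error_trace` are rejected with an error, and other errors return only a simple message." Also, `Defaults to `unbounded`` for `http.max_warning_header_count` and `http.max_warning_header_size` formats "unbounded" as if it were a literal value that can be set; the replaced rows wrote it as prose (`defaults to unbounded`), which is the accurate form.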
@ -141,4 +155,4 @@ PUT _cluster/settings
"http.tracer.exclude" : ""
}
}
--------------------------------------------------
--------------------------------------------------

@ -1,13 +1,12 @@
[[circuit-breaker]]
=== Circuit breaker settings
Elasticsearch contains multiple circuit breakers used to prevent operations from
causing an OutOfMemoryError. Each breaker specifies a limit for how much memory
it can use. Additionally, there is a parent-level breaker that specifies the
total amount of memory that can be used across all breakers.
[[circuit-breaker-description]]
// tag::circuit-breaker-description-tag[]
{es} contains multiple circuit breakers used to prevent operations from causing an OutOfMemoryError. Each breaker specifies a limit for how much memory it can use. Additionally, there is a parent-level breaker that specifies the total amount of memory that can be used across all breakers.
Except where noted otherwise, these settings can be dynamically updated on a
live cluster with the <<cluster-update-settings,cluster-update-settings>> API.
// end::circuit-breaker-description-tag[]
[[parent-circuit-breaker]]
[float]
@ -21,11 +20,14 @@ The parent-level breaker can be configured with the following settings:
memory usage into account (`true`) or only consider the amount that is
reserved by child circuit breakers (`false`). Defaults to `true`.
`indices.breaker.total.limit`::
[[indices-breaker-total-limit]]
// tag::indices-breaker-total-limit-tag[]
`indices.breaker.total.limit` {ess-icon}::
Starting limit for overall parent breaker, defaults to 70% of JVM heap if
Starting limit for overall parent breaker. Defaults to 70% of JVM heap if
`indices.breaker.total.use_real_memory` is `false`. If `indices.breaker.total.use_real_memory`
is `true`, defaults to 95% of the JVM heap.
// end::indices-breaker-total-limit-tag[]
[[fielddata-circuit-breaker]]
[float]
@ -36,14 +38,20 @@ field data loading by raising an exception. By default the limit is configured
to 40% of the maximum JVM heap. It can be configured with the following
parameters:
`indices.breaker.fielddata.limit`::
[[fielddata-circuit-breaker-limit]]
// tag::fielddata-circuit-breaker-limit-tag[]
`indices.breaker.fielddata.limit` {ess-icon}::
Limit for fielddata breaker, defaults to 40% of JVM heap
Limit for fielddata breaker. Defaults to 40% of JVM heap.
// end::fielddata-circuit-breaker-limit-tag[]
`indices.breaker.fielddata.overhead`::
[[fielddata-circuit-breaker-overhead]]
// tag::fielddata-circuit-breaker-overhead-tag[]
`indices.breaker.fielddata.overhead` {ess-icon}::
A constant that all field data estimations are multiplied with to determine a
final estimation. Defaults to 1.03
final estimation. Defaults to `1.03`.
// end::fielddata-circuit-breaker-overhead-tag[]
[[request-circuit-breaker]]
[float]
@ -53,14 +61,20 @@ The request circuit breaker allows Elasticsearch to prevent per-request data
structures (for example, memory used for calculating aggregations during a
request) from exceeding a certain amount of memory.
`indices.breaker.request.limit`::
[[request-breaker-limit]]
// tag::request-breaker-limit-tag[]
`indices.breaker.request.limit` {ess-icon}::
Limit for request breaker, defaults to 60% of JVM heap
Limit for request breaker, defaults to 60% of JVM heap.
// end::request-breaker-limit-tag[]
`indices.breaker.request.overhead`::
[[request-breaker-overhead]]
// tag::request-breaker-overhead-tag[]
`indices.breaker.request.overhead` {ess-icon}::
A constant that all request estimations are multiplied with to determine a
final estimation. Defaults to 1
final estimation. Defaults to `1`.
// end::request-breaker-overhead-tag[]
[[in-flight-circuit-breaker]]
[float]
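Review bot: `Limit for request breaker, defaults to 60% of JVM heap.` keeps the comma splice that the fielddata and total-limit entries in this change fix (`Limit for fielddata breaker. Defaults to 40% of JVM heap.`); make it `Limit for request breaker. Defaults to 60% of JVM heap.` so the three breaker entries read the same.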

@ -0,0 +1,29 @@
[[index-management-settings]]
=== Index management settings
You can configure these index settings in the `elasticsearch.yml` file.
[[auto-create-index]]
// tag::auto-create-index-tag[]
`action.auto_create_index` {ess-icon}::
<<index-creation,Automatically create an index>> if it doesn't already exist and apply any configured index templates. Default: `true`.
// end::auto-create-index-tag[]
[[action-destructive-requires-name]]
// tag::action-destructive-requires-name-tag[]
`action.destructive_requires_name` {ess-icon}::
When set to `true`, you must specify the index name to <<indices-delete-index,delete an index>>. It is not possible to delete all indices with `_all` or use wildcards.
// end::action-destructive-requires-name-tag[]
[[cluster-indices-close-enable]]
// tag::cluster-indices-close-enable-tag[]
`cluster.indices.close.enable` {ess-icon}::
Enables <<indices-open-close,opening of closed indices>> in {es}. You might enable this setting temporarily to change the analyzer configuration for an existing index. We strongly recommend leaving this set to `false` (the default) otherwise.
+
IMPORTANT: Closed indices are a data loss risk because they are not included when you make cluster configuration changes, such as scaling to a different capacity, failover, and many other operations. Additionally, closed indices can lead to inaccurate disk space counts.
[[reindex-remote-whitelist]]
// tag::reindex-remote-whitelist[]
`reindex.remote.whitelist` {ess-icon}::
Specifies the hosts that can be <<reindex-from-remote,reindexed from remotely>>. Expects a YAML array of `host:port` strings. Consists of a comma-delimited list of `host:port` entries. Defaults to `["\*.io:*", "\*.com:*"]`.
// end::reindex-remote-whitelist[]
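Review bot: the `// tag::cluster-indices-close-enable-tag[]` region has no matching `// end::cluster-indices-close-enable-tag[]` before `[[reindex-remote-whitelist]]`, so an `include::...[tag=cluster-indices-close-enable-tag]` will pull in everything to the end of the file; add the end tag after the IMPORTANT admonition. In the same entry, `Enables <<indices-open-close,opening of closed indices>>` does not match the setting name `cluster.indices.close.enable`, and the advice to leave it `false` only makes sense if it governs closing; verify the direction. For `reindex.remote.whitelist`, `Expects a YAML array of `host:port` strings.` and `Consists of a comma-delimited list of `host:port` entries.` describe two different formats; keep one. Double-check that the escaped default `["\*.io:*", "\*.com:*"]` renders as intended, because this list is the allow-list of remote hosts that reindex may connect to and a rendering error there misleads readers about what is permitted. The tag name `reindex-remote-whitelist` also lacks the `-tag` suffix used by the other tags in this file.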

@ -9,13 +9,14 @@ Every node in the cluster can handle <<modules-http,HTTP>> and
<<modules-transport,Transport>> traffic by default. The transport layer is used
exclusively for communication between nodes; the HTTP layer is used by REST
clients.
[[modules-node-description]]
// tag::modules-node-description-tag[]
All nodes know about all the other nodes in the cluster and can forward client
requests to the appropriate node.
By default, a node is all of the following types: master-eligible, data, ingest,
and (if available) machine learning and transform.
// end::modules-node-description-tag[]
TIP: As the cluster grows and in particular if you have large {ml} jobs or
{ctransforms}, consider separating dedicated master-eligible nodes from
dedicated data nodes, {ml} nodes, and {transform} nodes.
@ -30,7 +31,7 @@ A node that has the `master` role (default), which makes it eligible to be
A node that has the `data` role (default). Data nodes hold data and perform data
related operations such as CRUD, search, and aggregations.
<<ingest,Ingest node>>::
<<node-ingest-node,Ingest node>>::
A node that has the `ingest` role (default). Ingest nodes are able to apply an
<<pipeline,ingest pipeline>> to a document in order to transform and enrich the
@ -199,6 +200,12 @@ To create a dedicated ingest node, set:
node.roles: [ ingest ]
-------------------
[[node-ingest-node-setting]]
// tag::node-ingest-tag[]
`node.ingest` {ess-icon}::
Determines whether a node is an ingest node. <<ingest,Ingest nodes>> can apply an ingest pipeline to transform and enrich a document before indexing. Default: `true`.
// end::node-ingest-tag[]
[[coordinating-only-node]]
==== Coordinating only node
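Review bot: the new `node.ingest` entry sits directly under the `node.roles: [ ingest ]` example but does not say how the two relate (whether `node.ingest` is an alternative to `node.roles`, or is ignored when `node.roles` is set); a reader configuring a dedicated ingest node needs that. Also, the entry links `<<ingest,Ingest nodes>>` while the earlier hunk in this file replaces `<<ingest,Ingest node>>` with `<<node-ingest-node,Ingest node>>`; confirm that pointing at two different anchors is intended.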

@ -4,17 +4,21 @@
++++
<titleabbrev>Auditing settings</titleabbrev>
++++
[[auditing-settings-description]]
// tag::auditing-settings-description-tag[]
You configure security auditing settings in the `elasticsearch.yml` configuration file
on each node in the cluster. For more information, see <<enable-audit-logging>>.
// end::auditing-settings-description-tag[]
[[general-audit-settings]]
==== General Auditing Settings
`xpack.security.audit.enabled`::
[[xpack-security-audit-enabled]]
// tag::xpack-security-audit-enabled-tag[]
`xpack.security.audit.enabled` {ess-icon}::
Set to `true` to enable auditing on the node. The default value is `false`.
This puts the auditing events in a dedicated file named `<clustername>_audit.json`
on each node.
on each node.
// end::xpack-security-audit-enabled-tag[]
[[event-audit-settings]]
==== Audited Event Settings
@ -22,16 +26,24 @@ on each node.
The events and some other information about what gets logged can be controlled
by using the following settings:
`xpack.security.audit.logfile.events.include`::
[[xpack-sa-lf-events-include]]
// tag::xpack-sa-lf-events-include-tag[]
`xpack.security.audit.logfile.events.include` {ess-icon}::
Specifies which events to include in the auditing output. The default value is:
`access_denied, access_granted, anonymous_access_denied, authentication_failed,
connection_denied, tampered_request, run_as_denied, run_as_granted`.
// end::xpack-sa-lf-events-include-tag[]
`xpack.security.audit.logfile.events.exclude`::
[[xpack-sa-lf-events-exclude]]
// tag::xpack-sa-lf-events-exclude-tag[]
`xpack.security.audit.logfile.events.exclude` {ess-icon}::
Excludes the specified events from the output. By default, no events are
excluded.
// end::xpack-sa-lf-events-exclude-tag[]
`xpack.security.audit.logfile.events.emit_request_body`::
[[xpack-sa-lf-events-emit-request]]
// tag::xpack-sa-lf-events-emit-request-tag[]
`xpack.security.audit.logfile.events.emit_request_body` {ess-icon}::
Specifies whether to include the request body from REST requests on certain
event types such as `authentication_failed`. The default value is `false`.
+
@ -40,22 +52,35 @@ IMPORTANT: No filtering is performed when auditing, so sensitive data may be
audited in plain text when including the request body in audit events.
--
// end::xpack-sa-lf-events-emit-request-tag[]
[[node-audit-settings]]
==== Local Node Info Settings
`xpack.security.audit.logfile.emit_node_name`::
[[xpack-sa-lf-emit-node-name]]
// tag::xpack-sa-lf-emit-node-name-tag[]
`xpack.security.audit.logfile.emit_node_name` {ess-icon}::
Specifies whether to include the <<node.name,node name>> as a field in
each audit event. The default value is `false`.
// end::xpack-sa-lf-emit-node-name-tag[]
`xpack.security.audit.logfile.emit_node_host_address`::
[[xpack-sa-lf-emit-node-host-address]]
// tag::xpack-sa-lf-emit-node-host-address-tag[]
`xpack.security.audit.logfile.emit_node_host_address` {ess-icon}::
Specifies whether to include the node's IP address as a field in each audit event.
The default value is `false`.
// end::xpack-sa-lf-emit-node-host-address-tag[]
`xpack.security.audit.logfile.emit_node_host_name`::
[[xpack-sa-lf-emit-node-host-name]]
// tag::xpack-sa-lf-emit-node-host-name-tag[]
`xpack.security.audit.logfile.emit_node_host_name` {ess-icon}::
Specifies whether to include the node's host name as a field in each audit event.
The default value is `false`.
// end::xpack-sa-lf-emit-node-host-name-tag[]
`xpack.security.audit.logfile.emit_node_id`::
[[xpack-sa-lf-emit-node-id]]
// tag::xpack-sa-lf-emit-node-id-tag[]
`xpack.security.audit.logfile.emit_node_id` {ess-icon}::
Specifies whether to include the node id as a field in each audit event.
This is available for the new format only. That is to say, this information
does not exist in the `<clustername>_access.log` file.
@ -63,6 +88,7 @@ Unlike <<node.name,node name>>, whose value might change if the administrator
changes the setting in the config file, the node id will persist across cluster
restarts and the administrator cannot change it.
The default value is `true`.
// end::xpack-sa-lf-emit-node-id-tag[]
[[audit-event-ignore-policies]]
==== Audit Logfile Event Ignore Policies
@ -70,25 +96,37 @@ The default value is `true`.
These settings affect the <<audit-log-ignore-policy,ignore policies>>
that enable fine-grained control over which audit events are printed to the log file.
All of the settings with the same policy name combine to form a single policy.
If an event matches all of the conditions for a specific policy, it is ignored
If an event matches all of the conditions for a specific policy, it is ignored
and not printed.
`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.users`::
[[xpack-sa-lf-events-ignore-users]]
// tag::xpack-sa-lf-events-ignore-users-tag[]
`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.users` {ess-icon}::
A list of user names or wildcards. The specified policy will
not print audit events for users matching these values.
// end::xpack-sa-lf-events-ignore-users-tag[]
`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.realms`::
[[xpack-sa-lf-events-ignore-realms]]
// tag::xpack-sa-lf-events-ignore-realms-tag[]
`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.realms` {ess-icon}::
A list of authentication realm names or wildcards. The specified policy will
not print audit events for users in these realms.
// end::xpack-sa-lf-events-ignore-realms-tag[]
`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.roles`::
[[xpack-sa-lf-events-ignore-roles]]
// tag::xpack-sa-lf-events-ignore-roles-tag[]
`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.roles` {ess-icon}::
A list of role names or wildcards. The specified policy will
not print audit events for users that have these roles. If the user has several
roles, some of which are *not* covered by the policy, the policy will
*not* cover this event.
// end::xpack-sa-lf-events-ignore-roles-tag[]
`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.indices`::
[[xpack-sa-lf-events-ignore-indices]]
// tag::xpack-sa-lf-events-ignore-indices-tag[]
`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.indices` {ess-icon}::
A list of index names or wildcards. The specified policy will
not print audit events when all the indices in the event match
these values. If the event concerns several indices, some of which are
*not* covered by the policy, the policy will *not* cover this event.
// end::xpack-sa-lf-events-ignore-indices-tag[]

@ -1,27 +1,44 @@
tag::ssl-certificate[]
Specifies the path for the PEM encoded certificate (or certificate chain) that is
associated with the key.
//TBD: This setting can be used only if `ssl.key` is set.
+
This setting can be used only if `ssl.key` is set.
end::ssl-certificate[]
tag::ssl-certificate-authorities[]
List of paths to PEM encoded certificate files that should be trusted.
//TBD: You cannot use this setting and `ssl.truststore.path` at the same time.
+
This setting and `ssl.truststore.path` cannot be used at the same time.
end::ssl-certificate-authorities[]
tag::ssl-cipher-suites-values[]
include::{es-repo-dir}/settings/common-defs.asciidoc[tag=ssl-cipher-suites-values-java11]
Supported cipher suites vary depending on which version of Java you use. For
example, for version 12 the default value is `TLS_AES_256_GCM_SHA384`,
`TLS_AES_128_GCM_SHA256`, `TLS_CHACHA20_POLY1305_SHA256`,
`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`,
`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`,
`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`,
`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`,
`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`,
`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
`TLS_RSA_WITH_AES_256_GCM_SHA384`, `TLS_RSA_WITH_AES_128_GCM_SHA256`,
`TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA256`,
`TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA`.
+
For more information, see Oracle's
https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2[Java Cryptography Architecture documentation].
end::ssl-cipher-suites-values[]
tag::ssl-cipher-suites-values-java11[]
Supported cipher suites vary depending on which version of Java you use. For
example, for version 11 the default value is `TLS_AES_256_GCM_SHA384`,
`TLS_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`,
`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`,
`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`,
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`,
`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`,
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`,
example, for version 11 the default value is `TLS_AES_256_GCM_SHA384`,
`TLS_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`,
`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`,
`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`,
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`,
`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`,
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`,
`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_AES_256_GCM_SHA384`,
`TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA256`,
`TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`,
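Review bot: the mutual-exclusion caveats made visible in this hunk are worded three ways: `This setting can be used only if `ssl.key` is set.` in `ssl-certificate`, `This setting and `ssl.truststore.path` cannot be used at the same time.` in `ssl-certificate-authorities`, and `You cannot use this setting and ... at the same time.` in the tags further down the file; align on the `You cannot use ...` form so the caveats read the same wherever these tags are included.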
@ -44,17 +61,22 @@ end::ssl-cipher-suites-values-java11[]
tag::ssl-key-pem[]
Path to a PEM encoded file containing the private key.
//TBD: You cannot use this setting and `ssl.keystore.path` at the same time.
+
If HTTP client authentication is required, it uses this file. You cannot use
this setting and `ssl.keystore.path` at the same time.
end::ssl-key-pem[]
tag::ssl-key-passphrase[]
The passphrase that is used to decrypt the private key. Since the key might not
be encrypted, this value is optional.
//TBD: You cannot use this setting and `ssl.secure_key_passphrase` at the same time.
+
You cannot use this setting and `ssl.secure_key_passphrase` at the same time.
end::ssl-key-passphrase[]
tag::ssl-keystore-key-password[]
The password for the key in the keystore. The default is the keystore password.
+
You cannot use this setting and `ssl.keystore.secure_password` at the same time.
//TBD: You cannot use this setting and `ssl.keystore.secure_key_password` at the same time.
end::ssl-keystore-key-password[]
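Review bot: in `ssl-keystore-key-password`, the added sentence names `ssl.keystore.secure_password`, but the `//TBD` line beside it names `ssl.keystore.secure_key_password`. The key password's secure counterpart is `ssl.keystore.secure_key_password`; `ssl.keystore.secure_password` pairs with the keystore password, which has its own `ssl-keystore-password` / `ssl-keystore-secure-password` tags in this file. Change the visible text to `ssl.keystore.secure_key_password` and drop the TBD comment. In `ssl-key-pem`, `If HTTP client authentication is required, it uses this file.` is HTTP-specific wording inside a definition shared by every `ssl.key` setting; either drop the sentence or move it to the HTTP-specific documentation.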
@ -65,6 +87,9 @@ end::ssl-keystore-password[]
tag::ssl-keystore-path[]
The path for the keystore file that contains a private key and certificate.
+
It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this
setting and `ssl.key` at the same time.
//TBD: It must be either a Java keystore (jks) or a PKCS#12 file.
//TBD: You cannot use this setting and `ssl.key` at the same time.
end::ssl-keystore-path[]
@ -81,13 +106,13 @@ end::ssl-keystore-secure-password[]
tag::ssl-keystore-type-pkcs12[]
The format of the keystore file. It must be either `jks` or `PKCS12`. If the
keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults
keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults
to `PKCS12`. Otherwise, it defaults to `jks`.
end::ssl-keystore-type-pkcs12[]
tag::ssl-secure-key-passphrase[]
The passphrase that is used to decrypt the private key. Since the key might not
be encrypted, this value is optional.
be encrypted, this value is optional.
//TBD: You cannot use this setting and `ssl.key_passphrase` at the same time.
end::ssl-secure-key-passphrase[]
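Review bot: `ssl-secure-key-passphrase` still carries its caveat only as a comment (`//TBD: You cannot use this setting and `ssl.key_passphrase` at the same time.`), while the converse caveat in `ssl-key-passphrase` is made visible text in this change; surface this one as well, otherwise readers see the restriction on only one side of the pair.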
@ -98,7 +123,7 @@ the default is `TLSv1.3,TLSv1.2,TLSv1.1`. Otherwise, the default is
`TLSv1.2,TLSv1.1`.
+
--
NOTE: If `xpack.security.fips_mode.enabled` is `true`, you cannot use `SSLv2Hello`
NOTE: If `xpack.security.fips_mode.enabled` is `true`, you cannot use `SSLv2Hello`
or `SSLv3`. See <<fips-140-compliance>>.
--
@ -106,12 +131,17 @@ end::ssl-supported-protocols[]
tag::ssl-truststore-password[]
The password for the truststore.
+
You cannot use this setting and `ssl.truststore.secure_password` at the same
time.
//TBD: You cannot use this setting and `ssl.truststore.secure_password` at the same time.
end::ssl-truststore-password[]
tag::ssl-truststore-path[]
The path for the keystore that contains the certificates to trust. It must be
either a Java keystore (jks) or a PKCS#12 file.
+
You cannot use this setting and `ssl.certificate_authorities` at the same time.
//TBD: You cannot use this setting and `ssl.certificate_authorities` at the same time.
end::ssl-truststore-path[]
@ -133,13 +163,16 @@ PKCS#12 files, use `PKCS12`. For a PKCS#11 token, use `PKCS11`. The default is
end::ssl-truststore-type-pkcs11[]
tag::ssl-verification-mode-values[]
Controls the verification of certificates.
+
Valid values are:
- `full`, which verifies that the provided certificate is signed by a trusted
* `full`, which verifies that the provided certificate is signed by a trusted
authority (CA) and also verifies that the server's hostname (or IP address)
matches the names identified within the certificate.
- `certificate`, which verifies that the provided certificate is signed by a
* `certificate`, which verifies that the provided certificate is signed by a
trusted authority (CA), but does not perform any hostname verification.
- `none`, which performs _no verification_ of the server's certificate. This
* `none`, which performs _no verification_ of the server's certificate. This
mode disables many of the security benefits of SSL/TLS and should only be used
after very careful consideration. It is primarily intended as a temporary
diagnostic mechanism when attempting to resolve TLS errors; its use on

@ -6,6 +6,8 @@
<titleabbrev>Machine learning settings</titleabbrev>
++++
[[ml-settings-description]]
// tag::ml-settings-description-tag[]
You do not need to configure any settings to use {ml}. It is enabled by default.
IMPORTANT: {ml-cap} uses SSE4.2 instructions, so will only work on machines whose
@ -13,13 +15,15 @@ CPUs https://en.wikipedia.org/wiki/SSE4#Supporting_CPUs[support] SSE4.2. If you
run {es} on older hardware you must disable {ml} (by setting `xpack.ml.enabled`
to `false`).
All of these settings can be added to the `elasticsearch.yml` configuration file.
The dynamic settings can also be updated across a cluster with the
All of these settings can be added to the `elasticsearch.yml` configuration file.
The dynamic settings can also be updated across a cluster with the
<<cluster-update-settings,cluster update settings API>>.
TIP: Dynamic settings take precedence over settings in the `elasticsearch.yml`
TIP: Dynamic settings take precedence over settings in the `elasticsearch.yml`
file.
// end::ml-settings-description-tag[]
[float]
[[general-ml-settings]]
==== General machine learning settings
@ -58,13 +62,16 @@ heap on each ingest node. The cache affords faster processing times for the
or a percentage of total allocated heap. The default is "40%".
See also <<model-inference-circuit-breaker>>.
`xpack.ml.inference_model.time_to_live`::
[[xpack-interference-model-ttl]]
// tag::interference-model-ttl-tag[]
`xpack.ml.inference_model.time_to_live` {ess-icon}::
The time to live (TTL) for models in the inference model cache. The TTL is
calculated from last access. The `inference` processor attempts to load the
model from cache. If the `inference` processor does not receive any documents
for the duration of the TTL, the referenced model is flagged for eviction from
the cache. If a document is processed later, the model is again loaded into the
cache. Defaults to `5m`.
// end::interference-model-ttl-tag[]
`xpack.ml.max_inference_processors` (<<cluster-update-settings,Dynamic>>)::
The total number of `inference` type processors allowed across all ingest
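Review bot: the anchor `[[xpack-interference-model-ttl]]` and the tag `interference-model-ttl-tag` misspell "inference" (the setting is `xpack.ml.inference_model.time_to_live`); rename both to `xpack-inference-model-ttl` and `inference-model-ttl-tag` before any other document includes them, since renaming a tag later breaks every include that references it.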
@ -88,12 +95,12 @@ affected when you update this setting. For more information about the
[[xpack.ml.max_open_jobs]]
`xpack.ml.max_open_jobs` (<<cluster-update-settings,Dynamic>>)::
The maximum number of jobs that can run simultaneously on a node. Defaults to
`20`. In this context, jobs include both {anomaly-jobs} and {dfanalytics-jobs}.
The maximum number of jobs is also constrained by memory usage. Thus if the
estimated memory usage of the jobs would be higher than allowed, fewer jobs will
run on a node. Prior to version 7.1, this setting was a per-node non-dynamic
setting. It became a cluster-wide dynamic setting in version 7.1. As a result,
changes to its value after node startup are used only after every node in the
`20`. In this context, jobs include both {anomaly-jobs} and {dfanalytics-jobs}.
The maximum number of jobs is also constrained by memory usage. Thus if the
estimated memory usage of the jobs would be higher than allowed, fewer jobs will
run on a node. Prior to version 7.1, this setting was a per-node non-dynamic
setting. It became a cluster-wide dynamic setting in version 7.1. As a result,
changes to its value after node startup are used only after every node in the
cluster is running version 7.1 or higher. The maximum permitted value is `512`.
`xpack.ml.node_concurrent_job_allocations` (<<cluster-update-settings,Dynamic>>)::
@ -106,14 +113,14 @@ opening spend more time in the `opening` state. Defaults to `2`.
[[advanced-ml-settings]]
==== Advanced machine learning settings
These settings are for advanced use cases; the default values are generally
These settings are for advanced use cases; the default values are generally
sufficient:
`xpack.ml.enable_config_migration` (<<cluster-update-settings,Dynamic>>)::
Reserved.
`xpack.ml.max_anomaly_records` (<<cluster-update-settings,Dynamic>>)::
The maximum number of records that are output per bucket. The default value is
The maximum number of records that are output per bucket. The default value is
`500`.
`xpack.ml.max_lazy_ml_nodes` (<<cluster-update-settings,Dynamic>>)::

@ -34,9 +34,12 @@ This deprecated setting has no effect.
[[monitoring-collection-settings]]
==== Monitoring Collection Settings
[[monitoring-settings-description]]
// tag::monitoring-settings-description-tag[]
The `xpack.monitoring.collection` settings control how data is collected from
your Elasticsearch nodes. You can dynamically change all monitoring collection
settings using the <<cluster-update-settings,cluster update settings API>>.
// end::monitoring-settings-description-tag[]
`xpack.monitoring.collection.enabled` (<<cluster-update-settings,Dynamic>>)::
@ -45,7 +48,9 @@ this setting is `false` (default), {es} monitoring data is not collected and
all monitoring data from other sources such as {kib}, Beats, and Logstash is
ignored.
`xpack.monitoring.collection.interval` (<<cluster-update-settings,Dynamic>>)::
[[xpack-monitoring-collection-interval]]
// tag::monitoring-collection-interval-tag[]
`xpack.monitoring.collection.interval` (<<cluster-update-settings,Dynamic>>) {ess-icon}::
Setting to `-1` to disable data collection is no longer supported beginning with
7.0.0. deprecated[6.3.0, Use `xpack.monitoring.collection.enabled` set to `false` instead.]
@ -53,6 +58,7 @@ Setting to `-1` to disable data collection is no longer supported beginning with
Controls how often data samples are collected. Defaults to `10s`. If you
modify the collection interval, set the `xpack.monitoring.min_interval_seconds`
option in `kibana.yml` to the same value.
// end::monitoring-collection-interval-tag[]
`xpack.monitoring.elasticsearch.collection.enabled` (<<cluster-update-settings,Dynamic>>)::
@ -92,7 +98,9 @@ collect only active recoveries. Defaults to `false`.
(<<time-units,time value>>) Timeout for collecting the recovery information. Defaults to `10s`.
`xpack.monitoring.history.duration` (<<cluster-update-settings,Dynamic>>)::
[[xpack-monitoring-history-duration]]
// tag::monitoring-history-duration-tag[]
`xpack.monitoring.history.duration` (<<cluster-update-settings,Dynamic>>) {ess-icon}::
(<<time-units,time value>>) Retention duration beyond which the indices created by a Monitoring
exporter are automatically deleted. Defaults to `7d` (7 days).
@ -105,6 +113,8 @@ IMPORTANT: This setting currently only impacts `local`-type exporters. Indices c
the `http` exporter will not be deleted automatically.
--
// end::monitoring-history-duration-tag[]
`xpack.monitoring.exporters`::
Configures where the agent stores monitoring data. By default, the agent uses a

@ -7,6 +7,8 @@
<titleabbrev>{watcher} settings</titleabbrev>
++++
[[notification-settings-description]]
// tag::notification-settings-description-tag[]
You configure {watcher} settings to set up {watcher} and send notifications via
<<email-notification-settings,email>>,
<<slack-notification-settings,Slack>>, and
@ -17,6 +19,7 @@ with the exception of the secure settings, which you add to the {es} keystore.
For more information about creating and updating the {es} keystore, see
<<secure-settings>>. Dynamic settings can also be updated across a cluster with the
<<cluster-update-settings,cluster update settings API>>.
// end::notification-settings-description-tag[]
[float]
[[general-notification-settings]]
@ -24,17 +27,22 @@ For more information about creating and updating the {es} keystore, see
`xpack.watcher.enabled`::
Set to `false` to disable {watcher} on the node.
`xpack.watcher.encrypt_sensitive_data`::
[[xpack-watcher-encrypt-sensitive-data]]
// tag::watcher-encrypt-sensitive-data-tag[]
`xpack.watcher.encrypt_sensitive_data` {ess-icon}::
Set to `true` to encrypt sensitive data. If this setting is enabled, you
must also specify the `xpack.watcher.encryption_key` setting. For more
information, see <<encrypting-data>>.
// end::watcher-encrypt-sensitive-data-tag[]
`xpack.watcher.encryption_key` (<<secure-settings,Secure>>)::
Specifies the path to a file that contains a key for encrypting sensitive data.
If `xpack.watcher.encrypt_sensitive_data` is set to `true`, this setting is
required. For more information, see <<encrypting-data>>.
`xpack.watcher.history.cleaner_service.enabled`::
[[xpack-watcher-history-cleaner-service]]
// tag::watcher-history-cleaner-service-tag[]
`xpack.watcher.history.cleaner_service.enabled` {ess-icon}::
added:[6.3.0,Default changed to `true`.]
deprecated:[7.0.0,Watcher history indices are now managed by the `watch-history-ilm-policy` ILM policy]
+
@ -44,6 +52,7 @@ removes previous versions of {watcher} indices (for example,
{watcher} indices is determined by the `xpack.monitoring.history.duration`
setting, which defaults to 7 days. For more information about that setting,
see <<monitoring-settings>>.
// end::watcher-history-cleaner-service-tag[]
`xpack.http.proxy.host`::
Specifies the address of the proxy server to use to connect to HTTP services.
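Review bot: the `watcher-encrypt-sensitive-data-tag` region ends before `xpack.watcher.encryption_key`, yet its text says `you must also specify the `xpack.watcher.encryption_key` setting`; wherever the tag is included on its own, the reader is told a secure setting is required without seeing how to provide it. Either extend the tag to cover `xpack.watcher.encryption_key` or add a cross-reference inside the tagged text. Also, the `watcher-history-cleaner-service-tag` region begins with the `added:[...]` and `deprecated:[...]` attributes, which will be included verbatim wherever the tag is used; confirm that is wanted.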

File diff suppressed because it is too large

@ -6,7 +6,7 @@
<titleabbrev>{slm-cap} settings</titleabbrev>
++++
These are the settings available for configuring
These are the settings available for configuring
<<snapshot-lifecycle-management, {slm}>> ({slm-init}).
==== Cluster-level settings
@ -19,7 +19,7 @@ to the `slm-history-*` indices. Defaults to `true`.
[[slm-retention-schedule]]
`slm.retention_schedule`::
(<<cluster-update-settings,Dynamic>>, <<schedule-cron,cron scheduler value>>)
(<<cluster-update-settings,Dynamic>>, <<schedule-cron,cron scheduler value>>)
Controls when the <<slm-retention,retention task>> runs.
Can be a periodic or absolute time schedule.
Supports all values supported by the <<schedule-cron,cron scheduler>>.
@ -31,3 +31,8 @@ Defaults to daily at 1:30am UTC: `0 30 1 * * ?`.
Limits how long {slm-init} should spend deleting old snapshots.
Defaults to one hour: `1h`.
[[repositories-url-allowed]]
// tag::repositories-url-allowed[]
`repositories.url.allowed_urls` {ess-icon}::
Specifies the <<snapshots-read-only-repository,read-only URL repositories>> that snapshots can be restored from.
// end::repositories-url-allowed[]
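Review bot: `repositories.url.allowed_urls` is a URL-repository setting rather than an {slm-init} setting, so it reads out of place at the end of the SLM cluster-level settings; if it must live in this file, give it the detail the other entries have (what the value is, whether a list, and the default), because this setting is the allow-list that bounds which locations a restore may read from and readers need to know what an unset value permits. The tag name `repositories-url-allowed` also lacks the `-tag` suffix used elsewhere in this change.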

@ -61,6 +61,8 @@ include::modules/http.asciidoc[]
include::settings/ilm-settings.asciidoc[]
include::modules/indices/index_management.asciidoc[]
include::modules/indices/recovery.asciidoc[]
include::modules/indices/indexing_buffer.asciidoc[]

@ -4,7 +4,8 @@
++++
<titleabbrev>Register repository</titleabbrev>
++++
[[snapshots-register-repository-description]]
// tag::snapshots-register-repository-tag[]
You must register a snapshot repository before you can perform snapshot and
restore operations. We recommend creating a new snapshot repository for each
major version. The valid repository settings depend on the repository type.
@ -12,7 +13,7 @@ major version. The valid repository settings depend on the repository type.
If you register same snapshot repository with multiple clusters, only
one cluster should have write access to the repository. All other clusters
connected to that repository should set the repository to `readonly` mode.
// end::snapshots-register-repository-tag[]
IMPORTANT: The snapshot format can change across major versions, so if you have
clusters on different versions trying to write the same repository, snapshots
written by one version may not be visible to the other and the repository could