honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-02-07 21:48:39 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenSearch/docs/reference/migration/migrate_7_0/settings.asciidoc
Albert Zaharovits 5308746270
Remove Watcher Account "unsecure" settings (#36736) 
Removes all sensitive settings (passwords, auth tokens, urls, etc...) for
watcher notifications accounts. These settings were deprecated (and
herein removed) in favor of their secure sibling that is set inside the
elasticsearch keystore. For example:
`xpack.notification.email.account.<id>.smtp.password`
is no longer a valid setting, and it is replaced by
`xpack.notification.email.account.<id>.smtp.secure_password`
2019-01-20 12:51:24 +02:00

157 lines
6.4 KiB
Plaintext
Raw Blame History

[float]
[[breaking_70_settings_changes]]
=== Settings changes
[float]
==== The default for `node.name` is now the hostname
`node.name` now defaults to the hostname at the time when Elasticsearch
is started. Previously the default node name was the first eight characters
of the node id. It can still be configured explicitly in `elasticsearch.yml`.
[float]
==== Percolator
* The deprecated `index.percolator.map_unmapped_fields_as_string` setting has been removed in favour of
the `index.percolator.map_unmapped_fields_as_text` setting.
[float]
==== Index thread pool
* Internally, single-document index/delete/update requests are executed as bulk
requests with a single-document payload. This means that these requests are
executed on the bulk thread pool. As such, the indexing thread pool is no
longer needed and has been removed. As such, the settings
`thread_pool.index.size` and `thread_pool.index.queue_size` have been removed.
[float]
[[write-thread-pool-fallback]]
==== Write thread pool fallback
* The bulk thread pool was replaced by the write thread pool in 6.3.0. However,
for backwards compatibility reasons the name `bulk` was still usable as fallback
settings `thread_pool.bulk.size` and `thread_pool.bulk.queue_size` for
`thread_pool.write.size` and `thread_pool.write.queue_size`, respectively, and
the system property `es.thread_pool.write.use_bulk_as_display_name` was
available to keep the display output in APIs as `bulk` instead of `write`.
These fallback settings and this system property have been removed.
[float]
==== Disabling memory-mapping
* The setting `node.store.allow_mmapfs` has been renamed to `node.store.allow_mmap`.
[float]
[[remove-http-enabled]]
==== Http enabled setting removed
* The setting `http.enabled` previously allowed disabling binding to HTTP, only allowing
use of the transport client. This setting has been removed, as the transport client
will be removed in the future, thus requiring HTTP to always be enabled.
[float]
[[remove-http-pipelining-setting]]
==== Http pipelining setting removed
* The setting `http.pipelining` previously allowed disabling HTTP pipelining support.
This setting has been removed, as disabling http pipelining support on the server
provided little value. The setting `http.pipelining.max_events` can still be used to
limit the number of pipelined requests in-flight.
[float]
==== Cross-cluster search settings renamed
The cross-cluster search remote cluster connection infrastructure is also used
in cross-cluster replication. This means that the setting names
`search.remote.*` used for configuring cross-cluster search belie the fact that
they also apply to other situations where a connection to a remote cluster as
used. Therefore, these settings have been renamed from `search.remote.*` to
`cluster.remote.*`. For backwards compatibility purposes, we will fallback to
`search.remote.*` if `cluster.remote.*` is not set. For any such settings stored
in the cluster state, or set on dynamic settings updates, we will automatically
upgrade the setting from `search.remote.*` to `cluster.remote.*`. The fallback
settings will be removed in 8.0.0.
[float]
[[audit-logfile-local-node-info]]
==== Audit logfile local node info
The following settings have been removed:
- `xpack.security.audit.logfile.prefix.emit_node_host_address`, instead use
`xpack.security.audit.logfile.emit_node_host_address`
- `xpack.security.audit.logfile.prefix.emit_node_host_name`, instead use
`xpack.security.audit.logfile.emit_node_host_name`
- `xpack.security.audit.logfile.prefix.emit_node_name`, instead use
`xpack.security.audit.logfile.emit_node_name`
The new settings have the same meaning as the removed ones, but the `prefix`
name component is no longer meaningful as logfile audit entries are structured
JSON documents and are not prefixed by anything.
Moreover, `xpack.security.audit.logfile.emit_node_name` has changed its default
from `true` to `false`. All other settings mentioned before, have kept their
default value of `false`.
[float]
[[include-realm-type-in-setting]]
==== Security realms settings
The settings for all security realms must now include the realm type as part
of the setting name, and the explicit `type` setting has been removed.
A realm that was previous configured as:
[source,yaml]
--------------------------------------------------
xpack.security.authc.realms:
ldap1:
type: ldap
order: 1
url: "ldaps://ldap.example.com/"
--------------------------------------------------
Must be migrated to:
[source,yaml]
--------------------------------------------------
xpack.security.authc.realms:
ldap.ldap1:
order: 1
url: "ldaps://ldap.example.com/"
--------------------------------------------------
Any realm specific secure settings that have been stored in the elasticsearch
keystore (such as ldap bind passwords, or passwords for ssl keys) must be updated
in a similar way.
[float]
[[tls-setting-fallback]]
==== TLS/SSL settings
The default TLS/SSL settings, which were prefixed by `xpack.ssl`, have been removed.
The removal of these default settings also removes the ability for a component to
fallback to a default configuration when using TLS. Each component (realm, transport, http,
http client, etc) must now be configured with their own settings for TLS if it is being
used.
[float]
[[watcher-notifications-account-settings]]
==== Watcher notifications account settings
The following settings have been removed in favor of the secure variants.
The <<secure-settings, secure settings>> have to be defined inside each cluster
node's keystore, i.e., they are not to be specified via the cluster settings API.
- `xpack.notification.email.account.<id>.smtp.password`, instead use
`xpack.notification.email.account.<id>.smtp.secure_password`
- `xpack.notification.hipchat.account.<id>.auth_token`, instead use
`xpack.notification.hipchat.account.<id>.secure_auth_token`
- `xpack.notification.jira.account.<id>.url`, instead use
`xpack.notification.jira.account.<id>.secure_url`
- `xpack.notification.jira.account.<id>.user`, instead use
`xpack.notification.jira.account.<id>.secure_user`
- `xpack.notification.jira.account.<id>.password`, instead use
`xpack.notification.jira.account.<id>.secure_password`
- `xpack.notification.pagerduty.account.<id>.service_api_key`, instead use
`xpack.notification.pagerduty.account.<id>.secure_service_api_key`
- `xpack.notification.slack.account.<id>.url`, instead use
`xpack.notification.slack.account.<id>.secure_url`
Reference in New Issue View Git Blame Copy Permalink