85 lines
2.8 KiB
Plaintext
85 lines
2.8 KiB
Plaintext
[[cluster-nodes-reload-secure-settings]]
|
|
=== Nodes reload secure settings API
|
|
++++
|
|
<titleabbrev>Nodes reload secure settings</titleabbrev>
|
|
++++
|
|
|
|
|
|
The cluster nodes reload secure settings API is used to re-load the keystore on each node.
|
|
|
|
[source,console]
|
|
--------------------------------------------------
|
|
POST _nodes/reload_secure_settings
|
|
POST _nodes/nodeId1,nodeId2/reload_secure_settings
|
|
--------------------------------------------------
|
|
// TEST[setup:node]
|
|
// TEST[s/nodeId1,nodeId2/*/]
|
|
|
|
The first command reloads the keystore on each node. The seconds allows
|
|
to selectively target `nodeId1` and `nodeId2`. The node selection options are
|
|
detailed <<cluster-nodes,here>>.
|
|
|
|
NOTE: {es} requires consistent secure settings across the cluster nodes, but this consistency is not enforced.
|
|
Hence, reloading specific nodes is not standard. It is only justifiable when retrying failed reload operations.
|
|
|
|
==== Reload Password Protected Secure Settings
|
|
|
|
When the {es} keystore is password protected and not simply obfuscated, the password for the keystore needs
|
|
to be provided in the request to reload the secure settings.
|
|
Reloading the settings for the whole cluster assumes that all nodes' keystores are protected with the same password
|
|
and is only allowed when {ref}/configuring-tls.html#tls-transport[node to node communications are encrypted]
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
POST _nodes/reload_secure_settings
|
|
{
|
|
"reload_secure_settings": "s3cr3t" <1>
|
|
}
|
|
--------------------------------------------------
|
|
// NOTCONSOLE
|
|
|
|
<1> The common password that the {es} keystore is encrypted with in every node of the cluster.
|
|
|
|
Alternatively the secure settings can be reloaded on a per node basis, locally accessing the API and passing the
|
|
node-specific {es} keystore password.
|
|
|
|
[source,js]
|
|
--------------------------------------------------
|
|
POST _nodes/_local/reload_secure_settings
|
|
{
|
|
"reload_secure_settings": "s3cr3t" <1>
|
|
}
|
|
--------------------------------------------------
|
|
// NOTCONSOLE
|
|
|
|
<1> The password that the {es} keystore is encrypted with on the local node.
|
|
|
|
|
|
[float]
|
|
[[rest-reload-secure-settings]]
|
|
==== REST Reload Secure Settings Response
|
|
|
|
The response contains the `nodes` object, which is a map, keyed by the
|
|
node id. Each value has the node `name` and an optional `reload_exception`
|
|
field. The `reload_exception` field is a serialization of the exception
|
|
that was thrown during the reload process, if any.
|
|
|
|
[source,console-result]
|
|
--------------------------------------------------
|
|
{
|
|
"_nodes": {
|
|
"total": 1,
|
|
"successful": 1,
|
|
"failed": 0
|
|
},
|
|
"cluster_name": "my_cluster",
|
|
"nodes": {
|
|
"pQHNt5rXTTWNvUgOrdynKg": {
|
|
"name": "node-0"
|
|
}
|
|
}
|
|
}
|
|
--------------------------------------------------
|
|
// TESTRESPONSE[s/"my_cluster"/$body.cluster_name/]
|
|
// TESTRESPONSE[s/"pQHNt5rXTTWNvUgOrdynKg"/\$node_name/]
|