[[elasticsearch-keystore]]
== elasticsearch-keystore

The `elasticsearch-keystore` command manages <<secure-settings,secure settings>>
in the {es} keystore.

[discrete]
[[elasticsearch-keystore-synopsis]]
=== Synopsis

[source,shell]
--------------------------------------------------
bin/elasticsearch-keystore
([add <settings>] [-f] [--stdin] |
[add-file (<setting> <path>)+] | [create] [-p] |
[list] | [passwd] | [remove <setting>] | [upgrade])
[-h, --help] ([-s, --silent] | [-v, --verbose])
--------------------------------------------------

[discrete]
[[elasticsearch-keystore-description]]
=== Description

IMPORTANT: This command should be run as the user that will run {es}.

Currently, all secure settings are node-specific settings that must have the
same value on every node. Therefore you must run this command on every node.

When the keystore is password-protected, you must supply the password each time
{es} starts.

Modifications to the keystore do not take effect until you restart {es}.

Only some settings are designed to be read from the keystore. However, there
is no validation to block unsupported settings from the keystore and they can
cause {es} to fail to start. To see whether a setting is supported in the
keystore, see the setting reference.

[discrete]
[[elasticsearch-keystore-parameters]]
=== Parameters

`add <settings>`:: Adds settings to the keystore. Multiple setting names can be
specified as arguments to the `add` command. By default, you are prompted for
the values of the settings. If the keystore is password protected, you are also
prompted to enter the password. If a setting already exists in the keystore, you
must confirm that you want to overwrite the current value. If the keystore does
not exist, you must confirm that you want to create a keystore. To avoid these
two confirmation prompts, use the `-f` parameter.

`add-file (<setting> <path>)+`:: Adds files to the keystore.

`create`:: Creates the keystore.

`-f, --force`:: When used with the `add` parameter, the command no longer prompts you
before overwriting existing entries in the keystore. Also, if you haven't
created a keystore yet, it creates a keystore that is obfuscated but not
password protected.

`-h, --help`:: Returns all of the command parameters.

`list`:: Lists the settings in the keystore. If the keystore is password
protected, you are prompted to enter the password.

`-p`:: When used with the `create` parameter, the command prompts you to enter a
keystore password. If you don't specify the `-p` flag or if you enter an empty
password, the keystore is obfuscated but not password protected.

`passwd`:: Changes or sets the keystore password. If the keystore is password
protected, you are prompted to enter the current password and the new one. You
can optionally use an empty string to remove the password. If the keystore is
not password protected, you can use this command to set a password.

`remove <settings>`:: Removes settings from the keystore. Multiple setting
names can be specified as arguments to the `remove` command.

`-s, --silent`:: Shows minimal output.

`-x, --stdin`:: When used with the `add` parameter, you can pass the settings values
through standard input (stdin). Separate multiple values with carriage returns
or newlines. See <<add-string-to-keystore>>.

`upgrade`:: Upgrades the internal format of the keystore.

`-v, --verbose`:: Shows verbose output.

[discrete]
[[elasticsearch-keystore-examples]]
=== Examples

[discrete]
[[creating-keystore]]
==== Create the keystore

To create the `elasticsearch.keystore`, use the `create` command:

[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore create -p
----------------------------------------------------------------

You are prompted to enter the keystore password. A password-protected
`elasticsearch.keystore` file is created alongside the `elasticsearch.yml` file.

[discrete]
[[changing-keystore-password]]
==== Change the password of the keystore

To change the password of the `elasticsearch.keystore`, use the `passwd` command:

[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore passwd
----------------------------------------------------------------

If the {es} keystore is password protected, you are prompted to enter the
current password and then enter the new one. If it is not password protected,
you are prompted to set a password.

[discrete]
[[list-settings]]
==== List settings in the keystore

To list the settings in the keystore, use the `list` command.

[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore list
----------------------------------------------------------------

If the {es} keystore is password protected, you are prompted to enter the
password.

[discrete]
[[add-string-to-keystore]]
==== Add settings to the keystore

Sensitive string settings, like authentication credentials for Cloud plugins,
can be added with the `add` command:

[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore add the.setting.name.to.set
----------------------------------------------------------------

You are prompted to enter the value of the setting. If the {es} keystore is
password protected, you are also prompted to enter the password.

You can also add multiple settings with the `add` command:

[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore add \
  the.setting.name.to.set \
  the.other.setting.name.to.set
----------------------------------------------------------------

You are prompted to enter the values of the settings. If the {es} keystore is
password protected, you are also prompted to enter the password.

To pass the settings values through standard input (stdin), use the `--stdin`
flag:

[source,sh]
----------------------------------------------------------------
cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin the.setting.name.to.set
----------------------------------------------------------------

Values for multiple settings must be separated by carriage returns or newlines.

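The following helper is an added example, not part of the Elasticsearch distribution or its documentation. It shows one way to load several settings through `--stdin` so that values stay paired with the right setting names. The function name `keystore_add_from_file`, the `KEYSTORE_BIN` override and the `name=value` input file format are assumptions made for the example, and it assumes the keystore already exists and that no confirmation or password prompt is pending.

```shell
# Added example: hypothetical helper, not shipped with Elasticsearch.
# KEYSTORE_BIN is an assumed override for the command path.
KEYSTORE_BIN="${KEYSTORE_BIN:-bin/elasticsearch-keystore}"

# keystore_add_from_file FILE
# FILE (constructed format) holds one "setting.name=value" pair per line;
# blank lines and lines starting with '#' are skipped.
keystore_add_from_file() {
    src="$1"
    [ -r "$src" ] || { echo "cannot read input file" >&2; return 2; }
    cr=$(printf '\r')
    values=""
    set --    # reuse the positional parameters to collect setting names
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            *=*) ;;
            # Do not echo the line itself: it may contain a secret.
            *) echo "malformed line: expected name=value" >&2; return 2 ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        # --stdin splits values on carriage returns as well as newlines, so a
        # CR inside a value (for example from a CRLF-saved file) would shift
        # every later value onto the wrong setting. Refuse instead of guessing.
        case "$value" in
            *"$cr"*) echo "value for $name contains a carriage return" >&2
                     return 3 ;;
        esac
        if [ -z "$name" ] || [ -z "$value" ]; then
            echo "empty setting name or value" >&2; return 2
        fi
        set -- "$@" "$name"
        values="${values}${value}
"
    done < "$src"
    [ "$#" -gt 0 ] || { echo "no settings found" >&2; return 2; }
    # Names go on the command line in the same order as the values on stdin.
    # printf is a shell builtin, so the values are never placed in another
    # process's argument list.
    printf '%s' "$values" | "$KEYSTORE_BIN" add --stdin "$@"
}
```

Keep the input file readable only by the user that runs Elasticsearch, and delete it once the settings are stored.
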
[discrete]
[[add-file-to-keystore]]
==== Add files to the keystore

You can add sensitive files, like authentication key files for Cloud plugins,
using the `add-file` command. Settings and file paths are specified in pairs
consisting of `setting path`.

[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore add-file the.setting.name.to.set /path/example-file.json
----------------------------------------------------------------

You can add multiple files with the `add-file` command:

[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore add-file \
  the.setting.name.to.set /path/example-file.json \
  the.other.setting.name.to.set /path/other-example-file.json
----------------------------------------------------------------

If the {es} keystore is password protected, you are prompted to enter the
password.

[discrete]
[[remove-settings]]
==== Remove settings from the keystore

To remove a setting from the keystore, use the `remove` command:

[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore remove the.setting.name.to.remove
----------------------------------------------------------------

You can also remove multiple settings with the `remove` command:

[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore remove \
  the.setting.name.to.remove \
  the.other.setting.name.to.remove
----------------------------------------------------------------

If the {es} keystore is password protected, you are prompted to enter the
password.

[discrete]
[[keystore-upgrade]]
==== Upgrade the keystore

Occasionally, the internal format of the keystore changes. When {es} is
installed from a package manager, an upgrade of the on-disk keystore to the new
format is done during package upgrade. In other cases, {es} performs the upgrade
during node startup. This requires that {es} has write permissions to the
directory that contains the keystore. Alternatively, you can manually perform
such an upgrade by using the `upgrade` command:

[source,sh]
----------------------------------------------------------------
bin/elasticsearch-keystore upgrade
----------------------------------------------------------------