Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 703908ad7f
Branches Tags
elasticsearch
/
docs
/
reference
/
setup
/
secure-settings.asciidoc

secure-settings.asciidoc 3.9 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105 
  1. [[secure-settings]]
    2. 

  2. === Secure settings
    3. 

  3. 

  4. Some settings are sensitive, and relying on filesystem permissions to protect
    5. 

  5. their values is not sufficient. For this use case, Elasticsearch provides a
    6. 

  6. keystore and the `elasticsearch-keystore` tool to manage the settings in the keystore.
    7. 

  7. 

  8. NOTE: All commands here should be run as the user which will run Elasticsearch.
    9. 

  9. 

  10. NOTE: Only some settings are designed to be read from the keystore. See
    11. 

  11. documentation for each setting to see if it is supported as part of the keystore.
    12. 

  12. 

  13. NOTE: All the modifications to the keystore take affect only after restarting
    14. 

  14. Elasticsearch.
    15. 

  15. 

  16. NOTE: The elasticsearch keystore currently only provides obfuscation. In the future,
    17. 

  17. password protection will be added.
    18. 

  18. 

  19. These settings, just like the regular ones in the `elasticsearch.yml` config file,
    20. 

  20. need to be specified on each node in the cluster. Currently, all secure settings
    21. 

  21. are node-specific settings that must have the same value on every node.
    22. 

  22. 

  23. [float]
    24. 

  24. [[creating-keystore]]
    25. 

  25. === Creating the keystore
    26. 

  26. 

  27. To create the `elasticsearch.keystore`, use the `create` command:
    28. 

  28. 

  29. [source,sh]
    30. 

  30. ----------------------------------------------------------------
    31. 

  31. bin/elasticsearch-keystore create
    32. 

  32. ----------------------------------------------------------------
    33. 

  33. 

  34. The file `elasticsearch.keystore` will be created alongside `elasticsearch.yml`.
    35. 

  35. 

  36. [float]
    37. 

  37. [[list-settings]]
    38. 

  38. === Listing settings in the keystore
    39. 

  39. 

  40. A list of the settings in the keystore is available with the `list` command:
    41. 

  41. 

  42. [source,sh]
    43. 

  43. ----------------------------------------------------------------
    44. 

  44. bin/elasticsearch-keystore list
    45. 

  45. ----------------------------------------------------------------
    46. 

  46. 

  47. [float]
    48. 

  48. [[add-string-to-keystore]]
    49. 

  49. === Adding string settings
    50. 

  50. 

  51. Sensitive string settings, like authentication credentials for cloud
    52. 

  52. plugins, can be added using the `add` command:
    53. 

  53. 

  54. [source,sh]
    55. 

  55. ----------------------------------------------------------------
    56. 

  56. bin/elasticsearch-keystore add the.setting.name.to.set
    57. 

  57. ----------------------------------------------------------------
    58. 

  58. 

  59. The tool will prompt for the value of the setting. To pass the value
    60. 

  60. through stdin, use the `--stdin` flag:
    61. 

  61. 

  62. [source,sh]
    63. 

  63. ----------------------------------------------------------------
    64. 

  64. cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin the.setting.name.to.set
    65. 

  65. ----------------------------------------------------------------
    66. 

  66. 

  67. [float]
    68. 

  68. [[remove-settings]]
    69. 

  69. === Removing settings
    70. 

  70. 

  71. To remove a setting from the keystore, use the `remove` command:
    72. 

  72. 

  73. [source,sh]
    74. 

  74. ----------------------------------------------------------------
    75. 

  75. bin/elasticsearch-keystore remove the.setting.name.to.remove
    76. 

  76. ----------------------------------------------------------------
    77. 

  77. 

  78. [float]
    79. 

  79. [[reloadable-secure-settings]]
    80. 

  80. === Reloadable secure settings
    81. 

  81. 

  82. Just like the settings values in `elasticsearch.yml`, changes to the
    83. 

  83. keystore contents are not automatically applied to the running
    84. 

  84. elasticsearch node. Re-reading settings requires a node restart.
    85. 

  85. However, certain secure settings are marked as *reloadable*. Such settings
    86. 

  86. can be re-read and applied on a running node.
    87. 

  87. 

  88. The values of all secure settings, *reloadable* or not, must be identical
    89. 

  89. across all cluster nodes. After making the desired secure settings changes,
    90. 

  90. using the `bin/elasticsearch-keystore add` command, call:
    91. 

  91. [source,js]
    92. 

  92. ----
    93. 

  93. POST _nodes/reload_secure_settings
    94. 

  94. ----
    95. 

  95. // CONSOLE
    96. 

  96. This API will decrypt and re-read the entire keystore, on every cluster node,
    97. 

  97. but only the *reloadable* secure settings will be applied. Changes to other
    98. 

  98. settings will not go into effect until the next restart. Once the call returns,
    99. 

  99. the reload has been completed, meaning that all internal datastructures dependent
    100. 

  100. on these settings have been changed. Everything should look as if the settings
    101. 

  101. had the new value from the start.
    102. 

  102. 

  103. When changing multiple *reloadable* secure settings, modify all of them, on
    104. 

  104. each cluster node, and then issue a `reload_secure_settings` call, instead
    105. 

  105. of reloading after each modification.
    106.