secure-settings.asciidoc 2.3 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071
  1. [[secure-settings]]
  2. === Secure Settings
  3. Some settings are sensitive, and relying on filesystem permissions to protect
  4. their values is not sufficient. For this use case, Elasticsearch provides a
  5. keystore, which may be password protected, and the `elasticsearch-keystore`
  6. tool to manage the settings in the keystore.
  7. NOTE: All commands here should be run as the user which will run Elasticsearch.
  8. NOTE: Only some settings are designed to be read from the keystore. See
  9. documentation for each setting to see if it is supported as part of the keystore.
  10. NOTE: All the modifications to the keystore take affect only after restarting
  11. Elasticsearch.
  12. [float]
  13. [[creating-keystore]]
  14. === Creating the keystore
  15. To create the `elasticsearch.keystore`, use the `create` command:
  16. [source,sh]
  17. ----------------------------------------------------------------
  18. bin/elasticsearch-keystore create
  19. ----------------------------------------------------------------
  20. The file `elasticsearch.keystore` will be created alongside `elasticsearch.yml`.
  21. [float]
  22. [[list-settings]]
  23. === Listing settings in the keystore
  24. A list of the settings in the keystore is available with the `list` command:
  25. [source,sh]
  26. ----------------------------------------------------------------
  27. bin/elasticsearch-keystore list
  28. ----------------------------------------------------------------
  29. [float]
  30. [[add-string-to-keystore]]
  31. === Adding string settings
  32. Sensitive string settings, like authentication credentials for cloud
  33. plugins, can be added using the `add` command:
  34. [source,sh]
  35. ----------------------------------------------------------------
  36. bin/elasticsearch-keystore add the.setting.name.to.set
  37. ----------------------------------------------------------------
  38. The tool will prompt for the value of the setting. To pass the value
  39. through stdin, use the `--stdin` flag:
  40. [source,sh]
  41. ----------------------------------------------------------------
  42. cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin the.setting.name.to.set
  43. ----------------------------------------------------------------
  44. [float]
  45. [[remove-settings]]
  46. === Removing settings
  47. To remove a setting from the keystore, use the `remove` command:
  48. [source,sh]
  49. ----------------------------------------------------------------
  50. bin/elasticsearch-keystore remove the.setting.name.to.remove
  51. ----------------------------------------------------------------