Some settings are sensitive, and relying on filesystem permissions to protect
their values is not sufficient. For this use case, Elasticsearch provides a
keystore and the elasticsearch-keystore tool to manage the settings in the keystore.
Note: All commands here should be run as the user that will run Elasticsearch.

Note: Only some settings are designed to be read from the keystore. See the documentation for each setting to see if it is supported as part of the keystore.

Note: All modifications to the keystore take effect only after restarting Elasticsearch.

Note: The Elasticsearch keystore currently only provides obfuscation. In the future, password protection will be added.

These settings, just like the regular ones in the elasticsearch.yml config file,
need to be specified on each node in the cluster. Currently, all secure settings
are node-specific settings that must have the same value on every node.
To create the elasticsearch.keystore, use the create command:
bin/elasticsearch-keystore create
The file elasticsearch.keystore will be created alongside elasticsearch.yml.
A list of the settings in the keystore is available with the list command:
bin/elasticsearch-keystore list
Sensitive string settings, like authentication credentials for cloud
plugins, can be added using the add command:
bin/elasticsearch-keystore add the.setting.name.to.set
The tool will prompt for the value of the setting. To pass the value
through stdin, use the --stdin flag:
cat /file/containing/setting/value | bin/elasticsearch-keystore add --stdin the.setting.name.to.set
To remove a setting from the keystore, use the remove command:
bin/elasticsearch-keystore remove the.setting.name.to.remove
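
The create, list, add --stdin and remove commands above combined into one repeatable step, as an added example that is not part of the Elasticsearch documentation. The helper name set_secure_setting, the ES_HOME, ES_CONF_DIR and ES_USER variables with their default paths, and the permission check on the value file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Elasticsearch docs. ES_HOME, ES_CONF_DIR and
# ES_USER and their defaults are assumptions; adjust them to your install.
ES_HOME="${ES_HOME:-/usr/share/elasticsearch}"
ES_CONF_DIR="${ES_CONF_DIR:-/etc/elasticsearch}"
ES_USER="${ES_USER:-elasticsearch}"

keystore() { "$ES_HOME/bin/elasticsearch-keystore" "$@"; }

# set_secure_setting NAME VALUE_FILE  (hypothetical helper name)
set_secure_setting() {
  name=$1
  value_file=$2

  # Run as the user that runs Elasticsearch, as the page requires.
  if [ "$(id -un)" != "$ES_USER" ]; then
    echo "run this as $ES_USER, not $(id -un)" >&2
    return 2
  fi

  # The keystore only obfuscates, so a group- or world-readable source
  # file would be the weaker copy of the secret. Refuse to use one.
  if [ ! -r "$value_file" ] ||
     [ -n "$(find "$value_file" \( -perm -040 -o -perm -004 \))" ]; then
    echo "$value_file must be readable by its owner only" >&2
    return 3
  fi

  # Create the keystore alongside elasticsearch.yml only if it is missing.
  [ -f "$ES_CONF_DIR/elasticsearch.keystore" ] || keystore create || return 4

  # Remove any old value first, so add never has to overwrite an entry.
  if keystore list | grep -qxF "$name"; then
    keystore remove "$name" || return 5
  fi

  # --stdin keeps the value out of argv and shell history.
  keystore add --stdin "$name" < "$value_file" || return 6

  # Verify that the setting name is now listed.
  keystore list | grep -qxF "$name" || return 7
  echo "stored $name; restart Elasticsearch for it to take effect"
}
```

Run the same call on every node, since secure settings must have the same value cluster-wide.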