Elasticsearch.keystore

Jockj · October 25, 2018, 5:55pm

does anyone have one list of supported keys/values in elasticsearch.keystore? I'm trying to leverage elasticsearch.keystore, but I cannot find a document to know which keys/values of the settings is supported.

rjernst · October 25, 2018, 6:20pm

There is no central listing keys that may be used within the elasticsearch keystore. Rather, each setting that must be specified in the keystore explicitly notes this. So, look at documentation for whatever you are trying to configure, and see if it mentions it as a "secure setting".

Jockj · October 25, 2018, 10:13pm

Thanks Ryan.

I try to "secure" the password used to connect to the central monitoring, so I try something like below, it doesn't work, does it mean it is not supported yet.

in elasticsearch.yml
xpack.monitoring.exporters:
idhttp:
type: http
host: ["https://10.224.244.170:9200"]
auth.username: clp_monitoring
auth.password: ${xpack.monitoring.exporters.idhttp.auth.password}
ssl.certificate_authorities: "/etc/elasticsearch/x-pack/es_xpack_ca.crt"

I put xpack.monitoring.exporters.idhttp.auth.password in the keystore, it has error
Exception in thread "main" java.lang.IllegalArgumentException: Circular placeholder reference 'xpack.monitoring.exporters.idhttp.auth.password' in property definitions

I try to use auth.password: ${auth.password}, it has error
Exception in thread "main" java.lang.IllegalArgumentException: Could not resolve placeholder 'auth.password'

I try to remove the line auth.password from the elasticsearch.yml, there is no error but it will not load the password from the keystore.

jetnet · October 30, 2018, 9:55pm

+1!
it's not clear how to reference the properties from keystore, especially on Windows:

bin\elasticsearch-keystore create
bin\elasticsearch-keystore add pw

elasticsearch.yml:

    bind_password: "${pw}"

Exception: Exception in thread "main" java.lang.IllegalArgumentException: Could not resolve placeholder 'pw'

elasticsearch.yml:

    bind_password: "$pw"

Exception: uncaught exception in thread [main] org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: unknown secure setting [pw] please check that any required plugins are installed, or check the breaking changes documentation for removed settings

Please update the documentation by adding examples (unix & win). Thanks a lot!

Update: oops, sorry:

Only some settings are designed to be read from the keystore. See documentation for each setting to see if it is supported as part of the keystore.

ok, works as designed...

jetnet · October 30, 2018, 10:27pm

works:

          bind_dn: "CN=user,OU=People,DC=company,DC=com"
          # secure_bind_password: "use the keystore: bin\elasticsearch-keystore add xpack.security.authc.realms.company_ad.secure_bind_password"

rjernst · October 31, 2018, 4:21pm

@jetnet Properties are not meant to be referenced. The keystore key is the secure setting.

@Jockj The monitoring http exporter does not yet have keystore variants of its username/password. Each setting that supports keystore must be manually migrated, and this is an ongoing effort.

Jockj · October 31, 2018, 4:52pm

@rjernst, Thanks a lot for your update.

jetnet · October 31, 2018, 8:50pm

@rjernst, thanks for the details. I didn't use the ES keystore before, in LS keystore you can reference props, that's why I tried to do the same with ES one. One stack - different approaches?

system · November 28, 2018, 8:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.