(Jock Jiang) #1

does anyone have one list of supported keys/values in elasticsearch.keystore? I'm trying to leverage elasticsearch.keystore, but I cannot find a document to know which keys/values of the settings is supported.

(Ryan Ernst) #2

There is no central listing keys that may be used within the elasticsearch keystore. Rather, each setting that must be specified in the keystore explicitly notes this. So, look at documentation for whatever you are trying to configure, and see if it mentions it as a "secure setting".

(Jock Jiang) #3

Thanks Ryan.

I try to "secure" the password used to connect to the central monitoring, so I try something like below, it doesn't work, does it mean it is not supported yet.

in elasticsearch.yml
type: http
host: [""]
auth.username: clp_monitoring
auth.password: ${xpack.monitoring.exporters.idhttp.auth.password}
ssl.certificate_authorities: "/etc/elasticsearch/x-pack/es_xpack_ca.crt"

I put xpack.monitoring.exporters.idhttp.auth.password in the keystore, it has error
Exception in thread "main" java.lang.IllegalArgumentException: Circular placeholder reference 'xpack.monitoring.exporters.idhttp.auth.password' in property definitions

I try to use auth.password: ${auth.password}, it has error
Exception in thread "main" java.lang.IllegalArgumentException: Could not resolve placeholder 'auth.password'

I try to remove the line auth.password from the elasticsearch.yml, there is no error but it will not load the password from the keystore.


it's not clear how to reference the properties from keystore, especially on Windows:

bin\elasticsearch-keystore create
bin\elasticsearch-keystore add pw
  1. elasticsearch.yml:
    bind_password: "${pw}"

Exception: Exception in thread "main" java.lang.IllegalArgumentException: Could not resolve placeholder 'pw'

  1. elasticsearch.yml:
    bind_password: "$pw"

Exception: uncaught exception in thread [main] org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: unknown secure setting [pw] please check that any required plugins are installed, or check the breaking changes documentation for removed settings

Please update the documentation by adding examples (unix & win). Thanks a lot!

Update: oops, sorry:

Only some settings are designed to be read from the keystore. See documentation for each setting to see if it is supported as part of the keystore.

ok, works as designed...



          bind_dn: "CN=user,OU=People,DC=company,DC=com"
          # secure_bind_password: "use the keystore: bin\elasticsearch-keystore add xpack.security.authc.realms.company_ad.secure_bind_password"

(Ryan Ernst) #6

@jetnet Properties are not meant to be referenced. The keystore key is the secure setting.

@Jockj The monitoring http exporter does not yet have keystore variants of its username/password. Each setting that supports keystore must be manually migrated, and this is an ongoing effort.

(Jock Jiang) #7

@rjernst, Thanks a lot for your update.


@rjernst, thanks for the details. I didn't use the ES keystore before, in LS keystore you can reference props, that's why I tried to do the same with ES one. One stack - different approaches? :wink:

(system) #9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.