Managing Your License
When you initially install Shield, a 30-day trial license is installed that allows access to all features. At the end of the trial period, you can purchase a subscription to keep using the full functionality of Shield along with Marvel and Watcher.
When your license expires, Shield operates in a degraded mode where access to the Elasticsearch cluster health, cluster stats, and index stats APIs is blocked. Shield keeps on protecting your cluster, but you won’t be able to monitor its operation until you update your license. For more information, see License Expiration.
Updating Your License
You can update your license at runtime without shutting down your nodes. License updates take effect immediately. The license is provided as a JSON file that you install with the license API. You need cluster admin privileges to install the license.
The endpoint for the license API changed to _license in Elasticsearch 2.0. If you are still running Elasticsearch 1.x, use the _licenses endpoint to update your license. For more information about managing licenses on 1.x, see the Shield 1.3 Reference.
To update your license:
- Send a request to the license API and specify the file that contains your new license:
  curl -XPUT -u admin 'http://<host>:<port>/_license' -d @license.json
  Where:
  - <host> is the hostname of the Elasticsearch node (localhost if executing locally)
  - <port> is the HTTP port (defaults to 9200)
  - license.json is the license JSON file
  When Shield is enabled, you need cluster admin privileges to install the license.
- If the license you are installing does not support all of the features available with your previous license, you will be notified in the response. To complete the license installation, you must resubmit the license update request and set the acknowledge parameter to true to indicate that you are aware of the changes.
  curl -XPUT -u admin 'http://<host>:<port>/_license?acknowledge=true' -d @license.json
Viewing the Installed License
You can also use the license API to retrieve the currently installed license:
curl -XGET -u admin:password 'http://<host>:<port>/_license'
{
  "license" : {
    "status" : "active",
    "uid" : "0a98411f-73f4-4c67-954c-724874ed5488",
    "type" : "trial",
    "issue_date" : "2015-10-13T18:18:20.709Z",
    "issue_date_in_millis" : 1444760300709,
    "expiry_date" : "2015-11-12T18:18:20.709Z",
    "expiry_date_in_millis" : 1447352300709,
    "max_nodes" : 1000,
    "issued_to" : "elasticsearch",
    "issuer" : "elasticsearch"
  }
}
You need cluster admin privileges to retrieve the license.
License Expiration
License expiration should never be a surprise. If you’re using Marvel, a license expiration warning is displayed prominently if your license expires within 30 days. Warnings are also displayed on startup and written to the Elasticsearch log starting 30 days from the expiration date. These error messages tell you when the license expires and what features will be disabled if you fail to update it:
# License will expire on [Thursday, November 12, 2015]. If you have a new license, please update it.
# Otherwise, please reach out to your support contact.
#
# Commercial plugins operate with reduced functionality on license expiration:
# - marvel
# - The agent will stop collecting cluster and indices metrics
# - shield
# - Cluster health, cluster stats and indices stats operations are blocked
# - All data operations (read and write) continue to work
Once the license expires, calls to the cluster health, cluster stats, and index stats APIs fail with an ElasticsearchSecurityException and return a 401 HTTP status code:
{
  "error": {
    "root_cause": [{
      "type": "security_exception",
      "reason": "current license is non-compliant for [shield]",
      "license.expired.feature": "shield"
    }],
    "type": "security_exception",
    "reason": "current license is non-compliant for [shield]",
    "license.expired.feature": "shield"
  },
  "status": 401
}
This enables automatic monitoring systems to easily detect the license failure without immediately impacting other users.
You should update your license as soon as possible. You’re essentially flying blind when running with an expired license. Access to the cluster health and stats APIs is critical for monitoring and managing an Elasticsearch cluster.
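The monitoring check described above, as an added example that is not part of the Shield documentation: it classifies a license API response by days left and tells the license-expired 401 apart from any other 401 by looking for the license.expired.feature field. The function names, the WARN_DAYS threshold and the OTHER_401 sample are assumptions made for illustration; the other two response bodies are taken from this page.

```python
import json
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed alert threshold, matching the 30-day warning window on this page

# Responses copied from this page (the license body is trimmed to the fields used).
LICENSE_BODY = '{"license": {"status": "active", "type": "trial", "expiry_date_in_millis": 1447352300709}}'
EXPIRED_401 = json.dumps({"error": {
    "root_cause": [{"type": "security_exception",
                    "reason": "current license is non-compliant for [shield]",
                    "license.expired.feature": "shield"}],
    "type": "security_exception",
    "reason": "current license is non-compliant for [shield]",
    "license.expired.feature": "shield"}, "status": 401})
# Constructed sample: a 401 that carries no license field (e.g. an authentication failure).
OTHER_401 = '{"error": {"type": "security_exception", "reason": "constructed sample"}, "status": 401}'


def license_state(license_body, now):
    """Classify a GET /_license response as 'ok', 'expiring' or 'expired', with days left."""
    lic = json.loads(license_body)["license"]
    expiry = datetime.fromtimestamp(lic["expiry_date_in_millis"] / 1000, tz=timezone.utc)
    days_left = (expiry - now).days  # negative once the expiry date has passed
    if lic.get("status") != "active" or days_left < 0:
        return "expired", days_left
    return ("expiring" if days_left <= WARN_DAYS else "ok"), days_left


def expired_features(http_status, body):
    """Return the features named in license.expired.feature, or [] when the
    response is not a license failure, so other 401s are not misreported."""
    if http_status != 401:
        return []
    try:
        error = json.loads(body).get("error")
    except (ValueError, AttributeError):
        return []
    if not isinstance(error, dict):
        return []
    causes = [error] + [c for c in (error.get("root_cause") or []) if isinstance(c, dict)]
    return sorted({c["license.expired.feature"] for c in causes
                   if c.get("type") == "security_exception" and c.get("license.expired.feature")})


if __name__ == "__main__":
    print(license_state(LICENSE_BODY, datetime(2015, 10, 20, tzinfo=timezone.utc)))
    print(expired_features(401, EXPIRED_401), expired_features(401, OTHER_401))
```

In a real monitor, the two bodies would come from the license API and from a cluster health request, made with an account that has cluster admin privileges.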