From 8ae2249e43d109fae488ab9d1bbfe5e9a4b5c19a Mon Sep 17 00:00:00 2001
From: Alexander Reelsen
Date: Wed, 5 Sep 2018 09:13:51 +0200
Subject: [PATCH 1/2] Docs: Add password keystore setting for email account passwords

---
 x-pack/docs/en/watcher/actions/email.asciidoc | 40 +++++++++++++++++--
 1 file changed, 36 insertions(+), 4 deletions(-)

diff --git a/x-pack/docs/en/watcher/actions/email.asciidoc b/x-pack/docs/en/watcher/actions/email.asciidoc
index 0da028fcc7b1e..5a6d6450b2e3a 100644
--- a/x-pack/docs/en/watcher/actions/email.asciidoc
+++ b/x-pack/docs/en/watcher/actions/email.asciidoc
@@ -318,7 +318,15 @@ xpack.notification.email.account:
 host: smtp.gmail.com
 port: 587
 user:
- password:
+--------------------------------------------------
+
+In order to not store the account SMTP password as plaintext in the
+elasticsearch yaml file, you should use the keystore instead (you can still
+store the password in the elasticsearch configuration file, if you need to)
+
+[source,yaml]
+--------------------------------------------------
+bin/elasticsearch-keystore xpack.notification.email.account.gmail_account.smtp.secure_password
 --------------------------------------------------
 
 If you get an authentication error that indicates that you need to continue the
@@ -349,9 +357,18 @@ xpack.notification.email.account: host: smtp-mail.outlook.com port: 587 user: - password: -------------------------------------------------- +In order to not store the account SMTP password as plaintext in the +elasticsearch yaml file, you should use the keystore instead (you can still +store the password in the elasticsearch configuration file, if you need to) + +[source,yaml] +-------------------------------------------------- +bin/elasticsearch-keystore xpack.notification.email.account.outlook_account.smtp.secure_password +-------------------------------------------------- + + When sending emails, you have to provide a from address, either a default one in your account configuration or as part of the email action in the watch. @@ -377,10 +394,18 @@ xpack.notification.email.account: host: email-smtp.us-east-1.amazonaws.com <1> port: 587 user: - password: -------------------------------------------------- <1> `smtp.host` varies depending on the region +In order to not store the account SMTP password as plaintext in the +elasticsearch yaml file, you should use the keystore instead (you can still +store the password in the elasticsearch configuration file, if you need to) + +[source,yaml] +-------------------------------------------------- +bin/elasticsearch-keystore xpack.notification.email.account.ses_account.smtp.secure_password +-------------------------------------------------- + NOTE: You need to use your Amazon SES SMTP credentials to send email through Amazon SES. For more information, see http://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html[Obtaining @@ -409,7 +434,6 @@ xpack.notification.email.account: host: port: 587 user: <2> - password: -------------------------------------------------- <1> Some organizations configure Exchange to validate that the `from` field is a valid local email account. 
@@ -417,6 +441,14 @@ xpack.notification.email.account: it is a good idea to check with your system administrator if you receive authentication-related failures. +In order to not store the account SMTP password as plaintext in the +elasticsearch yaml file, you should use the keystore instead (you can still +store the password in the elasticsearch configuration file, if you need to) + +[source,yaml] +-------------------------------------------------- +bin/elasticsearch-keystore xpack.notification.email.account.exchange_account.smtp.secure_password +-------------------------------------------------- [float] [[email-html-sanitization]] From 4f148073baad016a61e65f0171f4dd2715b4d71e Mon Sep 17 00:00:00 2001 From: Alexander Reelsen Date: Thu, 6 Sep 2018 10:48:13 +0200 Subject: [PATCH 2/2] review comment: remove cleartext setting mention, refer to secure settings --- x-pack/docs/en/watcher/actions/email.asciidoc | 20 ++++++++----------- 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/x-pack/docs/en/watcher/actions/email.asciidoc b/x-pack/docs/en/watcher/actions/email.asciidoc index 5a6d6450b2e3a..465df0d179754 100644 --- a/x-pack/docs/en/watcher/actions/email.asciidoc +++ b/x-pack/docs/en/watcher/actions/email.asciidoc @@ -320,9 +320,8 @@ xpack.notification.email.account: user: -------------------------------------------------- -In order to not store the account SMTP password as plaintext in the -elasticsearch yaml file, you should use the keystore instead (you can still -store the password in the elasticsearch configuration file, if you need to) +In order to store the account SMTP password, use the keystore command +(see {ref}/secure-settings.html[secure settings]) [source,yaml] -------------------------------------------------- 
@@ -359,9 +358,8 @@ xpack.notification.email.account: user: -------------------------------------------------- -In order to not store the account SMTP password as plaintext in the -elasticsearch yaml file, you should use the keystore instead (you can still -store the password in the elasticsearch configuration file, if you need to) +In order to store the account SMTP password, use the keystore command +(see {ref}/secure-settings.html[secure settings]) [source,yaml] -------------------------------------------------- @@ -397,9 +395,8 @@ xpack.notification.email.account: -------------------------------------------------- <1> `smtp.host` varies depending on the region -In order to not store the account SMTP password as plaintext in the -elasticsearch yaml file, you should use the keystore instead (you can still -store the password in the elasticsearch configuration file, if you need to) +In order to store the account SMTP password, use the keystore command +(see {ref}/secure-settings.html[secure settings]) [source,yaml] -------------------------------------------------- @@ -441,9 +438,8 @@ xpack.notification.email.account: it is a good idea to check with your system administrator if you receive authentication-related failures. -In order to not store the account SMTP password as plaintext in the -elasticsearch yaml file, you should use the keystore instead (you can still -store the password in the elasticsearch configuration file, if you need to) +In order to store the account SMTP password, use the keystore command +(see {ref}/secure-settings.html[secure settings]) [source,yaml] --------------------------------------------------