ansible-role-elasticsearch/tasks/xpack/security/elasticsearch-security.yml

---
#Security specific configuration done here

#TODO: 1. Skip users with no password defined or error 2. Passwords | length > 6

#-----------------------------Create Bootstrap User-----------------------------------
### START BLOCK elasticsearch keystore ###
- name: create the elasticsearch keystore
  block:
  - name: create the keystore if it doesn't exist yet
    become: yes
    command: >
     {{es_home}}/bin/elasticsearch-keystore create
    args:
      creates: "{{ es_conf_dir }}/elasticsearch.keystore"
    environment:
      ES_PATH_CONF: "{{ es_conf_dir }}"

  - name: Check if bootstrap password is set
    become: yes
    command: >
     {{es_home}}/bin/elasticsearch-keystore list
    register: list_keystore
    changed_when: False
    environment:
      ES_PATH_CONF: "{{ es_conf_dir }}"
    check_mode: no

  - name: Create Bootstrap password for elastic user
    become: yes
    shell: echo {{ es_api_basic_auth_password | quote }} | {{ es_home }}/bin/elasticsearch-keystore add -x 'bootstrap.password'
    when:
      - es_api_basic_auth_username is defined and list_keystore is defined and es_api_basic_auth_username == 'elastic' and 'bootstrap.password' not in list_keystore.stdout_lines
    environment:
      ES_PATH_CONF: "{{ es_conf_dir }}"
    no_log: true

  - name: Remove keystore entries
    become: yes
    command: >
     echo {{ es_api_basic_auth_password | quote }} | {{ es_home }}/bin/elasticsearch-keystore remove '{{ item.key }}'
    with_items: "{{ es_keystore_entries }}"
    when:
      - es_keystore_entries is defined and es_keystore_entries | length > 0
      - item.state is defined and item.state == 'absent'
      - item.key in list_keystore.stdout_lines
      - ('bootstrap.password' not in item.key)
    no_log: true

  - name: Reload keystore entries
    become: yes
    command: >
     {{es_home}}/bin/elasticsearch-keystore list
    register: list_keystore
    changed_when: False
    environment:
      ES_PATH_CONF: "{{ es_conf_dir }}"
    check_mode: no

  - name: Add keystore entries
    become: yes
    shell: echo {{ item.value | quote }} | {{ es_home }}/bin/elasticsearch-keystore add -x -f {{ item.key }}
    with_items: "{{ es_keystore_entries }}"
    when:
      - es_keystore_entries is defined and es_keystore_entries | length > 0
      - item.state is undefined or item.state == 'present'
      - item.force|default(False) or ( not item.force|default(False) and item.key not in list_keystore.stdout_lines )
      - ('bootstrap.password' not in item.key)
    no_log: true


### END BLOCK elasticsearch keystore ###

#-----------------------------FILE BASED REALM----------------------------------------

- include: elasticsearch-security-file.yml
  when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined)

#-----------------------------ROLE MAPPING ----------------------------------------

#Copy Roles files
- name: Copy role_mapping.yml file for instance
  become: yes
  template: 
    src: security/role_mapping.yml.j2
    dest: "{{ es_conf_dir }}/role_mapping.yml"
    owner: root
    group: "{{ es_group }}"
    mode: "0660"
    force: yes
  when: es_role_mapping is defined
Shield to Security and other X-Pack clear up 2017-01-11 13:02:23 +00:00			`---`
			`#Security specific configuration done here`

			`#TODO: 1. Skip users with no password defined or error 2. Passwords \| length > 6`

Adding 6.x support with Bootstrap user addition 2018-01-08 16:59:44 -08:00			`#-----------------------------Create Bootstrap User-----------------------------------`
Create the keystore if it doesn't already exist 2018-06-13 17:33:23 +02:00			`### START BLOCK elasticsearch keystore ###`
			`- name: create the elasticsearch keystore`
			`block:`
			`- name: create the keystore if it doesn't exist yet`
add missing become: yes 2018-06-26 15:13:19 -04:00			`become: yes`
Create the keystore if it doesn't already exist 2018-06-13 17:33:23 +02:00			`command: >`
			`{{es_home}}/bin/elasticsearch-keystore create`
Abstract 6.3 changes into a separate task to reduce all of the jinja one liner complexity Set ES_PATH_CONF when installing so upgrading from 6.2 to 6.3 works as expected 2018-06-14 14:44:31 +02:00			`args:`
Remove multi instances support (#566) * remove multi instances support The goal is to stop supporting installation of more than one node in the same host. This commit update the Ansible role README documentation and remove the multi instances kitchen test. * remove systemd and init.d templates As we no more need to support more than one node on the same host, we no more need to override init files provided by elasticsearch official packages. * remove file script feature File scripts have been removed since elasticsearch 6.0 (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_scripting_changes.html#_file_scripts_removed) * remove custom user and custom group ES_USER and ES_GROUP settings are no longer supported (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_packaging_changes.html#_configuring_custom_user_and_group_for_package_is_no_longer_allowed) * add upgrade procedure * use same task for license activation with and without authentication 2019-06-03 14:18:09 +02:00			`creates: "{{ es_conf_dir }}/elasticsearch.keystore"`
Create the keystore if it doesn't already exist 2018-06-13 17:33:23 +02:00			`environment:`
Remove multi instances support (#566) * remove multi instances support The goal is to stop supporting installation of more than one node in the same host. This commit update the Ansible role README documentation and remove the multi instances kitchen test. * remove systemd and init.d templates As we no more need to support more than one node on the same host, we no more need to override init files provided by elasticsearch official packages. * remove file script feature File scripts have been removed since elasticsearch 6.0 (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_scripting_changes.html#_file_scripts_removed) * remove custom user and custom group ES_USER and ES_GROUP settings are no longer supported (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_packaging_changes.html#_configuring_custom_user_and_group_for_package_is_no_longer_allowed) * add upgrade procedure * use same task for license activation with and without authentication 2019-06-03 14:18:09 +02:00			`ES_PATH_CONF: "{{ es_conf_dir }}"`
add missing become: yes 2018-06-26 15:13:19 -04:00
Create the keystore if it doesn't already exist 2018-06-13 17:33:23 +02:00			`- name: Check if bootstrap password is set`
add missing become: yes 2018-06-26 15:13:19 -04:00			`become: yes`
Create the keystore if it doesn't already exist 2018-06-13 17:33:23 +02:00			`command: >`
			`{{es_home}}/bin/elasticsearch-keystore list`
			`register: list_keystore`
			`changed_when: False`
			`environment:`
Remove multi instances support (#566) * remove multi instances support The goal is to stop supporting installation of more than one node in the same host. This commit update the Ansible role README documentation and remove the multi instances kitchen test. * remove systemd and init.d templates As we no more need to support more than one node on the same host, we no more need to override init files provided by elasticsearch official packages. * remove file script feature File scripts have been removed since elasticsearch 6.0 (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_scripting_changes.html#_file_scripts_removed) * remove custom user and custom group ES_USER and ES_GROUP settings are no longer supported (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_packaging_changes.html#_configuring_custom_user_and_group_for_package_is_no_longer_allowed) * add upgrade procedure * use same task for license activation with and without authentication 2019-06-03 14:18:09 +02:00			`ES_PATH_CONF: "{{ es_conf_dir }}"`
add a few more 'check_mode:no' props for compatiblity with --check mode of ansible 2019-03-14 09:23:24 +01:00			`check_mode: no`
Adding 6.x support with Bootstrap user addition 2018-01-08 16:59:44 -08:00
Create the keystore if it doesn't already exist 2018-06-13 17:33:23 +02:00			`- name: Create Bootstrap password for elastic user`
add missing become: yes 2018-06-26 15:13:19 -04:00			`become: yes`
Properly quote password in shell command (#715) 2020-08-25 23:42:43 -07:00			`shell: echo {{ es_api_basic_auth_password \| quote }} \| {{ es_home }}/bin/elasticsearch-keystore add -x 'bootstrap.password'`
Create the keystore if it doesn't already exist 2018-06-13 17:33:23 +02:00			`when:`
			`- es_api_basic_auth_username is defined and list_keystore is defined and es_api_basic_auth_username == 'elastic' and 'bootstrap.password' not in list_keystore.stdout_lines`
			`environment:`
Remove multi instances support (#566) * remove multi instances support The goal is to stop supporting installation of more than one node in the same host. This commit update the Ansible role README documentation and remove the multi instances kitchen test. * remove systemd and init.d templates As we no more need to support more than one node on the same host, we no more need to override init files provided by elasticsearch official packages. * remove file script feature File scripts have been removed since elasticsearch 6.0 (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_scripting_changes.html#_file_scripts_removed) * remove custom user and custom group ES_USER and ES_GROUP settings are no longer supported (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_packaging_changes.html#_configuring_custom_user_and_group_for_package_is_no_longer_allowed) * add upgrade procedure * use same task for license activation with and without authentication 2019-06-03 14:18:09 +02:00			`ES_PATH_CONF: "{{ es_conf_dir }}"`
Create the keystore if it doesn't already exist 2018-06-13 17:33:23 +02:00			`no_log: true`
Ad support for elasticsearch-keystore entries (#769) 2021-02-03 18:37:52 +01:00
			`- name: Remove keystore entries`
			`become: yes`
			`command: >`
			`echo {{ es_api_basic_auth_password \| quote }} \| {{ es_home }}/bin/elasticsearch-keystore remove '{{ item.key }}'`
			`with_items: "{{ es_keystore_entries }}"`
			`when:`
			`- es_keystore_entries is defined and es_keystore_entries \| length > 0`
			`- item.state is defined and item.state == 'absent'`
			`- item.key in list_keystore.stdout_lines`
			`- ('bootstrap.password' not in item.key)`
			`no_log: true`

			`- name: Reload keystore entries`
			`become: yes`
			`command: >`
			`{{es_home}}/bin/elasticsearch-keystore list`
			`register: list_keystore`
			`changed_when: False`
			`environment:`
			`ES_PATH_CONF: "{{ es_conf_dir }}"`
			`check_mode: no`

			`- name: Add keystore entries`
			`become: yes`
			`shell: echo {{ item.value \| quote }} \| {{ es_home }}/bin/elasticsearch-keystore add -x -f {{ item.key }}`
			`with_items: "{{ es_keystore_entries }}"`
			`when:`
			`- es_keystore_entries is defined and es_keystore_entries \| length > 0`
			`- item.state is undefined or item.state == 'present'`
			`- item.force\|default(False) or ( not item.force\|default(False) and item.key not in list_keystore.stdout_lines )`
			`- ('bootstrap.password' not in item.key)`
			`no_log: true`


Create the keystore if it doesn't already exist 2018-06-13 17:33:23 +02:00			`### END BLOCK elasticsearch keystore ###`
Adding 6.x support with Bootstrap user addition 2018-01-08 16:59:44 -08:00
Shield to Security and other X-Pack clear up 2017-01-11 13:02:23 +00:00			`#-----------------------------FILE BASED REALM----------------------------------------`

			`- include: elasticsearch-security-file.yml`
[xpack] use elasticsearch default xpack features (#560) - Stop forcing es_xpack_features variable in order to let elasticsearch install default features described in http://localhost:9200/_xpack - Change xpack test scope to be able to test default xpack install - xpack scenario will test xpack install with default features - xpack upgrade scenario will fully test security feature - oss-to-xpack-upgrade will test installing only other specific features - Cleanup some duplicate serverspec tests - Remove `system_key`feature (deprecated in 5.6 and removed in 6.0 - [Breaking Changes 6.0.0](https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking-6.0.0-xes.html)) - Cleanup some ansible code (especially in `when` conditions) 2019-05-29 12:10:11 +02:00			`when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined)`
Shield to Security and other X-Pack clear up 2017-01-11 13:02:23 +00:00
			`#-----------------------------ROLE MAPPING ----------------------------------------`

			`#Copy Roles files`
Update elasticsearch-security.yml Refactor template task for copying roles files 2020-03-06 15:15:28 +08:00			`- name: Copy role_mapping.yml file for instance`
use become: yes when root is needed 2017-05-12 13:31:50 -07:00			`become: yes`
Update elasticsearch-security.yml Refactor template task for copying roles files 2020-03-06 15:15:28 +08:00			`template:`
			`src: security/role_mapping.yml.j2`
			`dest: "{{ es_conf_dir }}/role_mapping.yml"`
			`owner: root`
			`group: "{{ es_group }}"`
			`mode: "0660"`
			`force: yes`
Shield to Security and other X-Pack clear up 2017-01-11 13:02:23 +00:00			`when: es_role_mapping is defined`