ansible-role-elasticsearch/tasks/xpack/security/elasticsearch-security.yml

---
#Security specific configuration done here

#TODO: 1. Skip users with no password defined or error 2. Passwords | length > 6

#Ensure x-pack conf directory is created if necessary
- name: Ensure x-pack conf directory exists (file)
  file: path={{ conf_dir }}/x-pack state=directory owner={{ es_user }} group={{ es_group }}
  changed_when: False
  when:
    - es_enable_xpack and "security" in es_xpack_features
    - (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined) or (es_role_mapping is defined)

#-----------------------------Create Bootstrap User-----------------------------------
- name: Check if bootstrap password is set
  command: >
   {{es_home}}/bin/elasticsearch-keystore list
  register: list_keystore
  changed_when: False
  environment:
    ES_PATH_CONF: "{{ conf_dir }}"
  when:
    - (es_enable_xpack and "security" in es_xpack_features) and (es_version | version_compare('6.0.0', '>'))

- name: Create Bootstrap password for elastic user
  shell: echo "{{es_api_basic_auth_password}}" | {{es_home}}/bin/elasticsearch-keystore add -x 'bootstrap.password'
  when:
    - (es_enable_xpack and "security" in es_xpack_features) and (es_version | version_compare('6.0.0', '>')) and es_api_basic_auth_username is defined and list_keystore is defined and es_api_basic_auth_username == 'elastic' and 'bootstrap.password' not in list_keystore.stdout_lines
  environment:
    ES_PATH_CONF: "{{ conf_dir }}"
  no_log: true

#-----------------------------FILE BASED REALM----------------------------------------

- include: elasticsearch-security-file.yml
  when: (es_enable_xpack and "security" in es_xpack_features) and ((es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined))

#-----------------------------ROLE MAPPING ----------------------------------------

#Copy Roles files
- name: Copy role_mapping.yml File for Instance
  become: yes
  template: src=security/role_mapping.yml.j2 dest={{conf_dir}}/x-pack/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
  when: es_role_mapping is defined

#-----------------------------AUTH FILE----------------------------------------

- name: Copy message auth key to elasticsearch
  become: yes
  copy: src={{ es_message_auth_file }} dest={{conf_dir}}/x-pack/system_key owner={{ es_user }} group={{ es_group }} mode=0600 force=yes
  when: es_message_auth_file is defined

#------------------------------------------------------------------------------------

#Ensure security conf directory is created
- name: Ensure security conf directory exists
  become: yes
  file: path={{ conf_dir }}/security state=directory owner={{ es_user }} group={{ es_group }}
  changed_when: False
  when: es_enable_xpack and "security" in es_xpack_features
Shield to Security and other X-Pack clear up 2017-01-11 13:02:23 +00:00			`---`
			`#Security specific configuration done here`

			`#TODO: 1. Skip users with no password defined or error 2. Passwords \| length > 6`

Moved up the x-pack directory logic to include role_mappings Signed-off-by: Russell Snyder <russell@redowl.com> 2017-04-18 13:26:16 -04:00			`#Ensure x-pack conf directory is created if necessary`
			`- name: Ensure x-pack conf directory exists (file)`
			`file: path={{ conf_dir }}/x-pack state=directory owner={{ es_user }} group={{ es_group }}`
			`changed_when: False`
			`when:`
Fix conditionals introduced in #408 2018-02-16 16:37:00 -05:00			`- es_enable_xpack and "security" in es_xpack_features`
Fix for issue 368 2017-09-19 12:21:46 +01:00			`- (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined) or (es_role_mapping is defined)`
Moved up the x-pack directory logic to include role_mappings Signed-off-by: Russell Snyder <russell@redowl.com> 2017-04-18 13:26:16 -04:00
Adding 6.x support with Bootstrap user addition 2018-01-08 16:59:44 -08:00			`#-----------------------------Create Bootstrap User-----------------------------------`
			`- name: Check if bootstrap password is set`
			`command: >`
			`{{es_home}}/bin/elasticsearch-keystore list`
			`register: list_keystore`
Fix idempotency test when listing the current users 2018-01-31 13:03:51 +01:00			`changed_when: False`
Adding 6.x support with Bootstrap user addition 2018-01-08 16:59:44 -08:00			`environment:`
			`ES_PATH_CONF: "{{ conf_dir }}"`
Bootstrap changes only for ES 6.x and with xpack 2018-01-10 09:49:24 -08:00			`when:`
Fix conditionals introduced in #408 2018-02-16 16:37:00 -05:00			`- (es_enable_xpack and "security" in es_xpack_features) and (es_version \| version_compare('6.0.0', '>'))`
Adding 6.x support with Bootstrap user addition 2018-01-08 16:59:44 -08:00
			`- name: Create Bootstrap password for elastic user`
			`shell: echo "{{es_api_basic_auth_password}}" \| {{es_home}}/bin/elasticsearch-keystore add -x 'bootstrap.password'`
			`when:`
Fix conditionals introduced in #408 2018-02-16 16:37:00 -05:00			`- (es_enable_xpack and "security" in es_xpack_features) and (es_version \| version_compare('6.0.0', '>')) and es_api_basic_auth_username is defined and list_keystore is defined and es_api_basic_auth_username == 'elastic' and 'bootstrap.password' not in list_keystore.stdout_lines`
Adding 6.x support with Bootstrap user addition 2018-01-08 16:59:44 -08:00			`environment:`
			`ES_PATH_CONF: "{{ conf_dir }}"`
			`no_log: true`

Shield to Security and other X-Pack clear up 2017-01-11 13:02:23 +00:00			`#-----------------------------FILE BASED REALM----------------------------------------`

			`- include: elasticsearch-security-file.yml`
Fix conditionals introduced in #408 2018-02-16 16:37:00 -05:00			`when: (es_enable_xpack and "security" in es_xpack_features) and ((es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined))`
Shield to Security and other X-Pack clear up 2017-01-11 13:02:23 +00:00
			`#-----------------------------ROLE MAPPING ----------------------------------------`

			`#Copy Roles files`
			`- name: Copy role_mapping.yml File for Instance`
use become: yes when root is needed 2017-05-12 13:31:50 -07:00			`become: yes`
Shield to Security and other X-Pack clear up 2017-01-11 13:02:23 +00:00			`template: src=security/role_mapping.yml.j2 dest={{conf_dir}}/x-pack/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes`
			`when: es_role_mapping is defined`

			`#-----------------------------AUTH FILE----------------------------------------`

			`- name: Copy message auth key to elasticsearch`
use become: yes when root is needed 2017-05-12 13:31:50 -07:00			`become: yes`
Shield to Security and other X-Pack clear up 2017-01-11 13:02:23 +00:00			`copy: src={{ es_message_auth_file }} dest={{conf_dir}}/x-pack/system_key owner={{ es_user }} group={{ es_group }} mode=0600 force=yes`
			`when: es_message_auth_file is defined`

			`#------------------------------------------------------------------------------------`

			`#Ensure security conf directory is created`
			`- name: Ensure security conf directory exists`
use become: yes when root is needed 2017-05-12 13:31:50 -07:00			`become: yes`
Shield to Security and other X-Pack clear up 2017-01-11 13:02:23 +00:00			`file: path={{ conf_dir }}/security state=directory owner={{ es_user }} group={{ es_group }}`
			`changed_when: False`
Fix conditionals introduced in #408 2018-02-16 16:37:00 -05:00			`when: es_enable_xpack and "security" in es_xpack_features`