ansible-role-elasticsearch/tasks/xpack/security/elasticsearch-security.yml

---
#Security specific configuration done here

#TODO: 1. Skip users with no password defined or error 2. Passwords | length > 6

#Ensure x-pack conf directory is created if necessary
- name: Ensure x-pack conf directory exists (file)
  file: path={{ es_conf_dir }}{{ es_xpack_conf_subdir }} state=directory owner={{ es_user }} group={{ es_group }}
  changed_when: False
  when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined) or (es_role_mapping is defined)

#-----------------------------Create Bootstrap User-----------------------------------
### START BLOCK elasticsearch keystore ###
- name: create the elasticsearch keystore
  block:
  - name: create the keystore if it doesn't exist yet
    become: yes
    command: >
     {{es_home}}/bin/elasticsearch-keystore create
    args:
      creates: "{{ es_conf_dir }}/elasticsearch.keystore"
    environment:
      ES_PATH_CONF: "{{ es_conf_dir }}"

  - name: Check if bootstrap password is set
    become: yes
    command: >
     {{es_home}}/bin/elasticsearch-keystore list
    register: list_keystore
    changed_when: False
    environment:
      ES_PATH_CONF: "{{ es_conf_dir }}"
    check_mode: no

  - name: Create Bootstrap password for elastic user
    become: yes
    shell: echo "{{es_api_basic_auth_password}}" | {{es_home}}/bin/elasticsearch-keystore add -x 'bootstrap.password'
    when:
      - es_api_basic_auth_username is defined and list_keystore is defined and es_api_basic_auth_username == 'elastic' and 'bootstrap.password' not in list_keystore.stdout_lines
    environment:
      ES_PATH_CONF: "{{ es_conf_dir }}"
    no_log: true
### END BLOCK elasticsearch keystore ###

#-----------------------------FILE BASED REALM----------------------------------------

- include: elasticsearch-security-file.yml
  when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined)

#-----------------------------ROLE MAPPING ----------------------------------------

#Copy Roles files
- name: Copy role_mapping.yml File for Instance
  become: yes
  template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}{{es_xpack_conf_subdir}}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
  when: es_role_mapping is defined

#------------------------------------------------------------------------------------

#Ensure security conf directory is created
- name: Ensure security conf directory exists
  become: yes
  file: path={{ es_conf_dir }}/security state=directory owner={{ es_user }} group={{ es_group }}
  changed_when: False
Shield to Security and other X-Pack clear up 2017-01-11 13:02:23 +00:00			`---`
			`#Security specific configuration done here`

			`#TODO: 1. Skip users with no password defined or error 2. Passwords \| length > 6`

Moved up the x-pack directory logic to include role_mappings Signed-off-by: Russell Snyder <russell@redowl.com> 2017-04-18 13:26:16 -04:00			`#Ensure x-pack conf directory is created if necessary`
			`- name: Ensure x-pack conf directory exists (file)`
Remove multi instances support (#566) * remove multi instances support The goal is to stop supporting installation of more than one node in the same host. This commit update the Ansible role README documentation and remove the multi instances kitchen test. * remove systemd and init.d templates As we no more need to support more than one node on the same host, we no more need to override init files provided by elasticsearch official packages. * remove file script feature File scripts have been removed since elasticsearch 6.0 (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_scripting_changes.html#_file_scripts_removed) * remove custom user and custom group ES_USER and ES_GROUP settings are no longer supported (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_packaging_changes.html#_configuring_custom_user_and_group_for_package_is_no_longer_allowed) * add upgrade procedure * use same task for license activation with and without authentication 2019-06-03 14:18:09 +02:00			`file: path={{ es_conf_dir }}{{ es_xpack_conf_subdir }} state=directory owner={{ es_user }} group={{ es_group }}`
Moved up the x-pack directory logic to include role_mappings Signed-off-by: Russell Snyder <russell@redowl.com> 2017-04-18 13:26:16 -04:00			`changed_when: False`
[xpack] use elasticsearch default xpack features (#560) - Stop forcing es_xpack_features variable in order to let elasticsearch install default features described in http://localhost:9200/_xpack - Change xpack test scope to be able to test default xpack install - xpack scenario will test xpack install with default features - xpack upgrade scenario will fully test security feature - oss-to-xpack-upgrade will test installing only other specific features - Cleanup some duplicate serverspec tests - Remove `system_key`feature (deprecated in 5.6 and removed in 6.0 - [Breaking Changes 6.0.0](https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking-6.0.0-xes.html)) - Cleanup some ansible code (especially in `when` conditions) 2019-05-29 12:10:11 +02:00			`when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined) or (es_role_mapping is defined)`
Moved up the x-pack directory logic to include role_mappings Signed-off-by: Russell Snyder <russell@redowl.com> 2017-04-18 13:26:16 -04:00
Adding 6.x support with Bootstrap user addition 2018-01-08 16:59:44 -08:00			`#-----------------------------Create Bootstrap User-----------------------------------`
Create the keystore if it doesn't already exist 2018-06-13 17:33:23 +02:00			`### START BLOCK elasticsearch keystore ###`
			`- name: create the elasticsearch keystore`
			`block:`
			`- name: create the keystore if it doesn't exist yet`
add missing become: yes 2018-06-26 15:13:19 -04:00			`become: yes`
Create the keystore if it doesn't already exist 2018-06-13 17:33:23 +02:00			`command: >`
			`{{es_home}}/bin/elasticsearch-keystore create`
Abstract 6.3 changes into a separate task to reduce all of the jinja one liner complexity Set ES_PATH_CONF when installing so upgrading from 6.2 to 6.3 works as expected 2018-06-14 14:44:31 +02:00			`args:`
Remove multi instances support (#566) * remove multi instances support The goal is to stop supporting installation of more than one node in the same host. This commit update the Ansible role README documentation and remove the multi instances kitchen test. * remove systemd and init.d templates As we no more need to support more than one node on the same host, we no more need to override init files provided by elasticsearch official packages. * remove file script feature File scripts have been removed since elasticsearch 6.0 (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_scripting_changes.html#_file_scripts_removed) * remove custom user and custom group ES_USER and ES_GROUP settings are no longer supported (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_packaging_changes.html#_configuring_custom_user_and_group_for_package_is_no_longer_allowed) * add upgrade procedure * use same task for license activation with and without authentication 2019-06-03 14:18:09 +02:00			`creates: "{{ es_conf_dir }}/elasticsearch.keystore"`
Create the keystore if it doesn't already exist 2018-06-13 17:33:23 +02:00			`environment:`
Remove multi instances support (#566) * remove multi instances support The goal is to stop supporting installation of more than one node in the same host. This commit update the Ansible role README documentation and remove the multi instances kitchen test. * remove systemd and init.d templates As we no more need to support more than one node on the same host, we no more need to override init files provided by elasticsearch official packages. * remove file script feature File scripts have been removed since elasticsearch 6.0 (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_scripting_changes.html#_file_scripts_removed) * remove custom user and custom group ES_USER and ES_GROUP settings are no longer supported (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_packaging_changes.html#_configuring_custom_user_and_group_for_package_is_no_longer_allowed) * add upgrade procedure * use same task for license activation with and without authentication 2019-06-03 14:18:09 +02:00			`ES_PATH_CONF: "{{ es_conf_dir }}"`
add missing become: yes 2018-06-26 15:13:19 -04:00
Create the keystore if it doesn't already exist 2018-06-13 17:33:23 +02:00			`- name: Check if bootstrap password is set`
add missing become: yes 2018-06-26 15:13:19 -04:00			`become: yes`
Create the keystore if it doesn't already exist 2018-06-13 17:33:23 +02:00			`command: >`
			`{{es_home}}/bin/elasticsearch-keystore list`
			`register: list_keystore`
			`changed_when: False`
			`environment:`
Remove multi instances support (#566) * remove multi instances support The goal is to stop supporting installation of more than one node in the same host. This commit update the Ansible role README documentation and remove the multi instances kitchen test. * remove systemd and init.d templates As we no more need to support more than one node on the same host, we no more need to override init files provided by elasticsearch official packages. * remove file script feature File scripts have been removed since elasticsearch 6.0 (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_scripting_changes.html#_file_scripts_removed) * remove custom user and custom group ES_USER and ES_GROUP settings are no longer supported (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_packaging_changes.html#_configuring_custom_user_and_group_for_package_is_no_longer_allowed) * add upgrade procedure * use same task for license activation with and without authentication 2019-06-03 14:18:09 +02:00			`ES_PATH_CONF: "{{ es_conf_dir }}"`
add a few more 'check_mode:no' props for compatiblity with --check mode of ansible 2019-03-14 09:23:24 +01:00			`check_mode: no`
Adding 6.x support with Bootstrap user addition 2018-01-08 16:59:44 -08:00
Create the keystore if it doesn't already exist 2018-06-13 17:33:23 +02:00			`- name: Create Bootstrap password for elastic user`
add missing become: yes 2018-06-26 15:13:19 -04:00			`become: yes`
Create the keystore if it doesn't already exist 2018-06-13 17:33:23 +02:00			`shell: echo "{{es_api_basic_auth_password}}" \| {{es_home}}/bin/elasticsearch-keystore add -x 'bootstrap.password'`
			`when:`
			`- es_api_basic_auth_username is defined and list_keystore is defined and es_api_basic_auth_username == 'elastic' and 'bootstrap.password' not in list_keystore.stdout_lines`
			`environment:`
Remove multi instances support (#566) * remove multi instances support The goal is to stop supporting installation of more than one node in the same host. This commit update the Ansible role README documentation and remove the multi instances kitchen test. * remove systemd and init.d templates As we no more need to support more than one node on the same host, we no more need to override init files provided by elasticsearch official packages. * remove file script feature File scripts have been removed since elasticsearch 6.0 (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_scripting_changes.html#_file_scripts_removed) * remove custom user and custom group ES_USER and ES_GROUP settings are no longer supported (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_packaging_changes.html#_configuring_custom_user_and_group_for_package_is_no_longer_allowed) * add upgrade procedure * use same task for license activation with and without authentication 2019-06-03 14:18:09 +02:00			`ES_PATH_CONF: "{{ es_conf_dir }}"`
Create the keystore if it doesn't already exist 2018-06-13 17:33:23 +02:00			`no_log: true`
			`### END BLOCK elasticsearch keystore ###`
Adding 6.x support with Bootstrap user addition 2018-01-08 16:59:44 -08:00
Shield to Security and other X-Pack clear up 2017-01-11 13:02:23 +00:00			`#-----------------------------FILE BASED REALM----------------------------------------`

			`- include: elasticsearch-security-file.yml`
[xpack] use elasticsearch default xpack features (#560) - Stop forcing es_xpack_features variable in order to let elasticsearch install default features described in http://localhost:9200/_xpack - Change xpack test scope to be able to test default xpack install - xpack scenario will test xpack install with default features - xpack upgrade scenario will fully test security feature - oss-to-xpack-upgrade will test installing only other specific features - Cleanup some duplicate serverspec tests - Remove `system_key`feature (deprecated in 5.6 and removed in 6.0 - [Breaking Changes 6.0.0](https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking-6.0.0-xes.html)) - Cleanup some ansible code (especially in `when` conditions) 2019-05-29 12:10:11 +02:00			`when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined)`
Shield to Security and other X-Pack clear up 2017-01-11 13:02:23 +00:00
			`#-----------------------------ROLE MAPPING ----------------------------------------`

			`#Copy Roles files`
			`- name: Copy role_mapping.yml File for Instance`
use become: yes when root is needed 2017-05-12 13:31:50 -07:00			`become: yes`
Remove multi instances support (#566) * remove multi instances support The goal is to stop supporting installation of more than one node in the same host. This commit update the Ansible role README documentation and remove the multi instances kitchen test. * remove systemd and init.d templates As we no more need to support more than one node on the same host, we no more need to override init files provided by elasticsearch official packages. * remove file script feature File scripts have been removed since elasticsearch 6.0 (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_scripting_changes.html#_file_scripts_removed) * remove custom user and custom group ES_USER and ES_GROUP settings are no longer supported (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_packaging_changes.html#_configuring_custom_user_and_group_for_package_is_no_longer_allowed) * add upgrade procedure * use same task for license activation with and without authentication 2019-06-03 14:18:09 +02:00			`template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}{{es_xpack_conf_subdir}}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes`
Shield to Security and other X-Pack clear up 2017-01-11 13:02:23 +00:00			`when: es_role_mapping is defined`

			`#------------------------------------------------------------------------------------`

			`#Ensure security conf directory is created`
			`- name: Ensure security conf directory exists`
use become: yes when root is needed 2017-05-12 13:31:50 -07:00			`become: yes`
Remove multi instances support (#566) * remove multi instances support The goal is to stop supporting installation of more than one node in the same host. This commit update the Ansible role README documentation and remove the multi instances kitchen test. * remove systemd and init.d templates As we no more need to support more than one node on the same host, we no more need to override init files provided by elasticsearch official packages. * remove file script feature File scripts have been removed since elasticsearch 6.0 (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_scripting_changes.html#_file_scripts_removed) * remove custom user and custom group ES_USER and ES_GROUP settings are no longer supported (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_packaging_changes.html#_configuring_custom_user_and_group_for_package_is_no_longer_allowed) * add upgrade procedure * use same task for license activation with and without authentication 2019-06-03 14:18:09 +02:00			`file: path={{ es_conf_dir }}/security state=directory owner={{ es_user }} group={{ es_group }}`
Shield to Security and other X-Pack clear up 2017-01-11 13:02:23 +00:00			`changed_when: False`