ansible-role-elasticsearch/tasks/xpack/security/elasticsearch-security-file.yml

---
- set_fact: manage_file_users=es_users is defined and es_users.file is defined and es_users.file.keys() | length > 0

#List current users
- name: List Users
  shell: cat {{conf_dir}}/x-pack/users | awk -F':' '{print $1}'
  register: current_file_users
  when: manage_file_users
  changed_when: False

- set_fact: users_to_remove={{ current_file_users.stdout_lines | difference (es_users.file.keys()) }}
  when: manage_file_users

#Remove users
- name: Remove Users
  command: >
    {{es_home}}/bin/x-pack/users userdel {{item}}
  with_items: "{{users_to_remove | default([])}}"
  when: manage_file_users and (users_to_remove | length > 0)
  environment:
    CONF_DIR: "{{ conf_dir }}"
    ES_HOME: "{{es_home}}"

- set_fact: users_to_add={{ es_users.file.keys() | difference (current_file_users.stdout_lines) | difference (reserved_xpack_users) | default([]) }}
  when: manage_file_users

- set_fact: users_to_ignore={{ es_users.file.keys() | difference (current_file_users.stdout_lines) | intersect (reserved_xpack_users) }}
  when: manage_file_users

- debug:
     msg: "WARNING: YOU CANNOT CHANGE RESERVED USERS THROUGH THE FILE REALM. THE FOLLOWING WILL BE IGNORED: {{users_to_ignore}}"
  when: manage_file_users and users_to_ignore | length > 0

#Add users
- name: Add Users
  command: >
    {{es_home}}/bin/x-pack/users useradd {{item}} -p {{es_users.file[item].password}}
  with_items: "{{ users_to_add }}"
  when: manage_file_users and users_to_add | length > 0
  no_log: True
  environment:
    CONF_DIR: "{{ conf_dir }}"
    ES_HOME: "{{es_home}}"

- set_fact: users_to_modify={{ es_users.file.keys() | difference (reserved_xpack_users) | default([]) }}
  when: manage_file_users

#Set passwords for all users declared - Required as the useradd will not change existing user passwords
- name: Set User Passwords
  command: >
    {{es_home}}/bin/x-pack/users passwd {{ item }} -p {{es_users.file[item].password}}
  with_items: "{{ users_to_modify }}"
  when: manage_file_users and users_to_modify | length > 0
  #Currently no easy way to figure out if the password has changed or to know what it currently is so we can skip.
  changed_when: False
  no_log: True
  environment:
    CONF_DIR: "{{ conf_dir }}"
    ES_HOME: "{{es_home}}"

- set_fact: users_roles={{es_users.file | extract_role_users (reserved_xpack_users) }}
  when: manage_file_users

#Copy Roles files
- name: Copy roles.yml File for Instance
  template: src=security/roles.yml.j2 dest={{conf_dir}}/x-pack/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
  when: es_roles is defined and es_roles.file is defined

#Overwrite users_roles file
- name: Copy User Roles
  template: src=security/users_roles.j2 dest={{conf_dir}}/x-pack/users_roles mode=0644 force=yes
  when: manage_file_users and users_roles | length > 0

#Set permission on security directory. E.g. if 2 nodes are installed on the same machine, the second node will not get the users file created at install, causing the files being created at es_users call and then having the wrong Permissions.
- name: Set Security Directory Permissions Recursive
  file: state=directory path={{conf_dir}}/x-pack/ owner={{ es_user }} group={{ es_group }} recurse=yes