From 197cf05a0e7e94aedb0214e27776d64e14a1854c Mon Sep 17 00:00:00 2001 From: Dale McDiarmid Date: Wed, 11 Jan 2017 13:02:23 +0000 Subject: [PATCH] Shield to Security and other X-Pack clear up --- README.md | 13 +++-- handlers/elasticsearch-templates.yml | 4 +- handlers/main.yml | 6 +-- .../elasticsearch-security-native.yml} | 14 ++--- .../elasticsearch-security.yml} | 4 +- .../elasticsearch-xpack-activation.yml | 8 +-- tasks/elasticsearch-config.yml | 4 +- tasks/elasticsearch-parameters.yml | 6 +-- tasks/xpack/elasticsearch-xpack.yml | 4 +- ...le.yml => elasticsearch-security-file.yml} | 26 ++++----- tasks/xpack/shield/elasticsearch-security.yml | 36 +++++++++++++ tasks/xpack/shield/elasticsearch-shield.yml | 36 ------------- .../{shield => security}/role_mapping.yml.j2 | 0 templates/{shield => security}/roles.yml.j2 | 0 templates/{shield => security}/users_roles.j2 | 0 .../helpers/serverspec/xpack_spec.rb | 54 +++++++++---------- test/integration/xpack.yml | 8 +-- vars/main.yml | 2 +- 18 files changed, 112 insertions(+), 113 deletions(-) rename handlers/{shield/elasticsearch-shield-native.yml => security/elasticsearch-security-native.yml} (82%) rename handlers/{shield/elasticsearch-shield.yml => security/elasticsearch-security.yml} (78%) rename handlers/{shield => security}/elasticsearch-xpack-activation.yml (82%) rename tasks/xpack/shield/{elasticsearch-shield-file.yml => elasticsearch-security-file.yml} (62%) create mode 100644 tasks/xpack/shield/elasticsearch-security.yml delete mode 100644 tasks/xpack/shield/elasticsearch-shield.yml rename templates/{shield => security}/role_mapping.yml.j2 (100%) rename templates/{shield => security}/roles.yml.j2 (100%) rename templates/{shield => security}/users_roles.j2 (100%) diff --git a/README.md b/README.md index 3d7831e..848804c 100644 --- a/README.md +++ b/README.md @@ -119,7 +119,6 @@ A more complex example: es_plugins_reinstall: false es_plugins: - plugin: license - - plugin: marvel-agent - plugin: lmenezes/elasticsearch-kopf version: master proxy_host: proxy.example.com @@ -214,7 +213,7 @@ ansible-playbook -i hosts ./your-playbook.yml X-Pack features, such as Security, are supported. This feature is currently experimental. To enable X-Pack set the parameter `es_enable_xpack` to true and list the required features in the parameter `es_xpack_features`. The following additional parameters allow X-Pack to be configured: * ```es_message_auth_file``` System Key field to allow message authentication. This file should be placed in the 'files' directory. -* ```es_role_mapping``` Role mappings file declared as yml as described [here](https://www.elastic.co/guide/en/shield/current/mapping-roles.html) +* ```es_role_mapping``` Role mappings file declared as yml as described [here](https://www.elastic.co/guide/en/x-pack/current/mapping-roles.html) ``` es_role_mapping: @@ -247,7 +246,7 @@ es_users: ``` -* ```es_roles``` - Elasticsearch roles can be declared here as yml. Two sub keys 'native' and 'file' determine how the role is created i.e. either through a file or http(native) call. Beneath each key list the roles with appropriate permissions, using the file based format described [here] (https://www.elastic.co/guide/en/shield/current/_file_based_roles.html) e.g. +* ```es_roles``` - Elasticsearch roles can be declared here as yml. Two sub keys 'native' and 'file' determine how the role is created i.e. either through a file or http(native) call. Beneath each key list the roles with appropriate permissions, using the file based format described [here] (https://www.elastic.co/guide/en/x-pack/current/file-realm.html) e.g. ``` es_roles: @@ -312,7 +311,7 @@ Following variables affect the versions installed: * ```es_version``` (e.g. "5.1.1"). * ```es_api_host``` The host name used for actions requiring HTTP e.g. installing templates. Defaults to "localhost". * ```es_api_port``` The port used for actions requiring HTTP e.g. installing templates. Defaults to 9200. -* ```es_api_basic_auth_username``` The Elasticsearch username for making admin changing actions. Used if Shield is enabled. Ensure this user is admin. +* ```es_api_basic_auth_username``` The Elasticsearch username for making admin changing actions. Used if Security is enabled. Ensure this user is admin. * ```es_api_basic_auth_password``` The password associated with the user declared in `es_api_basic_auth_username` * ```es_start_service``` (true (default) or false) * ```es_plugins_reinstall``` (true or false (default) ) @@ -331,9 +330,9 @@ es_java_opts: - "-Djava.io.tmpdir=/data/tmp/elasticsearch" ``` -Earlier examples illustrate the installation of plugins using `es_plugins`. For officially supported plugins no version or source delimiter is required. The plugin script will determine the appropriate plugin version based on the target Elasticsearch version. For community based plugins include the full path e.g. "lmenezes/elasticsearch-kopf" and the appropriate version for the target version of Elasticsearch. This approach should NOT be used for X-Pack related plugins e.g. Shield. See X-Pack below for details here. +Earlier examples illustrate the installation of plugins using `es_plugins`. For officially supported plugins no version or source delimiter is required. The plugin script will determine the appropriate plugin version based on the target Elasticsearch version. For community based plugins include the full path e.g. "lmenezes/elasticsearch-kopf" and the appropriate version for the target version of Elasticsearch. This approach should NOT be used for X-Pack related plugins e.g. Security. See X-Pack below for details here. -If installing Marvel or Watcher, ensure the license plugin is also specified. Shield configuration is currently not supported but planned for later versions. +If installing Monitoring or Alerting, ensure the license plugin is also specified. Security configuration is currently not supported but planned for later versions. * ```es_user``` - defaults to elasticsearch. * ```es_group``` - defaults to elasticsearch. @@ -385,7 +384,7 @@ all supported platforms. * The role aims to be idempotent. Running the role multiple times, with no changes, should result in no state change on the server. If the configuration is changed, these will be applied and Elasticsearch restarted where required. * Systemd is used for Ubuntu versions >= 15, Debian >=8, Centos >=7. All other versions use init for service scripts. -* In order to run x-pack tests a license file with shield enabled is required. A trial license is appropriate. Set the environment variable `ES_XPACK_LICENSE_FILE` to the full path of the license file prior to running tests. +* In order to run x-pack tests a license file with security enabled is required. A trial license is appropriate. Set the environment variable `ES_XPACK_LICENSE_FILE` to the full path of the license file prior to running tests. ## IMPORTANT NOTES RE PLUGIN MANAGEMENT diff --git a/handlers/elasticsearch-templates.yml b/handlers/elasticsearch-templates.yml index 4595ef6..68160e6 100644 --- a/handlers/elasticsearch-templates.yml +++ b/handlers/elasticsearch-templates.yml @@ -17,7 +17,7 @@ status_code: 200 body_format: json body: "{{ lookup('file', item.path) }}" - when: not es_enable_xpack or not es_xpack_features is defined or not '"shield" in es_xpack_features' + when: not es_enable_xpack or not es_xpack_features is defined or not '"security" in es_xpack_features' with_items: "{{ templates.files }}" - name: Install templates with auth @@ -30,5 +30,5 @@ force_basic_auth: yes body_format: json body: "{{ lookup('file', item.path) }}" - when: es_enable_xpack and es_xpack_features is defined and '"shield" in es_xpack_features' + when: es_enable_xpack and es_xpack_features is defined and '"security" in es_xpack_features' with_items: "{{ templates.files }}" diff --git a/handlers/main.yml b/handlers/main.yml index 00df18e..ff07a08 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -7,10 +7,10 @@ when: es_restart_on_change and es_start_service and ((plugin_installed is defined and plugin_installed.changed) or (config_updated is defined and config_updated.changed) or (xpack_state.changed) or (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed or elasticsearch_install_from_package.changed)) # All security specific actions should go in here -- name: activate-shield - include: ./handlers/shield/elasticsearch-shield.yml +- name: activate-security + include: ./handlers/security/elasticsearch-security.yml -#Templates are a handler as they need to come after a restart e.g. suppose user removes shield on a running node and doesn't +#Templates are a handler as they need to come after a restart e.g. suppose user removes security on a running node and doesn't #specify es_api_basic_auth_username and es_api_basic_auth_password. The templates will subsequently not be removed if we don't wait for the node to restart. #Templates done after restart therefore - as a handler. diff --git a/handlers/shield/elasticsearch-shield-native.yml b/handlers/security/elasticsearch-security-native.yml similarity index 82% rename from handlers/shield/elasticsearch-shield-native.yml rename to handlers/security/elasticsearch-security-native.yml index d545394..53df16e 100644 --- a/handlers/shield/elasticsearch-shield-native.yml +++ b/handlers/security/elasticsearch-security-native.yml @@ -14,12 +14,12 @@ - name: Wait 15 seconds for the Native Relm to come up pause: seconds=15 -#If the node has just has shield installed it maybe either stopped or started 1. if stopped, we need to start to load native realms 2. if started, we need to restart to load +#If the node has just has security installed it maybe either stopped or started 1. if stopped, we need to start to load native realms 2. if started, we need to restart to load #List current users - name: List Native Users uri: - url: http://{{es_api_host}}:{{es_api_port}}/_shield/user + url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user method: GET user: "{{es_api_basic_auth_username}}" password: "{{es_api_basic_auth_password}}" @@ -40,7 +40,7 @@ #Delete all non required users - name: Delete Native Users uri: - url: http://{{es_api_host}}:{{es_api_port}}/_shield/user/{{item}} + url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}} method: DELETE status_code: 200 user: "{{es_api_basic_auth_username}}" @@ -53,7 +53,7 @@ #Overwrite all other users - name: Update Native Users uri: - url: http://{{es_api_host}}:{{es_api_port}}/_shield/user/{{item.key}} + url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/{{item.key}} method: POST body_format: json body: "{{item.value | to_json}}" @@ -69,7 +69,7 @@ - name: List Native Roles uri: - url: http://{{es_api_host}}:{{es_api_port}}/_shield/role + url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role method: GET body_format: json user: "{{es_api_basic_auth_username}}" @@ -93,7 +93,7 @@ #Delete all non required roles - name: Delete Native Roles uri: - url: http://{{es_api_host}}:{{es_api_port}}/_shield/role/{{item}} + url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item}} method: DELETE status_code: 200 user: "{{es_api_basic_auth_username}}" @@ -106,7 +106,7 @@ #Update other roles - name: Update Native Roles uri: - url: http://{{es_api_host}}:{{es_api_port}}/_shield/role/{{item.key}} + url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item.key}} method: POST body_format: json body: "{{item.value | to_json}}" diff --git a/handlers/shield/elasticsearch-shield.yml b/handlers/security/elasticsearch-security.yml similarity index 78% rename from handlers/shield/elasticsearch-shield.yml rename to handlers/security/elasticsearch-security.yml index 61620b3..af52976 100644 --- a/handlers/shield/elasticsearch-shield.yml +++ b/handlers/security/elasticsearch-security.yml @@ -6,9 +6,9 @@ wait_for: host={{es_api_host}} port={{es_api_port}} delay=10 - name: activate-license - include: ./handlers/shield/elasticsearch-xpack-activation.yml + include: ./handlers/security/elasticsearch-xpack-activation.yml when: es_enable_xpack and es_xpack_license is defined and es_xpack_license != '' - name: load-native-realms - include: ./handlers/shield/elasticsearch-shield-native.yml + include: ./handlers/security/elasticsearch-security-native.yml when: (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined) \ No newline at end of file diff --git a/handlers/shield/elasticsearch-xpack-activation.yml b/handlers/security/elasticsearch-xpack-activation.yml similarity index 82% rename from handlers/shield/elasticsearch-xpack-activation.yml rename to handlers/security/elasticsearch-xpack-activation.yml index 948bd83..afdec99 100644 --- a/handlers/shield/elasticsearch-xpack-activation.yml +++ b/handlers/security/elasticsearch-xpack-activation.yml @@ -1,6 +1,6 @@ --- -- name: Activate ES license (without shield authentication) +- name: Activate ES license (without security authentication) uri: method: PUT url: "http://{{es_api_host}}:{{es_api_port}}/_license?acknowledge=true" @@ -9,13 +9,13 @@ return_content: yes register: license_activated no_log: True - when: not '"shield" in es_xpack_features' + when: not '"security" in es_xpack_features' failed_when: > license_activated.status != 200 or license_activated.json.license_status is not defined or license_activated.json.license_status != 'valid' -- name: Activate ES license (with shield authentication) +- name: Activate ES license (with security authentication) uri: method: PUT url: "http://{{es_api_host}}:{{es_api_port}}/_license?acknowledge=true" @@ -27,7 +27,7 @@ return_content: yes register: license_activated no_log: True - when: '"shield" in es_xpack_features' + when: '"security" in es_xpack_features' failed_when: > license_activated.status != 200 or license_activated.json.license_status is not defined or diff --git a/tasks/elasticsearch-config.yml b/tasks/elasticsearch-config.yml index 8b16414..98d80ea 100644 --- a/tasks/elasticsearch-config.yml +++ b/tasks/elasticsearch-config.yml @@ -79,8 +79,8 @@ - name: Delete Default Logging File file: dest=/etc/elasticsearch/logging.yml state=absent -- name: Delete Default Logging File (5.x) +- name: Delete Default Logging File file: dest=/etc/elasticsearch/log4j2.properties state=absent -- name: Delete Default JVM Options File (5.x) +- name: Delete Default JVM Options File file: dest=/etc/elasticsearch/jvm.options state=absent diff --git a/tasks/elasticsearch-parameters.yml b/tasks/elasticsearch-parameters.yml index b3f0146..56800b3 100644 --- a/tasks/elasticsearch-parameters.yml +++ b/tasks/elasticsearch-parameters.yml @@ -19,9 +19,9 @@ - fail: msg="If locking memory with bootstrap.mlockall (or bootstrap.memory_lock) a heap size must be specified" when: (es_config['bootstrap.mlockall'] is defined or es_config['bootstrap.memory_lock'] is defined) and es_config['bootstrap.mlockall'] == True and es_heap_size is not defined -#Check if working with shield we have an es_api_basic_auth_username and es_api_basic_auth_username - otherwise any http calls wont work -- fail: msg="Enabling shield requires an es_api_basic_auth_username and es_api_basic_auth_password to be provided to allow cluster operations" - when: es_enable_xpack and ("shield" in es_xpack_features) and es_api_basic_auth_username is not defined and es_api_basic_auth_password is not defined +#Check if working with security we have an es_api_basic_auth_username and es_api_basic_auth_username - otherwise any http calls wont work +- fail: msg="Enabling security requires an es_api_basic_auth_username and es_api_basic_auth_password to be provided to allow cluster operations" + when: es_enable_xpack and ("security" in es_xpack_features) and es_api_basic_auth_username is not defined and es_api_basic_auth_password is not defined - set_fact: instance_default_file={{default_file | dirname}}/{{es_instance_name}}_{{default_file | basename}} - set_fact: instance_init_script={{init_script | dirname }}/{{es_instance_name}}_{{init_script | basename}} diff --git a/tasks/xpack/elasticsearch-xpack.yml b/tasks/xpack/elasticsearch-xpack.yml index 4dac838..343245b 100644 --- a/tasks/xpack/elasticsearch-xpack.yml +++ b/tasks/xpack/elasticsearch-xpack.yml @@ -46,8 +46,8 @@ - include: elasticsearch-xpack-install.yml with_items: "{{supported_xpack_features}}" -#Shield configuration -- include: shield/elasticsearch-shield.yml +#Security configuration +- include: security/elasticsearch-security.yml #Add any feature specific configuration here - name: Set Plugin Directory Permissions diff --git a/tasks/xpack/shield/elasticsearch-shield-file.yml b/tasks/xpack/shield/elasticsearch-security-file.yml similarity index 62% rename from tasks/xpack/shield/elasticsearch-shield-file.yml rename to tasks/xpack/shield/elasticsearch-security-file.yml index 380f289..5da0d13 100644 --- a/tasks/xpack/shield/elasticsearch-shield-file.yml +++ b/tasks/xpack/shield/elasticsearch-security-file.yml @@ -1,15 +1,15 @@ --- - set_fact: manage_file_users=es_users is defined and es_users.file is defined -#Ensure shield conf directory is created -- name: Ensure shield conf directory exists (file) - file: path={{ conf_dir }}/shield state=directory owner={{ es_user }} group={{ es_group }} +#Ensure x-pack conf directory is created +- name: Ensure x-pack conf directory exists (file) + file: path={{ conf_dir }}/x-pack state=directory owner={{ es_user }} group={{ es_group }} changed_when: False - when: es_enable_xpack and '"shield" in es_xpack_features' + when: es_enable_xpack and '"security" in es_xpack_features' #List current users - name: List Users - shell: cat {{conf_dir}}/shield/users | awk -F':' '{print $1}' + shell: cat {{conf_dir}}/x-pack/users | awk -F':' '{print $1}' register: current_file_users when: manage_file_users changed_when: False @@ -20,7 +20,7 @@ #Remove users - name: Remove Users command: > - {{es_home}}/bin/shield/esusers userdel {{item}} + {{es_home}}/bin/x-pack/users userdel {{item}} when: manage_file_users and (users_to_remove | length > 0) with_items: "{{users_to_remove | default([])}}" environment: @@ -34,7 +34,7 @@ #Add users - name: Add Users command: > - {{es_home}}/bin/shield/esusers useradd {{item}} -p {{es_users.file[item].password}} + {{es_home}}/bin/x-pack/users useradd {{item}} -p {{es_users.file[item].password}} with_items: "{{users_to_add | default([])}}" when: manage_file_users and users_to_add | length > 0 no_log: True @@ -45,7 +45,7 @@ #Set passwords for all users declared - Required as the useradd will not change existing user passwords - name: Set User Passwords command: > - {{es_home}}/bin/shield/esusers passwd {{item.key}} -p {{item.value.password}} + {{es_home}}/bin/x-pack/users passwd {{item.key}} -p {{item.value.password}} with_dict: "{{(es_users | default({'file':{}})).file}}" when: manage_file_users and es_users.file.keys() | length > 0 #Currently no easy way to figure out if the password has changed or to know what it currently is so we can skip. @@ -60,14 +60,14 @@ #Copy Roles files - name: Copy roles.yml File for Instance - template: src=shield/roles.yml.j2 dest={{conf_dir}}/shield/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=security/roles.yml.j2 dest={{conf_dir}}/x-pack/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes when: es_roles is defined and es_roles.file is defined #Overwrite users_roles file - name: Copy User Roles - template: src=shield/users_roles.j2 dest={{conf_dir}}/shield/users_roles mode=0644 force=yes + template: src=security/users_roles.j2 dest={{conf_dir}}/x-pack/users_roles mode=0644 force=yes when: manage_file_users and users_roles | length > 0 -#Set permission on shield directory. E.g. if 2 nodes are installed on the same machine, the second node will not get the users file created at install, causing the files being created at es_users call and then having the wrong Permissions. -- name: Set Shield Directory Permissions Recursive - file: state=directory path={{conf_dir}}/shield/ owner={{ es_user }} group={{ es_group }} recurse=yes \ No newline at end of file +#Set permission on security directory. E.g. if 2 nodes are installed on the same machine, the second node will not get the users file created at install, causing the files being created at es_users call and then having the wrong Permissions. +- name: Set Security Directory Permissions Recursive + file: state=directory path={{conf_dir}}/x-pack/ owner={{ es_user }} group={{ es_group }} recurse=yes \ No newline at end of file diff --git a/tasks/xpack/shield/elasticsearch-security.yml b/tasks/xpack/shield/elasticsearch-security.yml new file mode 100644 index 0000000..5b483cf --- /dev/null +++ b/tasks/xpack/shield/elasticsearch-security.yml @@ -0,0 +1,36 @@ +--- +#Security specific configuration done here + +#TODO: 1. Skip users with no password defined or error 2. Passwords | length > 6 + +#-----------------------------FILE BASED REALM---------------------------------------- + +- include: elasticsearch-security-file.yml + when: (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.file) or (es_roles is defined and es_roles.file is defined)) + +#-----------------------------NATIVE BASED REALM---------------------------------------- +# The native realm requires the node to be started so we do as a handler +- command: /bin/true + notify: activate-security + when: (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)) + +#-----------------------------ROLE MAPPING ---------------------------------------- + +#Copy Roles files +- name: Copy role_mapping.yml File for Instance + template: src=security/role_mapping.yml.j2 dest={{conf_dir}}/x-pack/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + when: es_role_mapping is defined + +#-----------------------------AUTH FILE---------------------------------------- + +- name: Copy message auth key to elasticsearch + copy: src={{ es_message_auth_file }} dest={{conf_dir}}/x-pack/system_key owner={{ es_user }} group={{ es_group }} mode=0600 force=yes + when: es_message_auth_file is defined + +#------------------------------------------------------------------------------------ + +#Ensure security conf directory is created +- name: Ensure security conf directory exists + file: path={{ conf_dir }}/security state=directory owner={{ es_user }} group={{ es_group }} + changed_when: False + when: es_enable_xpack and '"security" in es_xpack_features' diff --git a/tasks/xpack/shield/elasticsearch-shield.yml b/tasks/xpack/shield/elasticsearch-shield.yml deleted file mode 100644 index e464c76..0000000 --- a/tasks/xpack/shield/elasticsearch-shield.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- -#Shield specific configuration done here - -#TODO: 1. Skip users with no password defined or error 2. Passwords | length > 6 - -#-----------------------------FILE BASED REALM---------------------------------------- - -- include: elasticsearch-shield-file.yml - when: (es_enable_xpack and '"shield" in es_xpack_features') and ((es_users is defined and es_users.file) or (es_roles is defined and es_roles.file is defined)) - -#-----------------------------NATIVE BASED REALM---------------------------------------- -# The native realm requires the node to be started so we do as a handler -- command: /bin/true - notify: activate-shield - when: (es_enable_xpack and '"shield" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)) - -#-----------------------------ROLE MAPPING ---------------------------------------- - -#Copy Roles files -- name: Copy role_mapping.yml File for Instance - template: src=shield/role_mapping.yml.j2 dest={{conf_dir}}/shield/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes - when: es_role_mapping is defined - -#-----------------------------AUTH FILE---------------------------------------- - -- name: Copy message auth key to elasticsearch - copy: src={{ es_message_auth_file }} dest={{conf_dir}}/shield/system_key owner={{ es_user }} group={{ es_group }} mode=0600 force=yes - when: es_message_auth_file is defined - -#------------------------------------------------------------------------------------ - -#Ensure shield conf directory is created -- name: Ensure shield conf directory exists - file: path={{ conf_dir }}/shield state=directory owner={{ es_user }} group={{ es_group }} - changed_when: False - when: es_enable_xpack and '"shield" in es_xpack_features' diff --git a/templates/shield/role_mapping.yml.j2 b/templates/security/role_mapping.yml.j2 similarity index 100% rename from templates/shield/role_mapping.yml.j2 rename to templates/security/role_mapping.yml.j2 diff --git a/templates/shield/roles.yml.j2 b/templates/security/roles.yml.j2 similarity index 100% rename from templates/shield/roles.yml.j2 rename to templates/security/roles.yml.j2 diff --git a/templates/shield/users_roles.j2 b/templates/security/users_roles.j2 similarity index 100% rename from templates/shield/users_roles.j2 rename to templates/security/users_roles.j2 diff --git a/test/integration/helpers/serverspec/xpack_spec.rb b/test/integration/helpers/serverspec/xpack_spec.rb index 2bc671d..4b17395 100644 --- a/test/integration/helpers/serverspec/xpack_spec.rb +++ b/test/integration/helpers/serverspec/xpack_spec.rb @@ -6,7 +6,7 @@ shared_examples 'xpack::init' do |es_version| it { should exist } end - describe service('shield_node_elasticsearch') do + describe service('security_node_elasticsearch') do it { should be_running } end @@ -14,23 +14,23 @@ shared_examples 'xpack::init' do |es_version| it { should be_installed } end - describe file('/etc/elasticsearch/shield_node/elasticsearch.yml') do + describe file('/etc/elasticsearch/security_node/elasticsearch.yml') do it { should be_file } it { should be_owned_by 'elasticsearch' } end - describe file('/etc/elasticsearch/shield_node/logging.yml') do + describe file('/etc/elasticsearch/security_node/logging.yml') do it { should be_file } it { should be_owned_by 'elasticsearch' } end - describe file('/etc/elasticsearch/shield_node/elasticsearch.yml') do - it { should contain 'node.name: localhost-shield_node' } + describe file('/etc/elasticsearch/security_node/elasticsearch.yml') do + it { should contain 'node.name: localhost-security_node' } it { should contain 'cluster.name: elasticsearch' } - it { should contain 'path.conf: /etc/elasticsearch/shield_node' } - it { should contain 'path.data: /var/lib/elasticsearch/localhost-shield_node' } - it { should contain 'path.work: /tmp/elasticsearch/localhost-shield_node' } - it { should contain 'path.logs: /var/log/elasticsearch/localhost-shield_node' } + it { should contain 'path.conf: /etc/elasticsearch/security_node' } + it { should contain 'path.data: /var/lib/elasticsearch/localhost-security_node' } + it { should contain 'path.work: /tmp/elasticsearch/localhost-security_node' } + it { should contain 'path.logs: /var/log/elasticsearch/localhost-security_node' } end describe 'Node listening' do @@ -78,7 +78,7 @@ shared_examples 'xpack::init' do |es_version| end - #Check shield,watcher and license plugins are installed + #Check security,watcher and license plugins are installed describe file('/usr/share/elasticsearch/plugins/license') do it { should be_directory } it { should be_owned_by 'elasticsearch' } @@ -97,16 +97,16 @@ shared_examples 'xpack::init' do |es_version| end end - describe file('/usr/share/elasticsearch/plugins/shield') do + describe file('/usr/share/elasticsearch/plugins/security') do it { should be_directory } it { should be_owned_by 'elasticsearch' } end - describe command('curl -s localhost:9200/_nodes/plugins?pretty=true -u es_admin:changeMe | grep shield') do + describe command('curl -s localhost:9200/_nodes/plugins?pretty=true -u es_admin:changeMe | grep security') do its(:exit_status) { should eq 0 } end - describe file('/etc/elasticsearch/shield_node/shield') do + describe file('/etc/elasticsearch/security_node/security') do it { should be_directory } it { should be_owned_by 'elasticsearch' } end @@ -149,20 +149,20 @@ shared_examples 'xpack::init' do |es_version| #Test users file, users_roles and roles.yml - describe file('/etc/elasticsearch/shield_node/shield/users_roles') do + describe file('/etc/elasticsearch/security_node/x-pack/users_roles') do it { should be_owned_by 'elasticsearch' } it { should contain 'admin:es_admin' } it { should contain 'power_user:testUser' } end - describe file('/etc/elasticsearch/shield_node/shield/users') do + describe file('/etc/elasticsearch/security_node/x-pack/users') do it { should be_owned_by 'elasticsearch' } it { should contain 'testUser:' } it { should contain 'es_admin:' } end - describe file('/etc/elasticsearch/shield_node/shield/roles.yml') do + describe file('/etc/elasticsearch/security_node/x-pack/roles.yml') do it { should be_owned_by 'elasticsearch' } #Test contents as expected its(:md5sum) { should eq '7800182547287abd480c8b095bf26e9e' } @@ -170,19 +170,19 @@ shared_examples 'xpack::init' do |es_version| #Test native roles and users are loaded - describe command('curl -s localhost:9200/_shield/user -u es_admin:changeMe | md5sum | grep 557a730df7136694131b5b7012a5ffad') do + describe command('curl -s localhost:9200/_xpack/security/user -u es_admin:changeMe | md5sum | grep 557a730df7136694131b5b7012a5ffad') do its(:exit_status) { should eq 0 } end - describe command('curl -s localhost:9200/_shield/user -u es_admin:changeMe | grep "{\"kibana4_server\":{\"username\":\"kibana4_server\",\"roles\":\[\"kibana4_server\"\],\"full_name\":null,\"email\":null,\"metadata\":{}}}"') do + describe command('curl -s localhost:9200/_xpack/security/user -u es_admin:changeMe | grep "{\"kibana4_server\":{\"username\":\"kibana4_server\",\"roles\":\[\"kibana4_server\"\],\"full_name\":null,\"email\":null,\"metadata\":{}}}"') do its(:exit_status) { should eq 0 } end - describe command('curl -s localhost:9200/_shield/role -u es_admin:changeMe | grep "{\"logstash\":{\"cluster\":\[\"manage_index_templates\"\],\"indices\":\[{\"names\":\[\"logstash-\*\"\],\"privileges\":\[\"write\",\"delete\",\"create_index\"\]}\],\"run_as\":\[\]}}"') do + describe command('curl -s localhost:9200/_xpack/security/role -u es_admin:changeMe | grep "{\"logstash\":{\"cluster\":\[\"manage_index_templates\"\],\"indices\":\[{\"names\":\[\"logstash-\*\"\],\"privileges\":\[\"write\",\"delete\",\"create_index\"\]}\],\"run_as\":\[\]}}"') do its(:exit_status) { should eq 0 } end - describe command('curl -s localhost:9200/_shield/role -u es_admin:changeMe | md5sum | grep 6d14f09ef1eea64adf4d4a9c04229629') do + describe command('curl -s localhost:9200/_xpack/security/role -u es_admin:changeMe | md5sum | grep 6d14f09ef1eea64adf4d4a9c04229629') do its(:exit_status) { should eq 0 } end @@ -213,15 +213,15 @@ shared_examples 'xpack::init' do |es_version| end #Test contents of Elasticsearch.yml file - describe file('/etc/elasticsearch/shield_node/elasticsearch.yml') do - it { should contain 'shield.authc.realms.file1.order: 0' } - it { should contain 'shield.authc.realms.file1.type: file' } - it { should contain 'shield.authc.realms.native1.order: 1' } - it { should contain 'shield.authc.realms.native1.type: native' } + describe file('/etc/elasticsearch/security_node/elasticsearch.yml') do + it { should contain 'security.authc.realms.file1.order: 0' } + it { should contain 'security.authc.realms.file1.type: file' } + it { should contain 'security.authc.realms.native1.order: 1' } + it { should contain 'security.authc.realms.native1.type: native' } end #Test contents of role_mapping.yml - describe file('/etc/elasticsearch/shield_node/shield/role_mapping.yml') do + describe file('/etc/elasticsearch/security_node/x-pack/role_mapping.yml') do it { should be_owned_by 'elasticsearch' } it { should contain 'power_user:' } it { should contain '- cn=admins,dc=example,dc=com' } @@ -230,7 +230,7 @@ shared_examples 'xpack::init' do |es_version| end - describe file('/etc/elasticsearch/shield_node/shield/system_key') do + describe file('/etc/elasticsearch/security_node/x-pack/system_key') do it { should be_owned_by 'elasticsearch' } it { should be_writable.by('owner') } it { should be_writable.by_user('elasticsearch') } diff --git a/test/integration/xpack.yml b/test/integration/xpack.yml index 25ece50..4029149 100644 --- a/test/integration/xpack.yml +++ b/test/integration/xpack.yml @@ -3,8 +3,8 @@ hosts: localhost roles: - { role: elasticsearch, es_config: { "http.port": 9200, "transport.tcp.port":9300, discovery.zen.ping.unicast.hosts: "localhost:9300", - "shield.authc.realms.file1.type": "file","shield.authc.realms.file1.order": 0, "shield.authc.realms.native1.type": "native","shield.authc.realms.native1.order": 1 }, - es_instance_name: "shield_node" } + "xpack.security.authc.realms.file1.type": "file","xpack.security.authc.realms.file1.order": 0, "xpack.security.authc.realms.native1.type": "native","xpack.security.authc.realms.native1.order": 1 }, + es_instance_name: "security_node" } vars: es_templates: true es_enable_xpack: true @@ -13,8 +13,8 @@ - plugin: lmenezes/elasticsearch-kopf version: master es_xpack_features: - - shield - - watcher + - security + - alerting es_api_basic_auth_username: es_admin es_api_basic_auth_password: changeMe es_message_auth_file: system_key diff --git a/vars/main.yml b/vars/main.yml index fd29447..3d50db2 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -4,4 +4,4 @@ es_conf_dir: "/etc/elasticsearch" sysd_script: "/usr/lib/systemd/system/elasticsearch.service" init_script: "/etc/init.d/elasticsearch" #add supported features here -supported_xpack_features: ["watcher","marvel-agent","graph","shield"] \ No newline at end of file +supported_xpack_features: ["alerting","monitoring","graph","security"] \ No newline at end of file