Shield to Security and other X-Pack clear up

handlers/security/elasticsearch-security-native.yml

@@ -0,0 +1,118 @@
+---
+
+- set_fact: manage_native_users=false
+
+- set_fact: manage_native_users=true
+  when: es_users is defined and es_users.native is defined
+
+- set_fact: manage_native_roles=false
+
+- set_fact: manage_native_roles=true
+  when: es_roles is defined and es_roles.native is defined
+
+# If playbook runs too fast, Native commands could fail as the Native Realm is not yet up
+- name: Wait 15 seconds for the Native Relm to come up
+  pause: seconds=15
+
+#If the node has just has security installed it maybe either stopped or started 1. if stopped, we need to start to load native realms 2. if started, we need to restart to load
+
+#List current users
+- name: List Native Users
+  uri:
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user
+    method: GET
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+    status_code: 200
+  register: user_list_response
+  when: manage_native_users
+
+
+- set_fact: current_users={{user_list_response.json.keys() | list}}
+  when: manage_native_users
+
+#Identify non declared users
+
+- set_fact: users_to_remove={{ current_users | difference ( es_users.native.keys() ) }}
+  when: manage_native_users
+
+#Delete all non required users
+- name: Delete Native Users
+  uri:
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}
+    method: DELETE
+    status_code: 200
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+  when: manage_native_users and users_to_remove | length > 0
+  with_items: "{{users_to_remove}}"
+
+
+#Overwrite all other users
+- name: Update Native Users
+  uri:
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/{{item.key}}
+    method: POST
+    body_format: json
+    body: "{{item.value | to_json}}"
+    status_code: 200
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+  when: manage_native_users and es_users.native.keys() > 0
+  no_log: True
+  with_dict: "{{es_users.native}}"
+
+#List current roles
+
+- name: List Native Roles
+  uri:
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role
+    method: GET
+    body_format: json
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+    status_code: 200
+  register: role_list_response
+  when: manage_native_roles
+
+#Identify undeclared roles
+
+- set_fact: current_roles={{role_list_response.json.keys() | list}}
+  when: manage_native_users
+
+- debug: msg="{{current_roles}}"
+
+- set_fact: roles_to_remove={{ current_roles | difference ( es_roles.native.keys()  ) }}
+  when: manage_native_roles
+
+
+#Delete all non required roles
+- name: Delete Native Roles
+  uri:
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item}}
+    method: DELETE
+    status_code: 200
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+  when: manage_native_roles and roles_to_remove | length > 0
+  with_items: "{{roles_to_remove}}"
+
+
+#Update other roles
+- name: Update Native Roles
+  uri:
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item.key}}
+    method: POST
+    body_format: json
+    body: "{{item.value | to_json}}"
+    status_code: 200
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+  when: manage_native_roles and es_roles.native.keys() > 0
+  with_dict: "{{es_roles.native}}"