Shield to Security and other X-Pack clear up

2017-01-11 13:02:23 +00:00 · 2017-01-11 13:02:23 +00:00 · 197cf05a0e
commit 197cf05a0e
parent 86bc009b60
18 changed files with 112 additions and 113 deletions
--- a/tasks/elasticsearch-config.yml
+++ b/tasks/elasticsearch-config.yml
@ -79,8 +79,8 @@
 - name: Delete Default Logging File
  file: dest=/etc/elasticsearch/logging.yml state=absent

- name: Delete Default Logging File (5.x)
+- name: Delete Default Logging File
  file: dest=/etc/elasticsearch/log4j2.properties state=absent

- name: Delete Default JVM Options File (5.x)
+- name: Delete Default JVM Options File
  file: dest=/etc/elasticsearch/jvm.options state=absent
--- a/tasks/elasticsearch-parameters.yml
+++ b/tasks/elasticsearch-parameters.yml
@ -19,9 +19,9 @@
 - fail: msg="If locking memory with bootstrap.mlockall (or bootstrap.memory_lock) a heap size must be specified"
  when: (es_config['bootstrap.mlockall'] is defined or es_config['bootstrap.memory_lock'] is defined) and es_config['bootstrap.mlockall'] == True and es_heap_size is not defined

-#Check if working with shield we have an es_api_basic_auth_username and es_api_basic_auth_username - otherwise any http calls wont work
- fail: msg="Enabling shield requires an es_api_basic_auth_username and es_api_basic_auth_password to be provided to allow cluster operations"
-  when: es_enable_xpack and ("shield" in es_xpack_features) and es_api_basic_auth_username is not defined and es_api_basic_auth_password is not defined
+#Check if working with security we have an es_api_basic_auth_username and es_api_basic_auth_username - otherwise any http calls wont work
+- fail: msg="Enabling security requires an es_api_basic_auth_username and es_api_basic_auth_password to be provided to allow cluster operations"
+  when: es_enable_xpack and ("security" in es_xpack_features) and es_api_basic_auth_username is not defined and es_api_basic_auth_password is not defined

 - set_fact: instance_default_file={{default_file | dirname}}/{{es_instance_name}}_{{default_file | basename}}
 - set_fact: instance_init_script={{init_script | dirname }}/{{es_instance_name}}_{{init_script | basename}}
--- a/tasks/xpack/elasticsearch-xpack.yml
+++ b/tasks/xpack/elasticsearch-xpack.yml
@ -46,8 +46,8 @@
 - include: elasticsearch-xpack-install.yml
  with_items: "{{supported_xpack_features}}"

-#Shield configuration
- include: shield/elasticsearch-shield.yml
+#Security configuration
+- include: security/elasticsearch-security.yml

 #Add any feature specific configuration here
 - name: Set Plugin Directory Permissions
--- a/tasks/xpack/shield/elasticsearch-security-file.yml
+++ b/tasks/xpack/shield/elasticsearch-security-file.yml
@ -1,15 +1,15 @@
 ---
 - set_fact: manage_file_users=es_users is defined and es_users.file is defined

-#Ensure shield conf directory is created
- name: Ensure shield conf directory exists (file)
-  file: path={{ conf_dir }}/shield state=directory owner={{ es_user }} group={{ es_group }}
+#Ensure x-pack conf directory is created
+- name: Ensure x-pack conf directory exists (file)
+  file: path={{ conf_dir }}/x-pack state=directory owner={{ es_user }} group={{ es_group }}
  changed_when: False
-  when: es_enable_xpack and '"shield" in es_xpack_features'
+  when: es_enable_xpack and '"security" in es_xpack_features'

 #List current users
 - name: List Users
-  shell: cat {{conf_dir}}/shield/users | awk -F':' '{print $1}'
+  shell: cat {{conf_dir}}/x-pack/users | awk -F':' '{print $1}'
  register: current_file_users
  when: manage_file_users
  changed_when: False
@ -20,7 +20,7 @@
 #Remove users
 - name: Remove Users
  command: >
-    {{es_home}}/bin/shield/esusers userdel {{item}}
+    {{es_home}}/bin/x-pack/users userdel {{item}}
  when: manage_file_users and (users_to_remove | length > 0)
  with_items: "{{users_to_remove | default([])}}"
  environment:
@ -34,7 +34,7 @@
 #Add users
 - name: Add Users
  command: >
-    {{es_home}}/bin/shield/esusers useradd {{item}} -p {{es_users.file[item].password}}
+    {{es_home}}/bin/x-pack/users useradd {{item}} -p {{es_users.file[item].password}}
  with_items: "{{users_to_add | default([])}}"
  when: manage_file_users and users_to_add | length > 0
  no_log: True
@ -45,7 +45,7 @@
 #Set passwords for all users declared - Required as the useradd will not change existing user passwords
 - name: Set User Passwords
  command: >
-    {{es_home}}/bin/shield/esusers passwd {{item.key}} -p {{item.value.password}}
+    {{es_home}}/bin/x-pack/users passwd {{item.key}} -p {{item.value.password}}
  with_dict: "{{(es_users | default({'file':{}})).file}}"
  when: manage_file_users and es_users.file.keys() | length > 0
  #Currently no easy way to figure out if the password has changed or to know what it currently is so we can skip.
@ -60,14 +60,14 @@

 #Copy Roles files
 - name: Copy roles.yml File for Instance
-  template: src=shield/roles.yml.j2 dest={{conf_dir}}/shield/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=security/roles.yml.j2 dest={{conf_dir}}/x-pack/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
  when: es_roles is defined and es_roles.file is defined

 #Overwrite users_roles file
 - name: Copy User Roles
-  template: src=shield/users_roles.j2 dest={{conf_dir}}/shield/users_roles mode=0644 force=yes
+  template: src=security/users_roles.j2 dest={{conf_dir}}/x-pack/users_roles mode=0644 force=yes
  when: manage_file_users and users_roles | length > 0

-#Set permission on shield directory. E.g. if 2 nodes are installed on the same machine, the second node will not get the users file created at install, causing the files being created at es_users call and then having the wrong Permissions.
- name: Set Shield Directory Permissions Recursive
-  file: state=directory path={{conf_dir}}/shield/ owner={{ es_user }} group={{ es_group }} recurse=yes
+#Set permission on security directory. E.g. if 2 nodes are installed on the same machine, the second node will not get the users file created at install, causing the files being created at es_users call and then having the wrong Permissions.
+- name: Set Security Directory Permissions Recursive
+  file: state=directory path={{conf_dir}}/x-pack/ owner={{ es_user }} group={{ es_group }} recurse=yes
--- a/tasks/xpack/shield/elasticsearch-security.yml
+++ b/tasks/xpack/shield/elasticsearch-security.yml
@ -0,0 +1,36 @@
+---
+#Security specific configuration done here
+
+#TODO: 1. Skip users with no password defined or error 2. Passwords | length > 6
+
+#-----------------------------FILE BASED REALM----------------------------------------
+
+- include: elasticsearch-security-file.yml
+  when: (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.file) or (es_roles is defined and es_roles.file is defined))
+
+#-----------------------------NATIVE BASED REALM----------------------------------------
+# The native realm requires the node to be started so we do as a handler
+- command: /bin/true
+  notify: activate-security
+  when: (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
+
+#-----------------------------ROLE MAPPING ----------------------------------------
+
+#Copy Roles files
+- name: Copy role_mapping.yml File for Instance
+  template: src=security/role_mapping.yml.j2 dest={{conf_dir}}/x-pack/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  when: es_role_mapping is defined
+
+#-----------------------------AUTH FILE----------------------------------------
+
+- name: Copy message auth key to elasticsearch
+  copy: src={{ es_message_auth_file }} dest={{conf_dir}}/x-pack/system_key owner={{ es_user }} group={{ es_group }} mode=0600 force=yes
+  when: es_message_auth_file is defined
+
+#------------------------------------------------------------------------------------
+
+#Ensure security conf directory is created
+- name: Ensure security conf directory exists
+  file: path={{ conf_dir }}/security state=directory owner={{ es_user }} group={{ es_group }}
+  changed_when: False
+  when: es_enable_xpack and '"security" in es_xpack_features'
--- a/tasks/xpack/shield/elasticsearch-shield.yml
+++ b/tasks/xpack/shield/elasticsearch-shield.yml
@ -1,36 +0,0 @@
---
-#Shield specific configuration done here
-
-#TODO: 1. Skip users with no password defined or error 2. Passwords | length > 6
-
-#-----------------------------FILE BASED REALM----------------------------------------
-
- include: elasticsearch-shield-file.yml
-  when: (es_enable_xpack and '"shield" in es_xpack_features') and ((es_users is defined and es_users.file) or (es_roles is defined and es_roles.file is defined))
-
-#-----------------------------NATIVE BASED REALM----------------------------------------
-# The native realm requires the node to be started so we do as a handler
- command: /bin/true
-  notify: activate-shield
-  when: (es_enable_xpack and '"shield" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
-
-#-----------------------------ROLE MAPPING ----------------------------------------
-
-#Copy Roles files
- name: Copy role_mapping.yml File for Instance
-  template: src=shield/role_mapping.yml.j2 dest={{conf_dir}}/shield/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
-  when: es_role_mapping is defined
-
-#-----------------------------AUTH FILE----------------------------------------
-
- name: Copy message auth key to elasticsearch
-  copy: src={{ es_message_auth_file }} dest={{conf_dir}}/shield/system_key owner={{ es_user }} group={{ es_group }} mode=0600 force=yes
-  when: es_message_auth_file is defined
-
-#------------------------------------------------------------------------------------
-
-#Ensure shield conf directory is created
- name: Ensure shield conf directory exists
-  file: path={{ conf_dir }}/shield state=directory owner={{ es_user }} group={{ es_group }}
-  changed_when: False
-  when: es_enable_xpack and '"shield" in es_xpack_features'