From 2ea0842a6c0dd2a0af25a1660c01217c699a09ad Mon Sep 17 00:00:00 2001
From: Dale McDiarmid
Date: Wed, 4 Jan 2017 13:23:22 +0000
Subject: [PATCH] Changes to support license
---
 .gitignore | 1 +
 .kitchen.yml | 3 +++
 handlers/elasticsearch-templates.yml | 6 ------
 handlers/main.yml | 12 +++++++++---
 handlers/shield/elasticsearch-shield-native.yml | 6 ------
 handlers/shield/elasticsearch-shield.yml | 9 +++++++++
 .../shield}/elasticsearch-xpack-activation.yml | 11 ++++++-----
 license.json | 1 +
 tasks/xpack/elasticsearch-xpack.yml | 6 +-----
 tasks/xpack/shield/elasticsearch-shield.yml | 2 +-
 test/integration/helpers/serverspec/xpack_spec.rb | 7 +++----
 test/integration/xpack.yml | 2 +-
 12 files changed, 35 insertions(+), 31 deletions(-)
 create mode 100644 handlers/shield/elasticsearch-shield.yml
 rename {tasks/xpack => handlers/shield}/elasticsearch-xpack-activation.yml (77%)
 create mode 100644 license.json
diff --git a/.gitignore b/.gitignore
index 7a4be3e..bdcfa29 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 .kitchen/
+license.json
 *.pyc
 .vendor
 .bundle
diff --git a/.kitchen.yml b/.kitchen.yml
index 98adee0..d7857a1 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -22,6 +22,7 @@ platforms:
 - apt-get update && apt-get install -y software-properties-common && add-apt-repository -y ppa:ansible/ansible
 - apt-get update && apt-get -y -q install python-apt python-pycurl
 use_sudo: false
+ volume: <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json
 - name: debian-8
 driver_config:
 image: dliappis/debian-devopsci:8
@@ -33,6 +34,7 @@ platforms:
 - sed -ri 's/^#?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
 - sed -ri 's/^#?PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config
 - sed -ri 's/^#?UsePAM .*/UsePAM no/' /etc/ssh/sshd_config
+ volume: <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json
 use_sudo: false
 run_command: "/sbin/init"
 - name: centos-7
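Review bot: The new `volume:` entry renders to `:/tmp/license.json` whenever `ES_XPACK_LICENSE_FILE` is not exported, which Docker rejects as an invalid bind-mount spec, so every suite on this platform — not only the x-pack one — stops converging for a developer who has no license file. An ERB guard keeps the default run working: `<% if ENV['ES_XPACK_LICENSE_FILE'] %>volume: <%= ENV['ES_XPACK_LICENSE_FILE'] %>:/tmp/license.json<% end %>`; the same line is repeated for debian-8 and centos-7 further down and needs the same treatment. Since the driver presumably passes this string straight to `docker -v`, appending `:ro` is also cheap — the role only reads the file, and a read-only mount keeps a misbehaving converge from altering the host copy.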
@@ -45,6 +47,7 @@ platforms: - rm /etc/yum.repos.d/epel*repo /etc/yum.repos.d/puppetlabs-pc1.repo - yum -y install initscripts - yum clean all + volume: <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json run_command: "/usr/sbin/init" privileged: true use_sudo: false diff --git a/handlers/elasticsearch-templates.yml b/handlers/elasticsearch-templates.yml index 4595ef6..bad2226 100644 --- a/handlers/elasticsearch-templates.yml +++ b/handlers/elasticsearch-templates.yml @@ -1,11 +1,5 @@ --- -- name: Ensure elasticsearch is started - service: name={{instance_init_script | basename}} state=started enabled=yes - -- name: Wait for elasticsearch to startup - wait_for: host={{es_api_host}} port={{es_api_port}} delay=10 - - name: Get template files find: paths="/etc/elasticsearch/templates" patterns="*.json" register: templates diff --git a/handlers/main.yml b/handlers/main.yml index ac960ef..524d130 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -6,10 +6,16 @@ service: name={{instance_init_script | basename}} state=restarted enabled=yes when: es_restart_on_change and es_start_service and ((plugin_installed is defined and plugin_installed.changed) or (config_updated is defined and config_updated.changed) or (xpack_state.changed) or (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed or elasticsearch_install_from_package.changed)) -- name: load-native-realms - include: ./handlers/shield/elasticsearch-shield-native.yml - when: (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined) +# Assumes all handlers need to be started as likely to make HTTP calls +- name: Ensure elasticsearch is started + service: name={{instance_init_script | basename}} state=started enabled=yes +- name: Wait for elasticsearch to startup + wait_for: host={{es_api_host}} port={{es_api_port}} delay=10 + +# All security specific actions should go in here +- name: activate-shield + include: ./handlers/shield/elasticsearch-shield.yml #Templates are a handler as they need to come after a restart e.g. suppose user removes shield on a running node and doesn't #specify es_api_basic_auth_username and es_api_basic_auth_password. The templates will subsequently not be removed if we don't wait for the node to restart. diff --git a/handlers/shield/elasticsearch-shield-native.yml b/handlers/shield/elasticsearch-shield-native.yml index c6fcb66..d545394 100644 --- a/handlers/shield/elasticsearch-shield-native.yml +++ b/handlers/shield/elasticsearch-shield-native.yml @@ -1,11 +1,5 @@ --- -- name: Ensure elasticsearch is started - service: name={{instance_init_script | basename}} state=started enabled=yes - -- name: Wait for elasticsearch to startup - wait_for: host={{es_api_host}} port={{es_api_port}} delay=10 - - set_fact: manage_native_users=false - set_fact: manage_native_users=true 
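Review bot: `Ensure elasticsearch is started` and `Wait for elasticsearch to startup` are now plain top-level handlers, and Ansible only runs a handler that some task has notified by name; nothing in this patch notifies either of them, so the comment `# Assumes all handlers need to be started as likely to make HTTP calls` only holds if the tasks that notify `activate-shield` (and the template handler) also notify these two elsewhere in the role. If they do not, the `uri` calls inside the included shield handlers run against a node that may still be stopped or mid-restart, and the license/realm steps fail or are skipped. Either have the notifying tasks list all three, `notify: [Ensure elasticsearch is started, Wait for elasticsearch to startup, activate-shield]`, or keep the start/wait steps inside each included handler file as they were before this change. Note also that `wait_for` on `es_api_port` only proves the TCP port accepts connections, not that the HTTP layer answers, which is a pre-existing caveat worth a comment on that line.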
diff --git a/handlers/shield/elasticsearch-shield.yml b/handlers/shield/elasticsearch-shield.yml
new file mode 100644
index 0000000..ca4f63f
--- /dev/null
+++ b/handlers/shield/elasticsearch-shield.yml
@@ -0,0 +1,9 @@
+---
+
+- name: activate-license
+ include: ./handlers/shield/elasticsearch-xpack-activation.yml
+ when: es_enable_xpack and es_xpack_license is defined and es_xpack_license != ''
+
+- name: load-native-realms
+ include: ./handlers/shield/elasticsearch-shield-native.yml
+ when: (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)
\ No newline at end of file
diff --git a/tasks/xpack/elasticsearch-xpack-activation.yml b/handlers/shield/elasticsearch-xpack-activation.yml
similarity index 77%
rename from tasks/xpack/elasticsearch-xpack-activation.yml
rename to handlers/shield/elasticsearch-xpack-activation.yml
index 7010a5b..063a9e9 100644
--- a/tasks/xpack/elasticsearch-xpack-activation.yml
+++ b/handlers/shield/elasticsearch-xpack-activation.yml
@@ -1,14 +1,15 @@
 ---
+
 - name: Activate ES license (without shield authentication)
 uri:
 method: PUT
- url: "http://{{es_api_host}}:{{es_api_port}}/_xpack/license?acknowledge=true"
+ url: "http://{{es_api_host}}:{{es_api_port}}/_license?acknowledge=true"
 body_format: json
 body: "{{ es_xpack_license }}"
 return_content: yes
 register: license_activated
 no_log: True
- when: '"shield" not in es_xpack_features
+ when: not '"shield" in es_xpack_features'
 failed_when: >
 license_activated.status != 200 or
 license_activated.json.license_status is not defined or
@@ -17,7 +18,7 @@
 - name: Activate ES license (with shield authentication)
 uri:
 method: PUT
- url: "http://{{es_api_host}}:{{es_api_port}}/_xpack/license?acknowledge=true"
+ url: "http://{{es_api_host}}:{{es_api_port}}/_license?acknowledge=true"
 user: "{{es_api_basic_auth_username}}"
 password: "{{es_api_basic_auth_password}}"
 body_format: json
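Review bot: `when: not '"shield" in es_xpack_features'` applies Jinja `not` to a single-quoted string literal, and a non-empty string is always truthy, so the condition is always false and the unauthenticated activation task can never run; the removed line at least intended a membership test (its missing closing quote is presumably the parse error this rewrite was chasing). Write it as a quoted expression whose contents get evaluated, `when: '"shield" not in es_xpack_features'`, mirroring the `when: '"shield" in es_xpack_features'` form used on the authenticated task. The switch from `/_xpack/license` to `/_license` matches the 2.x license-plugin API (the `bin/plugin list` check elsewhere in this patch is also 2.x-style); if the role is still meant to run against 5.x nodes, the URL should be chosen from the configured ES version rather than hard-coded, and a comment on the `url:` line saying which API it targets would help the next reader.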
@@ -25,8 +26,8 @@ body: "{{ es_xpack_license }}" return_content: yes register: license_activated - no_log: True - when: '"shield" in es_xpack_features + #no_log: True + when: '"shield" in es_xpack_features' failed_when: > license_activated.status != 200 or license_activated.json.license_status is not defined or diff --git a/license.json b/license.json new file mode 100644 index 0000000..cef4223 --- /dev/null +++ b/license.json @@ -0,0 +1 @@ +{"license":{"uid":"bdbff559-f174-4759-a247-b61a53c435f1","type":"platinum","issue_date_in_millis":1467936000000,"expiry_date_in_millis":1485993599999,"max_nodes":100,"issued_to":"Elastic - INTERNAL","issuer":"Steve Kearns","signature":"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"}} \ No newline at end of file diff --git a/tasks/xpack/elasticsearch-xpack.yml b/tasks/xpack/elasticsearch-xpack.yml index 0669b42..07b68d3 100644 --- a/tasks/xpack/elasticsearch-xpack.yml +++ b/tasks/xpack/elasticsearch-xpack.yml @@ -5,7 +5,7 @@ #enabling xpack installs the license. Not a xpack feature and does not need to be specified - TODO: we should append it to the list if xpack is enabled and remove this #Check if license is installed -- name: Check License is installed +- name: Check License plugin is installed shell: > {{es_home}}/bin/plugin list | tail -n +2 | grep license register: license_installed @@ -49,10 +49,6 @@ #Shield configuration - include: shield/elasticsearch-shield.yml -# Activate ES lience -- include: elasticsearch-xpack-activation.yml - when: es_enable_xpack and es_xpack_license is defined and es_xpack_license != '' - #Add any feature specific configuration here - name: Set Plugin Directory Permissions file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes \ No newline at end of file diff --git a/tasks/xpack/shield/elasticsearch-shield.yml b/tasks/xpack/shield/elasticsearch-shield.yml index 35abd3a..e464c76 100644 --- a/tasks/xpack/shield/elasticsearch-shield.yml 
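Review bot: Commenting out `no_log: True` on the authenticated activation task exposes `es_api_basic_auth_password` and the complete license body (signature included) in task output: with `return_content: yes` and `register: license_activated`, a `-v` run or any logging/JSON callback prints both the module arguments and the response. Restore it as `no_log: true`; if the aim was to see why activation fails, add a separate `debug: var=license_activated` task guarded by something like `when: es_debug_license | default(false)` rather than disabling redaction for every run. As written the two activation tasks are also inconsistent, since the unauthenticated one above keeps its `no_log`.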
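Review bot: This commit adds a real Elastic platinum license to the repository — uid, `"issued_to":"Elastic - INTERNAL"`, issuer and the signature that validates it — and the `license.json` entry added to `.gitignore` in the same commit does not help, because ignore rules never apply to a file that is already tracked. The signature is the secret: anyone holding this file can install platinum features on any cluster until `expiry_date_in_millis`, which appears to fall in early February 2017, only weeks after the commit date, so the window is short but not zero. Drop it from the index with `git rm --cached license.json`, ask the issuer to revoke/reissue, and rewrite history to purge the blob before the branch reaches a shared remote; the tests already read the license from the `/tmp/license.json` mount rather than from the repository, so nothing depends on the committed copy.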
+++ b/tasks/xpack/shield/elasticsearch-shield.yml @@ -11,7 +11,7 @@ #-----------------------------NATIVE BASED REALM---------------------------------------- # The native realm requires the node to be started so we do as a handler - command: /bin/true - notify: load-native-realms + notify: activate-shield when: (es_enable_xpack and '"shield" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)) #-----------------------------ROLE MAPPING ---------------------------------------- diff --git a/test/integration/helpers/serverspec/xpack_spec.rb b/test/integration/helpers/serverspec/xpack_spec.rb index 93c6507..2bc671d 100644 --- a/test/integration/helpers/serverspec/xpack_spec.rb +++ b/test/integration/helpers/serverspec/xpack_spec.rb @@ -90,10 +90,9 @@ shared_examples 'xpack::init' do |es_version| #Test if x-pack is activated describe 'x-pack activation' do - it 'should be activated with the license uid '+ENV["ES_XPACK_LICENSE_UID"] do - command = command('curl -s localhost:9200/_xpack/license?pretty=true -u es_admin:changeMe') - expect(command.stdout).to match(active) - expect(command.stdout).to match(ENV["ES_XPACK_LICENSE_UID"]) + it 'should be activated and valid' do + command = command('curl -s localhost:9200/_license?pretty=true -u es_admin:changeMe') + expect(command.stdout).to match('"status" : "active"') expect(command.exit_status).to eq(0) end end diff --git a/test/integration/xpack.yml b/test/integration/xpack.yml index af52016..25ece50 100644 --- a/test/integration/xpack.yml +++ b/test/integration/xpack.yml 
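Review bot: License activation now happens only through the `activate-shield` handler, but the sole notify of that handler in this patch is this `/bin/true` task, whose `when` still requires native users or roles to be defined; the unconditional `include: elasticsearch-xpack-activation.yml` in tasks/xpack/elasticsearch-xpack.yml was removed, so a node with `es_xpack_license` set but no native realm configuration never gets its license installed (unless something outside this diff also notifies the handler). Add a second trigger alongside this one: `- command: /bin/true` / `  notify: activate-shield` / `  when: es_enable_xpack and es_xpack_license is defined and es_xpack_license != ''`, or widen this task's `when` to that disjunction. Separately, the inner `'"shield" in es_xpack_features'` here is a single-quoted string inside the larger Jinja expression, so it is a string literal that is always truthy rather than a membership test; `"shield" in es_xpack_features` without the surrounding single quotes is what was meant.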
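Review bot: Dropping the `ENV["ES_XPACK_LICENSE_UID"]` assertion means `match('"status" : "active"')` passes on any active license, and if the license plugin on this version ships with an active trial license the spec can no longer tell whether the role's activation handler ran at all — which matters given that handler is only notified under a native-realm condition. Keep the tie to the supplied license while tolerating a missing variable, e.g. `expect(command.stdout).to match(ENV["ES_XPACK_LICENSE_UID"]) if ENV["ES_XPACK_LICENSE_UID"]`, rather than removing the check. Also note that `curl -s` exits 0 even on an HTTP 401, so `expect(command.exit_status).to eq(0)` proves little; adding `-f` to the curl command makes that assertion meaningful.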
@@ -5,10 +5,10 @@ - { role: elasticsearch, es_config: { "http.port": 9200, "transport.tcp.port":9300, discovery.zen.ping.unicast.hosts: "localhost:9300", "shield.authc.realms.file1.type": "file","shield.authc.realms.file1.order": 0, "shield.authc.realms.native1.type": "native","shield.authc.realms.native1.order": 1 }, es_instance_name: "shield_node" } - include_vars: <%= ENV['ES_XPACK_LICENSE_FILE'] %> vars: es_templates: true es_enable_xpack: true + es_xpack_license: "{{ lookup('file', '/tmp/license.json') }}" es_plugins: - plugin: lmenezes/elasticsearch-kopf version: master