From 77612a9d8ebfdbcca882193899da87cc3dd9cd0f Mon Sep 17 00:00:00 2001 From: Dale McDiarmid Date: Mon, 19 Sep 2016 13:57:09 +0100 Subject: [PATCH 1/2] Support for role mapping --- tasks/xpack/shield/elasticsearch-shield-file.yml | 2 -- tasks/xpack/shield/elasticsearch-shield.yml | 9 ++++++++- templates/shield/role_mapping.yml.j2 | 1 + test/integration/xpack.yml | 6 ++++++ 4 files changed, 15 insertions(+), 3 deletions(-) create mode 100644 templates/shield/role_mapping.yml.j2 diff --git a/tasks/xpack/shield/elasticsearch-shield-file.yml b/tasks/xpack/shield/elasticsearch-shield-file.yml index 0746f4b..da78e91 100644 --- a/tasks/xpack/shield/elasticsearch-shield-file.yml +++ b/tasks/xpack/shield/elasticsearch-shield-file.yml @@ -60,5 +60,3 @@ template: src=shield/users_roles.j2 dest={{conf_dir}}/shield/users_roles mode=0644 force=yes when: manage_file_users and users_roles | length > 0 -#TODO: Support for mapping file - diff --git a/tasks/xpack/shield/elasticsearch-shield.yml b/tasks/xpack/shield/elasticsearch-shield.yml index ca16402..0b1a267 100644 --- a/tasks/xpack/shield/elasticsearch-shield.yml +++ b/tasks/xpack/shield/elasticsearch-shield.yml @@ -14,7 +14,14 @@ notify: load-native-realms when: (es_enable_xpack and '"shield" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)) -#--------------------------------------------------------------------- +#-----------------------------ROLE MAPPING ---------------------------------------- + +#Copy Roles files +- name: Copy role_mapping.yml File for Instance + template: src=shield/role_mapping.yml.j2 dest={{conf_dir}}/shield/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + when: es_role_mapping is defined + +#------------------------------------------------------------------------------------ #Ensure shield conf directory is created - name: Ensure shield conf directory exists 
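Review bot: The new role-mapping task sits above `Ensure shield conf directory exists`, so on a fresh host the template may be written into `{{conf_dir}}/shield/` before that directory exists, unless an earlier task outside this hunk already creates it; moving the task below the directory task avoids that. Its `when: es_role_mapping is defined` also drops the xpack/shield condition used by the task just above, so it would presumably still run when Shield is not enabled. Because this file decides which LDAP groups receive which roles, consider `owner=root group={{ es_group }} mode=0640` so the Elasticsearch service account can read but not rewrite its own authorization mapping. The `#Copy Roles files` comment would be more accurate as `#Copy role mapping file`.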
diff --git a/templates/shield/role_mapping.yml.j2 b/templates/shield/role_mapping.yml.j2 new file mode 100644 index 0000000..2584375 --- /dev/null +++ b/templates/shield/role_mapping.yml.j2 @@ -0,0 +1 @@ +{{ es_role_mapping | to_nice_yaml }} \ No newline at end of file diff --git a/test/integration/xpack.yml b/test/integration/xpack.yml index fb22b60..8bfcd2b 100644 --- a/test/integration/xpack.yml +++ b/test/integration/xpack.yml @@ -16,6 +16,12 @@ - watcher es_api_basic_auth_username: es_admin es_api_basic_auth_password: changeMe + es_role_mapping: + power_user: + - "cn=admins,dc=example,dc=com" + user: + - "cn=users,dc=example,dc=com" + - "cn=admins,dc=example,dc=com" es_users: native: kibana4_server: From a8a0676b595958f8df36a508046d4ad2f46115b9 Mon Sep 17 00:00:00 2001 From: Dale McDiarmid Date: Mon, 19 Sep 2016 14:39:36 +0100 Subject: [PATCH 2/2] Tests for role mapping --- test/integration/helpers/serverspec/xpack_spec.rb | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/test/integration/helpers/serverspec/xpack_spec.rb b/test/integration/helpers/serverspec/xpack_spec.rb index 69583ed..6848c9e 100644 --- a/test/integration/helpers/serverspec/xpack_spec.rb +++ b/test/integration/helpers/serverspec/xpack_spec.rb @@ -211,5 +211,14 @@ shared_examples 'xpack::init' do |es_version| it { should contain 'shield.authc.realms.native1.type: native' } end + #Test contents of role_mapping.yml + describe file('/etc/elasticsearch/shield_node/shield/role_mapping.yml') do + it { should be_owned_by 'elasticsearch' } + it { should contain 'power_user:' } + it { should contain '- cn=admins,dc=example,dc=com' } + it { should contain 'user:' } + it { should contain '- cn=admins,dc=example,dc=com' } + end + end
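Review bot: The last assertion in the new `describe file(...role_mapping.yml)` block repeats `'- cn=admins,dc=example,dc=com'`, so the `cn=users,dc=example,dc=com` entry added to `xpack.yml` is never checked; it should probably be `it { should contain '- cn=users,dc=example,dc=com' }`. `contain 'user:'` is also satisfied by the `power_user:` line, so the test passes even if the `user` role is missing. As this file controls authorization, it would be worth asserting which DN ends up under which role and pinning the permissions, for example `it { should be_mode 644 }`, so that a template or mode regression is caught. The enclosing `shared_examples 'xpack::init'` block starts outside the hunk.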