Merge branch 'master' into AddSSLSupport

2019-10-11 23:09:03 +01:00 · 2019-10-11 23:09:03 +01:00 · 551d93b646
commit 551d93b646
parent 9580a08f4d 17b363c7e9
25 changed files with 171 additions and 246 deletions
--- a/tasks/xpack/elasticsearch-xpack-install.yml
+++ b/tasks/xpack/elasticsearch-xpack-install.yml
@ -1,68 +0,0 @@
---
-
-#Test if feature is installed
- name: Test if x-pack is installed
-  shell: "{{es_home}}/bin/elasticsearch-plugin list | grep x-pack"
-  become: yes
-  register: x_pack_installed
-  changed_when: False
-  failed_when: "'ERROR' in x_pack_installed.stdout"
-  check_mode: no
-  ignore_errors: yes
-  environment:
-    CONF_DIR: "{{ es_conf_dir }}"
-    ES_PATH_CONF: "{{ es_conf_dir }}"
-    ES_INCLUDE: "{{ default_file }}"
-
-
-#Remove X-Pack if installed and its not been requested or the ES version has changed
- name: Remove x-pack plugin
-  become: yes
-  command: "{{es_home}}/bin/elasticsearch-plugin remove x-pack"
-  register: xpack_state
-  failed_when: "'ERROR' in xpack_state.stdout"
-  changed_when: xpack_state.rc == 0
-  when: x_pack_installed.rc == 0 and (not es_enable_xpack or es_version_changed)
-  notify: restart elasticsearch
-  environment:
-    CONF_DIR: "{{ es_conf_dir }}"
-    ES_PATH_CONF: "{{ es_conf_dir }}"
-    ES_INCLUDE: "{{ default_file }}"
-
-
-#Install plugin if not installed, or the es version has changed (so removed above), and its been requested
- name: Download x-pack from url
-  get_url: url={{ es_xpack_custom_url }} dest=/tmp/x-pack-{{ es_version }}.zip
-  when: (x_pack_installed.rc == 1 or es_version_changed) and (es_enable_xpack and es_xpack_custom_url is defined)
-
- name: Install x-pack plugin from local
-  become: yes
-  command: >
-    {{es_home}}/bin/elasticsearch-plugin install --silent --batch file:///tmp/x-pack-{{ es_version }}.zip
-  register: xpack_state
-  changed_when: xpack_state.rc == 0
-  when: (x_pack_installed.rc == 1 or es_version_changed) and (es_enable_xpack and es_xpack_custom_url is defined)
-  notify: restart elasticsearch
-  environment:
-    CONF_DIR: "{{ es_conf_dir }}"
-    ES_PATH_CONF: "{{ es_conf_dir }}"
-    ES_INCLUDE: "{{ default_file }}"
-
- name: Delete x-pack zip file
-  file: dest=/tmp/x-pack-{{ es_version }}.zip state=absent
-  when: es_xpack_custom_url is defined
-
- name: Install x-pack plugin from elastic.co
-  become: yes
-  command: >
-    {{es_home}}/bin/elasticsearch-plugin install --silent --batch x-pack
-  register: xpack_state
-  failed_when: "'ERROR' in xpack_state.stdout"
-  changed_when: xpack_state.rc == 0
-  when: (x_pack_installed.rc == 1 or es_version_changed) and (es_enable_xpack and es_xpack_custom_url is not defined)
-  notify: restart elasticsearch
-  environment:
-    CONF_DIR: "{{ es_conf_dir }}"
-    ES_PATH_CONF: "{{ es_conf_dir }}"
-    ES_INCLUDE: "{{ default_file }}"
-    ES_JAVA_OPTS: "{% if es_proxy_host is defined and es_proxy_host != '' %}-Dhttp.proxyHost={{ es_proxy_host }} -Dhttp.proxyPort={{ es_proxy_port }} -Dhttps.proxyHost={{ es_proxy_host }} -Dhttps.proxyPort={{ es_proxy_port }}{% endif %}"
--- a/tasks/xpack/elasticsearch-xpack.yml
+++ b/tasks/xpack/elasticsearch-xpack.yml
@ -1,24 +1,11 @@
 ---

- name: set fact es_version_changed
-  set_fact: es_version_changed={{ ((elasticsearch_install_from_package is defined and (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed)) or (elasticsearch_install_from_package is defined and elasticsearch_install_from_package.changed)) }}
-
- name: include elasticsearch-xpack-install.yml
-  include: elasticsearch-xpack-install.yml
-  when: es_install_xpack
-
 #Security configuration
 - name: include security/elasticsearch-security.yml
  include: security/elasticsearch-security.yml
  when: es_enable_xpack

-#Add any feature specific configuration here
- name: Set Plugin Directory Permissions
-  become: yes
-  file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes
-
 #Make sure elasticsearch.keystore has correct Permissions
 - name: Set elasticsearch.keystore Permissions
  become: yes
-  file: state=file path={{ es_conf_dir }}/elasticsearch.keystore owner={{ es_user }} group={{ es_group }}
-  when: es_enable_xpack
+  file: state=file path={{ es_conf_dir }}/elasticsearch.keystore owner=root group={{ es_group }} mode=0660
--- a/tasks/xpack/security/elasticsearch-security-file.yml
+++ b/tasks/xpack/security/elasticsearch-security-file.yml
@ -1,7 +1,10 @@
 ---
- name: set fact manage_file_users
-  set_fact: manage_file_users=es_users is defined and es_users.file is defined and es_users.file.keys() | list | length > 0
+- set_fact: manage_file_users=false

+- set_fact: manage_file_users=true
+  when: es_users is defined and es_users.file is defined and es_users.file.keys() | list | length > 0
+
+# Users migration from elasticsearch < 6.3 versions
 - name: Check if old users file exists
  stat:
    path: '{{ es_conf_dir }}/x-pack/users'
@ -13,22 +16,16 @@
    remote_src: yes
    force: no # only copy it if the new path doesn't exist yet
    src: "{{ es_conf_dir }}/x-pack/users"
-    dest: "{{ es_conf_dir }}{{ es_xpack_conf_subdir }}/users"
-  when: old_users_file.stat.exists
-
- name: Create the users file if it doesn't exist
-  copy:
-    content: ""
-    dest: "{{ es_conf_dir }}{{ es_xpack_conf_subdir }}/users"
-    force: no # this ensures it only creates it if it does not exist
+    dest: "{{ es_conf_dir }}/users"
    group: "{{ es_group }}"
-    owner: "{{ es_user }}"
-    mode: 0555
+    owner: root
+  when: old_users_file.stat.exists
+# End of users migrations

 #List current users
 - name: List Users
  become: yes
-  shell: cat {{ es_conf_dir }}{{es_xpack_conf_subdir}}/users | awk -F':' '{print $1}'
+  shell: cat {{ es_conf_dir }}/users | awk -F':' '{print $1}'
  register: current_file_users
  when: manage_file_users
  changed_when: False
@ -42,7 +39,7 @@
 - name: Remove Users
  become: yes
  command: >
-    {{es_home}}/bin/{{es_xpack_users_command}} userdel {{item}}
+    {{es_home}}/bin/elasticsearch-users userdel {{item}}
  with_items: "{{users_to_remove | default([])}}"
  when: manage_file_users
  environment:
@ -58,7 +55,7 @@
 - name: Add Users
  become: yes
  command: >
-    {{es_home}}/bin/{{es_xpack_users_command}} useradd {{item}} -p {{es_users.file[item].password}}
+    {{es_home}}/bin/elasticsearch-users useradd {{item}} -p {{es_users.file[item].password}}
  with_items: "{{ users_to_add | default([]) }}"
  when: manage_file_users
  no_log: True
@ -71,7 +68,7 @@
 - name: Set User Passwords
  become: yes
  command: >
-    {{es_home}}/bin/{{es_xpack_users_command}} passwd {{ item }} -p {{es_users.file[item].password}}
+    {{es_home}}/bin/elasticsearch-users passwd {{ item }} -p {{es_users.file[item].password}}
  with_items: "{{ es_users.file.keys() | list }}"
  when: manage_file_users
  #Currently no easy way to figure out if the password has changed or to know what it currently is so we can skip.
@ -89,16 +86,11 @@
 #Copy Roles files
 - name: Copy roles.yml File for Instance
  become: yes
-  template: src=security/roles.yml.j2 dest={{ es_conf_dir }}{{es_xpack_conf_subdir}}/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=security/roles.yml.j2 dest={{ es_conf_dir }}/roles.yml owner=root group={{ es_group }} mode=0660 force=yes
  when: es_roles is defined and es_roles.file is defined

 #Overwrite users_roles file
 - name: Copy User Roles
  become: yes
-  template: src=security/users_roles.j2 dest={{ es_conf_dir }}{{es_xpack_conf_subdir}}/users_roles mode=0644 force=yes
+  template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles owner=root group={{ es_group }} mode=0660 force=yes
  when: manage_file_users and users_roles | length > 0
-
-#Set permission on security directory. E.g. if 2 nodes are installed on the same machine, the second node will not get the users file created at install, causing the files being created at es_users call and then having the wrong Permissions.
- name: Set Security Directory Permissions Recursive
-  become: yes
-  file: state=directory path={{ es_conf_dir }}{{es_xpack_conf_subdir}}/ owner={{ es_user }} group={{ es_group }} recurse=yes
--- a/tasks/xpack/security/elasticsearch-security.yml
+++ b/tasks/xpack/security/elasticsearch-security.yml
@ -3,12 +3,6 @@

 #TODO: 1. Skip users with no password defined or error 2. Passwords | length > 6

-#Ensure x-pack conf directory is created if necessary
- name: Ensure x-pack conf directory exists (file)
-  file: path={{ es_conf_dir }}{{ es_xpack_conf_subdir }} state=directory owner={{ es_user }} group={{ es_group }}
-  changed_when: False
-  when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined) or (es_role_mapping is defined)
-
 #-----------------------------Create Bootstrap User-----------------------------------
 ### START BLOCK elasticsearch keystore ###
 - name: create the elasticsearch keystore
@ -52,13 +46,5 @@
 #Copy Roles files
 - name: Copy role_mapping.yml File for Instance
  become: yes
-  template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}{{es_xpack_conf_subdir}}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}/role_mapping.yml owner=root group={{ es_group }} mode=0660 force=yes
  when: es_role_mapping is defined
-
-#------------------------------------------------------------------------------------
-
-#Ensure security conf directory is created
- name: Ensure security conf directory exists
-  become: yes
-  file: path={{ es_conf_dir }}/security state=directory owner={{ es_user }} group={{ es_group }}
-  changed_when: False