Re-structure to make xpack idempotent
This commit is contained in:
parent
ddbf4ad956
commit
595368f873
6 changed files with 9 additions and 26 deletions
|
|
@ -45,4 +45,12 @@
|
|||
- meta: flush_handlers
|
||||
|
||||
- name: Wait for elasticsearch to startup
|
||||
wait_for: host={{es_api_host}} port={{es_api_port}} delay=5 connect_timeout=1
|
||||
wait_for: host={{es_api_host}} port={{es_api_port}} delay=5 connect_timeout=1
|
||||
|
||||
- name: activate-license
|
||||
include: ./xpack/security/elasticsearch-xpack-activation.yml
|
||||
when: es_enable_xpack and es_xpack_license is defined and es_xpack_license != ''
|
||||
|
||||
#perform security actions here now elasticsearch is started
|
||||
- include: ./xpack/security/elasticsearch-security-native.yml
|
||||
when: (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
|
||||
|
|
|
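--- /dev/null
+++ b/tasks/xpack/security/elasticsearch-security-native.yml
@@ -0,0 +1,112 @@
+---
+
+- set_fact: manage_native_users=false
+
+- set_fact: manage_native_users=true
+  when: es_users is defined and es_users.native is defined
+
+- set_fact: manage_native_roles=false
+
+- set_fact: manage_native_roles=true
+  when: es_roles is defined and es_roles.native is defined
+
+# If playbook runs too fast, Native commands could fail as the Native Realm is not yet up
+- name: Wait 15 seconds for the Native Relm to come up
+  pause: seconds=15
+
+#If the node has just has security installed it maybe either stopped or started 1. if stopped, we need to start to load native realms 2. if started, we need to restart to load
+
+#List current users
+- name: List Native Users
+  uri:
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user
+    method: GET
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+    status_code: 200
+  register: user_list_response
+  when: manage_native_users
+
+#Current users not inc. those reserved
+- set_fact: current_users={{ user_list_response.json | filter_reserved }}
+  when: manage_native_users
+
+#Identify non declared users
+- set_fact: users_to_remove={{ current_users | difference ( es_users.native.keys() ) }}
+  when: manage_native_users
+
+#Delete all non required users
+- name: Delete Native Users
+  uri:
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}
+    method: DELETE
+    status_code: 200
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+  when: manage_native_users and users_to_remove | length > 0
+  with_items: "{{users_to_remove}}"
+
+#Overwrite all other users
+- name: Update Native Users
+  uri:
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item.key}}
+    method: POST
+    body_format: json
+    body: "{{item.value | to_json}}"
+    status_code: 200
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+  when: manage_native_users and es_users.native.keys() > 0
+  no_log: True
+  with_dict: "{{es_users.native}}"
+
+#List current roles not. inc those reserved
+- name: List Native Roles
+  uri:
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role
+    method: GET
+    body_format: json
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+    status_code: 200
+  register: role_list_response
+  when: manage_native_roles
+
+- set_fact: current_roles={{ role_list_response.json | filter_reserved }}
+  when: manage_native_roles
+- debug: msg="{{current_roles}}"
+
+- set_fact: roles_to_remove={{ current_roles | difference ( es_roles.native.keys() ) }}
+  when: manage_native_roles
+
+
+#Delete all non required roles
+- name: Delete Native Roles
+  uri:
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item}}
+    method: DELETE
+    status_code: 200
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+  when: manage_native_roles and roles_to_remove | length > 0
+  with_items: "{{roles_to_remove}}"
+
+
+#Update other roles
+- name: Update Native Roles
+  uri:
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item.key}}
+    method: POST
+    body_format: json
+    body: "{{item.value | to_json}}"
+    status_code: 200
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+  when: manage_native_roles and es_roles.native.keys() > 0
+  with_dict: "{{es_roles.native}}"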
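Review bot: The `- debug: msg="{{current_roles}}"` task that follows the `current_roles` set_fact has no `when:` guard, so on a run that manages only native users (`manage_native_roles` false) `current_roles` is undefined and the play fails at that task; drop the leftover debug or give it `when: manage_native_roles`. The conditions `es_users.native.keys() > 0` and `es_roles.native.keys() > 0` on the two Update tasks compare a keys view with an integer instead of counting it — `when: manage_native_users and es_users.native | length > 0` (and the roles equivalent) matches what the Delete tasks already do with `| length > 0`. The `no_log: True` on Update Native Users is the right call because those bodies will likely carry user passwords, but it is the only task here that has it while every task sends basic-auth credentials to a hard-coded `http://` URL; a scheme variable for the API endpoint would let TLS-fronted deployments keep those credentials and user documents off the wire in cleartext. The fixed `pause: seconds=15` is a guess at realm readiness — `retries`/`until` on the List Native Users request would wait exactly as long as needed and fail loudly if the realm never comes up.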
@ -8,13 +8,6 @@
|
|||
- include: elasticsearch-security-file.yml
|
||||
when: (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.file) or (es_roles is defined and es_roles.file is defined))
|
||||
|
||||
#-----------------------------NATIVE BASED REALM----------------------------------------
|
||||
# The native realm requires the node to be started so we do as a handler
|
||||
- command: /bin/true
|
||||
notify: activate-security
|
||||
when: (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
|
||||
changed_when: False
|
||||
|
||||
#-----------------------------ROLE MAPPING ----------------------------------------
|
||||
|
||||
#Copy Roles files
|
||||
|
|
|
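--- /dev/null
+++ b/tasks/xpack/security/elasticsearch-xpack-activation.yml
@@ -0,0 +1,37 @@
+---
+
+- name: Activate ES license (without security authentication)
+  uri:
+    method: PUT
+    url: "http://{{es_api_host}}:{{es_api_port}}/_license?acknowledge=true"
+    body_format: json
+    body: "{{ es_xpack_license }}"
+    return_content: yes
+  register: license_activated
+  no_log: True
+  when: 'not "security" in es_xpack_features'
+  failed_when: >
+    license_activated.status != 200 or
+    license_activated.json.license_status is not defined or
+    license_activated.json.license_status != 'valid'
+
+- name: Activate ES license (with security authentication)
+  uri:
+    method: PUT
+    url: "http://{{es_api_host}}:{{es_api_port}}/_license?acknowledge=true"
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    body_format: json
+    force_basic_auth: yes
+    body: "{{ es_xpack_license }}"
+    return_content: yes
+  register: license_activated
+  no_log: True
+  when: '"security" in es_xpack_features'
+  failed_when: >
+    license_activated.status != 200 or
+    license_activated.json.license_status is not defined or
+    license_activated.json.license_status != 'valid'
+
+- debug:
+    msg: "License: {{ license_activated.content }}"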
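Review bot: Both license tasks issue the PUT on every run and carry no `changed_when`, so the uri module reports them as changed each time and, despite the commit title, this file still does not look idempotent from Ansible's side; a GET of `_license` first to skip re-uploading an identical license, or at least `changed_when` derived from the response, would fix that. The closing `debug` prints `license_activated.content` in full, which hands back the response body that the `no_log: True` on the preceding tasks was keeping out of the log — `msg: "License status: {{ license_activated.json.license_status }}"` confirms activation without echoing the whole response. The two tasks differ only in the `user`/`password`/`force_basic_auth` parameters; a single task that passes `omit` for those when security is not in `es_xpack_features` would remove the duplicated url, body and `failed_when` block.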