Protect reserved elastic user + doc clarification on configuring native realm

README.md

@@ -300,6 +300,14 @@ X-Pack configuration parameters can be added to the elasticsearch.yml file using
 
 For a full example see [here](https://github.com/elastic/ansible-elasticsearch/blob/master/test/integration/xpack.yml)
 
+####Important Note for Native Realm Configuration
+
+In order for native users and roles to be configured, the role calls the Elasticsearch API.  Given security is installed this requires definition of two parameters:
+
+* ```es_api_basic_auth_username``` - admin username
+* ```es_api_basic_auth_password``` - admin password
+
+These can either be set to a user declared in the file based realm, with admin permissions, or the default "elastic" superuser (default password is changeme).
 
 
 ### Additional Configuration

handlers/security/elasticsearch-security-native.yml

@@ -28,12 +28,11 @@
   register: user_list_response
   when: manage_native_users
 
-
-- set_fact: current_users={{user_list_response.json.keys() | list}}
+#Current users not inc. the elastic user which is reserved and cannot be deleted
+- set_fact: current_users={{user_list_response.json.keys() | list | difference(['elastic'] )}}
   when: manage_native_users
 
 #Identify non declared users
-
 - set_fact: users_to_remove={{ current_users | difference ( es_users.native.keys() ) }}
   when: manage_native_users
 

test/integration/xpack.yml

@@ -14,8 +14,8 @@
     es_xpack_features:
       - security
       - alerting
-    es_api_basic_auth_username: es_admin
-    es_api_basic_auth_password: changeMe
+    es_api_basic_auth_username: elastic
+    es_api_basic_auth_password: changeme
     es_message_auth_file: system_key
     es_role_mapping:
       power_user: