Move fil realm reserved user check earlier, Move template and license after naitve realm

2017-09-20 22:58:17 +01:00 · 2017-09-20 22:58:17 +01:00 · 7ab416c782
commit 7ab416c782
parent e9a6f74d09
6 changed files with 24 additions and 44 deletions
--- a/tasks/elasticsearch-parameters.yml
+++ b/tasks/elasticsearch-parameters.yml
@ -23,6 +23,13 @@
 - fail: msg="Enabling security requires an es_api_basic_auth_username and es_api_basic_auth_password to be provided to allow cluster operations"
  when: es_enable_xpack and ("security" in es_xpack_features) and es_api_basic_auth_username is not defined and es_api_basic_auth_password is not defined

+- set_fact: file_reserved_users={{ es_users.file.keys() | intersect (reserved_xpack_users) }}
+  when: es_users is defined and es_users.file is defined and (es_users.file.keys() | length > 0) and (es_users.file.keys() | intersect (reserved_xpack_users) | length > 0)
+
+- fail:
+     msg: "ERROR: INVALID CONFIG - YOU CANNOT CHANGE RESERVED USERS THROUGH THE FILE REALM. THE FOLLOWING CANNOT BE CHANGED: {{file_reserved_users}}. USE THE NATIVE REALM."
+  when: file_reserved_users | default([]) | length > 0
+
 - set_fact: instance_default_file={{default_file | dirname}}/{{es_instance_name}}_{{default_file | basename}}
 - set_fact: instance_init_script={{init_script | dirname }}/{{es_instance_name}}_{{init_script | basename}}
 - set_fact: conf_dir={{ es_conf_dir }}/{{es_instance_name}}
--- a/tasks/elasticsearch-template.yml
+++ b/tasks/elasticsearch-template.yml
@ -8,15 +8,6 @@
  with_fileglob:
    - "{{ es_templates_fileglob | default('') }}"

-
- name: Ensure elasticsearch is started
-  service: name={{instance_init_script | basename}} state=started enabled=yes
-  when: es_start_service and load_templates.changed
-
- name: Wait for elasticsearch to startup
-  wait_for: host={{es_api_host}} port={{es_api_port}} delay=10
-  when: es_start_service and load_templates.changed
-
 - name: Install templates without auth
  uri:
    url: "http://{{es_api_host}}:{{es_api_port}}/_template/{{item | filename}}"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -39,12 +39,6 @@

 - meta: flush_handlers

-#Templates done after restart - handled by flushing the handlers. e.g. suppose user removes security on a running node and doesn't specify es_api_basic_auth_username and es_api_basic_auth_password.  The templates will subsequently not be removed if we don't wait for the node to restart.
- include: elasticsearch-template.yml
-  when: es_templates
-  tags:
-      - templates
-
 - name: Make sure elasticsearch is started
  service: name={{instance_init_script | basename}} state=started enabled=yes
  when: es_start_service
@ -53,10 +47,17 @@
  wait_for: host={{es_api_host}} port={{es_api_port}} delay=5 connect_timeout=1
  when: es_restarted is defined and es_restarted.changed and es_start_service

+#perform security actions here now elasticsearch is started
+- include: ./xpack/security/elasticsearch-security-native.yml
+  when: es_start_service and (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
+
 - name: activate-license
  include: ./xpack/security/elasticsearch-xpack-activation.yml
  when: es_start_service and es_enable_xpack and es_xpack_license is defined and es_xpack_license != ''

-#perform security actions here now elasticsearch is started
- include: ./xpack/security/elasticsearch-security-native.yml
-  when: es_start_service and (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
+#Templates done after restart - handled by flushing the handlers. e.g. suppose user removes security on a running node and doesn't specify es_api_basic_auth_username and es_api_basic_auth_password.  The templates will subsequently not be removed if we don't wait for the node to restart.
+#We also do after the native realm to ensure any changes are applied here first and its denf up.
+- include: elasticsearch-template.yml
+  when: es_templates
+  tags:
+      - templates
--- a/tasks/xpack/security/elasticsearch-security-file.yml
+++ b/tasks/xpack/security/elasticsearch-security-file.yml
@ -16,41 +16,31 @@
  command: >
    {{es_home}}/bin/x-pack/users userdel {{item}}
  with_items: "{{users_to_remove | default([])}}"
-  when: manage_file_users and (users_to_remove | length > 0)
+  when: manage_file_users
  environment:
    CONF_DIR: "{{ conf_dir }}"
    ES_HOME: "{{es_home}}"

- set_fact: users_to_add={{ es_users.file.keys() | difference (current_file_users.stdout_lines) | difference (reserved_xpack_users) | default([]) }}
+- set_fact: users_to_add={{ es_users.file.keys() | difference (current_file_users.stdout_lines) }}
  when: manage_file_users

- set_fact: users_to_ignore={{ es_users.file.keys() | difference (current_file_users.stdout_lines) | intersect (reserved_xpack_users) }}
-  when: manage_file_users
-
- debug:
-     msg: "WARNING: YOU CANNOT CHANGE RESERVED USERS THROUGH THE FILE REALM. THE FOLLOWING WILL BE IGNORED: {{users_to_ignore}}"
-  when: manage_file_users and users_to_ignore | length > 0
-
 #Add users
 - name: Add Users
  command: >
    {{es_home}}/bin/x-pack/users useradd {{item}} -p {{es_users.file[item].password}}
-  with_items: "{{ users_to_add }}"
-  when: manage_file_users and users_to_add | length > 0
+  with_items: "{{ users_to_add | default([]) }}"
+  when: manage_file_users
  no_log: True
  environment:
    CONF_DIR: "{{ conf_dir }}"
    ES_HOME: "{{es_home}}"

- set_fact: users_to_modify={{ es_users.file.keys() | difference (reserved_xpack_users) | default([]) }}
-  when: manage_file_users
-
 #Set passwords for all users declared - Required as the useradd will not change existing user passwords
 - name: Set User Passwords
  command: >
    {{es_home}}/bin/x-pack/users passwd {{ item }} -p {{es_users.file[item].password}}
-  with_items: "{{ users_to_modify }}"
-  when: manage_file_users and users_to_modify | length > 0
+  with_items: "{{ es_users.file.keys() | default([]) }}"
+  when: manage_file_users
  #Currently no easy way to figure out if the password has changed or to know what it currently is so we can skip.
  changed_when: False
  no_log: True
@ -58,7 +48,7 @@
    CONF_DIR: "{{ conf_dir }}"
    ES_HOME: "{{es_home}}"

- set_fact: users_roles={{es_users.file | extract_role_users (reserved_xpack_users) }}
+- set_fact: users_roles={{es_users.file | extract_role_users () }}
  when: manage_file_users

 #Copy Roles files
--- a/test/integration/issue-test.yml
+++ b/test/integration/issue-test.yml
@ -28,10 +28,6 @@
    es_api_basic_auth_password: changeme
    es_users:
      file:
-        kibana:
-          password: changeme
-          roles:
-            - kibana_system
        test_user:
          password: changeme
          roles:
--- a/test/integration/xpack.yml
+++ b/test/integration/xpack.yml
@ -49,11 +49,6 @@
          roles:
            - power_user
            - user
-        #testing this shouldn't be impacted through the file call
-        kibana:
-          password: this_wont_be_set
-          roles:
-            - kibana_system
    es_roles:
      file:
        admin: