From 946d89ac74c85801a03b30b30d24d0b0b5968caf Mon Sep 17 00:00:00 2001
From: Dale McDiarmid
Date: Tue, 14 Mar 2017 12:58:46 -0700
Subject: [PATCH 1/5] Idempotent tests - Make java install idempotent
---
.kitchen.yml | 1 +
tasks/java.yml | 6 ++++--
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/.kitchen.yml b/.kitchen.yml
index 9d2c326..0bd7a15 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -12,6 +12,7 @@ provisioner:
http_proxy: <%= ENV['HTTP_PROXY'] %>
https_proxy: <%= ENV['HTTPS_PROXY'] %>
no_proxy: localhost,127.0.0.1
+ idempotency_test: true
platforms:
- name: ubuntu-14.04
diff --git a/tasks/java.yml b/tasks/java.yml
index 388ceed..508ad67 100644
--- a/tasks/java.yml
+++ b/tasks/java.yml
@@ -10,13 +10,15 @@
when: ansible_os_family == 'RedHat'
- name: Debian - Ensure Java is installed
- apt: name={{ java }} state={{java_state}} update_cache=yes force=yes
+ apt: name={{ java }} state={{java_state}} update_cache=yes
when: ansible_os_family == 'Debian'
- command: java -version 2>&1 | grep OpenJDK
register: open_jdk
changed_when: false
+#https://github.com/docker-library/openjdk/issues/19 - ensures tests pass due to java 8 broken certs
- name: refresh the java ca-certificates
command: /var/lib/dpkg/info/ca-certificates-java.postinst configure
- when: ansible_distribution == 'Ubuntu' and open_jdk.rc == 0
\ No newline at end of file
+ when: ansible_distribution == 'Ubuntu' and open_jdk.rc == 0
+ changed_when: false
\ No newline at end of file
From d9bb90fdc87b1262dea70155b0c4d4cc861cbeb2 Mon Sep 17 00:00:00 2001
From: Dale McDiarmid
Date: Wed, 15 Mar 2017 14:52:58 -0400
Subject: [PATCH 2/5] Idempotency fix for java
---
tasks/java.yml | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/tasks/java.yml b/tasks/java.yml
index 508ad67..380481d 100644
--- a/tasks/java.yml
+++ b/tasks/java.yml
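Review bot: `changed_when: false` on the `ca-certificates-java.postinst configure` command hides a real modification of the Java CA keystore from the play's change report, and nothing limits how often it reruns; if that is the accepted trade-off, the comment above the task should say so, e.g. `# Re-run on every play; reported as unchanged so the idempotency test passes`. Separately, the guard `open_jdk.rc == 0` rests on a `command:` task, and the command module does not pass `2>&1 |` through a shell, so `java` receives `2>&1`, `|`, `grep` and `OpenJDK` as plain arguments. If `java -version` exits 0 regardless of trailing arguments, as it appears to, the guard only proves a `java` binary exists, not that it is OpenJDK. Switching that check (a context line this commit does not touch) to `shell:` would make the condition mean what it reads as.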
@@ -8,9 +8,14 @@
- name: RedHat - Ensure Java is installed
yum: name={{ java }} state={{java_state}}
when: ansible_os_family == 'RedHat'
-
+
+- name: Refresh java repo
+ apt: update_cache=yes
+ changed_when: false
+ when: ansible_os_family == 'Debian'
+
- name: Debian - Ensure Java is installed
- apt: name={{ java }} state={{java_state}} update_cache=yes
+ apt: name={{ java }} state={{java_state}}
when: ansible_os_family == 'Debian'
- command: java -version 2>&1 | grep OpenJDK
From ddbf4ad956e66a4e413df8b2af15196017ac67c8 Mon Sep 17 00:00:00 2001
From: Dale McDiarmid
Date: Wed, 15 Mar 2017 15:19:39 -0400
Subject: [PATCH 3/5] Fix for idempotent security
---
tasks/xpack/security/elasticsearch-security.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tasks/xpack/security/elasticsearch-security.yml b/tasks/xpack/security/elasticsearch-security.yml
index 5b483cf..9c4470d 100644
--- a/tasks/xpack/security/elasticsearch-security.yml
+++ b/tasks/xpack/security/elasticsearch-security.yml
@@ -13,7 +13,8 @@
- command: /bin/true
notify: activate-security
when: (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
-
+ changed_when: False
+
#-----------------------------ROLE MAPPING ----------------------------------------
#Copy Roles files
From 595368f873a8d4f653bd1d0ff8adf5c150c64c0f Mon Sep 17 00:00:00 2001
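Review bot: The new `Refresh java repo` task runs an apt cache update on every play and then masks it with `changed_when: false`, while its name suggests it only touches a Java repository. The apt module's `cache_valid_time` gives the same idempotent result without a masking task, e.g. `apt: name={{ java }} state={{java_state}} update_cache=yes cache_valid_time=3600` on the install task below it. If the separate task is kept, rename it to say it refreshes the whole apt cache.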
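Review bot: Adding `changed_when: False` to the `/bin/true` task whose only purpose is `notify: activate-security` means the task never reports changed, and Ansible fires notified handlers only on a changed result, so at this commit the native-realm activation is silently never run. Commit 4/5 in this series deletes this task and moves the includes into tasks/main.yml, which resolves it; if this commit is ever applied on its own, leave the task reporting changed and accept the non-idempotent report rather than disabling the handler.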
From: Dale McDiarmid
Date: Wed, 15 Mar 2017 16:12:22 -0400
Subject: [PATCH 4/5] Re-structure to make xpack idempotent
---
handlers/main.yml | 4 ----
handlers/security/elasticsearch-security.yml | 14 --------------
tasks/main.yml | 10 +++++++++-
.../security/elasticsearch-security-native.yml | 0
tasks/xpack/security/elasticsearch-security.yml | 7 -------
.../security/elasticsearch-xpack-activation.yml | 0
6 files changed, 9 insertions(+), 26 deletions(-)
delete mode 100644 handlers/security/elasticsearch-security.yml
rename {handlers => tasks/xpack}/security/elasticsearch-security-native.yml (100%)
rename {handlers => tasks/xpack}/security/elasticsearch-xpack-activation.yml (100%)
diff --git a/handlers/main.yml b/handlers/main.yml
index ff07a08..55b95af 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -6,10 +6,6 @@
service: name={{instance_init_script | basename}} state=restarted enabled=yes
when: es_restart_on_change and es_start_service and ((plugin_installed is defined and plugin_installed.changed) or (config_updated is defined and config_updated.changed) or (xpack_state.changed) or (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed or elasticsearch_install_from_package.changed))
-# All security specific actions should go in here
-- name: activate-security
- include: ./handlers/security/elasticsearch-security.yml
-
#Templates are a handler as they need to come after a restart e.g. suppose user removes security on a running node and doesn't
#specify es_api_basic_auth_username and es_api_basic_auth_password. The templates will subsequently not be removed if we don't wait for the node to restart.
#Templates done after restart therefore - as a handler.
diff --git a/handlers/security/elasticsearch-security.yml b/handlers/security/elasticsearch-security.yml
deleted file mode 100644
index af52976..0000000
--- a/handlers/security/elasticsearch-security.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-- name: Ensure elasticsearch is started
- service: name={{instance_init_script | basename}} state=started enabled=yes
-
-- name: Wait for elasticsearch to startup
- wait_for: host={{es_api_host}} port={{es_api_port}} delay=10
-
-- name: activate-license
- include: ./handlers/security/elasticsearch-xpack-activation.yml
- when: es_enable_xpack and es_xpack_license is defined and es_xpack_license != ''
-
-- name: load-native-realms
- include: ./handlers/security/elasticsearch-security-native.yml
- when: (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index fe12c38..4648f8d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -45,4 +45,12 @@
- meta: flush_handlers
- name: Wait for elasticsearch to startup
- wait_for: host={{es_api_host}} port={{es_api_port}} delay=5 connect_timeout=1
\ No newline at end of file
+ wait_for: host={{es_api_host}} port={{es_api_port}} delay=5 connect_timeout=1
+
+- name: activate-license
+ include: ./xpack/security/elasticsearch-xpack-activation.yml
+ when: es_enable_xpack and es_xpack_license is defined and es_xpack_license != ''
+
+#perform security actions here now elasticsearch is started
+- include: ./xpack/security/elasticsearch-security-native.yml
+ when: (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
diff --git a/handlers/security/elasticsearch-security-native.yml b/tasks/xpack/security/elasticsearch-security-native.yml
similarity index 100%
rename from handlers/security/elasticsearch-security-native.yml
rename to tasks/xpack/security/elasticsearch-security-native.yml
diff --git a/tasks/xpack/security/elasticsearch-security.yml b/tasks/xpack/security/elasticsearch-security.yml
index 9c4470d..820c7e3 100644
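Review bot: In the added `when:` on the `elasticsearch-security-native.yml` include, `'"security" in es_xpack_features'` is a single-quoted string literal inside the Jinja expression rather than a membership test; a non-empty string is truthy, so the feature gate appears to collapse to `es_enable_xpack`, and the native users/roles tasks (which authenticate to the API with `es_api_basic_auth_username`/`es_api_basic_auth_password`) would run even when security is not listed in `es_xpack_features`. The intended check is `('security' in es_xpack_features)`; the same pattern sits in the existing conditions in `elasticsearch-security.yml`. The `activate-license` include also follows a `wait_for` on the port with `connect_timeout=1`, which only shows the port is accepting connections, not that the HTTP API is serving requests, so intermittent failures of that include's `uri` call would point here.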
--- a/tasks/xpack/security/elasticsearch-security.yml
+++ b/tasks/xpack/security/elasticsearch-security.yml
@@ -8,13 +8,6 @@
- include: elasticsearch-security-file.yml
when: (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.file) or (es_roles is defined and es_roles.file is defined))
-#-----------------------------NATIVE BASED REALM----------------------------------------
-# The native realm requires the node to be started so we do as a handler
-- command: /bin/true
- notify: activate-security
- when: (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
- changed_when: False
-
#-----------------------------ROLE MAPPING ----------------------------------------
#Copy Roles files
diff --git a/handlers/security/elasticsearch-xpack-activation.yml b/tasks/xpack/security/elasticsearch-xpack-activation.yml
similarity index 100%
rename from handlers/security/elasticsearch-xpack-activation.yml
rename to tasks/xpack/security/elasticsearch-xpack-activation.yml
From 4e8af6ced5b8a19153fa9fa09959d9e66761c284 Mon Sep 17 00:00:00 2001
From: Dale McDiarmid
Date: Wed, 15 Mar 2017 17:24:10 -0400
Subject: [PATCH 5/5] Fixes for conditional execution as a task
---
.../security/elasticsearch-security-file.yml | 2 +-
.../security/elasticsearch-security-native.yml | 18 ++++++++++++------
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml
index 5da0d13..b09237c 100644
--- a/tasks/xpack/security/elasticsearch-security-file.yml
+++ b/tasks/xpack/security/elasticsearch-security-file.yml
@@ -21,8 +21,8 @@
- name: Remove Users
command: >
{{es_home}}/bin/x-pack/users userdel {{item}}
- when: manage_file_users and (users_to_remove | length > 0)
with_items: "{{users_to_remove | default([])}}"
+ when: manage_file_users and (users_to_remove | length > 0)
environment:
CONF_DIR: "{{ conf_dir }}"
ES_HOME: "{{es_home}}"
diff --git a/tasks/xpack/security/elasticsearch-security-native.yml b/tasks/xpack/security/elasticsearch-security-native.yml
index 463e095..96bedfa 100644
--- a/tasks/xpack/security/elasticsearch-security-native.yml
+++ b/tasks/xpack/security/elasticsearch-security-native.yml
@@ -46,7 +46,10 @@
password: "{{es_api_basic_auth_password}}"
force_basic_auth: yes
when: manage_native_users and users_to_remove | length > 0
- with_items: "{{users_to_remove}}"
+ with_items: "{{users_to_remove | default([]) }}"
+
+- set_fact: native_users={{ es_users.native }}
+ when: manage_native_users and es_users.native.keys() > 0
#Overwrite all other users
- name: Update Native Users
@@ -59,9 +62,9 @@
user: "{{es_api_basic_auth_username}}"
password: "{{es_api_basic_auth_password}}"
force_basic_auth: yes
- when: manage_native_users and es_users.native.keys() > 0
+ when: manage_native_users and native_users.keys() > 0
no_log: True
- with_dict: "{{es_users.native}}"
+ with_dict: "{{native_users | default({}) }}"
#List current roles not. inc those reserved
- name: List Native Roles
@@ -94,9 +97,12 @@
password: "{{es_api_basic_auth_password}}"
force_basic_auth: yes
when: manage_native_roles and roles_to_remove | length > 0
- with_items: "{{roles_to_remove}}"
+ with_items: "{{roles_to_remove | default([]) }}"
+- set_fact: native_roles={{ es_roles.native }}
+ when: manage_native_roles and es_roles.native.keys() > 0
+
#Update other roles
- name: Update Native Roles
uri:
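Review bot: Moving `when:` below `with_items:` changes nothing at runtime, since Ansible reads a task by field name rather than field order, so this hunk is cosmetic unless the guard itself was meant to change. The loop line now defaults to `[]` but the `when` still evaluates `users_to_remove | length` with no default; because an empty loop yields no iterations, `when: manage_file_users` should be sufficient and keeps the two lines consistent. The `environment:` block and the `Remove Users` task continue past the end of the hunk.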
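Review bot: The new `set_fact: native_users={{ es_users.native }}` copies the native user definitions, passwords included, into a host fact, and unlike the `Update Native Users` task below it carries no `no_log: True`; set_fact results are printed in verbose and callback output, so add `no_log: True` to this task. Its `when: manage_native_users and es_users.native.keys() > 0` also compares a key collection with an integer: on Python 2 that comparison orders by type name and is always true, and on Python 3 it raises TypeError, so the guard does not do what it reads as; `es_users.native | length > 0` is the intended test. The same comparison is on the new `when` lines of the `@@ -59`, `@@ -94` and `@@ -108` hunks in this file.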
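Review bot: `when: manage_native_roles and es_roles.native.keys() > 0` on the new `set_fact` dereferences `es_roles.native`, but the include in tasks/main.yml admits either `es_users.native` or `es_roles.native` being defined, so this line raises an undefined-variable error whenever only users are configured, unless `manage_native_roles` (set outside the hunk) already short-circuits it. Guard it explicitly: `when: manage_native_roles and es_roles.native is defined and es_roles.native | length > 0`. For a dict value, prefer the mapping form over the key=value string, `set_fact:` with `native_roles: "{{ es_roles.native }}"` beneath it, which avoids pushing a dict through string templating.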
@@ -108,5 +114,5 @@
user: "{{es_api_basic_auth_username}}"
password: "{{es_api_basic_auth_password}}"
force_basic_auth: yes
- when: manage_native_roles and es_roles.native.keys() > 0
- with_dict: "{{es_roles.native}}"
+ when: manage_native_roles and native_roles.keys() > 0
+ with_dict: "{{ native_roles | default({})}}"