Merge pull request #267 from gingerwizard/master
Fixes and tests for idempotent behavour
This commit is contained in:
Dale McDiarmid
GitHub
commit
7d159f1766
9 changed files with 33 additions and 35 deletions
|
|
@ -12,6 +12,7 @@ provisioner:
|
||||||
http_proxy: <%= ENV['HTTP_PROXY'] %>
|
http_proxy: <%= ENV['HTTP_PROXY'] %>
|
||||||
https_proxy: <%= ENV['HTTPS_PROXY'] %>
|
https_proxy: <%= ENV['HTTPS_PROXY'] %>
|
||||||
no_proxy: localhost,127.0.0.1
|
no_proxy: localhost,127.0.0.1
|
||||||
|
idempotency_test: true
|
||||||
|
|
||||||
platforms:
|
platforms:
|
||||||
- name: ubuntu-14.04
|
- name: ubuntu-14.04
|
||||||
|
|
|
||||||
|
|
@ -6,10 +6,6 @@
|
||||||
service: name={{instance_init_script | basename}} state=restarted enabled=yes
|
service: name={{instance_init_script | basename}} state=restarted enabled=yes
|
||||||
when: es_restart_on_change and es_start_service and ((plugin_installed is defined and plugin_installed.changed) or (config_updated is defined and config_updated.changed) or (xpack_state.changed) or (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed or elasticsearch_install_from_package.changed))
|
when: es_restart_on_change and es_start_service and ((plugin_installed is defined and plugin_installed.changed) or (config_updated is defined and config_updated.changed) or (xpack_state.changed) or (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed or elasticsearch_install_from_package.changed))
|
||||||
|
|
||||||
# All security specific actions should go in here
|
|
||||||
- name: activate-security
|
|
||||||
include: ./handlers/security/elasticsearch-security.yml
|
|
||||||
|
|
||||||
#Templates are a handler as they need to come after a restart e.g. suppose user removes security on a running node and doesn't
|
#Templates are a handler as they need to come after a restart e.g. suppose user removes security on a running node and doesn't
|
||||||
#specify es_api_basic_auth_username and es_api_basic_auth_password. The templates will subsequently not be removed if we don't wait for the node to restart.
|
#specify es_api_basic_auth_username and es_api_basic_auth_password. The templates will subsequently not be removed if we don't wait for the node to restart.
|
||||||
#Templates done after restart therefore - as a handler.
|
#Templates done after restart therefore - as a handler.
|
||||||
|
|
|
||||||
|
|
@ -1,14 +0,0 @@
|
||||||
---
|
|
||||||
- name: Ensure elasticsearch is started
|
|
||||||
service: name={{instance_init_script | basename}} state=started enabled=yes
|
|
||||||
|
|
||||||
- name: Wait for elasticsearch to startup
|
|
||||||
wait_for: host={{es_api_host}} port={{es_api_port}} delay=10
|
|
||||||
|
|
||||||
- name: activate-license
|
|
||||||
include: ./handlers/security/elasticsearch-xpack-activation.yml
|
|
||||||
when: es_enable_xpack and es_xpack_license is defined and es_xpack_license != ''
|
|
||||||
|
|
||||||
- name: load-native-realms
|
|
||||||
include: ./handlers/security/elasticsearch-security-native.yml
|
|
||||||
when: (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)
|
|
||||||
|
|
@ -8,15 +8,22 @@
|
||||||
- name: RedHat - Ensure Java is installed
|
- name: RedHat - Ensure Java is installed
|
||||||
yum: name={{ java }} state={{java_state}}
|
yum: name={{ java }} state={{java_state}}
|
||||||
when: ansible_os_family == 'RedHat'
|
when: ansible_os_family == 'RedHat'
|
||||||
|
|
||||||
|
- name: Refresh java repo
|
||||||
|
apt: update_cache=yes
|
||||||
|
changed_when: false
|
||||||
|
when: ansible_os_family == 'Debian'
|
||||||
|
|
||||||
- name: Debian - Ensure Java is installed
|
- name: Debian - Ensure Java is installed
|
||||||
apt: name={{ java }} state={{java_state}} update_cache=yes force=yes
|
apt: name={{ java }} state={{java_state}}
|
||||||
when: ansible_os_family == 'Debian'
|
when: ansible_os_family == 'Debian'
|
||||||
|
|
||||||
- command: java -version 2>&1 | grep OpenJDK
|
- command: java -version 2>&1 | grep OpenJDK
|
||||||
register: open_jdk
|
register: open_jdk
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
||||||
|
#https://github.com/docker-library/openjdk/issues/19 - ensures tests pass due to java 8 broken certs
|
||||||
- name: refresh the java ca-certificates
|
- name: refresh the java ca-certificates
|
||||||
command: /var/lib/dpkg/info/ca-certificates-java.postinst configure
|
command: /var/lib/dpkg/info/ca-certificates-java.postinst configure
|
||||||
when: ansible_distribution == 'Ubuntu' and open_jdk.rc == 0
|
when: ansible_distribution == 'Ubuntu' and open_jdk.rc == 0
|
||||||
|
changed_when: false
|
||||||
|
|
@ -45,4 +45,12 @@
|
||||||
- meta: flush_handlers
|
- meta: flush_handlers
|
||||||
|
|
||||||
- name: Wait for elasticsearch to startup
|
- name: Wait for elasticsearch to startup
|
||||||
wait_for: host={{es_api_host}} port={{es_api_port}} delay=5 connect_timeout=1
|
wait_for: host={{es_api_host}} port={{es_api_port}} delay=5 connect_timeout=1
|
||||||
|
|
||||||
|
- name: activate-license
|
||||||
|
include: ./xpack/security/elasticsearch-xpack-activation.yml
|
||||||
|
when: es_enable_xpack and es_xpack_license is defined and es_xpack_license != ''
|
||||||
|
|
||||||
|
#perform security actions here now elasticsearch is started
|
||||||
|
- include: ./xpack/security/elasticsearch-security-native.yml
|
||||||
|
when: (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
|
||||||
|
|
|
||||||
|
|
@ -21,8 +21,8 @@
|
||||||
- name: Remove Users
|
- name: Remove Users
|
||||||
command: >
|
command: >
|
||||||
{{es_home}}/bin/x-pack/users userdel {{item}}
|
{{es_home}}/bin/x-pack/users userdel {{item}}
|
||||||
when: manage_file_users and (users_to_remove | length > 0)
|
|
||||||
with_items: "{{users_to_remove | default([])}}"
|
with_items: "{{users_to_remove | default([])}}"
|
||||||
|
when: manage_file_users and (users_to_remove | length > 0)
|
||||||
environment:
|
environment:
|
||||||
CONF_DIR: "{{ conf_dir }}"
|
CONF_DIR: "{{ conf_dir }}"
|
||||||
ES_HOME: "{{es_home}}"
|
ES_HOME: "{{es_home}}"
|
||||||
|
|
|
||||||
|
|
@ -46,7 +46,10 @@
|
||||||
password: "{{es_api_basic_auth_password}}"
|
password: "{{es_api_basic_auth_password}}"
|
||||||
force_basic_auth: yes
|
force_basic_auth: yes
|
||||||
when: manage_native_users and users_to_remove | length > 0
|
when: manage_native_users and users_to_remove | length > 0
|
||||||
with_items: "{{users_to_remove}}"
|
with_items: "{{users_to_remove | default([]) }}"
|
||||||
|
|
||||||
|
- set_fact: native_users={{ es_users.native }}
|
||||||
|
when: manage_native_users and es_users.native.keys() > 0
|
||||||
|
|
||||||
#Overwrite all other users
|
#Overwrite all other users
|
||||||
- name: Update Native Users
|
- name: Update Native Users
|
||||||
|
|
@ -59,9 +62,9 @@
|
||||||
user: "{{es_api_basic_auth_username}}"
|
user: "{{es_api_basic_auth_username}}"
|
||||||
password: "{{es_api_basic_auth_password}}"
|
password: "{{es_api_basic_auth_password}}"
|
||||||
force_basic_auth: yes
|
force_basic_auth: yes
|
||||||
when: manage_native_users and es_users.native.keys() > 0
|
when: manage_native_users and native_users.keys() > 0
|
||||||
no_log: True
|
no_log: True
|
||||||
with_dict: "{{es_users.native}}"
|
with_dict: "{{native_users | default({}) }}"
|
||||||
|
|
||||||
#List current roles not. inc those reserved
|
#List current roles not. inc those reserved
|
||||||
- name: List Native Roles
|
- name: List Native Roles
|
||||||
|
|
@ -94,9 +97,12 @@
|
||||||
password: "{{es_api_basic_auth_password}}"
|
password: "{{es_api_basic_auth_password}}"
|
||||||
force_basic_auth: yes
|
force_basic_auth: yes
|
||||||
when: manage_native_roles and roles_to_remove | length > 0
|
when: manage_native_roles and roles_to_remove | length > 0
|
||||||
with_items: "{{roles_to_remove}}"
|
with_items: "{{roles_to_remove | default([]) }}"
|
||||||
|
|
||||||
|
|
||||||
|
- set_fact: native_roles={{ es_roles.native }}
|
||||||
|
when: manage_native_roles and es_roles.native.keys() > 0
|
||||||
|
|
||||||
#Update other roles
|
#Update other roles
|
||||||
- name: Update Native Roles
|
- name: Update Native Roles
|
||||||
uri:
|
uri:
|
||||||
|
|
@ -108,5 +114,5 @@
|
||||||
user: "{{es_api_basic_auth_username}}"
|
user: "{{es_api_basic_auth_username}}"
|
||||||
password: "{{es_api_basic_auth_password}}"
|
password: "{{es_api_basic_auth_password}}"
|
||||||
force_basic_auth: yes
|
force_basic_auth: yes
|
||||||
when: manage_native_roles and es_roles.native.keys() > 0
|
when: manage_native_roles and native_roles.keys() > 0
|
||||||
with_dict: "{{es_roles.native}}"
|
with_dict: "{{ native_roles | default({})}}"
|
||||||
|
|
@ -8,12 +8,6 @@
|
||||||
- include: elasticsearch-security-file.yml
|
- include: elasticsearch-security-file.yml
|
||||||
when: (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.file) or (es_roles is defined and es_roles.file is defined))
|
when: (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.file) or (es_roles is defined and es_roles.file is defined))
|
||||||
|
|
||||||
#-----------------------------NATIVE BASED REALM----------------------------------------
|
|
||||||
# The native realm requires the node to be started so we do as a handler
|
|
||||||
- command: /bin/true
|
|
||||||
notify: activate-security
|
|
||||||
when: (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
|
|
||||||
|
|
||||||
#-----------------------------ROLE MAPPING ----------------------------------------
|
#-----------------------------ROLE MAPPING ----------------------------------------
|
||||||
|
|
||||||
#Copy Roles files
|
#Copy Roles files
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue