Xpack tests + protection against reserved roles and users
This commit is contained in:
Dale McDiarmid
parent
3b0c47333c
commit
8d84b57941
4 changed files with 30 additions and 39 deletions
|
|
@ -28,10 +28,16 @@ def extract_role_users(users={}):
|
|||
role_users.append(role+":"+user)
|
||||
return role_users
|
||||
|
||||
|
||||
def filename(filename=''):
|
||||
return os.path.splitext(os.path.basename(filename))[0]
|
||||
|
||||
def filter_reserved(user_roles={}):
|
||||
not_reserved = []
|
||||
for user_role,details in user_roles.items():
|
||||
if not "metadata" in details or not "_reserved" in details["metadata"] or not details["metadata"]["_reserved"]:
|
||||
not_reserved.append(user_role)
|
||||
return not_reserved
|
||||
|
||||
|
||||
class FilterModule(object):
|
||||
def filters(self):
|
||||
|
|
@ -39,5 +45,6 @@ class FilterModule(object):
|
|||
'append_to_list':append_to_list,
|
||||
'array_to_str':array_to_str,
|
||||
'extract_role_users':extract_role_users,
|
||||
'filter_reserved':filter_reserved,
|
||||
'filename':filename}
|
||||
|
||||
|
|
|
|||
|
|
@ -28,8 +28,8 @@
|
|||
register: user_list_response
|
||||
when: manage_native_users
|
||||
|
||||
#Current users not inc. the elastic user which is reserved and cannot be deleted
|
||||
- set_fact: current_users={{user_list_response.json.keys() | list | difference(['elastic'] )}}
|
||||
#Current users not inc. those reserved
|
||||
- set_fact: current_users={{ user_list_response.json | filter_reserved }}
|
||||
when: manage_native_users
|
||||
|
||||
#Identify non declared users
|
||||
|
|
@ -48,11 +48,10 @@
|
|||
when: manage_native_users and users_to_remove | length > 0
|
||||
with_items: "{{users_to_remove}}"
|
||||
|
||||
|
||||
#Overwrite all other users
|
||||
- name: Update Native Users
|
||||
uri:
|
||||
url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/{{item.key}}
|
||||
url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item.key}}
|
||||
method: POST
|
||||
body_format: json
|
||||
body: "{{item.value | to_json}}"
|
||||
|
|
@ -61,11 +60,10 @@
|
|||
password: "{{es_api_basic_auth_password}}"
|
||||
force_basic_auth: yes
|
||||
when: manage_native_users and es_users.native.keys() > 0
|
||||
no_log: True
|
||||
#no_log: True
|
||||
with_dict: "{{es_users.native}}"
|
||||
|
||||
#List current roles
|
||||
|
||||
#List current roles not. inc those reserved
|
||||
- name: List Native Roles
|
||||
uri:
|
||||
url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role
|
||||
|
|
@ -78,11 +76,8 @@
|
|||
register: role_list_response
|
||||
when: manage_native_roles
|
||||
|
||||
#Identify undeclared roles
|
||||
|
||||
- set_fact: current_roles={{role_list_response.json.keys() | list}}
|
||||
when: manage_native_users
|
||||
|
||||
- set_fact: current_roles={{ role_list_response.json | filter_reserved }}
|
||||
when: manage_native_roles
|
||||
- debug: msg="{{current_roles}}"
|
||||
|
||||
- set_fact: roles_to_remove={{ current_roles | difference ( es_roles.native.keys() ) }}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
require 'spec_helper'
|
||||
|
||||
shared_examples 'xpack::init' do |es_version|
|
||||
shared_examples 'xpack::init' do |es_version,plugins|
|
||||
|
||||
describe user('elasticsearch') do
|
||||
it { should exist }
|
||||
|
|
@ -19,7 +19,7 @@ shared_examples 'xpack::init' do |es_version|
|
|||
it { should be_owned_by 'elasticsearch' }
|
||||
end
|
||||
|
||||
describe file('/etc/elasticsearch/security_node/logging.yml') do
|
||||
describe file('/etc/elasticsearch/security_node/log4j2.properties') do
|
||||
it { should be_file }
|
||||
it { should be_owned_by 'elasticsearch' }
|
||||
end
|
||||
|
|
@ -29,7 +29,6 @@ shared_examples 'xpack::init' do |es_version|
|
|||
it { should contain 'cluster.name: elasticsearch' }
|
||||
it { should contain 'path.conf: /etc/elasticsearch/security_node' }
|
||||
it { should contain 'path.data: /var/lib/elasticsearch/localhost-security_node' }
|
||||
it { should contain 'path.work: /tmp/elasticsearch/localhost-security_node' }
|
||||
it { should contain 'path.logs: /var/log/elasticsearch/localhost-security_node' }
|
||||
end
|
||||
|
||||
|
|
@ -77,17 +76,6 @@ shared_examples 'xpack::init' do |es_version|
|
|||
it { should be_owned_by 'elasticsearch' }
|
||||
end
|
||||
|
||||
|
||||
#Check x-pack and license plugins are installed
|
||||
describe file('/usr/share/elasticsearch/plugins/license') do
|
||||
it { should be_directory }
|
||||
it { should be_owned_by 'elasticsearch' }
|
||||
end
|
||||
|
||||
describe command('curl -s localhost:9200/_nodes/plugins?pretty=true -u es_admin:changeMe | grep license') do
|
||||
its(:exit_status) { should eq 0 }
|
||||
end
|
||||
|
||||
#Test if x-pack is activated
|
||||
describe 'x-pack activation' do
|
||||
it 'should be activated and valid' do
|
||||
|
|
@ -116,16 +104,17 @@ shared_examples 'xpack::init' do |es_version|
|
|||
it { should be_owned_by 'elasticsearch' }
|
||||
end
|
||||
|
||||
describe file('/usr/share/elasticsearch/plugins/kopf') do
|
||||
it { should be_directory }
|
||||
it { should be_owned_by 'elasticsearch' }
|
||||
end
|
||||
for plugin in plugins
|
||||
describe file('/usr/share/elasticsearch/plugins/'+plugin) do
|
||||
it { should be_directory }
|
||||
it { should be_owned_by 'elasticsearch' }
|
||||
end
|
||||
|
||||
describe command('curl -s localhost:9200/_nodes/plugins?pretty=true -u es_admin:changeMe | grep kopf') do
|
||||
its(:exit_status) { should eq 0 }
|
||||
describe command('curl -s -u es_admin:changeMe localhost:9200/_nodes/plugins?pretty=true | grep '+plugin) do
|
||||
its(:exit_status) { should eq 0 }
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
#Test users file, users_roles and roles.yml
|
||||
describe file('/etc/elasticsearch/security_node/x-pack/users_roles') do
|
||||
it { should be_owned_by 'elasticsearch' }
|
||||
|
|
@ -148,19 +137,19 @@ shared_examples 'xpack::init' do |es_version|
|
|||
|
||||
|
||||
#Test native roles and users are loaded
|
||||
describe command('curl -s localhost:9200/_xpack/security/user -u es_admin:changeMe | md5sum | grep 557a730df7136694131b5b7012a5ffad') do
|
||||
describe command('curl -s localhost:9200/_xpack/security/user -u es_admin:changeMe | md5sum | grep 243b362bd47623c0b91a1fafbce2b6f5') do
|
||||
its(:exit_status) { should eq 0 }
|
||||
end
|
||||
|
||||
describe command('curl -s localhost:9200/_xpack/security/user -u es_admin:changeMe | grep "{\"kibana4_server\":{\"username\":\"kibana4_server\",\"roles\":\[\"kibana4_server\"\],\"full_name\":null,\"email\":null,\"metadata\":{}}}"') do
|
||||
describe command('curl -s localhost:9200/_xpack/security/user -u es_admin:changeMe | grep "{\"elastic\":{\"username\":\"elastic\",\"roles\":\[\"superuser\"\],\"full_name\":null,\"email\":null,\"metadata\":{\"_reserved\":true},\"enabled\":true},\"kibana\":{\"username\":\"kibana\",\"roles\":\[\"kibana\"\],\"full_name\":null,\"email\":null,\"metadata\":{\"_reserved\":true},\"enabled\":true},\"kibana4_server\":{\"username\":\"kibana4_server\",\"roles\":\[\"kibana4_server\"\],\"full_name\":null,\"email\":null,\"metadata\":{},\"enabled\":true}}"') do
|
||||
its(:exit_status) { should eq 0 }
|
||||
end
|
||||
|
||||
describe command('curl -s localhost:9200/_xpack/security/role -u es_admin:changeMe | grep "{\"logstash\":{\"cluster\":\[\"manage_index_templates\"\],\"indices\":\[{\"names\":\[\"logstash-\*\"\],\"privileges\":\[\"write\",\"delete\",\"create_index\"\]}\],\"run_as\":\[\]}}"') do
|
||||
describe command('curl -s localhost:9200/_xpack/security/role -u es_admin:changeMe | grep "{\"superuser\":{\"cluster\":\[\"all\"\],\"indices\":\[{\"names\":\[\"\*\"\],\"privileges\":\[\"all\"\]}\],\"run_as\":\[\"\*\"\],\"metadata\":{\"_reserved\":true}},\"transport_client\":{\"cluster\":\[\"transport_client\"\],\"indices\":\[\],\"run_as\":\[\],\"metadata\":{\"_reserved\":true}},\"kibana_user\":{\"cluster\":\[\"monitor\"\],\"indices\":\[{\"names\":\[\".kibana\*\"\],\"privileges\":\[\"manage\",\"read\",\"index\",\"delete\"\]}\],\"run_as\":\[\],\"metadata\":{\"_reserved\":true}},\"monitoring_user\":{\"cluster\":\[\],\"indices\":\[{\"names\":\[\"\.marvel-es-\*\",\".monitoring-\*\"\],\"privileges\":\[\"read\"\]}\],\"run_as\":\[\],\"metadata\":{\"_reserved\":true}},\"remote_monitoring_agent\":{\"cluster\":\[\"manage_index_templates\",\"manage_ingest_pipelines\",\"monitor\"\],\"indices\":\[{\"names\":\[\"\.marvel-es-\*\",\"\.monitoring-\*\"\],\"privileges\":\[\"all\"\]}\],\"run_as\":\[\],\"metadata\":{\"_reserved\":true}},\"ingest_admin\":{\"cluster\":\[\"manage_index_templates\",\"manage_pipeline\"\],\"indices\":\[\],\"run_as\":\[\],\"metadata\":{\"_reserved\":true}},\"reporting_user\":{\"cluster\":\[\],\"indices\":\[{\"names\":\[\"\.reporting-\*\"\],\"privileges\":\[\"read\",\"write\"\]}\],\"run_as\":\[\],\"metadata\":{\"_reserved\":true}},\"logstash\":{\"cluster\":\[\"manage_index_templates\"\],\"indices\":\[{\"names\":\[\"logstash-\*\"\],\"privileges\":\[\"write\",\"delete\",\"create_index\"\]}\],\"run_as\":\[\],\"metadata\":{}}}"') do
|
||||
its(:exit_status) { should eq 0 }
|
||||
end
|
||||
|
||||
describe command('curl -s localhost:9200/_xpack/security/role -u es_admin:changeMe | md5sum | grep 6d14f09ef1eea64adf4d4a9c04229629') do
|
||||
describe command('curl -s localhost:9200/_xpack/security/role -u es_admin:changeMe | md5sum | grep 78a0696c9c9690042cec2c1f16860cfc') do
|
||||
its(:exit_status) { should eq 0 }
|
||||
end
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
require 'xpack_spec'
|
||||
|
||||
describe 'Xpack Tests v 5.x' do
|
||||
include_examples 'xpack::init', "5.1.2"
|
||||
include_examples 'xpack::init', "5.1.2", ["ingest-geoip"]
|
||||
end
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue