use files permissions from official package

2019-09-18 10:57:07 +02:00 · 2019-09-18 10:57:07 +02:00 · 9bac169862
commit 9bac169862
parent 6a1b886753
8 changed files with 34 additions and 25 deletions
--- a/tasks/elasticsearch-config.yml
+++ b/tasks/elasticsearch-config.yml
@ -1,27 +1,35 @@
 ---
 # Configure Elasticsearch Node

-#Create required directories
- name: Create Directories
+#Create conf directory
+- name: Create Configuration Directory
  become: yes
-  file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }}
+  file: path={{ es_conf_dir }} state=directory owner=root group={{ es_group }} mode=2750
+
+#Create pid directory
+- name: Create PID Directory
+  become: yes
+  file: path={{ es_pid_dir }} state=directory owner={{ es_user }} group={{ es_group }} mode=0755
+
+#Create required directories
+- name: Create Others Directories
+  become: yes
+  file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }} mode=2750
  with_items:
-    - "{{ es_pid_dir }}"
    - "{{ es_log_dir }}"
-    - "{{ es_conf_dir }}"
    - "{{ es_data_dirs }}"

 #Copy the config template
 - name: Copy Configuration File
  become: yes
-  template: src=elasticsearch.yml.j2 dest={{ es_conf_dir }}/elasticsearch.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=elasticsearch.yml.j2 dest={{ es_conf_dir }}/elasticsearch.yml owner=root group={{ es_group }} mode=0660 force=yes
  register: system_change
  notify: restart elasticsearch

 #Copy the default file
 - name: Copy Default File
  become: yes
-  template: src=elasticsearch.j2 dest={{ default_file }} mode=0644 force=yes
+  template: src=elasticsearch.j2 dest={{ default_file }} owner=root group={{ es_group }} mode=0660 force=yes
  notify: restart elasticsearch

 #Copy the systemd specific file if systemd is installed
@ -30,7 +38,7 @@
  block:
    - name: Make sure destination dir exists
      file: path={{ sysd_config_file | dirname }} state=directory mode=0755
-  
+
    - name: Copy specific ElasticSearch Systemd config file
      ini_file: path={{ sysd_config_file }} section=Service option=LimitMEMLOCK value=infinity mode=0644
      notify:
@ -40,10 +48,10 @@
 #Copy the logging.yml
 - name: Copy log4j2.properties File
  become: yes
-  template: src={{ es_config_log4j2 }} dest={{ es_conf_dir }}/log4j2.properties owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src={{ es_config_log4j2 }} dest={{ es_conf_dir }}/log4j2.properties owner=root group={{ es_group }} mode=0660 force=yes
  notify: restart elasticsearch

 - name: Copy jvm.options File
  become: yes
-  template: src=jvm.options.j2 dest={{ es_conf_dir }}/jvm.options owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=jvm.options.j2 dest={{ es_conf_dir }}/jvm.options owner=root group={{ es_group }} mode=0660 force=yes
  notify: restart elasticsearch
--- a/tasks/elasticsearch-template.yml
+++ b/tasks/elasticsearch-template.yml
@ -4,11 +4,12 @@
  file:
    path: "{{ es_conf_dir }}/templates"
    state: directory
-    owner: "{{ es_user }}"
+    owner: root
    group: "{{ es_group }}"
+    mode: 2750

 - name: Copy templates to elasticsearch
-  copy: src={{ item }} dest={{ es_conf_dir }}/templates owner={{ es_user }} group={{ es_group }}
+  copy: src={{ item }} dest={{ es_conf_dir }}/templates owner=root group={{ es_group }} mode=0660
  register: load_templates
  with_fileglob:
    - "{{ es_templates_fileglob | default('') }}"
--- a/tasks/xpack/elasticsearch-xpack.yml
+++ b/tasks/xpack/elasticsearch-xpack.yml
@ -8,5 +8,4 @@
 #Make sure elasticsearch.keystore has correct Permissions
 - name: Set elasticsearch.keystore Permissions
  become: yes
-  file: state=file path={{ es_conf_dir }}/elasticsearch.keystore owner={{ es_user }} group={{ es_group }}
-  when: es_enable_xpack
+  file: state=file path={{ es_conf_dir }}/elasticsearch.keystore owner=root group={{ es_group }} mode=0660
--- a/tasks/xpack/security/elasticsearch-security-file.yml
+++ b/tasks/xpack/security/elasticsearch-security-file.yml
@ -18,7 +18,7 @@
    src: "{{ es_conf_dir }}/x-pack/users"
    dest: "{{ es_conf_dir }}/users"
    group: "{{ es_group }}"
-    owner: "{{ es_user }}"
+    owner: root
  when: old_users_file.stat.exists
 # End of users migrations

@ -95,11 +95,11 @@
 #Copy Roles files
 - name: Copy roles.yml File for Instance
  become: yes
-  template: src=security/roles.yml.j2 dest={{ es_conf_dir }}/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=security/roles.yml.j2 dest={{ es_conf_dir }}/roles.yml owner=root group={{ es_group }} mode=0660 force=yes
  when: es_roles is defined and es_roles.file is defined

 #Overwrite users_roles file
 - name: Copy User Roles
  become: yes
-  template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles owner=root group={{ es_group }} mode=0660 force=yes
  when: manage_file_users and users_roles | length > 0
--- a/tasks/xpack/security/elasticsearch-security.yml
+++ b/tasks/xpack/security/elasticsearch-security.yml
@ -46,5 +46,5 @@
 #Copy Roles files
 - name: Copy role_mapping.yml File for Instance
  become: yes
-  template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}/role_mapping.yml owner=root group={{ es_group }} mode=0660 force=yes
  when: es_role_mapping is defined