use files permissions from official package

2019-09-18 10:57:07 +02:00 · 2019-09-18 10:57:07 +02:00 · 9bac169862
commit 9bac169862
parent 6a1b886753
8 changed files with 34 additions and 25 deletions
--- a/tasks/elasticsearch-config.yml
+++ b/tasks/elasticsearch-config.yml
@ -1,27 +1,35 @@
 ---
 # Configure Elasticsearch Node

-#Create required directories
- name: Create Directories
+#Create conf directory
+- name: Create Configuration Directory
  become: yes
-  file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }}
+  file: path={{ es_conf_dir }} state=directory owner=root group={{ es_group }} mode=2750
+
+#Create pid directory
+- name: Create PID Directory
+  become: yes
+  file: path={{ es_pid_dir }} state=directory owner={{ es_user }} group={{ es_group }} mode=0755
+
+#Create required directories
+- name: Create Others Directories
+  become: yes
+  file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }} mode=2750
  with_items:
-    - "{{ es_pid_dir }}"
    - "{{ es_log_dir }}"
-    - "{{ es_conf_dir }}"
    - "{{ es_data_dirs }}"

 #Copy the config template
 - name: Copy Configuration File
  become: yes
-  template: src=elasticsearch.yml.j2 dest={{ es_conf_dir }}/elasticsearch.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=elasticsearch.yml.j2 dest={{ es_conf_dir }}/elasticsearch.yml owner=root group={{ es_group }} mode=0660 force=yes
  register: system_change
  notify: restart elasticsearch

 #Copy the default file
 - name: Copy Default File
  become: yes
-  template: src=elasticsearch.j2 dest={{ default_file }} mode=0644 force=yes
+  template: src=elasticsearch.j2 dest={{ default_file }} owner=root group={{ es_group }} mode=0660 force=yes
  notify: restart elasticsearch

 #Copy the systemd specific file if systemd is installed
@ -40,10 +48,10 @@
 #Copy the logging.yml
 - name: Copy log4j2.properties File
  become: yes
-  template: src={{ es_config_log4j2 }} dest={{ es_conf_dir }}/log4j2.properties owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src={{ es_config_log4j2 }} dest={{ es_conf_dir }}/log4j2.properties owner=root group={{ es_group }} mode=0660 force=yes
  notify: restart elasticsearch

 - name: Copy jvm.options File
  become: yes
-  template: src=jvm.options.j2 dest={{ es_conf_dir }}/jvm.options owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=jvm.options.j2 dest={{ es_conf_dir }}/jvm.options owner=root group={{ es_group }} mode=0660 force=yes
  notify: restart elasticsearch
--- a/tasks/elasticsearch-template.yml
+++ b/tasks/elasticsearch-template.yml
@ -4,11 +4,12 @@
  file:
    path: "{{ es_conf_dir }}/templates"
    state: directory
-    owner: "{{ es_user }}"
+    owner: root
    group: "{{ es_group }}"
+    mode: 2750

 - name: Copy templates to elasticsearch
-  copy: src={{ item }} dest={{ es_conf_dir }}/templates owner={{ es_user }} group={{ es_group }}
+  copy: src={{ item }} dest={{ es_conf_dir }}/templates owner=root group={{ es_group }} mode=0660
  register: load_templates
  with_fileglob:
    - "{{ es_templates_fileglob | default('') }}"
--- a/tasks/xpack/elasticsearch-xpack.yml
+++ b/tasks/xpack/elasticsearch-xpack.yml
@ -8,5 +8,4 @@
 #Make sure elasticsearch.keystore has correct Permissions
 - name: Set elasticsearch.keystore Permissions
  become: yes
-  file: state=file path={{ es_conf_dir }}/elasticsearch.keystore owner={{ es_user }} group={{ es_group }}
-  when: es_enable_xpack
+  file: state=file path={{ es_conf_dir }}/elasticsearch.keystore owner=root group={{ es_group }} mode=0660
--- a/tasks/xpack/security/elasticsearch-security-file.yml
+++ b/tasks/xpack/security/elasticsearch-security-file.yml
@ -18,7 +18,7 @@
    src: "{{ es_conf_dir }}/x-pack/users"
    dest: "{{ es_conf_dir }}/users"
    group: "{{ es_group }}"
-    owner: "{{ es_user }}"
+    owner: root
  when: old_users_file.stat.exists
 # End of users migrations

@ -95,11 +95,11 @@
 #Copy Roles files
 - name: Copy roles.yml File for Instance
  become: yes
-  template: src=security/roles.yml.j2 dest={{ es_conf_dir }}/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=security/roles.yml.j2 dest={{ es_conf_dir }}/roles.yml owner=root group={{ es_group }} mode=0660 force=yes
  when: es_roles is defined and es_roles.file is defined

 #Overwrite users_roles file
 - name: Copy User Roles
  become: yes
-  template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles owner=root group={{ es_group }} mode=0660 force=yes
  when: manage_file_users and users_roles | length > 0
--- a/tasks/xpack/security/elasticsearch-security.yml
+++ b/tasks/xpack/security/elasticsearch-security.yml
@ -46,5 +46,5 @@
 #Copy Roles files
 - name: Copy role_mapping.yml File for Instance
  become: yes
-  template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}/role_mapping.yml owner=root group={{ es_group }} mode=0660 force=yes
  when: es_role_mapping is defined
--- a/test/integration/helpers/serverspec/oss_spec.rb
+++ b/test/integration/helpers/serverspec/oss_spec.rb
@ -3,11 +3,11 @@ require 'spec_helper'
 shared_examples 'oss::init' do |vars|
  describe file("/etc/elasticsearch/log4j2.properties") do
    it { should be_file }
-    it { should be_owned_by 'elasticsearch' }
+    it { should be_owned_by 'root' }
    it { should_not contain 'CUSTOM LOG4J FILE' }
  end
  describe file("/etc/elasticsearch/jvm.options") do
    it { should be_file }
-    it { should be_owned_by vars['es_user'] }
+    it { should be_owned_by 'root' }
  end
 end
--- a/test/integration/helpers/serverspec/shared_spec.rb
+++ b/test/integration/helpers/serverspec/shared_spec.rb
@ -108,11 +108,11 @@ shared_examples 'shared::init' do |vars|
  if vars['es_templates']
    describe file('/etc/elasticsearch/templates') do
      it { should be_directory }
-      it { should be_owned_by vars['es_user'] }
+      it { should be_owned_by 'root' }
    end
    describe file('/etc/elasticsearch/templates/basic.json') do
      it { should be_file }
-      it { should be_owned_by vars['es_user'] }
+      it { should be_owned_by 'root' }
    end
    #This is possibly subject to format changes in the response across versions so may fail in the future
    describe 'Template Contents Correct' do
@ -152,6 +152,7 @@ shared_examples 'shared::init' do |vars|
    end
  end
  describe file("/etc/elasticsearch/elasticsearch.yml") do
+    it { should be_owned_by 'root' }
    it { should contain "node.name: localhost" }
    it { should contain 'cluster.name: elasticsearch' }
    it { should_not contain "path.conf: /etc/elasticsearch" }
--- a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb
+++ b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb
@ -5,13 +5,13 @@ vars = JSON.parse(File.read('/tmp/vars.json'))
 shared_examples 'xpack_upgrade::init' do |vars|
  #Test users file, users_roles and roles.yml
  describe file("/etc/elasticsearch/users_roles") do
-    it { should be_owned_by 'elasticsearch' }
+    it { should be_owned_by 'root' }
    it { should contain 'admin:es_admin' }
    it { should contain 'power_user:testUser' }
  end

  describe file("/etc/elasticsearch/users") do
-    it { should be_owned_by 'elasticsearch' }
+    it { should be_owned_by 'root' }
    it { should contain 'testUser:' }
    it { should contain 'es_admin:' }
  end
@ -37,7 +37,7 @@ shared_examples 'xpack_upgrade::init' do |vars|

  #Test contents of role_mapping.yml
  describe file("/etc/elasticsearch/role_mapping.yml") do
-    it { should be_owned_by 'elasticsearch' }
+    it { should be_owned_by 'root' }
    it { should contain 'power_user:' }
    it { should contain '- cn=admins,dc=example,dc=com' }
    it { should contain 'user:' }