diff --git a/.gitignore b/.gitignore
index 7a4be3e..bdcfa29 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 .kitchen/
+license.json
 *.pyc
 .vendor
 .bundle
diff --git a/.kitchen.yml b/.kitchen.yml
index 98adee0..0284b0b 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -22,6 +22,18 @@ platforms:
 - apt-get update && apt-get install -y software-properties-common && add-apt-repository -y ppa:ansible/ansible
 - apt-get update && apt-get -y -q install python-apt python-pycurl
 use_sudo: false
+ volume: <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json
+ - name: ubuntu-16.04
+ driver_config:
+ image: dliappis/ubuntu-devopsci:16.04
+ privileged: true
+ provision_command:
+ - apt-get update && apt-get install -y software-properties-common && add-apt-repository -y ppa:ansible/ansible
+ - apt-get install -y -q net-tools
+ - apt-get update && apt-get -y -q install python-apt python-pycurl
+ use_sudo: false
+ volume: <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json
+ run_command: "/sbin/init"
 - name: debian-8
 driver_config:
 image: dliappis/debian-devopsci:8
@@ -33,6 +45,7 @@ platforms:
 - sed -ri 's/^#?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
 - sed -ri 's/^#?PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config
 - sed -ri 's/^#?UsePAM .*/UsePAM no/' /etc/ssh/sshd_config
+ volume: <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json
 use_sudo: false
 run_command: "/sbin/init"
 - name: centos-7
@@ -45,6 +58,7 @@ platforms:
 - rm /etc/yum.repos.d/epel*repo /etc/yum.repos.d/puppetlabs-pc1.repo
 - yum -y install initscripts
 - yum clean all
+ volume: <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json
 run_command: "/usr/sbin/init"
 privileged: true
 use_sudo: false
diff --git a/handlers/main.yml b/handlers/main.yml
index ac960ef..00df18e 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
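Review bot: The `volume:` line added to the first platform's driver_config in the `@@ -22,6 +22,18 @@` hunk renders as `:/tmp/license.json` when ES_XPACK_LICENSE_FILE is unset, which is not a valid bind-mount specification, so every platform fails to converge for a contributor who has no license file; the same line is added for ubuntu-16.04 in this hunk and in the debian-8 (`@@ -33,6 +45,7 @@`) and centos-7 (`@@ -45,6 +58,7 @@`) hunks. Wrapping each occurrence in an ERB guard, `<% if ENV['ES_XPACK_LICENSE_FILE'] %>` before and `<% end %>` after the `volume:` line, keeps .kitchen.yml usable without the variable. Assigning the spec once to an ERB local near the top of the file would also avoid repeating the path four times. The `platforms:` mapping these hunks belong to starts outside the hunk.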
@@ -6,10 +6,9 @@
 service: name={{instance_init_script | basename}} state=restarted enabled=yes
 when: es_restart_on_change and es_start_service and ((plugin_installed is defined and plugin_installed.changed) or (config_updated is defined and config_updated.changed) or (xpack_state.changed) or (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed or elasticsearch_install_from_package.changed))
-- name: load-native-realms
- include: ./handlers/shield/elasticsearch-shield-native.yml
- when: (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)
-
+# All security specific actions should go in here
+- name: activate-shield
+ include: ./handlers/shield/elasticsearch-shield.yml
 #Templates are a handler as they need to come after a restart e.g. suppose user removes shield on a running node and doesn't
 #specify es_api_basic_auth_username and es_api_basic_auth_password. The templates will subsequently not be removed if we don't wait for the node to restart.
diff --git a/handlers/shield/elasticsearch-shield-native.yml b/handlers/shield/elasticsearch-shield-native.yml
index 02b9b02..d545394 100644
--- a/handlers/shield/elasticsearch-shield-native.yml
+++ b/handlers/shield/elasticsearch-shield-native.yml
@@ -1,11 +1,5 @@
 ---
-- name: Ensure elasticsearch is started
- service: name={{instance_init_script | basename}} state=started enabled=yes
-
-- name: Wait for elasticsearch to startup
- wait_for: host={{es_api_host}} port={{es_api_port}} delay=10
-
 - set_fact: manage_native_users=false
 - set_fact: manage_native_users=true
@@ -68,6 +62,7 @@
 password: "{{es_api_basic_auth_password}}"
 force_basic_auth: yes
 when: manage_native_users and es_users.native.keys() > 0
+ no_log: True
 with_dict: "{{es_users.native}}"
 #List current roles
diff --git a/handlers/shield/elasticsearch-shield.yml b/handlers/shield/elasticsearch-shield.yml
new file mode 100644
index 0000000..61620b3
--- /dev/null
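Review bot: `when: manage_native_users and es_users.native.keys() > 0`, the context line directly above the added `no_log: True` in the `@@ -68,6 +62,7 @@` hunk, compares a list of keys with an integer; under Python 2 that comparison is always true and under Python 3 it raises TypeError, so the guard does not skip on an empty `native` mapping. The file-realm tasks touched by this same commit already use `es_users.file.keys() | length > 0`; writing `when: manage_native_users and es_users.native.keys() | length > 0` here makes the check real and consistent with them. The task this hunk belongs to starts outside the hunk.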
+++ b/handlers/shield/elasticsearch-shield.yml
@@ -0,0 +1,14 @@
+---
+- name: Ensure elasticsearch is started
+ service: name={{instance_init_script | basename}} state=started enabled=yes
+
+- name: Wait for elasticsearch to startup
+ wait_for: host={{es_api_host}} port={{es_api_port}} delay=10
+
+- name: activate-license
+ include: ./handlers/shield/elasticsearch-xpack-activation.yml
+ when: es_enable_xpack and es_xpack_license is defined and es_xpack_license != ''
+
+- name: load-native-realms
+ include: ./handlers/shield/elasticsearch-shield-native.yml
+ when: (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)
\ No newline at end of file
diff --git a/handlers/shield/elasticsearch-xpack-activation.yml b/handlers/shield/elasticsearch-xpack-activation.yml
new file mode 100644
index 0000000..948bd83
--- /dev/null
+++ b/handlers/shield/elasticsearch-xpack-activation.yml
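Review bot: The `activate-license` include can only run when the `activate-shield` handler is notified, and the only notify in this commit (the `notify: activate-shield` hunk in tasks/xpack/shield/elasticsearch-shield.yml) is conditioned on native users or roles being defined, so a node that sets `es_xpack_license` but has no native users or roles never has its license uploaded and the `when:` on the include is never evaluated. That notify also lives in the shield task file, which makes the unauthenticated activation path in elasticsearch-xpack-activation.yml unreachable from here. Either add a second notify from the x-pack tasks guarded by `when: es_enable_xpack and es_xpack_license is defined and es_xpack_license != ''`, or keep license activation as a handler of its own so it is not tied to the native realm.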
@@ -0,0 +1,37 @@
+---
+
+- name: Activate ES license (without shield authentication)
+ uri:
+ method: PUT
+ url: "http://{{es_api_host}}:{{es_api_port}}/_license?acknowledge=true"
+ body_format: json
+ body: "{{ es_xpack_license }}"
+ return_content: yes
+ register: license_activated
+ no_log: True
+ when: not '"shield" in es_xpack_features'
+ failed_when: >
+ license_activated.status != 200 or
+ license_activated.json.license_status is not defined or
+ license_activated.json.license_status != 'valid'
+
+- name: Activate ES license (with shield authentication)
+ uri:
+ method: PUT
+ url: "http://{{es_api_host}}:{{es_api_port}}/_license?acknowledge=true"
+ user: "{{es_api_basic_auth_username}}"
+ password: "{{es_api_basic_auth_password}}"
+ body_format: json
+ force_basic_auth: yes
+ body: "{{ es_xpack_license }}"
+ return_content: yes
+ register: license_activated
+ no_log: True
+ when: '"shield" in es_xpack_features'
+ failed_when: >
+ license_activated.status != 200 or
+ license_activated.json.license_status is not defined or
+ license_activated.json.license_status != 'valid'
+
+- debug:
+ msg: "License: {{ license_activated.content }}"
diff --git a/tasks/java.yml b/tasks/java.yml
index ed7247f..ed49fb1 100644
--- a/tasks/java.yml
+++ b/tasks/java.yml
@@ -12,4 +12,11 @@
 - name: Debian - Ensure Java is installed
 apt: name={{ java }} state={{java_state}} update_cache=yes force=yes
- when: ansible_os_family == 'Debian'
\ No newline at end of file
+ when: ansible_os_family == 'Debian'
+
+- command: java -version 2>&1 | grep OpenJDK
+ register: open_jdk
+
+- name: refresh the java ca-certificates
+ command: /var/lib/dpkg/info/ca-certificates-java.postinst configure
+ when: ansible_distribution == 'Ubuntu' and open_jdk.rc == 0
\ No newline at end of file
diff --git a/tasks/xpack/elasticsearch-xpack-install.yml b/tasks/xpack/elasticsearch-xpack-install.yml
index 77ddc58..d7b08d3 100644
--- a/tasks/xpack/elasticsearch-xpack-install.yml
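Review bot: `when: not '"shield" in es_xpack_features'` on the "without shield authentication" task negates a Jinja string literal, which is never false, so that task is always skipped; the second task's `when: '"shield" in es_xpack_features'` works only because there the single quotes are YAML quoting and the bare expression is what gets evaluated. Writing the first condition as `when: '"shield" not in es_xpack_features'` gives the intended complementary test. Both tasks `register: license_activated`, and a skipped task still registers a result, so once the first task can run the skipped second task overwrites the successful response and the closing `debug` reads `license_activated.content` from a result that has no such key. Registering the two tasks to different names, or guarding the debug with `when: license_activated.content is defined`, avoids that.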
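Review bot: `- command: java -version 2>&1 | grep OpenJDK` uses the `command` module, which does not invoke a shell, so `2>&1` and `| grep OpenJDK` are handed to java as literal arguments and no pipe ever runs. The task also has no `failed_when` or `changed_when`, so a non-OpenJDK runtime (grep exiting 1) aborts the play instead of just leaving `open_jdk.rc` non-zero, and every run reports a change. Use `shell: java -version 2>&1 | grep OpenJDK` together with `changed_when: false` and `failed_when: false`, which is what the `open_jdk.rc == 0` check on the following task expects. A `name:` on the task would match the other tasks in the file.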
+++ b/tasks/xpack/elasticsearch-xpack-install.yml
@@ -14,7 +14,7 @@
 #Remove Plugin if installed and its not been requested or the ES version has changed
 - name: Remove {{item}} plugin
 command: >
- {{es_home}}/bin/plugin remove shield
+ {{es_home}}/bin/plugin remove {{item}}
 register: xpack_state
 failed_when: "'ERROR' in xpack_state.stdout"
 changed_when: xpack_state.rc == 0
diff --git a/tasks/xpack/elasticsearch-xpack.yml b/tasks/xpack/elasticsearch-xpack.yml
index 327f63c..07b68d3 100644
--- a/tasks/xpack/elasticsearch-xpack.yml
+++ b/tasks/xpack/elasticsearch-xpack.yml
@@ -5,7 +5,7 @@
 #enabling xpack installs the license. Not a xpack feature and does not need to be specified - TODO: we should append it to the list if xpack is enabled and remove this
 #Check if license is installed
-- name: Check License is installed
+- name: Check License plugin is installed
 shell: >
 {{es_home}}/bin/plugin list | tail -n +2 | grep license
 register: license_installed
@@ -50,6 +50,5 @@
 - include: shield/elasticsearch-shield.yml
 #Add any feature specific configuration here
-
 - name: Set Plugin Directory Permissions
 file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes
\ No newline at end of file
diff --git a/tasks/xpack/shield/elasticsearch-shield-file.yml b/tasks/xpack/shield/elasticsearch-shield-file.yml
index d2a2c20..380f289 100644
--- a/tasks/xpack/shield/elasticsearch-shield-file.yml
+++ b/tasks/xpack/shield/elasticsearch-shield-file.yml
@@ -37,6 +37,7 @@
 {{es_home}}/bin/shield/esusers useradd {{item}} -p {{es_users.file[item].password}}
 with_items: "{{users_to_add | default([])}}"
 when: manage_file_users and users_to_add | length > 0
+ no_log: True
 environment:
 CONF_DIR: "{{ conf_dir }}"
 ES_HOME: "{{es_home}}"
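Review bot: `no_log: True` on the `esusers useradd {{item}} -p {{es_users.file[item].password}}` task in the `@@ -37,6 +37,7 @@` hunk keeps the password out of Ansible's output and logs, but the password is still passed as a command-line argument and so remains visible in the node's process table to any local user for as long as the command runs; the same applies to the password task in the `@@ -49,6 +50,7 @@` hunk below. A comment above the added line, `# no_log hides the password from Ansible output only; it is still visible in the process list while esusers runs`, records that limit for the next maintainer. The task this hunk belongs to starts outside the hunk.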
@@ -49,6 +50,7 @@
 when: manage_file_users and es_users.file.keys() | length > 0
 #Currently no easy way to figure out if the password has changed or to know what it currently is so we can skip.
 changed_when: False
+ no_log: True
 environment:
 CONF_DIR: "{{ conf_dir }}"
 ES_HOME: "{{es_home}}"
diff --git a/tasks/xpack/shield/elasticsearch-shield.yml b/tasks/xpack/shield/elasticsearch-shield.yml
index 35abd3a..e464c76 100644
--- a/tasks/xpack/shield/elasticsearch-shield.yml
+++ b/tasks/xpack/shield/elasticsearch-shield.yml
@@ -11,7 +11,7 @@
 #-----------------------------NATIVE BASED REALM----------------------------------------
 # The native realm requires the node to be started so we do as a handler
 - command: /bin/true
- notify: load-native-realms
+ notify: activate-shield
 when: (es_enable_xpack and '"shield" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
 #-----------------------------ROLE MAPPING ----------------------------------------
diff --git a/test/integration/config-1x/config.yml b/test/integration/config-1x/config.yml
deleted file mode 100644
index a3c37e1..0000000
--- a/test/integration/config-1x/config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-- host: test-kitchen
diff --git a/test/integration/config-1x/serverspec/default_spec.rb b/test/integration/config-1x/serverspec/default_spec.rb
deleted file mode 100644
index 404dd30..0000000
--- a/test/integration/config-1x/serverspec/default_spec.rb
+++ /dev/null
@@ -1,6 +0,0 @@
-require 'config_spec'
-
-describe 'Config Tests v 1.x' do
- include_examples 'config::init', "1.7.3"
-end
-
diff --git a/test/integration/helpers/serverspec/xpack_spec.rb b/test/integration/helpers/serverspec/xpack_spec.rb
index 2e315e7..2bc671d 100644
--- a/test/integration/helpers/serverspec/xpack_spec.rb
+++ b/test/integration/helpers/serverspec/xpack_spec.rb
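Review bot: In the `when:` line directly below the new `notify: activate-shield`, `'"shield" in es_xpack_features'` is a quoted string embedded in a larger Jinja expression, so it is a non-empty literal that is always true and the shield-feature check is not actually performed; the notify fires on `es_enable_xpack` and the native users/roles test alone. Unquoting it, `when: (es_enable_xpack and "shield" in es_xpack_features) and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))`, makes the check real. This may be harmless today if the file is only included when shield is enabled, but the condition should not read as a check it does not make.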
@@ -87,6 +87,15 @@ shared_examples 'xpack::init' do |es_version|
 describe command('curl -s localhost:9200/_nodes/plugins?pretty=true -u es_admin:changeMe | grep license') do
 its(:exit_status) { should eq 0 }
 end
+
+ #Test if x-pack is activated
+ describe 'x-pack activation' do
+ it 'should be activated and valid' do
+ command = command('curl -s localhost:9200/_license?pretty=true -u es_admin:changeMe')
+ expect(command.stdout).to match('"status" : "active"')
+ expect(command.exit_status).to eq(0)
+ end
+ end
 describe file('/usr/share/elasticsearch/plugins/shield') do
 it { should be_directory }
diff --git a/test/integration/multi-1x/multi.yml b/test/integration/multi-1x/multi.yml
deleted file mode 100644
index a3c37e1..0000000
--- a/test/integration/multi-1x/multi.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-- host: test-kitchen
diff --git a/test/integration/multi-1x/serverspec/default_spec.rb b/test/integration/multi-1x/serverspec/default_spec.rb
deleted file mode 100644
index 4fbbceb..0000000
--- a/test/integration/multi-1x/serverspec/default_spec.rb
+++ /dev/null
@@ -1,6 +0,0 @@
-require 'multi_spec'
-
-
-describe 'Multi Tests v 1.x' do
- include_examples 'multi::init', "1.7.3", ["kopf","marvel"]
-end
\ No newline at end of file
diff --git a/test/integration/package-1x/package.yaml b/test/integration/package-1x/package.yaml
deleted file mode 100644
index a3c37e1..0000000
--- a/test/integration/package-1x/package.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-- host: test-kitchen
diff --git a/test/integration/package-1x/serverspec/default_spec.rb b/test/integration/package-1x/serverspec/default_spec.rb
deleted file mode 100644
index b22af05..0000000
--- a/test/integration/package-1x/serverspec/default_spec.rb
+++ /dev/null
@@ -1,5 +0,0 @@
-require 'package_spec'
-
-describe 'Package Tests v 1.x' do
- include_examples 'package::init', "1.7.3", ["kopf","marvel"]
-end
\ No newline at end of file
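Review bot: In the added `it 'should be activated and valid'` block, `command = command('curl ...')` shadows the Serverspec `command` helper with a local variable of the same name; Ruby resolves the right-hand side as a method call because of the argument list, but the line reads as self-referential and is easy to misread. A neutral name, `license = command('curl -s localhost:9200/_license?pretty=true -u es_admin:changeMe')` with `expect(license.stdout)` and `expect(license.exit_status)`, removes the ambiguity. The neighbouring examples in this file use the `describe command(...) do` / `its(:exit_status)` form, so that shape would also keep the spec uniform. The `shared_examples 'xpack::init'` block this hunk sits in starts and ends outside the hunk.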
diff --git a/test/integration/standard-1x/serverspec/default_spec.rb b/test/integration/standard-1x/serverspec/default_spec.rb
deleted file mode 100644
index 67f3c99..0000000
--- a/test/integration/standard-1x/serverspec/default_spec.rb
+++ /dev/null
@@ -1,8 +0,0 @@
-require 'standard_spec'
-
-
-describe 'Standard Tests v 1.x' do
- include_examples 'standard::init', "1.7.3"
-end
-
-
diff --git a/test/integration/standard-1x/standard.yml b/test/integration/standard-1x/standard.yml
deleted file mode 100644
index a3c37e1..0000000
--- a/test/integration/standard-1x/standard.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-- host: test-kitchen
diff --git a/test/integration/xpack.yml b/test/integration/xpack.yml
index 9ccca20..25ece50 100644
--- a/test/integration/xpack.yml
+++ b/test/integration/xpack.yml
@@ -8,6 +8,7 @@
 vars:
 es_templates: true
 es_enable_xpack: true
+ es_xpack_license: "{{ lookup('file', '/tmp/license.json') }}"
 es_plugins:
 - plugin: lmenezes/elasticsearch-kopf
 version: master