santerikainulainen/ansible-role-elasticsearch
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #223 from gingerwizard/master

Browse source 
Support for Activating License
This commit is contained in:
Dale McDiarmid 2017-01-05 14:50:10 +00:00 committed by GitHub
commit a00f07e105
21 changed files with 93 additions and 48 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -1,4 +1,5 @@
.kitchen/ .kitchen/
license.json
*.pyc *.pyc
.vendor .vendor
.bundle .bundle

14
.kitchen.yml
View file

@ -22,6 +22,18 @@ platforms:
- apt-get update && apt-get install -y software-properties-common && add-apt-repository -y ppa:ansible/ansible - apt-get update && apt-get install -y software-properties-common && add-apt-repository -y ppa:ansible/ansible
- apt-get update && apt-get -y -q install python-apt python-pycurl - apt-get update && apt-get -y -q install python-apt python-pycurl
use_sudo: false use_sudo: false
volume: <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json
- name: ubuntu-16.04
driver_config:
image: dliappis/ubuntu-devopsci:16.04
privileged: true
provision_command:
- apt-get update && apt-get install -y software-properties-common && add-apt-repository -y ppa:ansible/ansible
- apt-get install -y -q net-tools
- apt-get update && apt-get -y -q install python-apt python-pycurl
use_sudo: false
volume: <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json
run_command: "/sbin/init"
- name: debian-8 - name: debian-8
driver_config: driver_config:
image: dliappis/debian-devopsci:8 image: dliappis/debian-devopsci:8
@ -33,6 +45,7 @@ platforms:
- sed -ri 's/^#?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config - sed -ri 's/^#?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
- sed -ri 's/^#?PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config - sed -ri 's/^#?PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config
- sed -ri 's/^#?UsePAM .*/UsePAM no/' /etc/ssh/sshd_config - sed -ri 's/^#?UsePAM .*/UsePAM no/' /etc/ssh/sshd_config
volume: <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json
use_sudo: false use_sudo: false
run_command: "/sbin/init" run_command: "/sbin/init"
- name: centos-7 - name: centos-7
@ -45,6 +58,7 @@ platforms:
- rm /etc/yum.repos.d/epel*repo /etc/yum.repos.d/puppetlabs-pc1.repo - rm /etc/yum.repos.d/epel*repo /etc/yum.repos.d/puppetlabs-pc1.repo
- yum -y install initscripts - yum -y install initscripts
- yum clean all - yum clean all
volume: <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json
run_command: "/usr/sbin/init" run_command: "/usr/sbin/init"
privileged: true privileged: true
use_sudo: false use_sudo: false

7
handlers/main.yml
View file

@ -6,10 +6,9 @@
service: name={{instance_init_script | basename}} state=restarted enabled=yes service: name={{instance_init_script | basename}} state=restarted enabled=yes
when: es_restart_on_change and es_start_service and ((plugin_installed is defined and plugin_installed.changed) or (config_updated is defined and config_updated.changed) or (xpack_state.changed) or (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed or elasticsearch_install_from_package.changed)) when: es_restart_on_change and es_start_service and ((plugin_installed is defined and plugin_installed.changed) or (config_updated is defined and config_updated.changed) or (xpack_state.changed) or (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed or elasticsearch_install_from_package.changed))
- name: load-native-realms # All security specific actions should go in here
include: ./handlers/shield/elasticsearch-shield-native.yml - name: activate-shield
when: (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined) include: ./handlers/shield/elasticsearch-shield.yml
#Templates are a handler as they need to come after a restart e.g. suppose user removes shield on a running node and doesn't #Templates are a handler as they need to come after a restart e.g. suppose user removes shield on a running node and doesn't
#specify es_api_basic_auth_username and es_api_basic_auth_password. The templates will subsequently not be removed if we don't wait for the node to restart. #specify es_api_basic_auth_username and es_api_basic_auth_password. The templates will subsequently not be removed if we don't wait for the node to restart.

7
handlers/shield/elasticsearch-shield-native.yml
View file

@ -1,11 +1,5 @@
--- ---
- name: Ensure elasticsearch is started
service: name={{instance_init_script | basename}} state=started enabled=yes
- name: Wait for elasticsearch to startup
wait_for: host={{es_api_host}} port={{es_api_port}} delay=10
- set_fact: manage_native_users=false - set_fact: manage_native_users=false
- set_fact: manage_native_users=true - set_fact: manage_native_users=true
@ -68,6 +62,7 @@
password: "{{es_api_basic_auth_password}}" password: "{{es_api_basic_auth_password}}"
force_basic_auth: yes force_basic_auth: yes
when: manage_native_users and es_users.native.keys() > 0 when: manage_native_users and es_users.native.keys() > 0
no_log: True
with_dict: "{{es_users.native}}" with_dict: "{{es_users.native}}"
#List current roles #List current roles

14
handlers/shield/elasticsearch-shield.yml Normal file
View file

@ -0,0 +1,14 @@
---
- name: Ensure elasticsearch is started
service: name={{instance_init_script | basename}} state=started enabled=yes
- name: Wait for elasticsearch to startup
wait_for: host={{es_api_host}} port={{es_api_port}} delay=10
- name: activate-license
include: ./handlers/shield/elasticsearch-xpack-activation.yml
when: es_enable_xpack and es_xpack_license is defined and es_xpack_license != ''
- name: load-native-realms
include: ./handlers/shield/elasticsearch-shield-native.yml
when: (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)

37
handlers/shield/elasticsearch-xpack-activation.yml Normal file
View file

@ -0,0 +1,37 @@
---
- name: Activate ES license (without shield authentication)
uri:
method: PUT
url: "http://{{es_api_host}}:{{es_api_port}}/_license?acknowledge=true"
body_format: json
body: "{{ es_xpack_license }}"
return_content: yes
register: license_activated
no_log: True
when: not '"shield" in es_xpack_features'
failed_when: >
license_activated.status != 200 or
license_activated.json.license_status is not defined or
license_activated.json.license_status != 'valid'
- name: Activate ES license (with shield authentication)
uri:
method: PUT
url: "http://{{es_api_host}}:{{es_api_port}}/_license?acknowledge=true"
user: "{{es_api_basic_auth_username}}"
password: "{{es_api_basic_auth_password}}"
body_format: json
force_basic_auth: yes
body: "{{ es_xpack_license }}"
return_content: yes
register: license_activated
no_log: True
when: '"shield" in es_xpack_features'
failed_when: >
license_activated.status != 200 or
license_activated.json.license_status is not defined or
license_activated.json.license_status != 'valid'
- debug:
msg: "License: {{ license_activated.content }}"

9
tasks/java.yml
View file

@ -12,4 +12,11 @@
- name: Debian - Ensure Java is installed - name: Debian - Ensure Java is installed
apt: name={{ java }} state={{java_state}} update_cache=yes force=yes apt: name={{ java }} state={{java_state}} update_cache=yes force=yes
when: ansible_os_family == 'Debian' when: ansible_os_family == 'Debian'
- command: java -version 2>&1 | grep OpenJDK
register: open_jdk
- name: refresh the java ca-certificates
command: /var/lib/dpkg/info/ca-certificates-java.postinst configure
when: ansible_distribution == 'Ubuntu' and open_jdk.rc == 0

2
tasks/xpack/elasticsearch-xpack-install.yml
View file

@ -14,7 +14,7 @@
#Remove Plugin if installed and its not been requested or the ES version has changed #Remove Plugin if installed and its not been requested or the ES version has changed
- name: Remove {{item}} plugin - name: Remove {{item}} plugin
command: > command: >
{{es_home}}/bin/plugin remove shield {{es_home}}/bin/plugin remove {{item}}
register: xpack_state register: xpack_state
failed_when: "'ERROR' in xpack_state.stdout" failed_when: "'ERROR' in xpack_state.stdout"
changed_when: xpack_state.rc == 0 changed_when: xpack_state.rc == 0

3
tasks/xpack/elasticsearch-xpack.yml
View file

@ -5,7 +5,7 @@
#enabling xpack installs the license. Not a xpack feature and does not need to be specified - TODO: we should append it to the list if xpack is enabled and remove this #enabling xpack installs the license. Not a xpack feature and does not need to be specified - TODO: we should append it to the list if xpack is enabled and remove this
#Check if license is installed #Check if license is installed
- name: Check License is installed - name: Check License plugin is installed
shell: > shell: >
{{es_home}}/bin/plugin list | tail -n +2 | grep license {{es_home}}/bin/plugin list | tail -n +2 | grep license
register: license_installed register: license_installed
@ -50,6 +50,5 @@
- include: shield/elasticsearch-shield.yml - include: shield/elasticsearch-shield.yml
#Add any feature specific configuration here #Add any feature specific configuration here
- name: Set Plugin Directory Permissions - name: Set Plugin Directory Permissions
file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes

2
tasks/xpack/shield/elasticsearch-shield-file.yml
View file

@ -37,6 +37,7 @@
{{es_home}}/bin/shield/esusers useradd {{item}} -p {{es_users.file[item].password}} {{es_home}}/bin/shield/esusers useradd {{item}} -p {{es_users.file[item].password}}
with_items: "{{users_to_add | default([])}}" with_items: "{{users_to_add | default([])}}"
when: manage_file_users and users_to_add | length > 0 when: manage_file_users and users_to_add | length > 0
no_log: True
environment: environment:
CONF_DIR: "{{ conf_dir }}" CONF_DIR: "{{ conf_dir }}"
ES_HOME: "{{es_home}}" ES_HOME: "{{es_home}}"
@ -49,6 +50,7 @@
when: manage_file_users and es_users.file.keys() | length > 0 when: manage_file_users and es_users.file.keys() | length > 0
#Currently no easy way to figure out if the password has changed or to know what it currently is so we can skip. #Currently no easy way to figure out if the password has changed or to know what it currently is so we can skip.
changed_when: False changed_when: False
no_log: True
environment: environment:
CONF_DIR: "{{ conf_dir }}" CONF_DIR: "{{ conf_dir }}"
ES_HOME: "{{es_home}}" ES_HOME: "{{es_home}}"

2
tasks/xpack/shield/elasticsearch-shield.yml
View file

@ -11,7 +11,7 @@
#-----------------------------NATIVE BASED REALM---------------------------------------- #-----------------------------NATIVE BASED REALM----------------------------------------
# The native realm requires the node to be started so we do as a handler # The native realm requires the node to be started so we do as a handler
- command: /bin/true - command: /bin/true
notify: load-native-realms notify: activate-shield
when: (es_enable_xpack and '"shield" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)) when: (es_enable_xpack and '"shield" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
#-----------------------------ROLE MAPPING ---------------------------------------- #-----------------------------ROLE MAPPING ----------------------------------------

2
test/integration/config-1x/config.yml
View file

@ -1,2 +0,0 @@
---
- host: test-kitchen

6
test/integration/config-1x/serverspec/default_spec.rb
View file

@ -1,6 +0,0 @@
require 'config_spec'
describe 'Config Tests v 1.x' do
include_examples 'config::init', "1.7.3"
end

9
test/integration/helpers/serverspec/xpack_spec.rb
View file

@ -87,6 +87,15 @@ shared_examples 'xpack::init' do |es_version|
describe command('curl -s localhost:9200/_nodes/plugins?pretty=true -u es_admin:changeMe | grep license') do describe command('curl -s localhost:9200/_nodes/plugins?pretty=true -u es_admin:changeMe | grep license') do
its(:exit_status) { should eq 0 } its(:exit_status) { should eq 0 }
end end
#Test if x-pack is activated
describe 'x-pack activation' do
it 'should be activated and valid' do
command = command('curl -s localhost:9200/_license?pretty=true -u es_admin:changeMe')
expect(command.stdout).to match('"status" : "active"')
expect(command.exit_status).to eq(0)
end
end
describe file('/usr/share/elasticsearch/plugins/shield') do describe file('/usr/share/elasticsearch/plugins/shield') do
it { should be_directory } it { should be_directory }

2
test/integration/multi-1x/multi.yml
View file

@ -1,2 +0,0 @@
---
- host: test-kitchen

6
test/integration/multi-1x/serverspec/default_spec.rb
View file

@ -1,6 +0,0 @@
require 'multi_spec'
describe 'Multi Tests v 1.x' do
include_examples 'multi::init', "1.7.3", ["kopf","marvel"]
end

2
test/integration/package-1x/package.yaml
View file

@ -1,2 +0,0 @@
---
- host: test-kitchen

5
test/integration/package-1x/serverspec/default_spec.rb
View file

@ -1,5 +0,0 @@
require 'package_spec'
describe 'Package Tests v 1.x' do
include_examples 'package::init', "1.7.3", ["kopf","marvel"]
end

8
test/integration/standard-1x/serverspec/default_spec.rb
View file

@ -1,8 +0,0 @@
require 'standard_spec'
describe 'Standard Tests v 1.x' do
include_examples 'standard::init', "1.7.3"
end

2
test/integration/standard-1x/standard.yml
View file

@ -1,2 +0,0 @@
---
- host: test-kitchen

1
test/integration/xpack.yml
View file

@ -8,6 +8,7 @@
vars: vars:
es_templates: true es_templates: true
es_enable_xpack: true es_enable_xpack: true
es_xpack_license: "{{ lookup('file', '/tmp/license.json') }}"
es_plugins: es_plugins:
- plugin: lmenezes/elasticsearch-kopf - plugin: lmenezes/elasticsearch-kopf
version: master version: master