diff --git a/files/system_key b/files/system_key
new file mode 100644
index 0000000..9196291
Binary files /dev/null and b/files/system_key differ
diff --git a/tasks/xpack/shield/elasticsearch-shield.yml b/tasks/xpack/shield/elasticsearch-shield.yml
index 0b1a267..35abd3a 100644
--- a/tasks/xpack/shield/elasticsearch-shield.yml
+++ b/tasks/xpack/shield/elasticsearch-shield.yml
@@ -21,6 +21,12 @@ template: src=shield/role_mapping.yml.j2 dest={{conf_dir}}/shield/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes when: es_role_mapping is defined
+#-----------------------------AUTH FILE----------------------------------------
+
+- name: Copy message auth key to elasticsearch
+ copy: src={{ es_message_auth_file }} dest={{conf_dir}}/shield/system_key owner={{ es_user }} group={{ es_group }} mode=0600 force=yes
+ when: es_message_auth_file is defined
+
 #------------------------------------------------------------------------------------ #Ensure shield conf directory is created
diff --git a/test/integration/helpers/serverspec/xpack_spec.rb b/test/integration/helpers/serverspec/xpack_spec.rb
index 6848c9e..2e315e7 100644
--- a/test/integration/helpers/serverspec/xpack_spec.rb
+++ b/test/integration/helpers/serverspec/xpack_spec.rb
@@ -220,5 +220,16 @@ shared_examples 'xpack::init' do |es_version| it { should contain '- cn=admins,dc=example,dc=com' } end
+
+ describe file('/etc/elasticsearch/shield_node/shield/system_key') do
+ it { should be_owned_by 'elasticsearch' }
+ it { should be_writable.by('owner') }
+ it { should be_writable.by_user('elasticsearch') }
+ it { should be_readable.by('owner') }
+ it { should be_readable.by_user('elasticsearch') }
+ it { should_not be_executable }
+ #Test contents as expected
+ its(:md5sum) { should eq '6ff0e6c4380a6ac0f6e04d871c0ca5e8' }
+ end
 end
diff --git a/test/integration/xpack.yml b/test/integration/xpack.yml
index 8bfcd2b..9ccca20 100644
--- a/test/integration/xpack.yml
+++ b/test/integration/xpack.yml
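Review bot: The new copy task has no documentation saying where the key it installs must come from, and this commit simultaneously adds a key to the repository as files/system_key and selects it by name in test/integration/xpack.yml, so a reader copying the example would deploy a published secret to a real cluster. I would add above `- name: Copy message auth key to elasticsearch` the comment `# es_message_auth_file must point at a key generated for this cluster (e.g. with Shield's syskeygen); files/system_key is only the integration-test fixture and must never be deployed.` The task is also placed before the context line `#Ensure shield conf directory is created`, so unless {{conf_dir}}/shield is created earlier in the file the copy fails on a fresh host; the preceding role_mapping template shares that ordering, which suggests the directory already exists by then, but it is worth confirming. The mode=0600 and force=yes choices are right for a shared secret and should be kept.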
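Review bot: The new describe block for system_key never asserts that the file is unreadable by anyone but its owner, which is the property the task's mode=0600 exists to provide; the positive owner checks would also pass on a world-readable file. Add `it { should be_mode 600 }`, `it { should_not be_readable.by('group') }` and `it { should_not be_readable.by('others') }` next to the existing `it { should_not be_executable }`. The md5sum pin is fine for the committed fixture but must be updated whenever files/system_key changes, so the comment above it would be more useful as `#Test contents match the files/system_key test fixture`. The enclosing shared_examples 'xpack::init' block starts outside the hunk.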
@@ -16,6 +16,7 @@ - watcher es_api_basic_auth_username: es_admin es_api_basic_auth_password: changeMe
+ es_message_auth_file: system_key
 es_role_mapping: power_user: - "cn=admins,dc=example,dc=com"