Initial Shield support + latest gems + single plugin dir + new port/host vars

tasks/checkParameters.yml

@@ -1,22 +0,0 @@
-# Check for mandatory parameters
-
-- fail: msg="es_instance_name must be specified and cannot be blank"
-  when: es_instance_name is not defined or es_instance_name == ''
-
-- fail: msg="es_proxy_port must be specified and cannot be blank when es_proxy_host is defined"
-  when: (es_proxy_port is not defined or es_proxy_port == '') and (es_proxy_host is defined and es_proxy_host != '')
-
-- set_fact: multi_cast={{ (es_version | version_compare('2.0', '<') and es_config['discovery.zen.ping.multicast.enabled'] is not defined) or (es_config['discovery.zen.ping.multicast.enabled'] is defined and es_config['discovery.zen.ping.multicast.enabled'])}}
-
-- debug: msg="WARNING - It is recommended you specify the parameter 'http.port' when multicast is disabled"
-  when: not multi_cast and es_config['http.port'] is not defined
-
-- debug: msg="WARNING - It is recommended you specify the parameter 'transport.tcp.port' when multicast is disabled"
-  when: not multi_cast and es_config['transport.tcp.port'] is not defined
-
-- debug: msg="WARNING - It is recommended you specify the parameter 'discovery.zen.ping.unicast.hosts' when multicast is disabled"
-  when: not multi_cast and es_config['discovery.zen.ping.unicast.hosts'] is not defined
-
-#If the user attempts to lock memory they must specify a heap size
-- fail: msg="If locking memory with bootstrap.mlockall a heap size must be specified"
-  when: es_config['bootstrap.mlockall'] is defined and es_config['bootstrap.mlockall'] == True and es_heap_size is not defined

tasks/elasticsearch-config.yml

@@ -1,42 +1,6 @@
 ---
-
 # Configure Elasticsearch Node
 
-#Use systemd for the following distributions:
-#
-#Ubuntu 15 and up
-#Debian 8 and up
-#Centos 7 and up
-#Relies on elasticsearch distribution installing a serviced script to determine whether one should be copied.
-
-
-- set_fact: use_system_d={{(ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', '>=')) or (ansible_distribution == 'CentOS' and ansible_distribution_version | version_compare('7', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version | version_compare('15', '>=')) }}
-  tags:
-      - always
-
-- set_fact: instance_sysd_script={{sysd_script | dirname }}/{{es_instance_name}}_{{sysd_script | basename}}
-  when: use_system_d
-  tags:
-      - always
-
-#For directories we also use the {{inventory_hostname}}-{{ es_instance_name }} - this helps if we have a shared SAN.
-
-- set_fact: instance_suffix={{inventory_hostname}}-{{ es_instance_name }}
-  tags:
-      - always
-
-- set_fact: pid_dir={{ es_pid_dir }}/{{instance_suffix}}
-  tags:
-      - always
-
-- set_fact: log_dir={{ es_log_dir }}/{{instance_suffix}}
-  tags:
-      - always
-
-- set_fact: work_dir={{ es_work_dir }}/{{instance_suffix}}
-  tags:
-      - always
-
 #Create required directories
 - name: Create Directories
   file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }}
@@ -45,11 +9,6 @@
     - "{{work_dir}}"
     - "{{log_dir}}"
     - "{{conf_dir}}"
-    - "{{plugin_dir}}"
-
-- set_fact: data_dirs={{ es_data_dirs | append_to_list('/'+instance_suffix) }}
-  tags:
-      - always
 
 - name: Create Data Directories
   file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }}
@@ -112,4 +71,3 @@
 - name: Delete Default Logging File
   file: dest=/etc/elasticsearch/logging.yml state=absent
 
-- debug: msg="Data Dirs {{data_dirs}}"

tasks/elasticsearch-parameters.yml

@@ -0,0 +1,50 @@
+# Check for mandatory parameters
+
+- fail: msg="es_instance_name must be specified and cannot be blank"
+  when: es_instance_name is not defined or es_instance_name == ''
+
+- fail: msg="es_proxy_port must be specified and cannot be blank when es_proxy_host is defined"
+  when: (es_proxy_port is not defined or es_proxy_port == '') and (es_proxy_host is defined and es_proxy_host != '')
+
+- set_fact: multi_cast={{ (es_version | version_compare('2.0', '<') and es_config['discovery.zen.ping.multicast.enabled'] is not defined) or (es_config['discovery.zen.ping.multicast.enabled'] is defined and es_config['discovery.zen.ping.multicast.enabled'])}}
+
+- debug: msg="WARNING - It is recommended you specify the parameter 'http.port' when multicast is disabled"
+  when: not multi_cast and es_config['http.port'] is not defined
+
+- debug: msg="WARNING - It is recommended you specify the parameter 'transport.tcp.port' when multicast is disabled"
+  when: not multi_cast and es_config['transport.tcp.port'] is not defined
+
+- debug: msg="WARNING - It is recommended you specify the parameter 'discovery.zen.ping.unicast.hosts' when multicast is disabled"
+  when: not multi_cast and es_config['discovery.zen.ping.unicast.hosts'] is not defined
+
+#If the user attempts to lock memory they must specify a heap size
+- fail: msg="If locking memory with bootstrap.mlockall a heap size must be specified"
+  when: es_config['bootstrap.mlockall'] is defined and es_config['bootstrap.mlockall'] == True and es_heap_size is not defined
+
+#Check if working with shield we have an es_api_basic_auth_username and es_api_basic_auth_username - otherwise any http calls wont work
+- fail: msg="Enabling shield requires an es_api_basic_auth_username and es_api_basic_auth_password to be provided to allow cluster operations"
+  when: es_enable_xpack and '"shield" in es_xpack_features' and es_api_basic_auth_username is not defined and es_api_basic_auth_username is not defined
+
+- set_fact: instance_default_file={{default_file | dirname}}/{{es_instance_name}}_{{default_file | basename}}
+- set_fact: instance_init_script={{init_script | dirname }}/{{es_instance_name}}_{{init_script | basename}}
+- set_fact: conf_dir={{ es_conf_dir }}/{{es_instance_name}}
+- set_fact: m_lock_enabled={{ es_config['bootstrap.mlockall'] is defined and es_config['bootstrap.mlockall'] == True }}
+
+#Use systemd for the following distributions:
+#Ubuntu 15 and up
+#Debian 8 and up
+#Centos 7 and up
+#Relies on elasticsearch distribution installing a serviced script to determine whether one should be copied.
+
+
+- set_fact: use_system_d={{(ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', '>=')) or (ansible_distribution == 'CentOS' and ansible_distribution_version | version_compare('7', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version | version_compare('15', '>=')) }}
+
+- set_fact: instance_sysd_script={{sysd_script | dirname }}/{{es_instance_name}}_{{sysd_script | basename}}
+  when: use_system_d
+#For directories we also use the {{inventory_hostname}}-{{ es_instance_name }} - this helps if we have a shared SAN.
+
+- set_fact: instance_suffix={{inventory_hostname}}-{{ es_instance_name }}
+- set_fact: pid_dir={{ es_pid_dir }}/{{instance_suffix}}
+- set_fact: log_dir={{ es_log_dir }}/{{instance_suffix}}
+- set_fact: work_dir={{ es_work_dir }}/{{instance_suffix}}
+- set_fact: data_dirs={{ es_data_dirs | append_to_list('/'+instance_suffix) }}

tasks/elasticsearch-plugins.yml

@@ -4,24 +4,20 @@
 # i.e. we have changed ES version(or we have clean installation of ES), or if no plugins listed. Otherwise it is false and requires explicitly setting.
 - set_fact: es_plugins_reinstall=true
   when: ((elasticsearch_install_from_package is defined and elasticsearch_install_from_repo.changed) or (elasticsearch_install_from_package is defined and elasticsearch_install_from_package.changed)) or es_plugins is not defined or es_plugins is none
-  tags:
-      - always
 
 - set_fact: list_command="list"
-  tags:
-      - always
+
 - set_fact: list_command="--list"
   when: es_version | version_compare('2.0', '<')
-  tags:
-      - always
 
 #List currently installed plugins
 - shell: "{{es_home}}/bin/plugin {{list_command}} | sed -n '1!p' | cut -d '-' -f2-"
   register: installed_plugins
   changed_when: False
+  ignore_errors: yes
   environment:
-      CONF_DIR: "{{ conf_dir }}"
-      ES_INCLUDE: "{{ instance_default_file }}"
+    CONF_DIR: "{{ conf_dir }}"
+    ES_INCLUDE: "{{ instance_default_file }}"
 
 #This needs to removes any currently installed plugins
 - name: Remove elasticsearch plugins
@@ -50,4 +46,4 @@
 
 #Set permissions on plugins directory
 - name: Set Plugin Directory Permissions
-  file: state=directory path={{ plugin_dir }} owner={{ es_user }} group={{ es_group }} recurse=yes
+  file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes

tasks/elasticsearch-shield.yml

@@ -1,3 +0,0 @@
----
-
-

tasks/elasticsearch-templates.yml

@@ -12,22 +12,13 @@
   with_fileglob:
     - "{{ es_templates_fileglob }}"
 
-- set_fact: http_port=9200
-  tags:
-      - always
-
-- set_fact: http_port={{es_config['http.port']}}
-  when: es_config['http.port'] is defined
-  tags:
-      - always
-
 - name: Wait for elasticsearch to startup
-  wait_for: port={{http_port}} delay=10
+  wait_for: port={{es_api_port}} delay=10
 
 - name: Get template files 
   shell: find . -maxdepth 1 -type f | sed "s#\./##" | sed "s/.json//" chdir=/etc/elasticsearch/templates
   register: resultstemplate
 
 - name: Install template(s)
-  command: "curl -sL -XPUT http://localhost:{{http_port}}/_template/{{item}} -d @/etc/elasticsearch/templates/{{item}}.json"
+  command: "curl -sL -XPUT http://{{es_api_host}}:{{es_api_port}}/_template/{{item}} -d @/etc/elasticsearch/templates/{{item}}.json"
   with_items: "{{ resultstemplate.stdout_lines }}"

tasks/elasticsearch.yml

@@ -1,24 +1,6 @@
 ---
 
-- set_fact: instance_default_file={{default_file | dirname}}/{{es_instance_name}}_{{default_file | basename}}
-  tags:
-      - always
-- set_fact: instance_init_script={{init_script | dirname }}/{{es_instance_name}}_{{init_script | basename}}
-  tags:
-      - always
-- set_fact: conf_dir={{ es_conf_dir }}/{{es_instance_name}}
-  tags:
-      - always
-- set_fact: plugin_dir={{ es_plugin_dir }}/{{es_instance_name}}
-  tags:
-      - always
-- set_fact: m_lock_enabled={{ es_config['bootstrap.mlockall'] is defined and es_config['bootstrap.mlockall'] == True }}
-  tags:
-      - always
-
-- debug: msg="Node configuration {{ es_config }} "
-
-- name: Include optional user and group creation. 
+- name: Include optional user and group creation.
   when: (es_user_id is defined) and (es_group_id is defined)
   include: elasticsearch-optional-user.yml
 

tasks/main.yml

@@ -1,12 +1,14 @@
 ---
-- name: check-parameters
-  include: checkParameters.yml
-  tags:
-      - check
 - name: os-specific vars
   include_vars: "{{ansible_os_family}}.yml"
   tags:
       - always
+
+- name: check-set-parameters
+  include: elasticsearch-parameters.yml
+  tags:
+      - always
+
 - include: java.yml
   when: es_java_install
   tags:
@@ -25,10 +27,10 @@
   when: es_plugins is defined or es_plugins_reinstall
   tags:
       - plugins
-- include: elasticsearch-shield.yml
-  when: es_install_shield
+- include: xpack/elasticsearch-xpack.yml
+  when: es_enable_xpack
   tags:
-      - shield
+      - xpack
 - include: elasticsearch-service.yml
   tags:
       - service

tasks/xpack/elasticsearch-shield-file.yml

@@ -0,0 +1,62 @@
+---
+
+- set_fact: manage_file_users=false
+
+- set_fact: manage_file_users=true
+  when: es_users is defined and es_users.file is defined
+
+#List current users
+- name: List Users
+  shell: cat {{conf_dir}}/shield/users | awk -F':' '{print $1}'
+  register: current_file_users
+  when: manage_file_users
+
+- set_fact: users_to_remove={{ current_file_users.stdout_lines | difference ( es_users.file.keys()  ) }}
+  when: manage_file_users
+
+#Remove users
+- name: Remove Users
+  command: >
+    {{es_home}}/bin/shield/esusers userdel {{item}}
+  when: manage_file_users and (users_to_remove | length > 0)
+  with_items: "{{users_to_remove}}"
+  environment:
+    CONF_DIR: "{{ conf_dir }}"
+    ES_HOME: "{{es_home}}"
+
+
+#Add users
+- name: Add Users
+  command: >
+    {{es_home}}/bin/shield/esusers useradd {{item.key}} -p {{item.value.password}}
+  with_dict: "{{es_users.file}}"
+  when: manage_file_users and es_users.file.keys() | length > 0
+  environment:
+    CONF_DIR: "{{ conf_dir }}"
+    ES_HOME: "{{es_home}}"
+
+#Set passwords for all users declared - Required as the useradd will not change existing user passwords
+- name: Set User Passwords
+  command: >
+    {{es_home}}/bin/shield/esusers passwd {{item.key}} -p {{item.value.password}}
+  with_dict: "{{es_users.file}}"
+  when: manage_file_users and es_users.file.keys() | length > 0
+  environment:
+    CONF_DIR: "{{ conf_dir }}"
+    ES_HOME: "{{es_home}}"
+
+- set_fact: users_roles={{es_users.file | extract_role_users}}
+  when: manage_file_users
+
+#Copy Roles files
+- name: Copy roles.yml File for Instance
+  template: src=shield/roles.yml.j2 dest={{conf_dir}}/shield/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  when: es_roles is defined and es_roles.file is defined
+
+#Overwrite users_roles file
+- name: Copy User Roles
+  template: src=shield/users_roles.j2 dest={{conf_dir}}/shield/users_roles mode=0644 force=yes
+  when: manage_file_users and users_roles | length > 0
+
+#TODO: Support for mapping file
+

tasks/xpack/elasticsearch-shield.yml

@@ -0,0 +1,45 @@
+---
+
+#Test if we need to install shield
+
+- shell: "{{es_home}}/bin/plugin list | sed -n '1!p' | grep shield"
+  register: shield_installed
+  changed_when: False
+  ignore_errors: yes
+  environment:
+    CONF_DIR: "{{ conf_dir }}"
+    ES_INCLUDE: "{{ instance_default_file }}"
+
+
+#Install Shield if not installed
+- name: Install shield plugin
+  command: >
+    {{es_home}}/bin/plugin install shield
+  register: shield
+  failed_when: "'ERROR' in shield_installed.stdout"
+  changed_when: shield.rc == 1
+  when: shield_installed.rc == 1
+  notify: restart elasticsearch
+  environment:
+    CONF_DIR: "{{ conf_dir }}"
+    ES_INCLUDE: "{{ instance_default_file }}"
+
+#TODO: 1. Skip users with no password defined or error 2. Passwords | length > 6
+
+
+#Ensure shield conf directory is created
+- name: Ensure shield conf directory exists
+  file: path={{ conf_dir }}/shield state=directory owner={{ es_user }} group={{ es_group }}
+
+#-----------------------------FILE BASED REALM----------------------------------------
+
+- include: elasticsearch-shield-file.yml
+  when: (es_users is defined and es_users.file) or (es_roles is defined and es_roles.file is defined)
+
+#-----------------------------NATIVE BASED REALM----------------------------------------
+# The native realm requires the node to be started so we do as a handler
+- command: /bin/true
+  notify: load-native-realms
+  when: (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)
+
+

tasks/xpack/elasticsearch-xpack.yml

@@ -0,0 +1,33 @@
+---
+#Check if license is installed
+- name: Check License is installed
+  shell: >
+    {{es_home}}/bin/plugin list | tail -n +2 | grep license
+  register: license_installed
+  ignore_errors: yes
+  changed_when: False
+  environment:
+    CONF_DIR: "{{ conf_dir }}"
+    ES_INCLUDE: "{{ instance_default_file }}"
+
+#Install License if not installed
+- name: Install license plugin
+  command: >
+    {{es_home}}/bin/plugin install license
+  register: license
+  failed_when: "'ERROR' in license_installed  .stdout"
+  changed_when: license.rc == 1
+  when: license_installed.rc == 1
+  notify: restart elasticsearch
+  environment:
+    CONF_DIR: "{{ conf_dir }}"
+    ES_INCLUDE: "{{ instance_default_file }}"
+
+
+- name: Set Plugin Directory Permissions
+  file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes
+
+- include: elasticsearch-shield.yml
+  when: '"shield" in es_xpack_features'
+
+#Any other xpacks plugins requiring configuration to be entered here