Initial Shield support + latest gems + single plugin dir + new port/host vars

2016-07-22 23:44:27 +01:00 · 2016-07-22 23:44:27 +01:00 · ab592724d8
commit ab592724d8
parent 6f968bd789
28 changed files with 459 additions and 172 deletions
--- a/tasks/xpack/elasticsearch-shield-file.yml
+++ b/tasks/xpack/elasticsearch-shield-file.yml
@ -0,0 +1,62 @@
+---
+
+- set_fact: manage_file_users=false
+
+- set_fact: manage_file_users=true
+  when: es_users is defined and es_users.file is defined
+
+#List current users
+- name: List Users
+  shell: cat {{conf_dir}}/shield/users | awk -F':' '{print $1}'
+  register: current_file_users
+  when: manage_file_users
+
+- set_fact: users_to_remove={{ current_file_users.stdout_lines | difference ( es_users.file.keys()  ) }}
+  when: manage_file_users
+
+#Remove users
+- name: Remove Users
+  command: >
+    {{es_home}}/bin/shield/esusers userdel {{item}}
+  when: manage_file_users and (users_to_remove | length > 0)
+  with_items: "{{users_to_remove}}"
+  environment:
+    CONF_DIR: "{{ conf_dir }}"
+    ES_HOME: "{{es_home}}"
+
+
+#Add users
+- name: Add Users
+  command: >
+    {{es_home}}/bin/shield/esusers useradd {{item.key}} -p {{item.value.password}}
+  with_dict: "{{es_users.file}}"
+  when: manage_file_users and es_users.file.keys() | length > 0
+  environment:
+    CONF_DIR: "{{ conf_dir }}"
+    ES_HOME: "{{es_home}}"
+
+#Set passwords for all users declared - Required as the useradd will not change existing user passwords
+- name: Set User Passwords
+  command: >
+    {{es_home}}/bin/shield/esusers passwd {{item.key}} -p {{item.value.password}}
+  with_dict: "{{es_users.file}}"
+  when: manage_file_users and es_users.file.keys() | length > 0
+  environment:
+    CONF_DIR: "{{ conf_dir }}"
+    ES_HOME: "{{es_home}}"
+
+- set_fact: users_roles={{es_users.file | extract_role_users}}
+  when: manage_file_users
+
+#Copy Roles files
+- name: Copy roles.yml File for Instance
+  template: src=shield/roles.yml.j2 dest={{conf_dir}}/shield/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  when: es_roles is defined and es_roles.file is defined
+
+#Overwrite users_roles file
+- name: Copy User Roles
+  template: src=shield/users_roles.j2 dest={{conf_dir}}/shield/users_roles mode=0644 force=yes
+  when: manage_file_users and users_roles | length > 0
+
+#TODO: Support for mapping file
+
--- a/tasks/xpack/elasticsearch-shield.yml
+++ b/tasks/xpack/elasticsearch-shield.yml
@ -0,0 +1,45 @@
+---
+
+#Test if we need to install shield
+
+- shell: "{{es_home}}/bin/plugin list | sed -n '1!p' | grep shield"
+  register: shield_installed
+  changed_when: False
+  ignore_errors: yes
+  environment:
+    CONF_DIR: "{{ conf_dir }}"
+    ES_INCLUDE: "{{ instance_default_file }}"
+
+
+#Install Shield if not installed
+- name: Install shield plugin
+  command: >
+    {{es_home}}/bin/plugin install shield
+  register: shield
+  failed_when: "'ERROR' in shield_installed.stdout"
+  changed_when: shield.rc == 1
+  when: shield_installed.rc == 1
+  notify: restart elasticsearch
+  environment:
+    CONF_DIR: "{{ conf_dir }}"
+    ES_INCLUDE: "{{ instance_default_file }}"
+
+#TODO: 1. Skip users with no password defined or error 2. Passwords | length > 6
+
+
+#Ensure shield conf directory is created
+- name: Ensure shield conf directory exists
+  file: path={{ conf_dir }}/shield state=directory owner={{ es_user }} group={{ es_group }}
+
+#-----------------------------FILE BASED REALM----------------------------------------
+
+- include: elasticsearch-shield-file.yml
+  when: (es_users is defined and es_users.file) or (es_roles is defined and es_roles.file is defined)
+
+#-----------------------------NATIVE BASED REALM----------------------------------------
+# The native realm requires the node to be started so we do as a handler
+- command: /bin/true
+  notify: load-native-realms
+  when: (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)
+
+
--- a/tasks/xpack/elasticsearch-xpack.yml
+++ b/tasks/xpack/elasticsearch-xpack.yml
@ -0,0 +1,33 @@
+---
+#Check if license is installed
+- name: Check License is installed
+  shell: >
+    {{es_home}}/bin/plugin list | tail -n +2 | grep license
+  register: license_installed
+  ignore_errors: yes
+  changed_when: False
+  environment:
+    CONF_DIR: "{{ conf_dir }}"
+    ES_INCLUDE: "{{ instance_default_file }}"
+
+#Install License if not installed
+- name: Install license plugin
+  command: >
+    {{es_home}}/bin/plugin install license
+  register: license
+  failed_when: "'ERROR' in license_installed  .stdout"
+  changed_when: license.rc == 1
+  when: license_installed.rc == 1
+  notify: restart elasticsearch
+  environment:
+    CONF_DIR: "{{ conf_dir }}"
+    ES_INCLUDE: "{{ instance_default_file }}"
+
+
+- name: Set Plugin Directory Permissions
+  file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes
+
+- include: elasticsearch-shield.yml
+  when: '"shield" in es_xpack_features'
+
+#Any other xpacks plugins requiring configuration to be entered here