Merge branch 'master' into become-yes

2017-09-21 22:22:36 -06:00 · 2017-09-21 22:22:36 -06:00 · b032eee3da
commit b032eee3da
parent 891d87c019 03fd99f0d3
11 changed files with 223 additions and 68 deletions
--- a/tasks/xpack/security/elasticsearch-security-file.yml
+++ b/tasks/xpack/security/elasticsearch-security-file.yml
@ -1,5 +1,5 @@
 ---
- set_fact: manage_file_users=es_users is defined and es_users.file is defined
+- set_fact: manage_file_users=es_users is defined and es_users.file is defined and es_users.file.keys() | length > 0

 #List current users
 - name: List Users
@ -18,12 +18,11 @@
  command: >
    {{es_home}}/bin/x-pack/users userdel {{item}}
  with_items: "{{users_to_remove | default([])}}"
-  when: manage_file_users and (users_to_remove | length > 0)
+  when: manage_file_users
  environment:
    CONF_DIR: "{{ conf_dir }}"
    ES_HOME: "{{es_home}}"

-
 - set_fact: users_to_add={{ es_users.file.keys() | difference (current_file_users.stdout_lines) }}
  when: manage_file_users

@ -32,8 +31,8 @@
  become: yes
  command: >
    {{es_home}}/bin/x-pack/users useradd {{item}} -p {{es_users.file[item].password}}
-  with_items: "{{users_to_add | default([])}}"
-  when: manage_file_users and users_to_add | length > 0
+  with_items: "{{ users_to_add | default([]) }}"
+  when: manage_file_users
  no_log: True
  environment:
    CONF_DIR: "{{ conf_dir }}"
@ -43,9 +42,9 @@
 - name: Set User Passwords
  become: yes
  command: >
-    {{es_home}}/bin/x-pack/users passwd {{item.key}} -p {{item.value.password}}
-  with_dict: "{{(es_users | default({'file':{}})).file}}"
-  when: manage_file_users and es_users.file.keys() | length > 0
+    {{es_home}}/bin/x-pack/users passwd {{ item }} -p {{es_users.file[item].password}}
+  with_items: "{{ es_users.file.keys() | default([]) }}"
+  when: manage_file_users
  #Currently no easy way to figure out if the password has changed or to know what it currently is so we can skip.
  changed_when: False
  no_log: True
@ -53,7 +52,7 @@
    CONF_DIR: "{{ conf_dir }}"
    ES_HOME: "{{es_home}}"

- set_fact: users_roles={{es_users.file | extract_role_users}}
+- set_fact: users_roles={{es_users.file | extract_role_users () }}
  when: manage_file_users

 #Copy Roles files
--- a/tasks/xpack/security/elasticsearch-security-native.yml
+++ b/tasks/xpack/security/elasticsearch-security-native.yml
@ -1,18 +1,15 @@
 ---
+- set_fact: change_api_password=false

 - set_fact: manage_native_users=false

 - set_fact: manage_native_users=true
-  when: es_users is defined and es_users.native is defined
+  when: es_users is defined and es_users.native is defined and es_users.native.keys() | length > 0

 - set_fact: manage_native_roles=false

 - set_fact: manage_native_roles=true
-  when: es_roles is defined and es_roles.native is defined
-
-# If playbook runs too fast, Native commands could fail as the Native Realm is not yet up
- name: Wait 15 seconds for the Native Realm to come up
-  pause: seconds=15
+  when: es_roles is defined and es_roles.native is defined and es_roles.native.keys() | length > 0

 #If the node has just has security installed it maybe either stopped or started 1. if stopped, we need to start to load native realms 2. if started, we need to restart to load

@ -28,15 +25,40 @@
  register: user_list_response
  when: manage_native_users

+- set_fact: reserved_users={{ user_list_response.json | filter_reserved }}
+  when: manage_native_users
+
 #Current users not inc. those reserved
- set_fact: current_users={{ user_list_response.json | filter_reserved }}
+- set_fact: current_users={{ user_list_response.json.keys() | difference (reserved_users) }}
  when: manage_native_users

-#Identify non declared users
- set_fact: users_to_remove={{ current_users | difference ( es_users.native.keys() ) }}
+#We are changing the es_api_basic_auth_username password, so we need to do it first and update the param
+- set_fact: native_users={{ es_users.native }}
  when: manage_native_users

-#Delete all non required users
+- set_fact: change_api_password=true
+  when: manage_native_users and es_api_basic_auth_username in native_users and native_users[es_api_basic_auth_username].password is defined
+
+- name: Update API User Password
+  uri:
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{es_api_basic_auth_username}}/_password
+    method: POST
+    body_format: json
+    body: "{ \"password\":\"{{native_users[es_api_basic_auth_username].password}}\" }"
+    status_code: 200
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+  when: change_api_password
+
+- set_fact: es_api_basic_auth_password={{native_users[es_api_basic_auth_username].password}}
+  when: change_api_password
+
+#Identify users that are present in ES but not declared and thus should be removed
+- set_fact: users_to_remove={{ current_users | difference ( native_users.keys() ) }}
+  when: manage_native_users
+
+#Delete all non required users NOT inc. reserved
 - name: Delete Native Users
  uri:
    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}
@ -45,26 +67,50 @@
    user: "{{es_api_basic_auth_username}}"
    password: "{{es_api_basic_auth_password}}"
    force_basic_auth: yes
-  when: manage_native_users and users_to_remove | length > 0
-  with_items: "{{users_to_remove | default([]) }}"
+  when: manage_native_users
+  with_items: "{{ users_to_remove | default([]) }}"

- set_fact: native_users={{ es_users.native }}
-  when: manage_native_users and es_users.native.keys() > 0
+- set_fact: users_to_ignore={{ native_users.keys() | intersect (reserved_users) }}
+  when: manage_native_users

-#Overwrite all other users
- name: Update Native Users
+- debug:
+    msg: "WARNING: YOU CAN ONLY CHANGE THE PASSWORD FOR RESERVED USERS IN THE NATIVE REALM. ANY ROLE CHANGES WILL BE IGNORED: {{users_to_ignore}}"
+  when: manage_native_users and users_to_ignore | length > 0
+
+#Update password on all reserved users
+- name: Update Reserved User Passwords
  uri:
-    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item.key}}
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}/_password
    method: POST
    body_format: json
-    body: "{{item.value | to_json}}"
+    body: "{ \"password\":\"{{native_users[item].password}}\" }"
    status_code: 200
    user: "{{es_api_basic_auth_username}}"
    password: "{{es_api_basic_auth_password}}"
    force_basic_auth: yes
-  when: manage_native_users and native_users.keys() > 0
+  when: native_users[item].password is defined
  no_log: True
-  with_dict: "{{native_users | default({}) }}"
+  with_items: "{{ users_to_ignore | default([]) }}"
+
+- set_fact: users_to_modify={{ native_users.keys() | difference (reserved_users) }}
+  when: manage_native_users
+
+#Overwrite all other users NOT inc. those reserved
+- name: Update Non-Reserved Native User Details
+  uri:
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}
+    method: POST
+    body_format: json
+    body: "{{ native_users[item] | to_json }}"
+    status_code: 200
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+  when: manage_native_users
+  no_log: True
+  with_items: "{{ users_to_modify | default([]) }}"
+
+## ROLE CHANGES

 #List current roles not. inc those reserved
 - name: List Native Roles
@ -79,16 +125,23 @@
  register: role_list_response
  when: manage_native_roles

- set_fact: current_roles={{ role_list_response.json | filter_reserved }}
+- set_fact: reserved_roles={{ role_list_response.json | filter_reserved }}
  when: manage_native_roles

- debug: msg="{{current_roles}}"
+- set_fact: current_roles={{ role_list_response.json.keys() | difference (reserved_roles) }}
  when: manage_native_roles

+- set_fact: roles_to_ignore={{ es_roles.native.keys() | intersect (reserved_roles) | default([]) }}
+  when: manage_native_roles
+
+- debug:
+    msg: "WARNING: YOU CANNOT CHANGE RESERVED ROLES. THE FOLLOWING WILL BE IGNORED: {{roles_to_ignore}}"
+  when: manage_native_roles and roles_to_ignore | length > 0
+
 - set_fact: roles_to_remove={{ current_roles | difference ( es_roles.native.keys()  ) }}
  when: manage_native_roles

-#Delete all non required roles
+#Delete all non required roles NOT inc. reserved
 - name: Delete Native Roles
  uri:
    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item}}
@ -97,23 +150,22 @@
    user: "{{es_api_basic_auth_username}}"
    password: "{{es_api_basic_auth_password}}"
    force_basic_auth: yes
-  when: manage_native_roles and roles_to_remove | length > 0
+  when: manage_native_roles
  with_items: "{{roles_to_remove | default([]) }}"

+- set_fact: roles_to_modify={{ es_roles.native.keys() | difference (reserved_roles) }}
+  when: manage_native_roles

- set_fact: native_roles={{ es_roles.native }}
-  when: manage_native_roles and es_roles.native.keys() > 0
-
-#Update other roles
+#Update other roles - NOT inc. reserved roles
 - name: Update Native Roles
  uri:
-    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item.key}}
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item}}
    method: POST
    body_format: json
-    body: "{{item.value | to_json}}"
+    body: "{{ es_roles.native[item] | to_json}}"
    status_code: 200
    user: "{{es_api_basic_auth_username}}"
    password: "{{es_api_basic_auth_password}}"
    force_basic_auth: yes
-  when: manage_native_roles and native_roles.keys() > 0
-  with_dict: "{{ native_roles | default({})}}"
+  when: manage_native_roles
+  with_items: "{{ roles_to_modify | default([]) }}"