From 447550903ff1860760c9abe19fb56a400a93df8e Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 09:32:36 +0200 Subject: [PATCH 01/17] clean log config specific to 5.x version --- templates/log4j2.properties.j2 | 32 -------------------------------- 1 file changed, 32 deletions(-) diff --git a/templates/log4j2.properties.j2 b/templates/log4j2.properties.j2 index dbfb23e..b4754c1 100644 --- a/templates/log4j2.properties.j2 +++ b/templates/log4j2.properties.j2 @@ -11,23 +11,14 @@ appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n appender.rolling.type = RollingFile appender.rolling.name = rolling -{% if (es_version is version_compare('6.0.0', '<')) %} -appender.rolling.fileName = ${sys:es.logs}.log -{% else %} appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log -{% endif %} appender.rolling.layout.type = PatternLayout appender.rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%.-10000m%n -{% if (es_version is version_compare('6.0.0', '<')) %} -appender.rolling.filePattern = ${sys:es.logs}-%d{yyyy-MM-dd}.log -{% else %} appender.rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}-%i.log.gz -{% endif %} appender.rolling.policies.type = Policies appender.rolling.policies.time.type = TimeBasedTriggeringPolicy appender.rolling.policies.time.interval = 1 appender.rolling.policies.time.modulate = true -{% if (es_version is version_compare('6.0.0', '>')) %} appender.rolling.policies.size.type = SizeBasedTriggeringPolicy appender.rolling.policies.size.size = 128MB appender.rolling.strategy.type = DefaultRolloverStrategy 
@@ -38,25 +29,16 @@ appender.rolling.strategy.action.condition.type = IfFileName appender.rolling.strategy.action.condition.glob = ${sys:es.logs.cluster_name}-* appender.rolling.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize appender.rolling.strategy.action.condition.nested_condition.exceeds = 2GB -{% endif %} rootLogger.level = info rootLogger.appenderRef.console.ref = console rootLogger.appenderRef.rolling.ref = rolling appender.deprecation_rolling.type = RollingFile appender.deprecation_rolling.name = deprecation_rolling -{% if (es_version is version_compare('6.0.0', '<')) %} -appender.deprecation_rolling.fileName = ${sys:es.logs}_deprecation.log -{% else %} appender.deprecation_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation.log -{% endif %} appender.deprecation_rolling.layout.type = PatternLayout appender.deprecation_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%.-10000m%n -{% if (es_version is version_compare('6.0.0', '<')) %} -appender.deprecation_rolling.filePattern = ${sys:es.logs}_deprecation-%i.log.gz -{% else %} appender.deprecation_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation-%i.log.gz -{% endif %} appender.deprecation_rolling.policies.type = Policies appender.deprecation_rolling.policies.size.type = SizeBasedTriggeringPolicy appender.deprecation_rolling.policies.size.size = 1GB 
@@ -70,18 +52,12 @@ logger.deprecation.additivity = false appender.index_search_slowlog_rolling.type = RollingFile appender.index_search_slowlog_rolling.name = index_search_slowlog_rolling -{% if (es_version is version_compare('6.0.0', '<')) %} appender.index_search_slowlog_rolling.fileName = ${sys:es.logs}_index_search_slowlog.log -{% else %} appender.index_search_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_search_slowlog.log -{% endif %} appender.index_search_slowlog_rolling.layout.type = PatternLayout appender.index_search_slowlog_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %marker%.-10000m%n -{% if (es_version is version_compare('6.0.0', '<')) %} appender.index_search_slowlog_rolling.filePattern = ${sys:es.logs}_index_search_slowlog-%d{yyyy-MM-dd}.log -{% else %} appender.index_search_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_search_slowlog-%d{yyyy-MM-dd}.log -{% endif %} appender.index_search_slowlog_rolling.policies.type = Policies appender.index_search_slowlog_rolling.policies.time.type = TimeBasedTriggeringPolicy appender.index_search_slowlog_rolling.policies.time.interval = 1 
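Review bot: The two legacy 5.x lines `appender.index_search_slowlog_rolling.fileName = ${sys:es.logs}_index_search_slowlog.log` and `appender.index_search_slowlog_rolling.filePattern = ${sys:es.logs}_index_search_slowlog-%d{yyyy-MM-dd}.log` stay in the template as context lines in this hunk, whereas the other three hunks remove their equivalents. Only the six `{% if %}`/`{% else %}`/`{% endif %}` lines are deleted here, which matches the `-70,18 +52,12` header. The rendered file therefore defines both keys twice and presumably depends on the later `${sys:es.logs.base_path}` value winning when the properties are loaded. Delete the two `${sys:es.logs}` lines so the index_search_slowlog appender matches the rolling, deprecation and indexing-slowlog appenders.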
@@ -94,18 +70,10 @@ logger.index_search_slowlog_rolling.additivity = false appender.index_indexing_slowlog_rolling.type = RollingFile appender.index_indexing_slowlog_rolling.name = index_indexing_slowlog_rolling -{% if (es_version is version_compare('6.0.0', '<')) %} -appender.index_indexing_slowlog_rolling.fileName = ${sys:es.logs}_index_indexing_slowlog.log -{% else %} appender.index_indexing_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_indexing_slowlog.log -{% endif %} appender.index_indexing_slowlog_rolling.layout.type = PatternLayout appender.index_indexing_slowlog_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %marker%.-10000m%n -{% if (es_version is version_compare('6.0.0', '<')) %} -appender.index_indexing_slowlog_rolling.filePattern = ${sys:es.logs}_index_indexing_slowlog-%d{yyyy-MM-dd}.log -{% else %} appender.index_indexing_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_indexing_slowlog-%d{yyyy-MM-dd}.log -{% endif %} appender.index_indexing_slowlog_rolling.policies.type = Policies appender.index_indexing_slowlog_rolling.policies.time.type = TimeBasedTriggeringPolicy appender.index_indexing_slowlog_rolling.policies.time.interval = 1 From d5e414b9aa028ef5dd726df12b9b30dc218e1a54 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 09:42:16 +0200 Subject: [PATCH 02/17] clean code related to xpack plugin install We don't need this anymore as X-Pack is now already included in elasticsearch since 6.3. --- tasks/compatibility-variables.yml | 18 ------ tasks/elasticsearch-plugins.yml | 1 - tasks/xpack/elasticsearch-xpack-install.yml | 68 --------------------- tasks/xpack/elasticsearch-xpack.yml | 4 -- 4 files changed, 91 deletions(-) delete mode 100644 tasks/xpack/elasticsearch-xpack-install.yml diff --git a/tasks/compatibility-variables.yml b/tasks/compatibility-variables.yml index 0ed0c21..eb725e8 100644 
--- a/tasks/compatibility-variables.yml +++ b/tasks/compatibility-variables.yml @@ -8,9 +8,6 @@ - name: Set the defaults here otherwise they can't be overriden in the same play if the role is called twice set_fact: - es_open_xpack: true - es_install_xpack: false - es_users_path: "users" es_xpack_conf_subdir: "" es_repo_name: "{{ es_major_version }}" es_xpack_users_command: "elasticsearch-users" @@ -19,20 +16,6 @@ es_other_repo_name: "{{ 'oss-' + es_major_version }}" es_other_apt_url: "deb {{ es_repo_base }}/packages/{{ 'oss-' + es_major_version }}/apt stable main" -- name: Detect if es_version is before X-Pack was open and included - set_fact: - es_open_xpack: false - when: "es_version is version_compare('6.3.0', '<')" - -- name: If this is an older version we need to install X-Pack as a plugin and use a different users command - set_fact: - es_install_xpack: true - es_xpack_users_command: "x-pack/users" - es_xpack_conf_subdir: "/x-pack" - when: - - not es_open_xpack - - es_enable_xpack - - name: Use the oss repo and package if xpack is not being used set_fact: es_repo_name: "{{ 'oss-' + es_major_version }}" @@ -41,5 +24,4 @@ es_package_name: "elasticsearch-oss" es_other_package_name: "elasticsearch" when: - - es_open_xpack - not es_enable_xpack diff --git a/tasks/elasticsearch-plugins.yml b/tasks/elasticsearch-plugins.yml index b0a300d..af669f0 100644 --- a/tasks/elasticsearch-plugins.yml +++ b/tasks/elasticsearch-plugins.yml @@ -17,7 +17,6 @@ file: dest: "{{ es_home }}/plugins/x-pack" state: "absent" - when: es_open_xpack #List currently installed plugins. We have to list the directories as the list commmand fails if the ES version is different than the plugin version. - name: Check installed elasticsearch plugins diff --git a/tasks/xpack/elasticsearch-xpack-install.yml b/tasks/xpack/elasticsearch-xpack-install.yml deleted file mode 100644 index 421a475..0000000 --- a/tasks/xpack/elasticsearch-xpack-install.yml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- - -#Test if feature is installed -- name: Test if x-pack is installed - shell: "{{es_home}}/bin/elasticsearch-plugin list | grep x-pack" - become: yes - register: x_pack_installed - changed_when: False - failed_when: "'ERROR' in x_pack_installed.stdout" - check_mode: no - ignore_errors: yes - environment: - CONF_DIR: "{{ es_conf_dir }}" - ES_PATH_CONF: "{{ es_conf_dir }}" - ES_INCLUDE: "{{ default_file }}" - - -#Remove X-Pack if installed and its not been requested or the ES version has changed -- name: Remove x-pack plugin - become: yes - command: "{{es_home}}/bin/elasticsearch-plugin remove x-pack" - register: xpack_state - failed_when: "'ERROR' in xpack_state.stdout" - changed_when: xpack_state.rc == 0 - when: x_pack_installed.rc == 0 and (not es_enable_xpack or es_version_changed) - notify: restart elasticsearch - environment: - CONF_DIR: "{{ es_conf_dir }}" - ES_PATH_CONF: "{{ es_conf_dir }}" - ES_INCLUDE: "{{ default_file }}" - - -#Install plugin if not installed, or the es version has changed (so removed above), and its been requested -- name: Download x-pack from url - get_url: url={{ es_xpack_custom_url }} dest=/tmp/x-pack-{{ es_version }}.zip - when: (x_pack_installed.rc == 1 or es_version_changed) and (es_enable_xpack and es_xpack_custom_url is defined) - -- name: Install x-pack plugin from local - become: yes - command: > - {{es_home}}/bin/elasticsearch-plugin install --silent --batch file:///tmp/x-pack-{{ es_version }}.zip - register: xpack_state - changed_when: xpack_state.rc == 0 - when: (x_pack_installed.rc == 1 or es_version_changed) and (es_enable_xpack and es_xpack_custom_url is defined) - notify: restart elasticsearch - environment: - CONF_DIR: "{{ es_conf_dir }}" - ES_PATH_CONF: "{{ es_conf_dir }}" - ES_INCLUDE: "{{ default_file }}" - -- name: Delete x-pack zip file - file: dest=/tmp/x-pack-{{ es_version }}.zip state=absent - when: es_xpack_custom_url is defined - -- name: Install x-pack plugin from elastic.co - become: 
yes - command: > - {{es_home}}/bin/elasticsearch-plugin install --silent --batch x-pack - register: xpack_state - failed_when: "'ERROR' in xpack_state.stdout" - changed_when: xpack_state.rc == 0 - when: (x_pack_installed.rc == 1 or es_version_changed) and (es_enable_xpack and es_xpack_custom_url is not defined) - notify: restart elasticsearch - environment: - CONF_DIR: "{{ es_conf_dir }}" - ES_PATH_CONF: "{{ es_conf_dir }}" - ES_INCLUDE: "{{ default_file }}" - ES_JAVA_OPTS: "{% if es_proxy_host is defined and es_proxy_host != '' %}-Dhttp.proxyHost={{ es_proxy_host }} -Dhttp.proxyPort={{ es_proxy_port }} -Dhttps.proxyHost={{ es_proxy_host }} -Dhttps.proxyPort={{ es_proxy_port }}{% endif %}" diff --git a/tasks/xpack/elasticsearch-xpack.yml b/tasks/xpack/elasticsearch-xpack.yml index 3347bd4..ec239c5 100644 --- a/tasks/xpack/elasticsearch-xpack.yml +++ b/tasks/xpack/elasticsearch-xpack.yml @@ -3,10 +3,6 @@ - name: set fact es_version_changed set_fact: es_version_changed={{ ((elasticsearch_install_from_package is defined and (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed)) or (elasticsearch_install_from_package is defined and elasticsearch_install_from_package.changed)) }} -- name: include elasticsearch-xpack-install.yml - include: elasticsearch-xpack-install.yml - when: es_install_xpack - #Security configuration - name: include security/elasticsearch-security.yml include: security/elasticsearch-security.yml From abaf124639f3f45e40ba7e9404c35b8a282b82c1 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 09:53:49 +0200 Subject: [PATCH 03/17] cleanup unused es_version_changed fact --- tasks/xpack/elasticsearch-xpack.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/tasks/xpack/elasticsearch-xpack.yml b/tasks/xpack/elasticsearch-xpack.yml index ec239c5..794334f 100644 --- a/tasks/xpack/elasticsearch-xpack.yml +++ b/tasks/xpack/elasticsearch-xpack.yml 
@@ -1,8 +1,5 @@ --- -- name: set fact es_version_changed - set_fact: es_version_changed={{ ((elasticsearch_install_from_package is defined and (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed)) or (elasticsearch_install_from_package is defined and elasticsearch_install_from_package.changed)) }} - #Security configuration - name: include security/elasticsearch-security.yml include: security/elasticsearch-security.yml From 0f601259c673a2c1d9d0b958a84decb0d59c2dad Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 10:06:26 +0200 Subject: [PATCH 04/17] clean es_xpack_conf_subdir variable This variable was added to manage specific x-pack dir with version < 6.3 --- tasks/compatibility-variables.yml | 1 - tasks/xpack/security/elasticsearch-security-file.yml | 12 ++++++------ tasks/xpack/security/elasticsearch-security.yml | 4 ++-- .../helpers/serverspec/xpack_upgrade_spec.rb | 6 +++--- 4 files changed, 11 insertions(+), 12 deletions(-) diff --git a/tasks/compatibility-variables.yml b/tasks/compatibility-variables.yml index eb725e8..c5a31ab 100644 --- a/tasks/compatibility-variables.yml +++ b/tasks/compatibility-variables.yml @@ -8,7 +8,6 @@ - name: Set the defaults here otherwise they can't be overriden in the same play if the role is called twice set_fact: - es_xpack_conf_subdir: "" es_repo_name: "{{ es_major_version }}" es_xpack_users_command: "elasticsearch-users" es_package_name: "elasticsearch" diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index ab77be1..a9f1fe0 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml 
@@ -13,13 +13,13 @@ remote_src: yes force: no # only copy it if the new path doesn't exist yet src: "{{ es_conf_dir }}/x-pack/users" - dest: "{{ es_conf_dir }}{{ es_xpack_conf_subdir }}/users" + dest: "{{ es_conf_dir }}/users" when: old_users_file.stat.exists - name: Create the users file if it doesn't exist copy: content: "" - dest: "{{ es_conf_dir }}{{ es_xpack_conf_subdir }}/users" + dest: "{{ es_conf_dir }}/users" force: no # this ensures it only creates it if it does not exist group: "{{ es_group }}" owner: "{{ es_user }}" @@ -28,7 +28,7 @@ #List current users - name: List Users become: yes - shell: cat {{ es_conf_dir }}{{es_xpack_conf_subdir}}/users | awk -F':' '{print $1}' + shell: cat {{ es_conf_dir }}/users | awk -F':' '{print $1}' register: current_file_users when: manage_file_users changed_when: False 
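Review bot: The `List Users` task interpolates `{{ es_conf_dir }}` unquoted into a `shell:` command that runs with `become: yes`, so a configured path containing whitespace or shell metacharacters is interpreted by the shell instead of being treated as a file name. Now that the line is being rewritten anyway, pass the path through the `quote` filter and drop the extra `cat`, for example `shell: awk -F':' '{print $1}' {{ (es_conf_dir ~ '/users') | quote }}`. Reading the file with a non-shell module would remove the shell from this step entirely, at the cost of a slightly larger change.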
@@ -89,16 +89,16 @@ #Copy Roles files - name: Copy roles.yml File for Instance become: yes - template: src=security/roles.yml.j2 dest={{ es_conf_dir }}{{es_xpack_conf_subdir}}/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=security/roles.yml.j2 dest={{ es_conf_dir }}/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes when: es_roles is defined and es_roles.file is defined #Overwrite users_roles file - name: Copy User Roles become: yes - template: src=security/users_roles.j2 dest={{ es_conf_dir }}{{es_xpack_conf_subdir}}/users_roles mode=0644 force=yes + template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles mode=0644 force=yes when: manage_file_users and users_roles | length > 0 #Set permission on security directory. E.g. if 2 nodes are installed on the same machine, the second node will not get the users file created at install, causing the files being created at es_users call and then having the wrong Permissions. - name: Set Security Directory Permissions Recursive become: yes - file: state=directory path={{ es_conf_dir }}{{es_xpack_conf_subdir}}/ owner={{ es_user }} group={{ es_group }} recurse=yes + file: state=directory path={{ es_conf_dir }}/ owner={{ es_user }} group={{ es_group }} recurse=yes diff --git a/tasks/xpack/security/elasticsearch-security.yml b/tasks/xpack/security/elasticsearch-security.yml index 2c18019..1c85c67 100644 --- a/tasks/xpack/security/elasticsearch-security.yml +++ b/tasks/xpack/security/elasticsearch-security.yml 
@@ -5,7 +5,7 @@ #Ensure x-pack conf directory is created if necessary - name: Ensure x-pack conf directory exists (file) - file: path={{ es_conf_dir }}{{ es_xpack_conf_subdir }} state=directory owner={{ es_user }} group={{ es_group }} + file: path={{ es_conf_dir }} state=directory owner={{ es_user }} group={{ es_group }} changed_when: False when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined) or (es_role_mapping is defined) @@ -52,7 +52,7 @@ #Copy Roles files - name: Copy role_mapping.yml File for Instance become: yes - template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}{{es_xpack_conf_subdir}}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes when: es_role_mapping is defined #------------------------------------------------------------------------------------ diff --git a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb index 4223234..aadf9e9 100644 --- a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb +++ b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb @@ -4,13 +4,13 @@ vars = JSON.parse(File.read('/tmp/vars.json')) shared_examples 'xpack_upgrade::init' do |vars| #Test users file, users_roles and roles.yml - describe file("/etc/elasticsearch/#{vars['es_xpack_conf_subdir']}/users_roles") do + describe file("/etc/elasticsearch/users_roles") do it { should be_owned_by 'elasticsearch' } it { should contain 'admin:es_admin' } it { should contain 'power_user:testUser' } end - describe file("/etc/elasticsearch/#{vars['es_xpack_conf_subdir']}/users") do + describe file("/etc/elasticsearch/users") do it { should be_owned_by 'elasticsearch' } it { should contain 'testUser:' } it { should contain 'es_admin:' } 
@@ -36,7 +36,7 @@ shared_examples 'xpack_upgrade::init' do |vars| end #Test contents of role_mapping.yml - describe file("/etc/elasticsearch/#{vars['es_xpack_conf_subdir']}/role_mapping.yml") do + describe file("/etc/elasticsearch/role_mapping.yml") do it { should be_owned_by 'elasticsearch' } it { should contain 'power_user:' } it { should contain '- cn=admins,dc=example,dc=com' } From 27a524cd07364f33cbc6ce67fb6bfd08b4f450e2 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 10:28:23 +0200 Subject: [PATCH 05/17] remove x-pack dir creation --- tasks/xpack/security/elasticsearch-security.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tasks/xpack/security/elasticsearch-security.yml b/tasks/xpack/security/elasticsearch-security.yml index 1c85c67..2e54575 100644 --- a/tasks/xpack/security/elasticsearch-security.yml +++ b/tasks/xpack/security/elasticsearch-security.yml @@ -3,12 +3,6 @@ #TODO: 1. Skip users with no password defined or error 2. Passwords | length > 6 -#Ensure x-pack conf directory is created if necessary -- name: Ensure x-pack conf directory exists (file) - file: path={{ es_conf_dir }} state=directory owner={{ es_user }} group={{ es_group }} - changed_when: False - when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined) or (es_role_mapping is defined) - #-----------------------------Create Bootstrap User----------------------------------- ### START BLOCK elasticsearch keystore ### - name: create the elasticsearch keystore From 08512fc17ea49568a58f788d1ed998133a68fd3e Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 10:30:03 +0200 Subject: [PATCH 06/17] fix typo I think this typo was here since https://github.com/elastic/ansible-elasticsearch/pull/129/commits/048fd636025a00379d2549c36f8b4bd271a8f832 --- tasks/xpack/security/elasticsearch-security-file.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index a9f1fe0..831d803 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml @@ -1,6 +1,8 @@ --- -- name: set fact manage_file_users - set_fact: manage_file_users=es_users is defined and es_users.file is defined and es_users.file.keys() | list | length > 0 +- set_fact: manage_file_users=false + +- set_fact: manage_file_users=true + when: es_users is defined and es_users.file is defined and es_users.file.keys() | list | length > 0 - name: Check if old users file exists stat: From ffc6d99915c699ee31e782dc1ec2819b2e7237d6 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 10:45:36 +0200 Subject: [PATCH 07/17] clean es_xpack_custom_url variable wich is no more used This was used to define url to download X-Pack but X-Pack is now embedded in Elasticsearch since 6.3 --- README.md | 4 ---- test/integration/xpack.yml | 1 - 2 files changed, 5 deletions(-) diff --git a/README.md b/README.md index c448754..47499da 100644 --- a/README.md +++ b/README.md @@ -264,10 +264,6 @@ X-Pack features, such as Security, are supported. The parameter `es_xpack_features` allows to list xpack features to install (example: `["alerting","monitoring","graph","security","ml"]`). When the list is empty, it install all features available with the current licence. -The following additional parameters allow X-Pack to be configured: - -* ```es_xpack_custom_url``` Url from which X-Pack can be downloaded. This can be used for installations in isolated environments where the elastic.co repo is not accessible. e.g. ```es_xpack_custom_url: "https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-5.5.1.zip"``` - * ```es_role_mapping``` Role mappings file declared as yml as described [here](https://www.elastic.co/guide/en/x-pack/current/mapping-roles.html) 
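Review bot: The two `set_fact` tasks added at the top of elasticsearch-security-file.yml have no `name:`, so they appear in play output only as anonymous `set_fact` steps, and the value is still written in key=value form, which is what hid the original mistake. A single named task in YAML form states the intent directly: `- name: set fact manage_file_users`, then `set_fact:`, then `manage_file_users: "{{ es_users is defined and es_users.file is defined and es_users.file.keys() | list | length > 0 }}"`. If the two-step default/override is kept on purpose, give each task a name and add a short comment saying why the expression is not evaluated inline.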
diff --git a/test/integration/xpack.yml b/test/integration/xpack.yml index e12064d..002736f 100644 --- a/test/integration/xpack.yml +++ b/test/integration/xpack.yml @@ -7,5 +7,4 @@ roles: - elasticsearch vars: - es_xpack_custom_url: "https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-{{ es_version }}.zip" es_heap_size: 2g From 407dddcae1673c633fa3c243c1ba721f75d54447 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 10:48:24 +0200 Subject: [PATCH 08/17] hardcode elasticsearch-users command instead of es_xpack_users_command This variable was introduce to match legacy x-pack/users command before 6.3. --- tasks/compatibility-variables.yml | 1 - tasks/xpack/security/elasticsearch-security-file.yml | 6 +++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/tasks/compatibility-variables.yml b/tasks/compatibility-variables.yml index c5a31ab..a0b6dfc 100644 --- a/tasks/compatibility-variables.yml +++ b/tasks/compatibility-variables.yml @@ -9,7 +9,6 @@ - name: Set the defaults here otherwise they can't be overriden in the same play if the role is called twice set_fact: es_repo_name: "{{ es_major_version }}" - es_xpack_users_command: "elasticsearch-users" es_package_name: "elasticsearch" es_other_package_name: "elasticsearch-oss" es_other_repo_name: "{{ 'oss-' + es_major_version }}" diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index 831d803..ef68efe 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml @@ -44,7 +44,7 @@ - name: Remove Users become: yes command: > - {{es_home}}/bin/{{es_xpack_users_command}} userdel {{item}} + {{es_home}}/bin/elasticsearch-users userdel {{item}} with_items: "{{users_to_remove | default([])}}" when: manage_file_users environment: 
@@ -60,7 +60,7 @@ - name: Add Users become: yes command: > - {{es_home}}/bin/{{es_xpack_users_command}} useradd {{item}} -p {{es_users.file[item].password}} + {{es_home}}/bin/elasticsearch-users useradd {{item}} -p {{es_users.file[item].password}} with_items: "{{ users_to_add | default([]) }}" when: manage_file_users no_log: True @@ -73,7 +73,7 @@ - name: Set User Passwords become: yes command: > - {{es_home}}/bin/{{es_xpack_users_command}} passwd {{ item }} -p {{es_users.file[item].password}} + {{es_home}}/bin/elasticsearch-users passwd {{ item }} -p {{es_users.file[item].password}} with_items: "{{ es_users.file.keys() | list }}" when: manage_file_users #Currently no easy way to figure out if the password has changed or to know what it currently is so we can skip. From e45c902e5e316324961827324ee165eebd44dcc5 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 10:49:33 +0200 Subject: [PATCH 09/17] clean unused task related to multi-instance directories --- tasks/xpack/security/elasticsearch-security-file.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index ef68efe..4dd2c52 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml @@ -100,7 +100,3 @@ template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles mode=0644 force=yes when: manage_file_users and users_roles | length > 0 -#Set permission on security directory. E.g. if 2 nodes are installed on the same machine, the second node will not get the users file created at install, causing the files being created at es_users call and then having the wrong Permissions. -- name: Set Security Directory Permissions Recursive - become: yes - file: state=directory path={{ es_conf_dir }}/ owner={{ es_user }} group={{ es_group }} recurse=yes 
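Review bot: Both the `Add Users` hunk and the following `Set User Passwords` hunk pass `{{es_users.file[item].password}}` as a `-p` argument, so the cleartext password sits in the process argument list on the target host while `elasticsearch-users` runs. `no_log: True`, visible here only on `Add Users`, keeps it out of Ansible output but not out of a local process listing. The value is also unquoted, so a password containing whitespace or quote characters is split into extra arguments by the `command` module; at minimum write `-p {{ es_users.file[item].password | quote }}` on both lines. If the CLI in the supported versions accepts the password on standard input, feeding it through the `command` module's `stdin:` parameter would keep it off the command line altogether. The `Set User Passwords` task continues past the end of its hunk, so confirm it also carries `no_log`.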
From be7941438c5fbf6b8bf5fd9b3152ddfeb2e4a96a Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 10:50:20 +0200 Subject: [PATCH 10/17] cleanup some values related to 5.x version We can remove them since 5.x is no more supported --- defaults/main.yml | 2 +- templates/elasticsearch.yml.j2 | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8de86f4..81cc21d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -29,7 +29,7 @@ es_data_dirs: es_log_dir: "/var/log/elasticsearch" es_action_auto_create_index: true es_max_open_files: 65536 -es_max_threads: "{{ 2048 if ( es_version is version_compare('6.0.0', '<')) else 8192 }}" +es_max_threads: 8192 es_max_map_count: 262144 es_allow_downgrades: false es_xpack_features: [] diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index abb6c56..9ceac83 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 @@ -15,10 +15,6 @@ node.name: {{inventory_hostname}} # Path to directory containing configuration (this file and logging.yml): -{% if (es_version is version_compare('6.0.0', '<')) %} -path.conf: {{ es_conf_dir }} -{% endif %} - path.data: {{ es_data_dirs | array_to_str }} path.logs: {{ es_log_dir }} From 8e1cafacf5e96defc086dc5aaabcf53ee555d941 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 10:51:41 +0200 Subject: [PATCH 11/17] add some comment to better identify user migration tasks from elasticsearch < 6.3 --- tasks/xpack/security/elasticsearch-security-file.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index 4dd2c52..cdba2b8 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml 
@@ -4,6 +4,7 @@ - set_fact: manage_file_users=true when: es_users is defined and es_users.file is defined and es_users.file.keys() | list | length > 0 +# Users migration from elasticsearch < 6.3 versions - name: Check if old users file exists stat: path: '{{ es_conf_dir }}/x-pack/users' @@ -17,6 +18,7 @@ src: "{{ es_conf_dir }}/x-pack/users" dest: "{{ es_conf_dir }}/users" when: old_users_file.stat.exists +# End of users migrations - name: Create the users file if it doesn't exist copy: @@ -99,4 +101,3 @@ become: yes template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles mode=0644 force=yes when: manage_file_users and users_roles | length > 0 - From 08a8a467b61ea61f40de82383ac2587d74cce4dd Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Mon, 16 Sep 2019 12:31:07 +0200 Subject: [PATCH 12/17] fix missing permissions --- tasks/xpack/security/elasticsearch-security-file.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index cdba2b8..c4e02ec 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml @@ -17,6 +17,8 @@ force: no # only copy it if the new path doesn't exist yet src: "{{ es_conf_dir }}/x-pack/users" dest: "{{ es_conf_dir }}/users" + group: "{{ es_group }}" + owner: "{{ es_user }}" when: old_users_file.stat.exists # End of users migrations @@ -99,5 +101,5 @@ #Overwrite users_roles file - name: Copy User Roles become: yes - template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles mode=0644 force=yes + template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles owner={{ es_user }} group={{ es_group }} mode=0644 force=yes when: manage_file_users and users_roles | length > 0 From c8b666bd798fb49bdc41435bc5df609fa70636ee Mon Sep 17 00:00:00 2001 
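Review bot: The migrated `users` file gains `group:` and `owner:` in the `-17,6 +17,8` hunk of "fix missing permissions" but still no `mode:`, so the permission bits of a file holding password hashes are left to the module default rather than stated. Add an explicit restrictive mode next to the new lines, for example `mode: "0660"`; the exact value should match what the official package ships. The second hunk of the same commit adds `owner`/`group` to `users_roles` but keeps `mode=0644`, which leaves the user-to-role mapping world-readable; consider tightening it in the same way. Patch 16/17 lists this file in its diffstat, but its hunks are not shown here, so this may already be handled later in the series.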
From: Julien Mailleret Date: Wed, 18 Sep 2019 09:51:45 +0200 Subject: [PATCH 13/17] remove /etc/elasticsearch/security directory creation This directory isn't used anywhere in this ansible-role --- tasks/xpack/security/elasticsearch-security.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/tasks/xpack/security/elasticsearch-security.yml b/tasks/xpack/security/elasticsearch-security.yml index 2e54575..2678611 100644 --- a/tasks/xpack/security/elasticsearch-security.yml +++ b/tasks/xpack/security/elasticsearch-security.yml @@ -48,11 +48,3 @@ become: yes template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes when: es_role_mapping is defined - -#------------------------------------------------------------------------------------ - -#Ensure security conf directory is created -- name: Ensure security conf directory exists - become: yes - file: path={{ es_conf_dir }}/security state=directory owner={{ es_user }} group={{ es_group }} - changed_when: False From 79470cb344946666c918261dac538ca6a9eac7ec Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Wed, 18 Sep 2019 10:04:50 +0200 Subject: [PATCH 14/17] replace hardcoded /etc/elasticsearch dir by the good variable --- tasks/elasticsearch-Debian.yml | 4 ++-- tasks/elasticsearch-RedHat.yml | 2 +- tasks/elasticsearch-template.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/elasticsearch-Debian.yml b/tasks/elasticsearch-Debian.yml index 4f6844b..5fc4a7a 100644 --- a/tasks/elasticsearch-Debian.yml +++ b/tasks/elasticsearch-Debian.yml @@ -92,7 +92,7 @@ register: debian_elasticsearch_install_from_repo notify: restart elasticsearch environment: - ES_PATH_CONF: "/etc/elasticsearch" + ES_PATH_CONF: "{{ es_conf_dir }}" - name: Debian - hold elasticsearch version become: yes 
@@ -112,4 +112,4 @@ register: elasticsearch_install_from_package notify: restart elasticsearch environment: - ES_PATH_CONF: "/etc/elasticsearch" + ES_PATH_CONF: "{{ es_conf_dir }}" diff --git a/tasks/elasticsearch-RedHat.yml b/tasks/elasticsearch-RedHat.yml index 1208b1c..a7b974d 100644 --- a/tasks/elasticsearch-RedHat.yml +++ b/tasks/elasticsearch-RedHat.yml @@ -52,7 +52,7 @@ retries: 5 delay: 10 environment: - ES_PATH_CONF: "/etc/elasticsearch" + ES_PATH_CONF: "{{ es_conf_dir }}" - name: RedHat - Install Elasticsearch from url become: yes diff --git a/tasks/elasticsearch-template.yml b/tasks/elasticsearch-template.yml index 8af780d..beb512e 100644 --- a/tasks/elasticsearch-template.yml +++ b/tasks/elasticsearch-template.yml @@ -2,13 +2,13 @@ - name: ensure templates dir is created file: - path: /etc/elasticsearch/templates + path: "{{ es_conf_dir }}/templates" state: directory owner: "{{ es_user }}" group: "{{ es_group }}" - name: Copy templates to elasticsearch - copy: src={{ item }} dest=/etc/elasticsearch/templates owner={{ es_user }} group={{ es_group }} + copy: src={{ item }} dest={{ es_conf_dir }}/templates owner={{ es_user }} group={{ es_group }} register: load_templates with_fileglob: - "{{ es_templates_fileglob | default('') }}" From 6a1b886753f3e855c82d92a907d29f64319bf809 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Wed, 18 Sep 2019 10:53:43 +0200 Subject: [PATCH 15/17] use default permissions from official package for plugin directory --- tasks/elasticsearch-plugins.yml | 5 ----- tasks/xpack/elasticsearch-xpack.yml | 5 ----- test/integration/helpers/serverspec/shared_spec.rb | 2 +- 3 files changed, 1 insertion(+), 11 deletions(-) diff --git a/tasks/elasticsearch-plugins.yml b/tasks/elasticsearch-plugins.yml index af669f0..e953ae0 100644 --- a/tasks/elasticsearch-plugins.yml +++ b/tasks/elasticsearch-plugins.yml 
@@ -79,8 +79,3 @@ until: plugin_installed.rc == 0 retries: 5 delay: 5 - -#Set permissions on plugins directory -- name: Set Plugin Directory Permissions - become: yes - file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes diff --git a/tasks/xpack/elasticsearch-xpack.yml b/tasks/xpack/elasticsearch-xpack.yml index 794334f..a8f04f7 100644 --- a/tasks/xpack/elasticsearch-xpack.yml +++ b/tasks/xpack/elasticsearch-xpack.yml @@ -5,11 +5,6 @@ include: security/elasticsearch-security.yml when: es_enable_xpack -#Add any feature specific configuration here -- name: Set Plugin Directory Permissions - become: yes - file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes - #Make sure elasticsearch.keystore has correct Permissions - name: Set elasticsearch.keystore Permissions become: yes diff --git a/test/integration/helpers/serverspec/shared_spec.rb b/test/integration/helpers/serverspec/shared_spec.rb index cbeb2ed..1bbbc11 100644 --- a/test/integration/helpers/serverspec/shared_spec.rb +++ b/test/integration/helpers/serverspec/shared_spec.rb @@ -138,7 +138,7 @@ shared_examples 'shared::init' do |vars| name = plugin['plugin'] describe file('/usr/share/elasticsearch/plugins/'+name) do it { should be_directory } - it { should be_owned_by vars['es_user'] } + it { should be_owned_by 'root' } end it 'should be installed and the right version' do plugins = curl_json("#{es_api_url}/_nodes/plugins", username=username, password=password) From 9bac169862d9e1fc27daeb68bb99ef221624f8eb Mon Sep 17 00:00:00 2001 
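Review bot: The new expectation `be_owned_by 'root'` in the plugin example only holds where the plugin directory was created after the recursive chown tasks were removed. Hosts converged by an earlier version of the role still have `plugins/` owned by `es_user`, and unless the plugin tasks reinstall every plugin (not visible in this diff) nothing here resets that, so plugin code stays writable by the service account on upgraded hosts. A one-time task that restores root ownership, or an upgrade note telling operators to reinstall plugins, would close the gap. In the spec, adding `it { should_not be_writable.by('others') }` would check the permission bits as well as the owner.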
From: Julien Mailleret Date: Wed, 18 Sep 2019 10:57:07 +0200 Subject: [PATCH 16/17] use files permissions from official package --- tasks/elasticsearch-config.yml | 28 ++++++++++++------- tasks/elasticsearch-template.yml | 5 ++-- tasks/xpack/elasticsearch-xpack.yml | 3 +- .../security/elasticsearch-security-file.yml | 6 ++-- .../xpack/security/elasticsearch-security.yml | 2 +- .../helpers/serverspec/oss_spec.rb | 4 +-- .../helpers/serverspec/shared_spec.rb | 5 ++-- .../helpers/serverspec/xpack_upgrade_spec.rb | 6 ++-- 8 files changed, 34 insertions(+), 25 deletions(-) diff --git a/tasks/elasticsearch-config.yml b/tasks/elasticsearch-config.yml index e3437f2..c8bc1cf 100644 --- a/tasks/elasticsearch-config.yml +++ b/tasks/elasticsearch-config.yml 
@@ -1,27 +1,35 @@ --- # Configure Elasticsearch Node -#Create required directories -- name: Create Directories +#Create conf directory +- name: Create Configuration Directory become: yes - file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }} + file: path={{ es_conf_dir }} state=directory owner=root group={{ es_group }} mode=2750 + +#Create pid directory +- name: Create PID Directory + become: yes + file: path={{ es_pid_dir }} state=directory owner={{ es_user }} group={{ es_group }} mode=0755 + +#Create required directories +- name: Create Others Directories + become: yes + file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }} mode=2750 with_items: - - "{{ es_pid_dir }}" - "{{ es_log_dir }}" - - "{{ es_conf_dir }}" - "{{ es_data_dirs }}" #Copy the config template - name: Copy Configuration File become: yes - template: src=elasticsearch.yml.j2 dest={{ es_conf_dir }}/elasticsearch.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=elasticsearch.yml.j2 dest={{ es_conf_dir }}/elasticsearch.yml owner=root group={{ es_group }} mode=0660 force=yes register: system_change notify: restart elasticsearch #Copy the default file - name: Copy Default File become: yes - template: src=elasticsearch.j2 dest={{ default_file }} mode=0644 force=yes + template: src=elasticsearch.j2 dest={{ default_file }} owner=root group={{ es_group }} mode=0660 force=yes notify: restart elasticsearch #Copy the systemd specific file if systemd is installed @@ -30,7 +38,7 @@ block: - name: Make sure destination dir exists file: path={{ sysd_config_file | dirname }} state=directory mode=0755 - + - name: Copy specific ElasticSearch Systemd config file ini_file: path={{ sysd_config_file }} section=Service option=LimitMEMLOCK value=infinity mode=0644 notify: 
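Review bot: `mode=0660` on `elasticsearch.yml` and on `{{ default_file }}` closes world-read but leaves both files writable by `{{ es_group }}`, which is presumably the group the daemon runs under. If the service only needs to read them, `mode=0640` keeps the same ownership while preventing a compromised Elasticsearch process from changing settings that are read at the next start; this matters most for `{{ default_file }}` if an init script sources it as root. The same applies to the `log4j2.properties` and `jvm.options` tasks in the next hunk of this file. If 0660 is kept for parity with the package, a comment such as `# 0660 root:es_group mirrors the official package` above `Create Configuration Directory` would record the reason.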
@@ -40,10 +48,10 @@ #Copy the logging.yml - name: Copy log4j2.properties File become: yes - template: src={{ es_config_log4j2 }} dest={{ es_conf_dir }}/log4j2.properties owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src={{ es_config_log4j2 }} dest={{ es_conf_dir }}/log4j2.properties owner=root group={{ es_group }} mode=0660 force=yes notify: restart elasticsearch - name: Copy jvm.options File become: yes - template: src=jvm.options.j2 dest={{ es_conf_dir }}/jvm.options owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=jvm.options.j2 dest={{ es_conf_dir }}/jvm.options owner=root group={{ es_group }} mode=0660 force=yes notify: restart elasticsearch diff --git a/tasks/elasticsearch-template.yml b/tasks/elasticsearch-template.yml index beb512e..41f5f41 100644 --- a/tasks/elasticsearch-template.yml +++ b/tasks/elasticsearch-template.yml @@ -4,11 +4,12 @@ file: path: "{{ es_conf_dir }}/templates" state: directory - owner: "{{ es_user }}" + owner: root group: "{{ es_group }}" + mode: 2750 - name: Copy templates to elasticsearch - copy: src={{ item }} dest={{ es_conf_dir }}/templates owner={{ es_user }} group={{ es_group }} + copy: src={{ item }} dest={{ es_conf_dir }}/templates owner=root group={{ es_group }} mode=0660 register: load_templates with_fileglob: - "{{ es_templates_fileglob | default('') }}" diff --git a/tasks/xpack/elasticsearch-xpack.yml b/tasks/xpack/elasticsearch-xpack.yml index a8f04f7..263af93 100644 --- a/tasks/xpack/elasticsearch-xpack.yml +++ b/tasks/xpack/elasticsearch-xpack.yml @@ -8,5 +8,4 @@ #Make sure elasticsearch.keystore has correct Permissions - name: Set elasticsearch.keystore Permissions become: yes - file: state=file path={{ es_conf_dir }}/elasticsearch.keystore owner={{ es_user }} group={{ es_group }} - when: es_enable_xpack + file: state=file path={{ es_conf_dir }}/elasticsearch.keystore owner=root group={{ es_group }} mode=0660 
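Review bot: `mode: 2750` in the `ensure templates dir is created` task is written in YAML dictionary form, so it reaches the file module as the decimal integer 2750, not as the string the key=value tasks in this commit pass. Ansible's documentation for `mode` asks for a leading zero or quotes for exactly this reason: decimal 2750 is octal 5276, which sets the setuid and sticky bits and gives others read and write on the directory instead of setgid with no access for others. Quote it: `mode: "2750"`. The `copy` task below it uses key=value form, where `mode=0660` already arrives as a string.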
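Review bot: With `when: es_enable_xpack` removed, `Set elasticsearch.keystore Permissions` runs whenever this task file is included, and `state=file` fails when the path is absent rather than creating it. Nothing in this hunk shows that `{{ es_conf_dir }}/elasticsearch.keystore` always exists at this point (the package may create it, but that is outside the diff). A preceding `stat` on the keystore with a matching `when: <registered result>.stat.exists` on this task, or a comment naming the step that guarantees the file, would make the assumption explicit.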
diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index c4e02ec..1d5d222 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml @@ -18,7 +18,7 @@ src: "{{ es_conf_dir }}/x-pack/users" dest: "{{ es_conf_dir }}/users" group: "{{ es_group }}" - owner: "{{ es_user }}" + owner: root when: old_users_file.stat.exists # End of users migrations @@ -95,11 +95,11 @@ #Copy Roles files - name: Copy roles.yml File for Instance become: yes - template: src=security/roles.yml.j2 dest={{ es_conf_dir }}/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=security/roles.yml.j2 dest={{ es_conf_dir }}/roles.yml owner=root group={{ es_group }} mode=0660 force=yes when: es_roles is defined and es_roles.file is defined #Overwrite users_roles file - name: Copy User Roles become: yes - template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles owner=root group={{ es_group }} mode=0660 force=yes when: manage_file_users and users_roles | length > 0 diff --git a/tasks/xpack/security/elasticsearch-security.yml b/tasks/xpack/security/elasticsearch-security.yml index 2678611..f735358 100644 --- a/tasks/xpack/security/elasticsearch-security.yml +++ b/tasks/xpack/security/elasticsearch-security.yml @@ -46,5 +46,5 @@ #Copy Roles files - name: Copy role_mapping.yml File for Instance become: yes - template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}/role_mapping.yml owner=root group={{ es_group }} mode=0660 force=yes when: es_role_mapping is defined 
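Review bot: The users-migration task in the first hunk changes `owner` to `root` but sets no `mode`, unlike the other file tasks touched in this commit. `{{ es_conf_dir }}/users` is the file-realm credentials file, so its permissions should not depend on what the source file or the umask happens to provide; add `mode: "0660"` next to `owner: root` (quoted, because this task uses YAML dictionary form). The task's name and module line are above the hunk, so whether it preserves the source mode cannot be checked from here.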
diff --git a/test/integration/helpers/serverspec/oss_spec.rb b/test/integration/helpers/serverspec/oss_spec.rb index abe9df3..0f4ff00 100644 --- a/test/integration/helpers/serverspec/oss_spec.rb +++ b/test/integration/helpers/serverspec/oss_spec.rb @@ -3,11 +3,11 @@ require 'spec_helper' shared_examples 'oss::init' do |vars| describe file("/etc/elasticsearch/log4j2.properties") do it { should be_file } - it { should be_owned_by 'elasticsearch' } + it { should be_owned_by 'root' } it { should_not contain 'CUSTOM LOG4J FILE' } end describe file("/etc/elasticsearch/jvm.options") do it { should be_file } - it { should be_owned_by vars['es_user'] } + it { should be_owned_by 'root' } end end diff --git a/test/integration/helpers/serverspec/shared_spec.rb b/test/integration/helpers/serverspec/shared_spec.rb index 1bbbc11..93d3025 100644 --- a/test/integration/helpers/serverspec/shared_spec.rb +++ b/test/integration/helpers/serverspec/shared_spec.rb @@ -108,11 +108,11 @@ shared_examples 'shared::init' do |vars| if vars['es_templates'] describe file('/etc/elasticsearch/templates') do it { should be_directory } - it { should be_owned_by vars['es_user'] } + it { should be_owned_by 'root' } end describe file('/etc/elasticsearch/templates/basic.json') do it { should be_file } - it { should be_owned_by vars['es_user'] } + it { should be_owned_by 'root' } end #This is possibly subject to format changes in the response across versions so may fail in the future describe 'Template Contents Correct' do @@ -152,6 +152,7 @@ shared_examples 'shared::init' do |vars| end end describe file("/etc/elasticsearch/elasticsearch.yml") do + it { should be_owned_by 'root' } it { should contain "node.name: localhost" } it { should contain 'cluster.name: elasticsearch' } it { should_not contain "path.conf: /etc/elasticsearch" } diff --git a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb index aadf9e9..62c9528 100644 
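Review bot: The updated examples in `oss_spec.rb` assert only the owner, while the substance of this commit is the `0660` and `2750` modes and the `es_group` group. Add `it { should be_mode 660 }` to the `log4j2.properties` and `jvm.options` blocks so that a regression to world-readable files fails the suite. The same applies to the `templates`, `basic.json` and `elasticsearch.yml` examples in `shared_spec.rb` and to the `users_roles`, `users` and `role_mapping.yml` examples in `xpack_upgrade_spec.rb`. For the templates directory, `it { should be_mode 2750 }` would also catch the unquoted `mode: 2750` in `elasticsearch-template.yml` being read as a decimal number.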
--- a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb +++ b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb @@ -5,13 +5,13 @@ vars = JSON.parse(File.read('/tmp/vars.json')) shared_examples 'xpack_upgrade::init' do |vars| #Test users file, users_roles and roles.yml describe file("/etc/elasticsearch/users_roles") do - it { should be_owned_by 'elasticsearch' } + it { should be_owned_by 'root' } it { should contain 'admin:es_admin' } it { should contain 'power_user:testUser' } end describe file("/etc/elasticsearch/users") do - it { should be_owned_by 'elasticsearch' } + it { should be_owned_by 'root' } it { should contain 'testUser:' } it { should contain 'es_admin:' } end @@ -37,7 +37,7 @@ shared_examples 'xpack_upgrade::init' do |vars| #Test contents of role_mapping.yml describe file("/etc/elasticsearch/role_mapping.yml") do - it { should be_owned_by 'elasticsearch' } + it { should be_owned_by 'root' } it { should contain 'power_user:' } it { should contain '- cn=admins,dc=example,dc=com' } it { should contain 'user:' } From 1befe6c0d9ac3140d41f1ecd26e5f7a7fec3b4ad Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Wed, 18 Sep 2019 10:57:58 +0200 Subject: [PATCH 17/17] stop trying to create users file as it's already created by the official package --- tasks/xpack/security/elasticsearch-security-file.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index 1d5d222..f81117a 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml 
@@ -22,15 +22,6 @@ when: old_users_file.stat.exists # End of users migrations -- name: Create the users file if it doesn't exist - copy: - content: "" - dest: "{{ es_conf_dir }}/users" - force: no # this ensures it only creates it if it does not exist - group: "{{ es_group }}" - owner: "{{ es_user }}" - mode: 0555 - #List current users - name: List Users become: yes