naming unnamed tasks
parent
d7a5af8c33
commit
dd9b4aad97
12 changed files with 155 additions and 77 deletions
|
|
@ -1,8 +1,10 @@
|
|||
---
|
||||
|
||||
- set_fact: force_install=no
|
||||
- name: set fact force_install to no
|
||||
set_fact: force_install=no
|
||||
|
||||
- set_fact: force_install=yes
|
||||
- name: set fact force_install to yes
|
||||
set_fact: force_install=yes
|
||||
when: es_allow_downgrades
|
||||
|
||||
- name: Debian - Install apt-transport-https to support https APT downloads
|
||||
|
|
|
|||
|
|
@ -1,39 +1,52 @@
|
|||
# Check for mandatory parameters
|
||||
|
||||
- fail: msg="es_instance_name must be specified and cannot be blank"
|
||||
- name: fail when es_instance is not defined
|
||||
fail: msg="es_instance_name must be specified and cannot be blank"
|
||||
when: es_instance_name is not defined or es_instance_name == ''
|
||||
|
||||
- fail: msg="es_proxy_port must be specified and cannot be blank when es_proxy_host is defined"
|
||||
- name: fail when es_proxy_port is not defined or is blank
|
||||
fail: msg="es_proxy_port must be specified and cannot be blank when es_proxy_host is defined"
|
||||
when: (es_proxy_port is not defined or es_proxy_port == '') and (es_proxy_host is defined and es_proxy_host != '')
|
||||
|
||||
- debug: msg="WARNING - It is recommended you specify the parameter 'http.port'"
|
||||
- name: debug message
|
||||
debug: msg="WARNING - It is recommended you specify the parameter 'http.port'"
|
||||
when: es_config['http.port'] is not defined
|
||||
|
||||
- debug: msg="WARNING - It is recommended you specify the parameter 'transport.tcp.port'"
|
||||
- name: debug message
|
||||
debug: msg="WARNING - It is recommended you specify the parameter 'transport.tcp.port'"
|
||||
when: es_config['transport.tcp.port'] is not defined
|
||||
|
||||
- debug: msg="WARNING - It is recommended you specify the parameter 'discovery.zen.ping.unicast.hosts'"
|
||||
- name: debug message
|
||||
debug: msg="WARNING - It is recommended you specify the parameter 'discovery.zen.ping.unicast.hosts'"
|
||||
when: es_config['discovery.zen.ping.unicast.hosts'] is not defined
|
||||
|
||||
#If the user attempts to lock memory they must specify a heap size
|
||||
- fail: msg="If locking memory with bootstrap.memory_lock a heap size must be specified"
|
||||
- name: fail when heap size is not specified when using memory lock
|
||||
fail: msg="If locking memory with bootstrap.memory_lock a heap size must be specified"
|
||||
when: es_config['bootstrap.memory_lock'] is defined and es_config['bootstrap.memory_lock'] == True and es_heap_size is not defined
|
||||
|
||||
#Check if working with security we have an es_api_basic_auth_username and es_api_basic_auth_username - otherwise any http calls wont work
|
||||
- fail: msg="Enabling security requires an es_api_basic_auth_username and es_api_basic_auth_password to be provided to allow cluster operations"
|
||||
- name: fail when api credentials are not declared when using security
|
||||
fail: msg="Enabling security requires an es_api_basic_auth_username and es_api_basic_auth_password to be provided to allow cluster operations"
|
||||
when: es_enable_xpack and ("security" in es_xpack_features) and es_api_basic_auth_username is not defined and es_api_basic_auth_password is not defined
|
||||
|
||||
- set_fact: file_reserved_users={{ es_users.file.keys() | intersect (reserved_xpack_users) }}
|
||||
- name: set fact file_reserved_users
|
||||
set_fact: file_reserved_users={{ es_users.file.keys() | intersect (reserved_xpack_users) }}
|
||||
when: es_users is defined and es_users.file is defined and (es_users.file.keys() | length > 0) and (es_users.file.keys() | intersect (reserved_xpack_users) | length > 0)
|
||||
|
||||
- fail:
|
||||
- name: fail when changing users through file realm
|
||||
fail:
|
||||
msg: "ERROR: INVALID CONFIG - YOU CANNOT CHANGE RESERVED USERS THROUGH THE FILE REALM. THE FOLLOWING CANNOT BE CHANGED: {{file_reserved_users}}. USE THE NATIVE REALM."
|
||||
when: file_reserved_users | default([]) | length > 0
|
||||
|
||||
- set_fact: instance_default_file={{default_file | dirname}}/{{es_instance_name}}_{{default_file | basename}}
|
||||
- set_fact: instance_init_script={{init_script | dirname }}/{{es_instance_name}}_{{init_script | basename}}
|
||||
- set_fact: conf_dir={{ es_conf_dir }}/{{es_instance_name}}
|
||||
- set_fact: m_lock_enabled={{ es_config['bootstrap.memory_lock'] is defined and es_config['bootstrap.memory_lock'] == True }}
|
||||
- name: set fact instance_default_file
|
||||
set_fact: instance_default_file={{default_file | dirname}}/{{es_instance_name}}_{{default_file | basename}}
|
||||
- name: set fact instance_init_script
|
||||
set_fact: instance_init_script={{init_script | dirname }}/{{es_instance_name}}_{{init_script | basename}}
|
||||
- name: set fact conf_dir
|
||||
set_fact: conf_dir={{ es_conf_dir }}/{{es_instance_name}}
|
||||
- name: set fact m_lock_enabled
|
||||
set_fact: m_lock_enabled={{ es_config['bootstrap.memory_lock'] is defined and es_config['bootstrap.memory_lock'] == True }}
|
||||
|
||||
#TODO - if transport.host is not local maybe error on boostrap checks
|
||||
|
||||
|
|
@ -44,13 +57,19 @@
|
|||
#Centos 7 and up
|
||||
#Relies on elasticsearch distribution installing a serviced script to determine whether one should be copied.
|
||||
|
||||
- set_fact: use_system_d={{(ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', '>=')) or (ansible_distribution in ['RedHat','CentOS'] and ansible_distribution_version | version_compare('7', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version | version_compare('15', '>=')) }}
|
||||
- name: set fact use_system_d
|
||||
set_fact: use_system_d={{(ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', '>=')) or (ansible_distribution in ['RedHat','CentOS'] and ansible_distribution_version | version_compare('7', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version | version_compare('15', '>=')) }}
|
||||
|
||||
- set_fact: instance_sysd_script={{sysd_script | dirname }}/{{es_instance_name}}_{{sysd_script | basename}}
|
||||
- name: set fact instance_sysd_script
|
||||
set_fact: instance_sysd_script={{sysd_script | dirname }}/{{es_instance_name}}_{{sysd_script | basename}}
|
||||
when: use_system_d
|
||||
#For directories we also use the {{inventory_hostname}}-{{ es_instance_name }} - this helps if we have a shared SAN.
|
||||
|
||||
- set_fact: instance_suffix={{inventory_hostname}}-{{ es_instance_name }}
|
||||
- set_fact: pid_dir={{ es_pid_dir }}/{{instance_suffix}}
|
||||
- set_fact: log_dir={{ es_log_dir }}/{{instance_suffix}}
|
||||
- set_fact: data_dirs={{ es_data_dirs | append_to_list('/'+instance_suffix) }}
|
||||
- name: set fact instance_suffix
|
||||
set_fact: instance_suffix={{inventory_hostname}}-{{ es_instance_name }}
|
||||
- name: set fact pid_dir
|
||||
set_fact: pid_dir={{ es_pid_dir }}/{{instance_suffix}}
|
||||
- name: set fact log_dir
|
||||
set_fact: log_dir={{ es_log_dir }}/{{instance_suffix}}
|
||||
- name: set fact log_dir
|
||||
set_fact: data_dirs={{ es_data_dirs | append_to_list('/'+instance_suffix) }}
|
||||
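Review bot: The credentials check named `fail when api credentials are not declared when using security` only fires when both values are missing, because its `when:` joins `es_api_basic_auth_username is not defined` and `es_api_basic_auth_password is not defined` with `and`; the message says both are required, so a run that sets only one of them passes this gate. Joining the two tests with `or`, as in `... and (es_api_basic_auth_username is not defined or es_api_basic_auth_password is not defined)`, makes the check match its message. Separately, in the second hunk the task that sets `data_dirs` was given the name `set fact log_dir`, duplicating the task above it; `- name: set fact data_dirs` keeps the play output unambiguous.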
|
|
|
|||
|
|
@ -2,12 +2,15 @@
|
|||
|
||||
# es_plugins_reinstall will be set to true if elasticsearch_install_from_repo.changed or elasticsearch_install_from_package.changed
|
||||
# i.e. we have changed ES version(or we have clean installation of ES), or if no plugins listed. Otherwise it is false and requires explicitly setting.
|
||||
- set_fact: es_plugins_reinstall=true
|
||||
- name: set fact es_plugins_reinstall to true
|
||||
set_fact: es_plugins_reinstall=true
|
||||
when: (((debian_elasticsearch_install_from_repo is defined and debian_elasticsearch_install_from_repo.changed) or (redhat_elasticsearch_install_from_repo is defined and redhat_elasticsearch_install_from_repo.changed)) or (elasticsearch_install_from_package is defined and elasticsearch_install_from_package.changed)) or es_plugins is not defined or es_plugins is none
|
||||
|
||||
- set_fact: list_command=""
|
||||
- name: set fact list_command
|
||||
set_fact: list_command=""
|
||||
#If we are reinstalling all plugins, e.g. to a version change, we need to remove all plugins (inc. x-pack) to install any plugins. Otherwise we don't consider x-pack so the role stays idempotent.
|
||||
- set_fact: list_command="| grep -vE 'x-pack'"
|
||||
- name: set fact list_command check for x-pack
|
||||
set_fact: list_command="| grep -vE 'x-pack'"
|
||||
when: not es_plugins_reinstall
|
||||
|
||||
#List currently installed plugins. We have to list the directories as the list commmand fails if the ES version is different than the plugin version.
|
||||
|
|
@ -23,19 +26,23 @@
|
|||
ES_INCLUDE: "{{ instance_default_file }}"
|
||||
|
||||
#if es_plugins_reinstall is set to true we remove ALL plugins
|
||||
- set_fact: plugins_to_remove="{{ installed_plugins.stdout_lines | default([]) }}"
|
||||
- name: set fact plugins_to_remove to install_plugins.stdout_lines
|
||||
set_fact: plugins_to_remove="{{ installed_plugins.stdout_lines | default([]) }}"
|
||||
when: es_plugins_reinstall
|
||||
|
||||
#if the plugins listed are different than those requested, we remove those installed but not listed in the config
|
||||
- set_fact: plugins_to_remove="{{ installed_plugins.stdout_lines | difference(es_plugins | json_query('[*].plugin')) | default([]) }}"
|
||||
- name: set fact plugins_to_remove to delete plugins installed but not listed in es_plugins
|
||||
set_fact: plugins_to_remove="{{ installed_plugins.stdout_lines | difference(es_plugins | json_query('[*].plugin')) | default([]) }}"
|
||||
when: not es_plugins_reinstall
|
||||
|
||||
#if es_plugins_reinstall is set to true we (re)install ALL plugins
|
||||
- set_fact: plugins_to_install="{{ es_plugins | json_query('[*].plugin') | default([]) }}"
|
||||
- name: set fact plugins_to_install to es_plugins
|
||||
set_fact: plugins_to_install="{{ es_plugins | json_query('[*].plugin') | default([]) }}"
|
||||
when: es_plugins_reinstall
|
||||
|
||||
#if the plugins listed are different than those requested, we install those not installed but listed in the config
|
||||
- set_fact: plugins_to_install="{{ es_plugins | json_query('[*].plugin') | difference(installed_plugins.stdout_lines) | default([]) }}"
|
||||
- name: set fact to plugins_to_install to those in es_config but not installed
|
||||
set_fact: plugins_to_install="{{ es_plugins | json_query('[*].plugin') | difference(installed_plugins.stdout_lines) | default([]) }}"
|
||||
when: not es_plugins_reinstall
|
||||
|
||||
# This removes any currently installed plugins (to prevent errors when reinstalling)
|
||||
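Review bot: In the second hunk, `set fact plugins_to_install to es_plugins` applies `default([])` at the end of `es_plugins | json_query('[*].plugin')`, after the value has already been queried, yet the first task in this file turns `es_plugins_reinstall` on exactly when `es_plugins` is undefined or none. Defaulting the input instead, `{{ es_plugins | default([], true) | json_query('[*].plugin') }}`, gives an empty list in that case; how the current form behaves there depends on how json_query treats an undefined or null input, which is not visible here. Two of the new names also misname what they describe: `set fact plugins_to_remove to install_plugins.stdout_lines` reads the register `installed_plugins`, and `... those in es_config but not installed` refers to `es_plugins`.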
|
|
|
|||
|
|
@ -1,10 +1,12 @@
|
|||
---
|
||||
|
||||
- set_fact: es_script_dir={{ es_conf_dir }}/{{es_instance_name}}
|
||||
- name: set fact es_script_dir
|
||||
set_fact: es_script_dir={{ es_conf_dir }}/{{es_instance_name}}
|
||||
tags:
|
||||
- always
|
||||
|
||||
- set_fact: es_script_dir={{es_config['path.scripts']}}
|
||||
- name: set fact es_script_dir when path.scripts
|
||||
set_fact: es_script_dir={{es_config['path.scripts']}}
|
||||
when: es_config['path.scripts'] is defined
|
||||
tags:
|
||||
- always
|
||||
|
|
|
|||
|
|
@ -1,6 +1,11 @@
|
|||
---
|
||||
|
||||
- file: path=/etc/elasticsearch/templates state=directory owner={{ es_user }} group={{ es_group }}
|
||||
- name: ensure templates dir is created
|
||||
file:
|
||||
path: /etc/elasticsearch/templates
|
||||
state: directory
|
||||
owner: "{{ es_user }}"
|
||||
group: "{{ es_group }}"
|
||||
|
||||
- name: Copy templates to elasticsearch
|
||||
copy: src={{ item }} dest=/etc/elasticsearch/templates owner={{ es_user }} group={{ es_group }}
|
||||
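Review bot: The rewritten `file:` task creates `/etc/elasticsearch/templates` with an owner and a group but no `mode`, so the directory permissions are left to whatever the remote umask gives. Since the task is already being converted to mapping form, an explicit quoted mode such as `mode: "0750"` (value to be confirmed against what the Elasticsearch user needs) would pin it. The `copy:` task below still uses the `key=value` form with an unquoted `{{ item }}`; its body continues outside the hunk.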
|
|
|
|||
|
|
@ -1,8 +1,10 @@
|
|||
---
|
||||
|
||||
- set_fact: java_state="present"
|
||||
- name: set fact java_state to present
|
||||
set_fact: java_state="present"
|
||||
|
||||
- set_fact: java_state="latest"
|
||||
- name: set fact java_state to latest
|
||||
set_fact: java_state="latest"
|
||||
when: update_java == true
|
||||
|
||||
- name: RedHat - Ensure Java is installed
|
||||
|
|
@ -35,7 +37,8 @@
|
|||
apt: name={{ java }} state={{java_state}}
|
||||
when: ansible_os_family == 'Debian'
|
||||
|
||||
- shell: java -version 2>&1 | grep OpenJDK
|
||||
- name: register open_jdk version
|
||||
shell: java -version 2>&1 | grep OpenJDK
|
||||
register: open_jdk
|
||||
ignore_errors: yes
|
||||
changed_when: false
|
||||
|
|
|
|||
|
|
@ -9,35 +9,42 @@
|
|||
tags:
|
||||
- always
|
||||
|
||||
- include: java.yml
|
||||
- name: include java.yml
|
||||
include: java.yml
|
||||
when: es_java_install
|
||||
tags:
|
||||
- java
|
||||
|
||||
- include: elasticsearch.yml
|
||||
- name: include elasticsearch.yml
|
||||
include: elasticsearch.yml
|
||||
tags:
|
||||
- install
|
||||
|
||||
- include: elasticsearch-config.yml
|
||||
- name: include elasticsearch-config.yml
|
||||
include: elasticsearch-config.yml
|
||||
tags:
|
||||
- config
|
||||
|
||||
- include: elasticsearch-scripts.yml
|
||||
- name: include elasticsearch-scripts.yml
|
||||
include: elasticsearch-scripts.yml
|
||||
when: es_scripts
|
||||
tags:
|
||||
- scripts
|
||||
|
||||
- include: elasticsearch-plugins.yml
|
||||
- name: include elasticsearch-plugins.yml
|
||||
include: elasticsearch-plugins.yml
|
||||
when: es_plugins is defined or es_plugins_reinstall
|
||||
tags:
|
||||
- plugins
|
||||
|
||||
#We always execute xpack as we may need to remove features
|
||||
- include: xpack/elasticsearch-xpack.yml
|
||||
- name: include xpack/elasticsearch-xpack.yml
|
||||
include: xpack/elasticsearch-xpack.yml
|
||||
tags:
|
||||
- xpack
|
||||
|
||||
- meta: flush_handlers
|
||||
- name: flush handlers
|
||||
meta: flush_handlers
|
||||
|
||||
- name: Make sure elasticsearch is started
|
||||
service: name={{instance_init_script | basename}} state=started enabled=yes
|
||||
|
|
@ -47,9 +54,11 @@
|
|||
wait_for: host={{es_api_host}} port={{es_api_port}} delay=5 connect_timeout=1
|
||||
when: es_restarted is defined and es_restarted.changed and es_start_service
|
||||
|
||||
- set_fact: manage_native_realm=false
|
||||
- name: set fact manage_native_realm to false
|
||||
set_fact: manage_native_realm=false
|
||||
|
||||
- set_fact: manage_native_realm=true
|
||||
- name: set fact manage_native_realm to true
|
||||
set_fact: manage_native_realm=true
|
||||
when: es_start_service and (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
|
||||
|
||||
# If playbook runs too fast, Native commands could fail as the Native Realm is not yet up
|
||||
|
|
@ -62,12 +71,14 @@
|
|||
when: es_start_service and es_enable_xpack and es_xpack_license is defined and es_xpack_license != ''
|
||||
|
||||
#perform security actions here now elasticsearch is started
|
||||
- include: ./xpack/security/elasticsearch-security-native.yml
|
||||
- name: include xpack/security/elasticsearch-security-native.yml
|
||||
include: ./xpack/security/elasticsearch-security-native.yml
|
||||
when: manage_native_realm
|
||||
|
||||
#Templates done after restart - handled by flushing the handlers. e.g. suppose user removes security on a running node and doesn't specify es_api_basic_auth_username and es_api_basic_auth_password. The templates will subsequently not be removed if we don't wait for the node to restart.
|
||||
#We also do after the native realm to ensure any changes are applied here first and its denf up.
|
||||
- include: elasticsearch-template.yml
|
||||
- name: include elasticsearch-template.yml
|
||||
include: elasticsearch-template.yml
|
||||
when: es_templates
|
||||
tags:
|
||||
- templates
|
||||
- templates
|
||||
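Review bot: In the second hunk, the `when:` on `set fact manage_native_realm to true` wraps the membership test in single quotes, `'"security" in es_xpack_features'`, which makes it a non-empty string literal rather than a test; that part of the condition is therefore always true, and the fact is set whenever `es_enable_xpack` holds and native users or roles are defined, whether or not security is among the features. The parameters file on this page writes the same test as `es_enable_xpack and ("security" in es_xpack_features)`; using that form here gives `when: es_start_service and (es_enable_xpack and "security" in es_xpack_features) and (...)`. The two `when:` lists in the last file section of the page (the task that opens the hunk and `Create Bootstrap password for elastic user`) carry the same quoted string and need the same change.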
|
|
|
|||
|
|
@ -1,7 +1,8 @@
|
|||
---
|
||||
|
||||
#Test if feature is installed
|
||||
- shell: "{{es_home}}/bin/elasticsearch-plugin list | grep x-pack"
|
||||
- name: Test if x-pack is installed
|
||||
shell: "{{es_home}}/bin/elasticsearch-plugin list | grep x-pack"
|
||||
become: yes
|
||||
register: x_pack_installed
|
||||
changed_when: False
|
||||
|
|
|
|||
|
|
@ -1,11 +1,14 @@
|
|||
---
|
||||
|
||||
- set_fact: es_version_changed={{ ((elasticsearch_install_from_package is defined and (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed)) or (elasticsearch_install_from_package is defined and elasticsearch_install_from_package.changed)) }}
|
||||
- name: set fact es_version_changed
|
||||
set_fact: es_version_changed={{ ((elasticsearch_install_from_package is defined and (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed)) or (elasticsearch_install_from_package is defined and elasticsearch_install_from_package.changed)) }}
|
||||
|
||||
- include: elasticsearch-xpack-install.yml
|
||||
- name: include elasticsearch-xpack-install.yml
|
||||
include: elasticsearch-xpack-install.yml
|
||||
|
||||
#Security configuration
|
||||
- include: security/elasticsearch-security.yml
|
||||
- name: include security/elasticsearch-security.yml
|
||||
include: security/elasticsearch-security.yml
|
||||
|
||||
#Add any feature specific configuration here
|
||||
- name: Set Plugin Directory Permissions
|
||||
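Review bot: The `es_version_changed` expression guards `debian_elasticsearch_install_from_repo.changed` and `redhat_elasticsearch_install_from_repo.changed` with `elasticsearch_install_from_package is defined`, which is a different variable, so the two repo registers are read without a check of their own. The plugins file on this page tests each register before reading `.changed`; the same shape here would be `(debian_elasticsearch_install_from_repo is defined and debian_elasticsearch_install_from_repo.changed) or (redhat_elasticsearch_install_from_repo is defined and redhat_elasticsearch_install_from_repo.changed)`. Whether a register can actually be missing at this point depends on the install tasks, which are not visible in this hunk.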
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- set_fact: manage_file_users=es_users is defined and es_users.file is defined and es_users.file.keys() | length > 0
|
||||
- name: set fact manage_file_users
|
||||
set_fact: manage_file_users=es_users is defined and es_users.file is defined and es_users.file.keys() | length > 0
|
||||
|
||||
#List current users
|
||||
- name: List Users
|
||||
|
|
@ -9,7 +10,8 @@
|
|||
when: manage_file_users
|
||||
changed_when: False
|
||||
|
||||
- set_fact: users_to_remove={{ current_file_users.stdout_lines | difference (es_users.file.keys()) }}
|
||||
- name: set fact users_to_remove
|
||||
set_fact: users_to_remove={{ current_file_users.stdout_lines | difference (es_users.file.keys()) }}
|
||||
when: manage_file_users
|
||||
|
||||
#Remove users
|
||||
|
|
@ -24,7 +26,8 @@
|
|||
ES_PATH_CONF: "{{ conf_dir }}"
|
||||
ES_HOME: "{{es_home}}"
|
||||
|
||||
- set_fact: users_to_add={{ es_users.file.keys() | difference (current_file_users.stdout_lines) }}
|
||||
- name: set fact users_to_add
|
||||
set_fact: users_to_add={{ es_users.file.keys() | difference (current_file_users.stdout_lines) }}
|
||||
when: manage_file_users
|
||||
|
||||
#Add users
|
||||
|
|
@ -55,7 +58,8 @@
|
|||
ES_PATH_CONF: "{{ conf_dir }}"
|
||||
ES_HOME: "{{es_home}}"
|
||||
|
||||
- set_fact: users_roles={{es_users.file | extract_role_users () }}
|
||||
- name: set fact users_roles
|
||||
set_fact: users_roles={{es_users.file | extract_role_users () }}
|
||||
when: manage_file_users
|
||||
|
||||
#Copy Roles files
|
||||
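Review bot: `set fact manage_file_users` assigns a bare expression, `manage_file_users=es_users is defined and ...`, without `{{ }}`, unlike the other expression-valued `set_fact` tasks on this page; in `key=value` form the value contains spaces, so what ends up stored depends on how the argument string is split rather than on the result of the expression. Because this fact gates the tasks that remove and add file-realm users, it is worth making it an explicit boolean in mapping form: `set_fact:` followed by `manage_file_users: "{{ es_users is defined and es_users.file is defined and es_users.file.keys() | length > 0 }}"`.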
|
|
|
|||
|
|
@ -1,14 +1,19 @@
|
|||
---
|
||||
- set_fact: change_api_password=false
|
||||
- name: set fact change_api_password to false
|
||||
set_fact: change_api_password=false
|
||||
|
||||
- set_fact: manage_native_users=false
|
||||
- name: set fact manage_native_users to false
|
||||
set_fact: manage_native_users=false
|
||||
|
||||
- set_fact: manage_native_users=true
|
||||
- name: set fact manage_native_users to true
|
||||
set_fact: manage_native_users=true
|
||||
when: es_users is defined and es_users.native is defined and es_users.native.keys() | length > 0
|
||||
|
||||
- set_fact: manage_native_roles=false
|
||||
- name: set fact manage_native_role to false
|
||||
set_fact: manage_native_roles=false
|
||||
|
||||
- set_fact: manage_native_roles=true
|
||||
- name: set fact manange_native_roles to true
|
||||
set_fact: manage_native_roles=true
|
||||
when: es_roles is defined and es_roles.native is defined and es_roles.native.keys() | length > 0
|
||||
|
||||
#If the node has just has security installed it maybe either stopped or started 1. if stopped, we need to start to load native realms 2. if started, we need to restart to load
|
||||
|
|
@ -25,18 +30,22 @@
|
|||
register: user_list_response
|
||||
when: manage_native_users
|
||||
|
||||
- set_fact: reserved_users={{ user_list_response.json | filter_reserved }}
|
||||
- name: set fact reserved_users equals user_list_response.json
|
||||
set_fact: reserved_users={{ user_list_response.json | filter_reserved }}
|
||||
when: manage_native_users
|
||||
|
||||
#Current users not inc. those reserved
|
||||
- set_fact: current_users={{ user_list_response.json.keys() | difference (reserved_users) }}
|
||||
- name: set fact current_users equals user_list_response.json.keys not including reserved
|
||||
set_fact: current_users={{ user_list_response.json.keys() | difference (reserved_users) }}
|
||||
when: manage_native_users
|
||||
|
||||
#We are changing the es_api_basic_auth_username password, so we need to do it first and update the param
|
||||
- set_fact: native_users={{ es_users.native }}
|
||||
- name: set fact native_users
|
||||
set_fact: native_users={{ es_users.native }}
|
||||
when: manage_native_users
|
||||
|
||||
- set_fact: change_api_password=true
|
||||
- name: set fact change_api_password to true
|
||||
set_fact: change_api_password=true
|
||||
when: manage_native_users and es_api_basic_auth_username in native_users and native_users[es_api_basic_auth_username].password is defined
|
||||
|
||||
- name: Update API User Password
|
||||
|
|
@ -51,11 +60,13 @@
|
|||
force_basic_auth: yes
|
||||
when: change_api_password
|
||||
|
||||
- set_fact: es_api_basic_auth_password={{native_users[es_api_basic_auth_username].password}}
|
||||
- name: set fact es_api_basic_auth_password
|
||||
set_fact: es_api_basic_auth_password={{native_users[es_api_basic_auth_username].password}}
|
||||
when: change_api_password
|
||||
|
||||
#Identify users that are present in ES but not declared and thus should be removed
|
||||
- set_fact: users_to_remove={{ current_users | difference ( native_users.keys() ) }}
|
||||
- name: set fact users_to_remove
|
||||
set_fact: users_to_remove={{ current_users | difference ( native_users.keys() ) }}
|
||||
when: manage_native_users
|
||||
|
||||
#Delete all non required users NOT inc. reserved
|
||||
|
|
@ -70,10 +81,12 @@
|
|||
when: manage_native_users
|
||||
with_items: "{{ users_to_remove | default([]) }}"
|
||||
|
||||
- set_fact: users_to_ignore={{ native_users.keys() | intersect (reserved_users) }}
|
||||
- name: set fact users_to_ignore
|
||||
set_fact: users_to_ignore={{ native_users.keys() | intersect (reserved_users) }}
|
||||
when: manage_native_users
|
||||
|
||||
- debug:
|
||||
- name: debug message
|
||||
debug:
|
||||
msg: "WARNING: YOU CAN ONLY CHANGE THE PASSWORD FOR RESERVED USERS IN THE NATIVE REALM. ANY ROLE CHANGES WILL BE IGNORED: {{users_to_ignore}}"
|
||||
when: manage_native_users and users_to_ignore | length > 0
|
||||
|
||||
|
|
@ -92,7 +105,8 @@
|
|||
no_log: True
|
||||
with_items: "{{ users_to_ignore | default([]) }}"
|
||||
|
||||
- set_fact: users_to_modify={{ native_users.keys() | difference (reserved_users) }}
|
||||
- name: set fact users_to_modify
|
||||
set_fact: users_to_modify={{ native_users.keys() | difference (reserved_users) }}
|
||||
when: manage_native_users
|
||||
|
||||
#Overwrite all other users NOT inc. those reserved
|
||||
|
|
@ -125,20 +139,25 @@
|
|||
register: role_list_response
|
||||
when: manage_native_roles
|
||||
|
||||
- set_fact: reserved_roles={{ role_list_response.json | filter_reserved }}
|
||||
- name: set fact reserved roles
|
||||
set_fact: reserved_roles={{ role_list_response.json | filter_reserved }}
|
||||
when: manage_native_roles
|
||||
|
||||
- set_fact: current_roles={{ role_list_response.json.keys() | difference (reserved_roles) }}
|
||||
- name: set fact current roles
|
||||
set_fact: current_roles={{ role_list_response.json.keys() | difference (reserved_roles) }}
|
||||
when: manage_native_roles
|
||||
|
||||
- set_fact: roles_to_ignore={{ es_roles.native.keys() | intersect (reserved_roles) | default([]) }}
|
||||
- name: set fact roles to ignore
|
||||
set_fact: roles_to_ignore={{ es_roles.native.keys() | intersect (reserved_roles) | default([]) }}
|
||||
when: manage_native_roles
|
||||
|
||||
- debug:
|
||||
- name: debug message
|
||||
debug:
|
||||
msg: "WARNING: YOU CANNOT CHANGE RESERVED ROLES. THE FOLLOWING WILL BE IGNORED: {{roles_to_ignore}}"
|
||||
when: manage_native_roles and roles_to_ignore | length > 0
|
||||
|
||||
- set_fact: roles_to_remove={{ current_roles | difference ( es_roles.native.keys() ) }}
|
||||
- name: set fact roles_to_remove
|
||||
set_fact: roles_to_remove={{ current_roles | difference ( es_roles.native.keys() ) }}
|
||||
when: manage_native_roles
|
||||
|
||||
#Delete all non required roles NOT inc. reserved
|
||||
|
|
@ -153,7 +172,8 @@
|
|||
when: manage_native_roles
|
||||
with_items: "{{roles_to_remove | default([]) }}"
|
||||
|
||||
- set_fact: roles_to_modify={{ es_roles.native.keys() | difference (reserved_roles) }}
|
||||
- name: set fact roles_to_modify
|
||||
set_fact: roles_to_modify={{ es_roles.native.keys() | difference (reserved_roles) }}
|
||||
when: manage_native_roles
|
||||
|
||||
#Update other roles - NOT inc. reserved roles
|
||||
|
|
@ -168,4 +188,4 @@
|
|||
password: "{{es_api_basic_auth_password}}"
|
||||
force_basic_auth: yes
|
||||
when: manage_native_roles
|
||||
with_items: "{{ roles_to_modify | default([]) }}"
|
||||
with_items: "{{ roles_to_modify | default([]) }}"
|
||||
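Review bot: `set fact es_api_basic_auth_password` (the hunk at -51,11) copies a password through a `key=value` `set_fact` with no `no_log`, although a task elsewhere in this file does set `no_log: True`; a fact set this way is part of the task result, so the value can show up in verbose output, and a password containing spaces or quotes may not survive `key=value` splitting. Writing it in mapping form, `set_fact:` followed by `es_api_basic_auth_password: "{{ native_users[es_api_basic_auth_username].password }}"`, and adding `no_log: true` covers both. Two of the new names are also misspelled: `set fact manage_native_role to false` and `set fact manange_native_roles to true` both refer to `manage_native_roles`.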
|
|
|
|||
|
|
@ -20,12 +20,13 @@
|
|||
environment:
|
||||
ES_PATH_CONF: "{{ conf_dir }}"
|
||||
when:
|
||||
- (es_enable_xpack and '"security" in es_xpack_features') and (es_version | version_compare('6.0.0', '>'))
|
||||
- (es_enable_xpack and '"security" in es_xpack_features') and (es_version | version_compare('6.0.0', '>'))
|
||||
|
||||
- name: Create Bootstrap password for elastic user
|
||||
shell: echo "{{es_api_basic_auth_password}}" | {{es_home}}/bin/elasticsearch-keystore add -x 'bootstrap.password'
|
||||
when:
|
||||
- (es_enable_xpack and '"security" in es_xpack_features') and (es_version | version_compare('6.0.0', '>')) and es_api_basic_auth_username is defined and list_keystore is defined and es_api_basic_auth_username == 'elastic' and 'bootstrap.password' not in list_keystore.stdout_lines
|
||||
- (es_enable_xpack and '"security" in es_xpack_features') and (es_version | version_compare('6.0.0', '>')) and es_api_basic_auth_username is defined and list_keystore is defined and es_api_basic_auth_username == 'elastic' and 'bootstrap.password' not in list_keystore.stdout_line
|
||||
|
||||
environment:
|
||||
ES_PATH_CONF: "{{ conf_dir }}"
|
||||
no_log: true
|
||||
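Review bot: `Create Bootstrap password for elastic user` templates `es_api_basic_auth_password` straight into a double-quoted `echo` on a `shell:` line, so characters such as `$`, a backtick or `"` in the password are interpreted by the shell before the keystore reads them. Passing the value through the `quote` filter, `shell: echo {{ es_api_basic_auth_password | quote }} | {{es_home}}/bin/elasticsearch-keystore add -x 'bootstrap.password'`, keeps it literal; `no_log: true` is already set on the task. As printed, the second copy of this task's `when:` line ends in `list_keystore.stdout_line` rather than `stdout_lines`; if that is the new side and not a rendering cut-off, the keystore check no longer reads the registered output. The task whose `environment:` and `when:` open the hunk starts outside it.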
|
|
|
|||