Fix for issue #369

2017-09-19 20:11:09 +01:00 · 2017-09-19 20:11:09 +01:00 · e9a6f74d09
commit e9a6f74d09
parent 0676799d1c
8 changed files with 216 additions and 47 deletions
--- a/tasks/xpack/security/elasticsearch-security-native.yml
+++ b/tasks/xpack/security/elasticsearch-security-native.yml
@ -1,14 +1,15 @@
 ---
+- set_fact: change_api_password=false

 - set_fact: manage_native_users=false

 - set_fact: manage_native_users=true
-  when: es_users is defined and es_users.native is defined
+  when: es_users is defined and es_users.native is defined and es_users.native.keys() | length > 0

 - set_fact: manage_native_roles=false

 - set_fact: manage_native_roles=true
-  when: es_roles is defined and es_roles.native is defined
+  when: es_roles is defined and es_roles.native is defined and es_roles.native.keys() | length > 0

 # If playbook runs too fast, Native commands could fail as the Native Realm is not yet up
 - name: Wait 15 seconds for the Native Relm to come up
@ -28,15 +29,40 @@
  register: user_list_response
  when: manage_native_users

+- set_fact: reserved_users={{ user_list_response.json | filter_reserved }}
+  when: manage_native_users
+
 #Current users not inc. those reserved
- set_fact: current_users={{ user_list_response.json | filter_reserved }}
+- set_fact: current_users={{ user_list_response.json.keys() | difference (reserved_users) }}
  when: manage_native_users

-#Identify non declared users
- set_fact: users_to_remove={{ current_users | difference ( es_users.native.keys() ) }}
+#We are changing the es_api_basic_auth_username password, so we need to do it first and update the param
+- set_fact: native_users={{ es_users.native }}
  when: manage_native_users

-#Delete all non required users
+- set_fact: change_api_password=true
+  when: manage_native_users and es_api_basic_auth_username in native_users and native_users[es_api_basic_auth_username].password is defined
+
+- name: Update API User Password
+  uri:
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{es_api_basic_auth_username}}/_password
+    method: POST
+    body_format: json
+    body: "{ \"password\":\"{{native_users[es_api_basic_auth_username].password}}\" }"
+    status_code: 200
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+  when: change_api_password
+
+- set_fact: es_api_basic_auth_password={{native_users[es_api_basic_auth_username].password}}
+  when: change_api_password
+
+#Identify users that are present in ES but not declared and thus should be removed
+- set_fact: users_to_remove={{ current_users | difference ( native_users.keys() ) }}
+  when: manage_native_users
+
+#Delete all non required users NOT inc. reserved
 - name: Delete Native Users
  uri:
    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}
@ -45,26 +71,50 @@
    user: "{{es_api_basic_auth_username}}"
    password: "{{es_api_basic_auth_password}}"
    force_basic_auth: yes
-  when: manage_native_users and users_to_remove | length > 0
-  with_items: "{{users_to_remove | default([]) }}"
+  when: manage_native_users
+  with_items: "{{ users_to_remove | default([]) }}"

- set_fact: native_users={{ es_users.native }}
-  when: manage_native_users and es_users.native.keys() > 0
+- set_fact: users_to_ignore={{ native_users.keys() | intersect (reserved_users) }}
+  when: manage_native_users

-#Overwrite all other users
- name: Update Native Users
+- debug:
+    msg: "WARNING: YOU CAN ONLY CHANGE THE PASSWORD FOR RESERVED USERS IN THE NATIVE REALM. ANY ROLE CHANGES WILL BE IGNORED: {{users_to_ignore}}"
+  when: manage_native_users and users_to_ignore | length > 0
+
+#Update password on all reserved users
+- name: Update Reserved User Passwords
  uri:
-    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item.key}}
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}/_password
    method: POST
    body_format: json
-    body: "{{item.value | to_json}}"
+    body: "{ \"password\":\"{{native_users[item].password}}\" }"
    status_code: 200
    user: "{{es_api_basic_auth_username}}"
    password: "{{es_api_basic_auth_password}}"
    force_basic_auth: yes
-  when: manage_native_users and native_users.keys() > 0
+  when: native_users[item].password is defined
  no_log: True
-  with_dict: "{{native_users | default({}) }}"
+  with_items: "{{ users_to_ignore | default([]) }}"
+
+- set_fact: users_to_modify={{ native_users.keys() | difference (reserved_users) }}
+  when: manage_native_users
+
+#Overwrite all other users NOT inc. those reserved
+- name: Update Non-Reserved Native User Details
+  uri:
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}
+    method: POST
+    body_format: json
+    body: "{{ native_users[item] | to_json }}"
+    status_code: 200
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+  when: manage_native_users
+  no_log: True
+  with_items: "{{ users_to_modify | default([]) }}"
+
+## ROLE CHANGES

 #List current roles not. inc those reserved
 - name: List Native Roles
@ -79,16 +129,23 @@
  register: role_list_response
  when: manage_native_roles

- set_fact: current_roles={{ role_list_response.json | filter_reserved }}
+- set_fact: reserved_roles={{ role_list_response.json | filter_reserved }}
  when: manage_native_roles

- debug: msg="{{current_roles}}"
+- set_fact: current_roles={{ role_list_response.json.keys() | difference (reserved_roles) }}
  when: manage_native_roles

+- set_fact: roles_to_ignore={{ es_roles.native.keys() | intersect (reserved_roles) | default([]) }}
+  when: manage_native_roles
+
+- debug:
+    msg: "WARNING: YOU CANNOT CHANGE RESERVED ROLES. THE FOLLOWING WILL BE IGNORED: {{roles_to_ignore}}"
+  when: manage_native_roles and roles_to_ignore | length > 0
+
 - set_fact: roles_to_remove={{ current_roles | difference ( es_roles.native.keys()  ) }}
  when: manage_native_roles

-#Delete all non required roles
+#Delete all non required roles NOT inc. reserved
 - name: Delete Native Roles
  uri:
    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item}}
@ -97,23 +154,22 @@
    user: "{{es_api_basic_auth_username}}"
    password: "{{es_api_basic_auth_password}}"
    force_basic_auth: yes
-  when: manage_native_roles and roles_to_remove | length > 0
+  when: manage_native_roles
  with_items: "{{roles_to_remove | default([]) }}"

+- set_fact: roles_to_modify={{ es_roles.native.keys() | difference (reserved_roles) }}
+  when: manage_native_roles

- set_fact: native_roles={{ es_roles.native }}
-  when: manage_native_roles and es_roles.native.keys() > 0
-
-#Update other roles
+#Update other roles - NOT inc. reserved roles
 - name: Update Native Roles
  uri:
-    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item.key}}
+    url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item}}
    method: POST
    body_format: json
-    body: "{{item.value | to_json}}"
+    body: "{{ es_roles.native[item] | to_json}}"
    status_code: 200
    user: "{{es_api_basic_auth_username}}"
    password: "{{es_api_basic_auth_password}}"
    force_basic_auth: yes
-  when: manage_native_roles and native_roles.keys() > 0
-  with_dict: "{{ native_roles | default({})}}"
+  when: manage_native_roles
+  with_items: "{{ roles_to_modify | default([]) }}"