---
# Security-specific configuration is done here
# TODO: 1. Skip users with no password defined, or raise an error. 2. Enforce passwords | length > 6.
#-----------------------------Create Bootstrap User-----------------------------------
### START BLOCK elasticsearch keystore ###
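- name: create the elasticsearch keystore
  # Creates the node keystore, seeds bootstrap.password for the built-in
  # 'elastic' user, and reconciles the entries declared in es_keystore_entries
  # (remove those with state=absent, add those with state=present).
  # Every keystore command sets ES_PATH_CONF so it edits the keystore in
  # es_conf_dir, i.e. the one the configured instance will read.
  block:
    - name: create the keystore if it doesn't exist yet
      become: true
      command: >
        {{ es_home }}/bin/elasticsearch-keystore create
      args:
        # skipped once the keystore file exists; 'create' would otherwise
        # prompt interactively about overwriting it
        creates: "{{ es_conf_dir }}/elasticsearch.keystore"
      environment:
        ES_PATH_CONF: "{{ es_conf_dir }}"

    - name: Check if bootstrap password is set
      become: true
      command: >
        {{ es_home }}/bin/elasticsearch-keystore list
      # read-only listing; it must also run in check mode because the tasks
      # below branch on its output
      register: list_keystore
      changed_when: false
      environment:
        ES_PATH_CONF: "{{ es_conf_dir }}"
      check_mode: false

    - name: Create Bootstrap password for elastic user
      become: true
      # the secret is fed to the keystore tool on stdin (-x) rather than as a
      # keystore argument; 'quote' shell-escapes it for the echo.
      # NOTE(review): the command module's 'stdin' parameter would also keep
      # the value out of the 'sh -c' argv; confirm the minimum Ansible version
      # before switching.
      shell: echo {{ es_api_basic_auth_password | quote }} | {{ es_home }}/bin/elasticsearch-keystore add -x 'bootstrap.password'
      # conditions are checked in order, so list_keystore is confirmed to be
      # defined before its stdout is read
      when:
        - es_api_basic_auth_username is defined
        - list_keystore is defined
        - es_api_basic_auth_username == 'elastic'
        - ('bootstrap.password' not in list_keystore.stdout_lines)
      environment:
        ES_PATH_CONF: "{{ es_conf_dir }}"
      # keeps the password out of play output and callback logs
      no_log: true

    - name: Remove keystore entries
      become: true
      # 'remove' takes no value, so nothing is piped in: the command module
      # does not interpret '|' and would have run 'echo' with the rest of the
      # line as literal arguments instead of removing the entry
      command: >
        {{ es_home }}/bin/elasticsearch-keystore remove {{ item.key | quote }}
      # the loop is expanded before 'when' is evaluated, so an undefined
      # es_keystore_entries must be defaulted here rather than guarded below
      with_items: "{{ es_keystore_entries | default([]) }}"
      when:
        - item.state is defined and item.state == 'absent'
        - item.key in list_keystore.stdout_lines
        # bootstrap.password is owned by the task above, never by the entry list
        - ('bootstrap.password' not in item.key)
      environment:
        ES_PATH_CONF: "{{ es_conf_dir }}"
      # items may carry secret values; keep them out of the logs
      no_log: true

    - name: Reload keystore entries
      become: true
      command: >
        {{ es_home }}/bin/elasticsearch-keystore list
      # refresh the listing after removals so the add step sees current state
      register: list_keystore
      changed_when: false
      environment:
        ES_PATH_CONF: "{{ es_conf_dir }}"
      check_mode: false

    - name: Add keystore entries
      become: true
      # value on stdin (-x); -f overwrites an entry that already exists.
      # both the value and the key are shell-escaped with 'quote'
      shell: echo {{ item.value | quote }} | {{ es_home }}/bin/elasticsearch-keystore add -x -f {{ item.key | quote }}
      with_items: "{{ es_keystore_entries | default([]) }}"
      when:
        - item.state is undefined or item.state == 'present'
        # without force, an entry already present in the keystore is left as is
        - item.force | default(false) or item.key not in list_keystore.stdout_lines
        - ('bootstrap.password' not in item.key)
      environment:
        ES_PATH_CONF: "{{ es_conf_dir }}"
      no_log: true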
### END BLOCK elasticsearch keystore ###
#-----------------------------FILE BASED REALM----------------------------------------
# file realm setup is only needed when users or roles are managed via file
- include: elasticsearch-security-file.yml
  when: >-
    (es_users is defined and es_users.file is defined)
    or (es_roles is defined and es_roles.file is defined)
#-----------------------------ROLE MAPPING ----------------------------------------
# Copy roles files
- name: Copy role_mapping.yml file for instance
  # renders the role mapping template into the instance config directory;
  # only runs when a mapping has actually been declared
  when: es_role_mapping is defined
  become: true
  template:
    src: security/role_mapping.yml.j2
    dest: "{{ es_conf_dir }}/role_mapping.yml"
    # root-owned, group-accessible to the ES group, no access for others
    owner: root
    group: "{{ es_group }}"
    mode: "0660"
    # always overwrite so the rendered mapping is current
    force: true