Without the become option, the stat operation on the old users file will work only if the user is in the elasticsearch group, but copying the old file will fail because the user has no write access to the elasticsearch config dir.
---
|
|
- set_fact: manage_file_users=false
|
|
|
|
- set_fact: manage_file_users=true
|
|
when: es_users is defined and es_users.file is defined and es_users.file.keys() | list | length > 0
|
|
|
|
# Users migration from elasticsearch < 6.3 versions
|
|
- name: Check if old users file exists
|
|
become: yes
|
|
stat:
|
|
path: '{{ es_conf_dir }}/x-pack/users'
|
|
register: old_users_file
|
|
check_mode: no
|
|
|
|
- name: Copy the old users file from the old deprecated location
|
|
become: yes
|
|
copy:
|
|
remote_src: yes
|
|
force: no # only copy it if the new path doesn't exist yet
|
|
src: "{{ es_conf_dir }}/x-pack/users"
|
|
dest: "{{ es_conf_dir }}/users"
|
|
group: "{{ es_group }}"
|
|
owner: root
|
|
when: old_users_file.stat.exists
|
|
# End of users migrations
|
|
|
|
#List current users
|
|
- name: List Users
|
|
become: yes
|
|
shell: cat {{ es_conf_dir }}/users | awk -F':' '{print $1}'
|
|
register: current_file_users
|
|
when: manage_file_users
|
|
changed_when: False
|
|
check_mode: no
|
|
|
|
- name: set fact users_to_remove
|
|
set_fact: users_to_remove={{ current_file_users.stdout_lines | difference (es_users.file.keys() | list) }}
|
|
when: manage_file_users and es_delete_unmanaged_file
|
|
|
|
#Remove users
|
|
- name: Remove Users
|
|
become: yes
|
|
command: >
|
|
{{es_home}}/bin/elasticsearch-users userdel {{item}}
|
|
with_items: "{{users_to_remove | default([])}}"
|
|
when: manage_file_users
|
|
environment:
|
|
CONF_DIR: "{{ es_conf_dir }}"
|
|
ES_PATH_CONF: "{{ es_conf_dir }}"
|
|
ES_HOME: "{{es_home}}"
|
|
|
|
- name: set fact users_to_add
|
|
set_fact: users_to_add={{ es_users.file.keys() | list | difference (current_file_users.stdout_lines) }}
|
|
when: manage_file_users and es_delete_unmanaged_file
|
|
|
|
#Add users
|
|
- name: Add Users
|
|
become: yes
|
|
command: >
|
|
{{es_home}}/bin/elasticsearch-users useradd {{item}} -p {{es_users.file[item].password}}
|
|
with_items: "{{ users_to_add | default([]) }}"
|
|
when: manage_file_users
|
|
no_log: True
|
|
environment:
|
|
CONF_DIR: "{{ es_conf_dir }}"
|
|
ES_PATH_CONF: "{{ es_conf_dir }}"
|
|
ES_HOME: "{{es_home}}"
|
|
|
|
#Set passwords for all users declared - Required as the useradd will not change existing user passwords
|
|
- name: Set User Passwords
|
|
become: yes
|
|
command: >
|
|
{{es_home}}/bin/elasticsearch-users passwd {{ item }} -p {{es_users.file[item].password}}
|
|
with_items: "{{ es_users.file.keys() | list }}"
|
|
when: manage_file_users
|
|
#Currently no easy way to figure out if the password has changed or to know what it currently is so we can skip.
|
|
changed_when: False
|
|
no_log: True
|
|
environment:
|
|
CONF_DIR: "{{ es_conf_dir }}"
|
|
ES_PATH_CONF: "{{ es_conf_dir }}"
|
|
ES_HOME: "{{es_home}}"
|
|
|
|
- name: set fact users_roles
|
|
set_fact: users_roles={{es_users.file | extract_role_users () }}
|
|
when: manage_file_users
|
|
|
|
#Copy Roles files
|
|
- name: Copy roles.yml File for Instance
|
|
become: yes
|
|
template:
|
|
src: security/roles.yml.j2
|
|
dest: "{{ es_conf_dir }}/roles.yml"
|
|
owner: root
|
|
group: "{{ es_group }}"
|
|
mode: "0660"
|
|
force: yes
|
|
when: es_roles is defined and es_roles.file is defined
|
|
|
|
#Overwrite users_roles file
|
|
- name: Copy User Roles
|
|
become: yes
|
|
template:
|
|
src: security/users_roles.j2
|
|
dest: "{{ es_conf_dir }}/users_roles"
|
|
owner: root
|
|
group: "{{ es_group }}"
|
|
mode: "0660"
|
|
force: yes
|
|
when: manage_file_users and users_roles | length > 0
|
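Review bot: The "Copy the old users file from the old deprecated location" task now runs with become but sets owner and group without a mode, so the migrated users file (which holds password hashes) keeps whatever permissions the copy gives it, while the roles.yml and users_roles templates later in the file pin `mode: "0660"`; add `mode: "0660"` under the copy module's arguments so the three files are handled consistently. In the "List Users" task, `{{ es_conf_dir }}` is interpolated unquoted into a shell pipeline, so a value containing whitespace or shell metacharacters would be split or interpreted; `shell: cat {{ es_conf_dir | quote }}/users | awk -F':' '{print $1}'` keeps it as one argument. The useradd and passwd tasks pass the password as a command-line argument; `no_log: True` keeps it out of Ansible output but not out of the remote host's process table while the command runs, which is worth a comment such as `# password is visible in the process list for the duration of the command` if no stdin-based alternative is available. As a style point, the file mixes `yes`/`no`/`True`/`False` for booleans; `true`/`false` throughout would match the Ansible convention.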