forked from elastic/ansible-elasticsearch
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathelasticsearch-security.yml
91 lines (78 loc) · 3.08 KB
/
elasticsearch-security.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
---
#Security specific configuration done here
#TODO: 1. Skip users with no password defined or error 2. Passwords | length > 6
#-----------------------------Create Bootstrap User-----------------------------------
### START BLOCK elasticsearch keystore ###
- name: create the elasticsearch keystore
block:
- name: create the keystore if it doesn't exist yet
become: yes
command: >
{{es_home}}/bin/elasticsearch-keystore create
args:
creates: "{{ es_conf_dir }}/elasticsearch.keystore"
environment:
ES_PATH_CONF: "{{ es_conf_dir }}"
- name: Check if bootstrap password is set
become: yes
command: >
{{es_home}}/bin/elasticsearch-keystore list
register: list_keystore
changed_when: False
environment:
ES_PATH_CONF: "{{ es_conf_dir }}"
check_mode: no
- name: Create Bootstrap password for elastic user
become: yes
shell: echo {{ es_api_basic_auth_password | quote }} | {{ es_home }}/bin/elasticsearch-keystore add -x 'bootstrap.password'
when:
- es_api_basic_auth_username is defined and list_keystore is defined and es_api_basic_auth_username == 'elastic' and 'bootstrap.password' not in list_keystore.stdout_lines
environment:
ES_PATH_CONF: "{{ es_conf_dir }}"
no_log: true
- name: Remove keystore entries
become: yes
command: >
{{ es_home }}/bin/elasticsearch-keystore remove '{{ item.key }}'
with_items: "{{ es_keystore_entries }}"
when:
- es_keystore_entries is defined and es_keystore_entries | length > 0
- item.state is defined and item.state == 'absent'
- item.key in list_keystore.stdout_lines
- ('bootstrap.password' not in item.key)
no_log: true
- name: Reload keystore entries
become: yes
command: >
{{es_home}}/bin/elasticsearch-keystore list
register: list_keystore
changed_when: False
environment:
ES_PATH_CONF: "{{ es_conf_dir }}"
check_mode: no
- name: Add keystore entries
become: yes
shell: echo {{ item.value | quote }} | {{ es_home }}/bin/elasticsearch-keystore add -x -f {{ item.key }}
with_items: "{{ es_keystore_entries }}"
when:
- es_keystore_entries is defined and es_keystore_entries | length > 0
- item.state is undefined or item.state == 'present'
- item.force|default(False) or ( not item.force|default(False) and item.key not in list_keystore.stdout_lines )
- ('bootstrap.password' not in item.key)
no_log: true
### END BLOCK elasticsearch keystore ###
#-----------------------------FILE BASED REALM----------------------------------------
- include: elasticsearch-security-file.yml
when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined)
#-----------------------------ROLE MAPPING ----------------------------------------
#Copy Roles files
- name: Copy role_mapping.yml file for instance
become: yes
template:
src: security/role_mapping.yml.j2
dest: "{{ es_conf_dir }}/role_mapping.yml"
owner: root
group: "{{ es_group }}"
mode: "0660"
force: yes
when: es_role_mapping is defined