---
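# manage_file_users gates every file-realm task below. It is set as a real
# boolean in mapping form rather than via the key=value shorthand, so the
# value does not depend on set_fact's implicit "false"/"true" string
# conversion (newer Ansible releases warn about relying on it).
- name: Default file user management to off
  set_fact:
    manage_file_users: false

# Turn management on only when the inventory declares at least one entry
# under es_users.file.
- name: Enable file user management when file users are declared
  set_fact:
    manage_file_users: true
  when: es_users is defined and es_users.file is defined and es_users.file.keys() | list | length > 0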
# Users migration from Elasticsearch < 6.3: the file realm used to live
# under <conf>/x-pack/. Probe for that legacy file so it can be carried over.
# check_mode is off so the following copy has a real result to key on even
# during a dry run.
- name: Check if old users file exists
  become: true
  stat:
    path: "{{ es_conf_dir }}/x-pack/users"
  check_mode: false
  register: old_users_file
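# Carry the legacy file over once. force=false leaves an already present
# <conf>/users untouched, so this is a no-op on hosts that were migrated
# before. The file holds credential material, so it gets the same
# root:es_group 0660 ownership/mode used for roles.yml and users_roles
# below instead of whatever the legacy copy or umask would have given it.
- name: Copy the old users file from the old deprecated location
  become: true
  copy:
    src: "{{ es_conf_dir }}/x-pack/users"
    dest: "{{ es_conf_dir }}/users"
    remote_src: true
    force: false
    owner: root
    group: "{{ es_group }}"
    mode: "0660"
  when: old_users_file.stat.exists
# End of users migrations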
# List current users
# Each line of the users file is a colon-separated record; only the first
# field (the user name) is kept. The pipeline's exit status is awk's, so a
# missing or unreadable users file yields an empty list rather than a task
# failure - every declared user is then treated as new.
- name: List Users
  become: true
  shell: cat {{ es_conf_dir }}/users | awk -F':' '{print $1}'
  changed_when: false
  check_mode: false
  register: current_file_users
  when: manage_file_users
# Users present in the file realm but absent from es_users.file. Only
# computed when unmanaged users are to be purged; the removal task below
# defaults to an empty list otherwise.
- name: set fact users_to_remove
  set_fact:
    users_to_remove: "{{ current_file_users.stdout_lines | difference(es_users.file.keys() | list) }}"
  when: manage_file_users and es_delete_unmanaged_file
# Remove users
# Runs once per unmanaged user; with users_to_remove unset (deletion
# disabled) the loop is empty and nothing is touched. Both CONF_DIR and
# ES_PATH_CONF are exported so the tool finds the config dir on old and new
# Elasticsearch releases alike.
- name: Remove Users
  become: true
  command: "{{ es_home }}/bin/elasticsearch-users userdel {{ item }}"
  environment:
    CONF_DIR: "{{ es_conf_dir }}"
    ES_PATH_CONF: "{{ es_conf_dir }}"
    ES_HOME: "{{ es_home }}"
  with_items: "{{ users_to_remove | default([]) }}"
  when: manage_file_users
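# Users declared in es_users.file that do not exist in the file realm yet.
# This is computed whenever file users are managed: gating it on
# es_delete_unmanaged_file left users_to_add unset whenever deletion was
# disabled, so new users were never created and the later passwd step ran
# against users that did not exist.
- name: set fact users_to_add
  set_fact:
    users_to_add: "{{ es_users.file.keys() | list | difference(current_file_users.stdout_lines) }}"
  when: manage_file_users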
# Add users
# no_log keeps the password out of Ansible's output and logs only; for the
# duration of the command the -p argument is still visible to anyone who can
# read the process table on the target host. The command module also splits
# this string shell-style, so a password containing spaces or quotes would
# need the module's argv form to arrive intact.
- name: Add Users
  become: true
  command: "{{ es_home }}/bin/elasticsearch-users useradd {{ item }} -p {{ es_users.file[item].password }}"
  environment:
    CONF_DIR: "{{ es_conf_dir }}"
    ES_PATH_CONF: "{{ es_conf_dir }}"
    ES_HOME: "{{ es_home }}"
  with_items: "{{ users_to_add | default([]) }}"
  when: manage_file_users
  no_log: true
# Set passwords for all declared users. Required because useradd does not
# change the password of a user that already exists.
# There is currently no cheap way to tell whether the stored password already
# matches, so the task always runs and is reported as unchanged. As with
# useradd, no_log hides the password from Ansible output only; the -p
# argument is visible in the host's process table while the command runs.
- name: Set User Passwords
  become: true
  command: "{{ es_home }}/bin/elasticsearch-users passwd {{ item }} -p {{ es_users.file[item].password }}"
  environment:
    CONF_DIR: "{{ es_conf_dir }}"
    ES_PATH_CONF: "{{ es_conf_dir }}"
    ES_HOME: "{{ es_home }}"
  with_items: "{{ es_users.file.keys() | list }}"
  when: manage_file_users
  changed_when: false
  no_log: true
# Build the role -> users mapping consumed by the users_roles template.
# extract_role_users is a filter shipped with this role; it is not defined
# in this file.
- name: set fact users_roles
  set_fact:
    users_roles: "{{ es_users.file | extract_role_users() }}"
  when: manage_file_users
# Copy Roles files
# Rendered whenever file-based roles are declared, independent of
# manage_file_users. root:es_group with mode 0660 keeps the file readable by
# the Elasticsearch process but not by other local accounts.
- name: Copy roles.yml File for Instance
  become: true
  template:
    src: security/roles.yml.j2
    dest: "{{ es_conf_dir }}/roles.yml"
    owner: root
    group: "{{ es_group }}"
    mode: "0660"
    force: true
  when: es_roles is defined and es_roles.file is defined
# Overwrite users_roles file
# Only written when at least one role mapping was derived above; an empty
# mapping leaves any existing users_roles file in place. Same root:es_group
# 0660 ownership as roles.yml.
- name: Copy User Roles
  become: true
  template:
    src: security/users_roles.j2
    dest: "{{ es_conf_dir }}/users_roles"
    owner: root
    group: "{{ es_group }}"
    mode: "0660"
    force: true
  when: manage_file_users and users_roles | length > 0