From 1e8cc831cfbd0cd9be2c6c03d3ca986a5116f557 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Wed, 9 Oct 2019 16:47:41 +0200 Subject: [PATCH 1/5] Remove become from local task --- .../elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 1d338cf7..855be9b9 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -138,7 +138,6 @@ unarchive: src: "{{ master_certs_path }}/certs.zip" dest: "{{ master_certs_path }}/" - become: true delegate_to: "127.0.0.1" when: - node_certs_generator From 9c125c6b1c16d2873882c68b9f976db824da7185 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Wed, 9 Oct 2019 16:59:58 +0200 Subject: [PATCH 2/5] Move user creation to main file --- .../ansible-elasticsearch/tasks/main.yml | 15 +++++++++++++++ .../tasks/xpack_security.yml | 16 ---------------- 2 files changed, 15 insertions(+), 16 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index 706de27e..8146eaee 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml 
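Review bot: Removing the `become: true` key from the delegated `unarchive` only drops privilege escalation if nothing higher up sets it: a play or block that invokes this role with `become: true` still escalates this controller-local task, because an absent task-level key inherits the play value. Setting `become: false` explicitly on the task pins the intended behaviour regardless of how the role is called. The extracted `certs.zip` (presumably the node certificates and keys this role generates, given `master_certs_path`) will now be owned by the invoking user and created under that user's umask, which is the right direction for least privilege, but it is worth confirming that no later task assumes root ownership of `{{ master_certs_path }}` on the controller.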
@@ -119,3 +119,18 @@ - import_tasks: "RMDebian.yml" when: ansible_os_family == "Debian" + +- name: Create elasticsearch users + uri: + url: "https://{{ node_certs_generator_ip }}:{{ elasticsearch_http_port }}/_security/user/{{ item.key }}" + method: POST + body_format: json + user: "{{ elasticsearch_xpack_security_user }}" + password: "{{ elasticsearch_xpack_security_password }}" + body: '{ "password" : "{{ item.value["password"] }}", "roles" : {{ item.value["roles"] }} }' + validate_certs: no + loop: "{{ elasticsearch_xpack_users|default({})|dict2items }}" + register: http_response + failed_when: http_response.status != 200 + when: + - elasticsearch_xpack_users is defined diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 855be9b9..e9261956 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -193,19 +193,3 @@ when: - node_certs_generator tags: molecule-idempotence-notest - -- name: Create elasticsearch users - uri: - url: "https://{{ elasticsearch_reachable_host }}:9200/_security/user/{{ item.key }}" - method: POST - body_format: json - user: "{{ elasticsearch_xpack_security_user }}" - password: "{{ elasticsearch_xpack_security_password }}" - body: '{ "password" : "{{ item.value["password"] }}", "roles" : {{ item.value["roles"] }} }' - validate_certs: no - loop: "{{ elasticsearch_xpack_users|default({})|dict2items }}" - register: http_response - failed_when: http_response.status != 200 - when: - - elasticsearch_xpack_users is defined - - node_certs_generator From dcc7624d59317f784c8d98b7dde050e4177095ac Mon Sep 17 00:00:00 2001 
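Review bot: The new `Create elasticsearch users` task in main.yml writes every user's password into the play output, because the loop item (which carries `item.value.password`) and the registered `http_response` are printed per iteration and the task has no `no_log`; add `no_log: true` beside `register: http_response`. The same request sets `validate_certs: no`, so the superuser credentials and each new password are sent to `node_certs_generator_ip` over a connection whose certificate is never checked; since the role produces its own CA bundle (the `certs.zip` unpacked on the controller in patch 1), pointing the uri module at that CA via `ca_path` (or the equivalent option for the Ansible version in use) is preferable to disabling validation. The JSON `body` is also built by string interpolation, so a password containing `"` or `\` yields malformed JSON and a rejected request; letting `body_format: json` serialize a mapping, e.g. `body: {password: "{{ item.value.password }}", roles: "{{ item.value.roles | from_json }}"}`, avoids that, assuming `roles` keeps the JSON-string form shown in the README. The `default({})` on the loop is redundant with the `when: elasticsearch_xpack_users is defined` guard.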
From: Manuel Gutierrez Date: Wed, 9 Oct 2019 17:00:47 +0200 Subject: [PATCH 3/5] Add waiting task before creating users Wait for elasticsearch API to be ready before attempting to add users --- .../ansible-elasticsearch/tasks/main.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index 8146eaee..aef459e2 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -120,6 +120,22 @@ - import_tasks: "RMDebian.yml" when: ansible_os_family == "Debian" +- name: Wait for Elasticsearch API + uri: + url: "https://{{ node_certs_generator_ip }}:{{ elasticsearch_http_port }}/_cluster/health/" + user: "{{ elasticsearch_xpack_security_user }}" + password: "{{ elasticsearch_xpack_security_password }}" + validate_certs: no + status_code: 200,401 + return_content: yes + timeout: 4 + register: _result + until: ( _result.json is defined) and (_result.json.status == "green") + retries: 24 + delay: 5 + when: + - elasticsearch_xpack_users is defined + - name: Create elasticsearch users uri: url: "https://{{ node_certs_generator_ip }}:{{ elasticsearch_http_port }}/_security/user/{{ item.key }}" From 9b0bcf9fe64d533b671d7d7d323e5aba36aee4c9 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Wed, 9 Oct 2019 17:12:01 +0200 Subject: [PATCH 4/5] Add docs on user creation --- .../ansible-elasticsearch/README.md | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/README.md b/roles/elastic-stack/ansible-elasticsearch/README.md index b10a2152..288628e7 100644 --- a/roles/elastic-stack/ansible-elasticsearch/README.md +++ b/roles/elastic-stack/ansible-elasticsearch/README.md 
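Review bot: `Wait for Elasticsearch API` lists `status_code: 200,401`, so a wrong `elasticsearch_xpack_security_password` is not surfaced as an authentication error but silently polled 24 times at 5 s (two minutes) before the `until` loop gives up with a generic retry-exhaustion failure; if 401 is only accepted to tolerate the window before security is enabled, adding `failed_when: _result.status == 401` after a few attempts, or dropping `401` from `status_code`, makes a credential problem fail fast — worth confirming in which order the role starts the service and enables X-Pack security. The poll also runs with `validate_certs: no` while presenting the superuser password; the CA generated by this role could be supplied through `ca_path` rather than disabling validation. Requiring `_result.json.status == "green"` means a topology where replicas cannot be allocated (for example a single data node, which stays yellow) will never reach the user-creation task; if such deployments are meant to be supported, `until: (_result.json is defined) and (_result.json.status in ["green", "yellow"])` is the more forgiving condition. The task body in main.yml continues outside this hunk.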
@@ -55,7 +55,9 @@ Example Playbook - {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.163', elasticsearch_master_candidate: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']} ``` + - Three nodes Elasticsearch cluster with XPack security + ``` --- - hosts: elastic-1 @@ -79,13 +81,6 @@ Example Playbook node_certs_generator_ip: 172.16.0.111 vars: - elasticsearch_xpack_users: - anne: - password: 'PasswordHere' - roles: '["kibana_user", "monitoring_user"]' - jack: - password: 'PasswordHere' - roles: '["superuser"]' instances: node-1: name: node-1 @@ -124,9 +119,19 @@ Example Playbook - 172.16.0.111 - 172.16.0.112 - 172.16.0.113 + vars: + elasticsearch_xpack_users: + anne: + password: 'PasswordHere' + roles: '["kibana_user", "monitoring_user"]' + jack: + password: 'PasswordHere' + roles: '["superuser"]' ``` +It is possible to define users directly on the playbook, these must be defined on a variable `elasticsearch_xpack_users` on the last node of the cluster as in the example. + License and copyright --------------------- From 56e7d1093721dc3cdc13eb0923670d933a733ffd Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Wed, 9 Oct 2019 17:13:11 +0200 Subject: [PATCH 5/5] Fix space typo --- roles/elastic-stack/ansible-elasticsearch/README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/README.md b/roles/elastic-stack/ansible-elasticsearch/README.md index 288628e7..388affce 100644 --- a/roles/elastic-stack/ansible-elasticsearch/README.md +++ b/roles/elastic-stack/ansible-elasticsearch/README.md @@ -55,9 +55,7 @@ Example Playbook - {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.163', elasticsearch_master_candidate: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']} ``` - - Three nodes Elasticsearch cluster with XPack security - ``` --- - hosts: elastic-1