From 3d3b3bc1d05b3edfc8f933b8e438a1619d572b28 Mon Sep 17 00:00:00 2001
From: Jose M
Date: Thu, 8 Aug 2019 17:41:53 +0200
Subject: [PATCH] Fix permissions and add password option
---
 .../tasks/xpack_security.yml | 80 +++++++++++--------
 1 file changed, 48 insertions(+), 32 deletions(-)
diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
index 890db757..e64b71df 100644
--- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
@@ -41,18 +41,22 @@
 - name: Importing custom CA key
 copy:
- src: "{{ master_certs_destination }}/ca/{{ ca_key_name }}"
+ src: "{{ master_certs_path }}/ca/{{ ca_key_name }}"
 dest: "{{ node_certs_source }}/{{ ca_key_name }}"
+ mode: '0664'
 when:
 - not generate_CA
+ - node_certs_generator
 tags: xpack-security
 - name: Importing custom CA cert
 copy:
- src: "{{ master_certs_destination }}/ca/{{ ca_cert_name }}"
+ src: "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
 dest: "{{ node_certs_source }}/{{ ca_cert_name }}"
+ mode: '0664'
 when:
 - not generate_CA
+ - node_certs_generator
 tags: xpack-security
 - name: Generating certificates for Elasticsearch security (generating CA)
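Review bot: `mode: '0664'` on the "Importing custom CA key" copy leaves the CA private key readable by every member of its group and by every other user on the node; the same mode on the CA certificate copy below is harmless, since that file is public. A private key should be copied with `mode: '0600'` (or `'0640'` when a service group genuinely needs it), and because the destination is `node_certs_source` the task should also set `owner`/`group` explicitly rather than, presumably, inheriting whatever identity the connection runs as. The added `node_certs_generator` condition on both tasks is a good narrowing, but the key mode needs tightening in the same change.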
@@ -65,17 +69,34 @@
 - generate_CA
 tags: xpack-security
-- name: Generating certificates for Elasticsearch security (using provided CA)
- shell: /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
+- name: Generating certificates for Elasticsearch security (using provided CA | Without CA Password)
+ shell: >-
+ /usr/share/elasticsearch/bin/elasticsearch-certutil cert
+ --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }}
+ --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
 when:
 - node_certs_generator
 - not xpack_certs_zip.stat.exists
 - not generate_CA
- tags: xpack-security
+ - ca_password == ""
+ tags: xpack-security
+- name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password)
+ shell: >-
+ /usr/share/elasticsearch/bin/elasticsearch-certutil cert
+ --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }}
+ --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
+ --ca-pass {{ca_password}}
+ when:
+ - node_certs_generator
+ - not xpack_certs_zip.stat.exists
+ - not generate_CA
+ - ca_password != ""
+ tags: xpack-security
+
 - name: Verify the Elastic certificates directory
 file:
- path: "{{ master_certs_destination }}"
+ path: "{{ master_certs_path }}"
 state: directory
 mode: '0700'
 delegate_to: "127.0.0.1"
@@ -84,7 +105,7 @@
 - name: Verify the Certificates Authority directory
 file:
- path: "{{ master_certs_destination }}/ca/"
+ path: "{{ master_certs_path }}/ca/"
 state: directory
 mode: '0700'
 delegate_to: "127.0.0.1"
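Review bot: `--ca-pass {{ca_password}}` in the "Using CA Password" task interpolates the secret unquoted into a shell command line, so a password containing spaces, quotes or `$` breaks or rewrites the command, and the value is echoed in Ansible's task output and, while certutil runs, is visible in the node's process list. Quote it with `--ca-pass {{ ca_password | quote }}` and add `no_log: true` to that task so the rendered command and its result are kept out of the logs. Both new `when` lists also compare `ca_password` against `""`, so hosts that never define the variable now fail with an undefined-variable error instead of taking the no-password path; `ca_password | default('')` in the comparison (or a role default) keeps the previous behaviour for them.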
@@ -94,7 +115,7 @@
 - name: Copying certificates to Ansible master
 fetch:
 src: "{{ node_certs_source }}/certs.zip"
- dest: "{{ master_certs_destination }}/"
+ dest: "{{ master_certs_path }}/"
 flat: yes
 mode: 0700
 when:
@@ -110,38 +131,22 @@
 - name: Unzip generated certs.zip
 unarchive:
- src: "{{master_certs_destination}}/certs.zip"
- dest: "{{master_certs_destination}}/"
+ src: "{{master_certs_path}}/certs.zip"
+ dest: "{{master_certs_path}}/"
 become: true
 delegate_to: "127.0.0.1"
 when:
 - node_certs_generator
 tags: xpack-security
-- name: Ensuring certificates folder owner
- file:
- path: "{{ node_certs_destination }}/"
- state: directory
- recurse: yes
- owner: elasticsearch
- group: elasticsearch
- tags: xpack-security
- - name: Ensuring certificates folder permissions
- file:
- path: "{{ node_certs_destination }}/"
- mode: '0770'
- recurse: yes
- tags: xpack-security
-
 - name: Copying node's certificate from master
 copy:
 src: "{{item}}"
 dest: "{{node_certs_destination}}/"
 with_items:
- - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key"
- - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt"
- - "{{master_certs_destination}}/ca/ca.crt"
+ - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key"
+ - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt"
+ - "{{master_certs_path}}/ca/ca.crt"
 when:
 - generate_CA
 tags: xpack-security
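Review bot: The two deleted tasks ("Ensuring certificates folder owner" and "Ensuring certificates folder permissions") ran unconditionally and set `owner`/`group` to `elasticsearch` on `node_certs_destination`; their only replacement, the "Ensuring folder permissions" task in the last hunk, sets no owner at all and runs only when `generate_CA`. In the provided-CA branch (`not generate_CA`) nothing now adjusts ownership or mode on that directory, so the key and certificate copied there keep whatever the `copy` module gives them, which is neither guaranteed to be readable by the Elasticsearch service user nor restricted to it. Either keep an owner/group task that is gated on `elasticsearch_xpack_security` alone, or add `owner: elasticsearch` and `group: elasticsearch` to the replacement task and drop its `generate_CA` condition.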
@@ -151,13 +156,24 @@
 src: "{{item}}"
 dest: "{{node_certs_destination}}/"
 with_items:
- - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key"
- - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt"
- - "{{master_certs_destination}}/ca/{{ca_cert_name}}"
+ - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key"
+ - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt"
+ - "{{master_certs_path}}/ca/{{ca_cert_name}}"
 when:
 - not generate_CA
 tags: xpack-security
+- name: Ensuring folder permissions
+ file:
+ path: "{{ node_certs_destination }}/"
+ mode: '0774'
+ state: directory
+ recurse: yes
+ when:
+ - elasticsearch_xpack_security
+ - generate_CA
+ tags: xpack-security
+
 - name: Set elasticsearch bootstrap password
 shell: >-
 echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password
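Review bot: `mode: '0774'` combined with `recurse: yes` in "Ensuring folder permissions" is applied to every file under `node_certs_destination`, not just the directory, so the node's private key becomes world-readable, which is looser than the `'0770'` the deleted task enforced. Keep the directory traversable for the service user but restrict the files: replace the line with `mode: 'u=rwX,g=rX,o='` so only directories gain the execute bit and others get nothing, or drop `recurse: yes` here and set `mode: '0640'` on the `copy` task that places the `.key` file. `recurse: yes` is also a YAML 1.1 truthy spelling; `true` is the portable form.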