From dbeb8b31fb18d802f23780df5f8070f946caddf9 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Tue, 7 Apr 2020 18:54:12 +0200 Subject: [PATCH 01/22] First OpenDistro default installation --- playbooks/wazuh-opendistro.yml | 4 + .../defaults/main.yml | 19 +++ .../handlers/main.yml | 3 + .../opendistro-elasticsearch/meta/main.yml | 24 ++++ .../tasks/RMRedHat.yml | 6 + .../opendistro-elasticsearch/tasks/RedHat.yml | 36 ++++++ .../opendistro-elasticsearch/tasks/main.yml | 58 +++++++++ .../templates/jvm.options.j2 | 117 ++++++++++++++++++ 8 files changed, 267 insertions(+) create mode 100644 playbooks/wazuh-opendistro.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/defaults/main.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/handlers/main.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/meta/main.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/tasks/main.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 diff --git a/playbooks/wazuh-opendistro.yml b/playbooks/wazuh-opendistro.yml new file mode 100644 index 00000000..d146ee3c --- /dev/null +++ b/playbooks/wazuh-opendistro.yml @@ -0,0 +1,4 @@ +--- +- hosts: 172.16.0.161 + roles: + - role: ../roles/opendistro/opendistro-elasticsearch diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml new file mode 100644 index 00000000..f6dd905b --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml 
@@ -0,0 +1,19 @@ +--- +# The OpenDistro version +opendistro_version: 1.6.0 + +# The OpenDistro package repository +package_repos: + yum: + opendistro: + baseurl: 'https://d3g5vo6xdbdb9a.cloudfront.net/yum/noarch/' + gpg: 'https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch' + elasticsearch_oss: + baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum' + gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' + +# Security password +opendistro_security_password: admin + +# Set JVM memory limits +elasticsearch_jvm_xms: null \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml new file mode 100644 index 00000000..a4c1162a --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart elasticsearch + service: name=elasticsearch state=restarted diff --git a/roles/opendistro/opendistro-elasticsearch/meta/main.yml b/roles/opendistro/opendistro-elasticsearch/meta/main.yml new file mode 100644 index 00000000..e09933c7 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/meta/main.yml @@ -0,0 +1,24 @@ +--- +galaxy_info: + author: Wazuh + description: Installing and maintaining Opendistro server. + company: wazuh.com + license: license (GPLv3) + min_ansible_version: 2.0 + platforms: + - name: EL + versions: + - all + - name: Ubuntu + versions: + - all + - name: Debian + versions: + - all + - name: Fedora + versions: + - all + galaxy_tags: + - web + - system + - monitoring diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml new file mode 100644 index 00000000..46989361 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml 
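Review bot: `opendistro_security_password: admin` puts a working credential into the role's defaults, the lowest-precedence variable layer, so any inventory that does not override it deploys with the well-known `admin` password. A safer default is to leave the value unset and fail early, e.g. `opendistro_security_password: "{{ vault_opendistro_security_password }}"` with the real value in an Ansible Vault file, or an `assert` in tasks/main.yml that the variable is defined. `opendistro_version: 1.6.0` is fine as a plain scalar (two dots keep it a string), and the file should end with a newline after `elasticsearch_jvm_xms: null`.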
@@ -0,0 +1,6 @@ +--- +- name: RedHat/CentOS/Fedora | Remove Elasticsearch repository (and clean up left-over metadata) + yum_repository: + name: elastic_repo_7 + state: absent + changed_when: false diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml new file mode 100644 index 00000000..c212b007 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -0,0 +1,36 @@ +--- + +- name: RedHat/CentOS/Fedora | Add OpenDistro repo + yum_repository: + file: opendistro + name: opendistro_repo + description: Opendistro yum repository + baseurl: "{{ package_repos.yum.opendistro.baseurl }}" + gpgkey: "{{ package_repos.yum.opendistro.gpg }}" + gpgcheck: true + changed_when: false + +- name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo + yum_repository: + file: opendistro + name: elasticsearch_oss_repo + description: Elasticsearch-oss yum repository + baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}" + gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}" + gpgcheck: true + changed_when: false + +- name: RedHat/CentOS/Fedora | Install OpenJDK 11 + yum: name=java-11-openjdk-devel state=present + +- name: RedHat/CentOS/Fedora | Install OpenDistro dependencies + yum: + name: "{{ packages }}" + vars: + packages: + - wget + - unzip + +- name: RedHat/CentOS/Fedora | Install OpenDistro + package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present + tags: install diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml new file mode 100644 index 00000000..b58afe7a --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml 
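Review bot: The repository this task removes, `name: elastic_repo_7`, is not the one RedHat.yml in this same commit creates — that task writes `name: elasticsearch_oss_repo` into `file: opendistro` — so the cleanup is a no-op and the Elastic OSS repo stays enabled on every node. Match the definition: `name: elasticsearch_oss_repo` plus `file: opendistro` under `yum_repository`. `changed_when: false` also hides the removal from the play recap; drop it so a real change is reported.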
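Review bot: Both `yum_repository` tasks carry `changed_when: false`, which suppresses the change report even on the run that actually writes `/etc/yum.repos.d/opendistro.repo`, so the play output no longer tells whether the repository files were (re)written; drop the override and let the module report honestly. `gpgcheck: true` with the two `gpgkey` URLs is the right setting for both repos and should stay. `yum: name=java-11-openjdk-devel state=present` mixes key=value shorthand with the block style used in the rest of the file; `yum:` / `name: java-11-openjdk-devel` / `state: present` keeps it consistent.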
@@ -0,0 +1,58 @@ +--- +- import_tasks: RedHat.yml + when: ansible_os_family == 'RedHat' + +- import_tasks: Debian.yml + when: ansible_os_family == "Debian" + +- name: Configure OpenDistro Elasticsearch JVM memmory. + template: + src: jvm.options.j2 + dest: /etc/elasticsearch/jvm.options + owner: root + group: elasticsearch + mode: 0660 + notify: restart elasticsearch + tags: configure + +# fix in new PR (ignore_errors) + +- import_tasks: "RMRedHat.yml" + when: ansible_os_family == "RedHat" + + +- name: Ensure Elasticsearch started and enabled + service: + name: elasticsearch + enabled: true + state: started + tags: + - configure + - init + +- name: Make sure Elasticsearch is running before proceeding + wait_for: host=localhost port=9200 delay=3 timeout=400 + tags: + - configure + - init + +- import_tasks: "RMRedHat.yml" + when: ansible_os_family == "RedHat" + +- import_tasks: "RMDebian.yml" + when: ansible_os_family == "Debian" + +- name: Wait for Elasticsearch API + uri: + url: "https://localhost:9200/_cluster/health/" + user: "admin" # Default Elasticsearch user is always "elastic" + password: "{{ opendistro_security_password }}" + validate_certs: no + status_code: 200,401 + return_content: yes + timeout: 4 + register: _result + until: ( _result.json is defined) and (_result.json.status == "green") + retries: 24 + delay: 5 + diff --git a/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 b/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 new file mode 100644 index 00000000..c43ce401 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 
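Review bot: `import_tasks: Debian.yml` and `import_tasks: "RMDebian.yml"` name files this commit does not create (the diffstat lists only RedHat.yml and RMRedHat.yml under tasks/), and as far as I know `import_tasks` is resolved statically at parse time, so the `when: ansible_os_family == "Debian"` guard does not help and the play fails to load until those files exist; add them or use `include_tasks` until they do. `RMRedHat.yml` is also imported twice (before the service is started and again after `wait_for`), so the repository removal runs twice. In the `uri` health check, `validate_certs: no` sends the admin password over a TLS connection whose certificate is never checked; if self-signed certificates are expected, point `ca_path` at the role's CA instead of disabling verification.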
@@ -0,0 +1,117 @@ +#jinja2: trim_blocks:False +# {{ ansible_managed }} +## JVM configuration + +################################################################ +## IMPORTANT: JVM heap size +################################################################ +## +## You should always set the min and max JVM heap +## size to the same value. For example, to set +## the heap to 4 GB, set: +## +## -Xms4g +## -Xmx4g +## +## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html +## for more information +## +################################################################ + +# Xms represents the initial size of total heap space +# Xmx represents the maximum size of total heap space + +# Xms represents the initial size of total heap space +# Xmx represents the maximum size of total heap space +{% if elasticsearch_jvm_xms is not none %} +{% if elasticsearch_jvm_xms < 32000 %} +-Xms{{ elasticsearch_jvm_xms }}m +-Xmx{{ elasticsearch_jvm_xms }}m +{% else %} +-Xms32000m +-Xmx32000m +{% endif %} +{% else %} +-Xms{% if ansible_memtotal_mb < 64000 %}{{ ((ansible_memtotal_mb|int)/2)|int }}m{% else %}32000m{% endif %} +-Xmx{% if ansible_memtotal_mb < 64000 %}{{ ((ansible_memtotal_mb|int)/2)|int }}m{% else %}32000m{% endif %} +{% endif %} + +################################################################ +## Expert settings +################################################################ +## +## All settings below this section are considered +## expert settings. 
Don't tamper with them unless +## you understand what you are doing +## +################################################################ + +## GC configuration +-XX:+UseConcMarkSweepGC +-XX:CMSInitiatingOccupancyFraction=75 +-XX:+UseCMSInitiatingOccupancyOnly + +## optimizations + +# pre-touch memory pages used by the JVM during initialization +-XX:+AlwaysPreTouch + +## basic + +# force the server VM +-server + +# explicitly set the stack size +-Xss1m + +# set to headless, just in case +-Djava.awt.headless=true + +# ensure UTF-8 encoding by default (e.g. filenames) +-Dfile.encoding=UTF-8 + +# use our provided JNA always versus the system one +-Djna.nosys=true + +# turn off a JDK optimization that throws away stack traces for common +# exceptions because stack traces are important for debugging +-XX:-OmitStackTraceInFastThrow + +# flags to configure Netty +-Dio.netty.noUnsafe=true +-Dio.netty.noKeySetOptimization=true +-Dio.netty.recycler.maxCapacityPerThread=0 + +# log4j 2 +-Dlog4j.shutdownHookEnabled=false +-Dlog4j2.disable.jmx=true + +## heap dumps + +# generate a heap dump when an allocation from the Java heap fails +# heap dumps are created in the working directory of the JVM +-XX:+HeapDumpOnOutOfMemoryError + +# specify an alternative path for heap dumps +# ensure the directory exists and has sufficient space +-XX:HeapDumpPath=/var/lib/elasticsearch + +## GC logging + +#-XX:+PrintGCDetails +#-XX:+PrintGCTimeStamps +#-XX:+PrintGCDateStamps +#-XX:+PrintClassHistogram +#-XX:+PrintTenuringDistribution +#-XX:+PrintGCApplicationStoppedTime + +# log GC status to a file with time stamps +# ensure the directory exists +#-Xloggc:${loggc} + +# By default, the GC log file will not rotate. +# By uncommenting the lines below, the GC log file +# will be rotated every 128MB at most 32 times. +#-XX:+UseGCLogFileRotation +#-XX:NumberOfGCLogFiles=32 +#-XX:GCLogFileSize=128M From 9fc2b1e3c493ecc33cf34a708b7b1362d989bb4c Mon Sep 17 00:00:00 2001 
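Review bot: `-XX:+UseConcMarkSweepGC` (and the two CMS flags under it) is deprecated on the OpenJDK 11 that RedHat.yml installs and was removed in JDK 14, so the JVM prints a deprecation warning today and will not start on a newer JDK; Elasticsearch's own 7.x jvm.options scopes these options with version prefixes (for example `8-13:-XX:+UseConcMarkSweepGC` and `14-:-XX:+UseG1GC`) and the template should do the same. The two `# Xms represents … / # Xmx represents …` comment pairs above the heap block are duplicated; keep one. `elasticsearch_jvm_xms < 32000` compares without `|int`, so a value passed as a string via `-e` raises a Jinja type error instead of selecting the `32000m` branch.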
From: "Manuel J. Bernal" Date: Wed, 8 Apr 2020 17:38:44 +0200 Subject: [PATCH 02/22] Added opendistro tasks and templates --- .../defaults/main.yml | 69 ++++++++++- .../opendistro-elasticsearch/tasks/RedHat.yml | 115 ++++++++++++++++++ .../opendistro-elasticsearch/tasks/main.yml | 21 +--- .../templates/elasticsearch.yml.j2 | 22 ++++ .../templates/tlsconfig.yml.j2 | 47 +++++++ 5 files changed, 257 insertions(+), 17 deletions(-) create mode 100644 roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 create mode 100644 roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index f6dd905b..f1bff651 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -2,6 +2,19 @@ # The OpenDistro version opendistro_version: 1.6.0 +elasticsearch_cluster_name: wazuh-cluster + +# Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster +minimum_master_nodes: 2 + +# Elasticsearch version +es_version: "7.3.2" +es_major_version: "7.x" + +# Configure hostnames for Elasticsearch nodes +# Example es1.example.com, es2.example.com +domain_name: example.com + # The OpenDistro package repository package_repos: yum: 
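Review bot: `es_version: "7.3.2"` disagrees with the `elastic_stack_version: 7.6.1` added in the next hunk of this same file, and neither is tied to `opendistro_version: 1.6.0`, which already pins the bundled Elasticsearch; a single source of truth (derive one from the other, or a comment saying which the templates read) avoids the two drifting apart. `minimum_master_nodes: 2` feeds `discovery.zen.minimum_master_nodes`, which Elasticsearch 7.x ignores, so a comment noting it is kept only for compatibility would save the next reader a question.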
@@ -12,8 +25,60 @@ package_repos: baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum' gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' +populate_inventory_to_hosts_file: true + +es_plugin_bin_path: /usr/share/elasticsearch/bin/elasticsearch-plugin +es_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig +es_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools + +es_nodes: |- + {% for item in groups['es-cluster'] -%} + {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %} + {%- endfor %} + # Security password opendistro_security_password: admin - # Set JVM memory limits -elasticsearch_jvm_xms: null \ No newline at end of file +opendistro_jvm_xms: null + +opendistro_http_port: 9200 +opendistro_network_host: 127.0.0.1 +opendistro_reachable_host: 127.0.0.1 +opendistro_jvm_xms: null +elastic_stack_version: 7.6.1 +opendistro_lower_disk_requirements: false + +elasticrepo: + apt: 'https://artifacts.elastic.co/packages/7.x/apt' + yum: 'https://artifacts.elastic.co/packages/7.x/yum' + gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro' + key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' + +# Cluster Settings +single_node: true +opendistro_cluster_name: wazuh +opendistro_node_name: node-1 +opendistro_bootstrap_node: false +opendistro_node_master: false +opendistro_cluster_nodes: + - 127.0.0.1 +opendistro_discovery_nodes: + - 127.0.0.1 +opendistro_node_data: true +opendistro_node_ingest: true + +# X-Pack Security +opendistro_xpack_security: false +opendistro_xpack_security_user: elastic +opendistro_xpack_security_password: elastic_pass + +node_certs_generator: false +node_certs_source: /usr/share/elasticsearch +node_certs_destination: /etc/elasticsearch/certs + +# CA generation +master_certs_path: /es_certs +generate_CA: true +ca_key_name: "" +ca_cert_name: "" +ca_password: "" 
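Review bot: `opendistro_jvm_xms: null` appears twice in this hunk, which yamllint flags as a duplicate key and most parsers resolve silently as last-wins; more importantly the rename from `elasticsearch_jvm_xms` is not carried into templates/jvm.options.j2, which still tests `elasticsearch_jvm_xms`, so rendering that template will most likely fail on an undefined variable. Either keep the old name as an alias (`elasticsearch_jvm_xms: "{{ opendistro_jvm_xms }}"`) or update the template in the same commit. `opendistro_xpack_security_password: elastic_pass` and `opendistro_security_password: admin` are clear-text credentials in role defaults; leave them undefined or reference vaulted variables. `elasticrepo.gpg` points at `GPG-KEY-opendistro` under artifacts.elastic.co, which does not match the OpenDistro key URL already defined under `package_repos.yum.opendistro.gpg` — worth confirming which repo definition is actually consumed.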
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index c212b007..64b48b7f 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml 
@@ -34,3 +34,118 @@ - name: RedHat/CentOS/Fedora | Install OpenDistro package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present tags: install + +## Here we are going to use self-signed certificates for Transport (Node-Node communication) & REST API layer +## Using searchguard offline TLS tool to create node & root certificates +- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation + local_action: + module: file + path: /tmp/opendistro-nodecerts + state: directory + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Download certificates generation tool + local_action: + module: get_url + url: https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/1.5/search-guard-tlstool-1.5.zip + dest: /tmp/opendistro-nodecerts/search-guard-tlstool.zip + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Extract the certificates generation tool + local_action: command chdir=/tmp/opendistro-nodecerts tar -xvf search-guard-tlstool.zip + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Add the execution bit to the binary + local_action: + module: file + dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh + mode: a+x + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file + local_action: + module: template + src: tlsconfig.yml + dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local + local_action: + module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster + copy: + src: "/tmp/opendistro-nodecerts/config/{{ item }}" 
+ dest: /etc/elasticsearch/ + mode: 0644 + with_items: + - root-ca.pem + - root-ca.key + - "{{ inventory_hostname }}.key" + - "{{ inventory_hostname }}.pem" + - "{{ inventory_hostname }}_http.key" + - "{{ inventory_hostname }}_http.pem" + - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" + - admin.key + - admin.pem + when: install.changed + +- name: RedHat/CentOS/Fedora | Copy the opendistro security configuration file to cluster + blockinfile: + block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" + dest: "{{ conf_dir }}/elasticsearch.yml" + backup: yes + insertafter: EOF + marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" + when: install.changed + +- name: RedHat/CentOS/Fedora | Prepare the opendistro security configuration file + command: sed -i 's/searchguard/opendistro_security/g' {{ conf_dir }}/elasticsearch.yml + when: install.changed + +- name: RedHat/CentOS/Fedora | Restart elasticsearch with security configuration + systemd: + name: elasticsearch + state: restarted + when: install.changed + +- name: RedHat/CentOS/Fedora | Copy the opendistro security internal users template + template: + src: internal_users.yml + dest: "{{ es_sec_plugin_conf_path }}/internal_users.yml" + mode: 0644 + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Set the Admin user password + shell: > + sed -i 's,{{ admin_password }},'$(sh {{ es_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)',' + {{ es_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Set the kibanaserver user pasword + shell: > + sed -i 's,{{ kibanaserver_password }},'$(sh {{ es_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)',' + {{ es_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Initialize the 
opendistro security index in elasticsearch + shell: > + sh {{ es_sec_plugin_tools_path }}/securityadmin.sh + -cacert {{ conf_dir }}/root-ca.pem + -cert {{ conf_dir }}/admin.pem + -key {{ conf_dir }}/admin.key + -cd {{ es_sec_plugin_conf_path }}/ + -nhnv -icl + -h {{ hostvars[inventory_hostname]['ip'] }} + run_once: true + when: install.changed diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index b58afe7a..9f4c438c 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -11,7 +11,8 @@ dest: /etc/elasticsearch/jvm.options owner: root group: elasticsearch - mode: 0660 + mode: 0644 + force: yes notify: restart elasticsearch tags: configure @@ -20,6 +21,10 @@ - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" +- name: Copy Configuration File + template: src=elasticsearch.yml dest={{conf_dir}}/elasticsearch.yml group=elasticsearch mode=0644 backup=yes + register: system_change + notify: restart elasticsearch - name: Ensure Elasticsearch started and enabled service: @@ -42,17 +47,3 @@ - import_tasks: "RMDebian.yml" when: ansible_os_family == "Debian" -- name: Wait for Elasticsearch API - uri: - url: "https://localhost:9200/_cluster/health/" - user: "admin" # Default Elasticsearch user is always "elastic" - password: "{{ opendistro_security_password }}" - validate_certs: no - status_code: 200,401 - return_content: yes - timeout: 4 - register: _result - until: ( _result.json is defined) and (_result.json.status == "green") - retries: 24 - delay: 5 - diff --git a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 new file mode 100644 index 00000000..6b025674 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 
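Review bot: The copy task ships `root-ca.key` and `admin.key` to `/etc/elasticsearch/` on every cluster node with `mode: 0644`, so the CA's private key — which the nodes never need, only the controller does for signing — and the admin client key end up world-readable on each host, and any local account there could issue trusted node or admin certificates. Drop `- root-ca.key` from the list, copy `admin.key` only where `securityadmin.sh` runs, and set `owner: elasticsearch`, `group: elasticsearch`, `mode: "0600"` on the copy. The two `shell: sed -i … hash.sh -p {{ admin_password }} …` tasks put the clear-text passwords on the command line and into the play log; add `no_log: true` to both (and to the `securityadmin.sh` task), or hash on the controller with `password_hash('bcrypt')` before templating. The `get_url` download of `search-guard-tlstool-1.5.zip` has no `checksum:`; pinning `checksum: "sha256:<EXPECTED_SHA256>"` protects the certificate tool chain from a swapped artifact.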
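Review bot: `template: src=elasticsearch.yml …` names a file the role does not have — this commit adds `templates/elasticsearch.yml.j2` — so the task fails at lookup time, and `{{conf_dir}}` is not defined in any defaults this series adds. Use block style with `src: elasticsearch.yml.j2` and `dest: "{{ conf_dir }}/elasticsearch.yml"`, and add `conf_dir: /etc/elasticsearch` to defaults/main.yml (the jvm.options task above already hard-codes that path).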
@@ -0,0 +1,22 @@ +cluster.name: "{{ elasticsearch_cluster_name }}" + +node.name: "{{ inventory_hostname }}" + +path.data: /var/lib/elasticsearch + +path.logs: /var/log/elasticsearch + +network.host: "{{ hostvars[inventory_hostname]['ip'] }}" + +http.port: "{{ opendistro_http_port }}" + +discovery.seed_hosts: ["{{ es_nodes }}"] + +cluster.initial_master_nodes: ["{{ es_nodes }}"] + +discovery.zen.minimum_master_nodes: "{{ minimum_master_nodes }}" +opendistro_security.allow_default_init_securityindex: true +opendistro_security.audit.type: internal_elasticsearch +opendistro_security.enable_snapshot_restore_privilege: true +opendistro_security.check_snapshot_restore_write_privileges: true +opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] diff --git a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 new file mode 100644 index 00000000..85792a6a --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 
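Review bot: `opendistro_security.allow_default_init_securityindex: true` lets the first node that starts populate the security index from whatever is in the plugin's `securityconfig` directory at that moment, and in this role the restart in RedHat.yml happens before the role's own `internal_users.yml` is written, so the index is seeded from the package-shipped users and only later overwritten by `securityadmin.sh`; if the shipped file carries demo hashes, there is a window where the cluster accepts them. Consider leaving this `false` and relying solely on the explicit `securityadmin.sh` run, or writing the internal users template before the restart. `discovery.seed_hosts: ["{{ es_nodes }}"]` only works because `es_nodes` emits the inner `","` separators to close the quotes, which is fragile; rendering a real list with `| to_json` is clearer. `discovery.zen.minimum_master_nodes` is ignored by 7.x and only produces a deprecation warning.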
@@ -0,0 +1,47 @@ +ca: + root: + dn: CN=root.ca.{{ domain_name }},OU=CA,O={{ domain_name }}\, Inc.,DC={{ domain_name }} + keysize: 2048 + validityDays: 730 + pkPassword: none + file: root-ca.pem + +### Default values and global settings +defaults: + validityDays: 730 + pkPassword: none + # Set this to true in order to generate config and certificates for + # the HTTP interface of nodes + httpsEnabled: true + reuseTransportCertificatesForHttp: false + verifyHostnames: false + resolveHostnames: false + + +### +### Nodes +### +# +# Specify the nodes of your ES cluster here +# +nodes: +{% for item in groups['es-cluster'] %} + - name: {{ item }} + dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} + dns: {{ item }}.{{ domain_name }} + ip: {{ hostvars[item]['ip'] }} +{% endfor %} + +### +### Clients +### +# +# Specify the clients that shall access your ES cluster with certificate authentication here +# +# At least one client must be an admin user (i.e., a super-user). Admin users can +# be specified with the attribute admin: true +# +clients: + - name: admin + dn: CN=admin.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} + admin: true From 7bed850905a8c89caa6c90615c6f77693b6b33b9 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 24 Apr 2020 18:07:37 +0200 Subject: [PATCH 03/22] Changes tasks --- playbooks/wazuh-opendistro.yml | 2 +- .../opendistro-elasticsearch/defaults/main.yml | 2 +- .../opendistro-elasticsearch/tasks/RedHat.yml | 12 +++--------- .../opendistro-elasticsearch/tasks/main.yml | 9 +-------- 4 files changed, 6 insertions(+), 19 deletions(-) diff --git a/playbooks/wazuh-opendistro.yml b/playbooks/wazuh-opendistro.yml index d146ee3c..ede8ca93 100644 --- a/playbooks/wazuh-opendistro.yml +++ b/playbooks/wazuh-opendistro.yml @@ -1,4 +1,4 @@ --- -- hosts: 172.16.0.161 +- hosts: es-cluster roles: - role: ../roles/opendistro/opendistro-elasticsearch 
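Review bot: `pkPassword: none` under `ca.root` and under `defaults` writes the root CA key and every node/admin private key to disk unencrypted, and RedHat.yml then copies them around with `mode: 0644`; at minimum the CA key should be protected, and if I recall the tool's config format it accepts `pkPassword: auto` to generate a password and include it in the per-node config snippet the role already merges with `blockinfile`. `verifyHostnames: false` together with `-nhnv` on the securityadmin call means node certificates are never matched against the host presenting them; with `dns:` and `ip:` SANs already generated per node, hostname verification could be left on. `validityDays: 730` on the CA and the nodes alike means the CA expires at the same time as the leaf certificates, forcing a simultaneous cluster-wide rotation; give the CA a longer validity.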
diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index f1bff651..8c791a04 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -13,7 +13,7 @@ es_major_version: "7.x" # Configure hostnames for Elasticsearch nodes # Example es1.example.com, es2.example.com -domain_name: example.com +domain_name: wazuh.com # The OpenDistro package repository package_repos: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 64b48b7f..642e7f41 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -43,20 +43,17 @@ path: /tmp/opendistro-nodecerts state: directory run_once: true - when: install.changed - name: RedHat/CentOS/Fedora | Download certificates generation tool local_action: module: get_url url: https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/1.5/search-guard-tlstool-1.5.zip dest: /tmp/opendistro-nodecerts/search-guard-tlstool.zip - run_once: true - when: install.changed + run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip - name: RedHat/CentOS/Fedora | Extract the certificates generation tool - local_action: command chdir=/tmp/opendistro-nodecerts tar -xvf search-guard-tlstool.zip + local_action: command chdir=/tmp/opendistro-nodecerts unzip search-guard-tlstool.zip run_once: true - when: install.changed - name: RedHat/CentOS/Fedora | Add the execution bit to the binary local_action: 
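Review bot: `run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip` on the download task assigns a file path where a boolean belongs — it looks like a paste of the `dest:` value — and Ansible rejects non-boolean strings for `run_once`, so the play stops here; restore `run_once: true`. The same line survives as context in PATCH 05's unarchive hunk and is carried verbatim into tasks/LocalActions.yml in PATCH 06, so it needs the fix there as well. Removing `when: install.changed` from these local tasks also means the TLS tool is downloaded and the certificate template rendered on every run of the play, not only on a fresh install; a `creates:` argument or a re-registered condition would keep them idempotent.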
@@ -64,21 +61,18 @@ dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh mode: a+x run_once: true - when: install.changed - name: RedHat/CentOS/Fedora | Prepare the certificates generation template file local_action: module: template - src: tlsconfig.yml + src: ../templates/tlsconfig.yml dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml run_once: true - when: install.changed - name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local local_action: module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ run_once: true - when: install.changed - name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster copy: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 9f4c438c..f8727637 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -2,9 +2,6 @@ - import_tasks: RedHat.yml when: ansible_os_family == 'RedHat' -- import_tasks: Debian.yml - when: ansible_os_family == "Debian" - - name: Configure OpenDistro Elasticsearch JVM memmory. template: src: jvm.options.j2 @@ -42,8 +39,4 @@ - init - import_tasks: "RMRedHat.yml" - when: ansible_os_family == "RedHat" - -- import_tasks: "RMDebian.yml" - when: ansible_os_family == "Debian" - + when: ansible_os_family == "RedHat" \ No newline at end of file From b91ea1c6aa05e27bede9c6afbdd912aeccd61fd7 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Mon, 27 Apr 2020 14:00:49 +0200 Subject: [PATCH 04/22] Fixed register install --- roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 642e7f41..9558094a 100644 
--- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -33,7 +33,7 @@ - name: RedHat/CentOS/Fedora | Install OpenDistro package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present - tags: install + register: install ## Here we are going to use self-signed certificates for Transport (Node-Node communication) & REST API layer ## Using searchguard offline TLS tool to create node & root certificates @@ -65,7 +65,7 @@ - name: RedHat/CentOS/Fedora | Prepare the certificates generation template file local_action: module: template - src: ../templates/tlsconfig.yml + src: opendistro/opendistro-elasticsearch/templates/tlsconfig.yml dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml run_once: true From 53ad5c62ccb9b09f80f7c0b1743610346a5fc93d Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Mon, 27 Apr 2020 15:26:13 +0200 Subject: [PATCH 05/22] Fixed unzip task and added templates --- .../opendistro-elasticsearch/tasks/RedHat.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 9558094a..dca70b8d 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -52,8 +52,10 @@ run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip - name: RedHat/CentOS/Fedora | Extract the certificates generation tool - local_action: command chdir=/tmp/opendistro-nodecerts unzip search-guard-tlstool.zip - run_once: true + local_action: + module: unarchive + src: /tmp/opendistro-nodecerts/search-guard-tlstool.zip + dest: /tmp/opendistro-nodecerts/ - name: RedHat/CentOS/Fedora | Add the execution bit to the binary local_action: 
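Review bot: Replacing `tags: install` with `register: install` gives the later `when: install.changed` tasks the register they need, but the tag is lost; both keys can coexist (`register: install` on one line, `tags: install` on the next). Note that `install.changed` is false on every run after the first, so the certificate copy, security config and `securityadmin.sh` tasks below never re-run; acceptable for a one-shot install, but a re-run after a failed first attempt silently skips them.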
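Review bot: The new `unarchive` form drops the `run_once: true` the command version had, so the zip is extracted on the controller once per host in `es-cluster`; harmless but noisy, and inconsistent with the neighbouring local tasks. Add `run_once: true` back beneath `dest:`. The `run_once:` path value visible as context just above it is the one flagged at PATCH 03.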
@@ -65,7 +67,7 @@ - name: RedHat/CentOS/Fedora | Prepare the certificates generation template file local_action: module: template - src: opendistro/opendistro-elasticsearch/templates/tlsconfig.yml + src: "templates/tlsconfig.yml.j2" dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml run_once: true @@ -112,7 +114,7 @@ - name: RedHat/CentOS/Fedora | Copy the opendistro security internal users template template: - src: internal_users.yml + src: "templates/internal_users.yml.j2" dest: "{{ es_sec_plugin_conf_path }}/internal_users.yml" mode: 0644 run_once: true From ae160cf6c33d50b0658e6071886988ee8cfbe9d8 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Wed, 29 Apr 2020 15:54:29 +0200 Subject: [PATCH 06/22] Decoupled local actions and updated SearchGuard certificate generator binary --- .../tasks/LocalActions.yml | 40 +++++++++++++++++++ .../opendistro-elasticsearch/tasks/RedHat.yml | 40 ------------------- .../opendistro-elasticsearch/tasks/main.yml | 11 ++++- 3 files changed, 49 insertions(+), 42 deletions(-) create mode 100644 roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml new file mode 100644 index 00000000..e33ce7e5 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml 
@@ -0,0 +1,40 @@ +--- + +- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation + local_action: + module: file + path: /tmp/opendistro-nodecerts + state: directory + run_once: true + +- name: RedHat/CentOS/Fedora | Download certificates generation tool + local_action: + module: get_url + url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip + dest: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip + run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip + +- name: RedHat/CentOS/Fedora | Extract the certificates generation tool + local_action: + module: unarchive + src: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip + dest: /tmp/opendistro-nodecerts/ + +- name: RedHat/CentOS/Fedora | Add the execution bit to the binary + local_action: + module: file + dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh + mode: a+x + run_once: true + +- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file + local_action: + module: template + src: "templates/tlsconfig.yml.j2" + dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml + run_once: true + +- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local + local_action: + module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f + run_once: true \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index dca70b8d..d396960b 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml 
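Review bot: The `-f` appended to the `sgtlstool.sh` command forces overwriting, so every run of the play generates a new root CA and new node/admin certificates on the controller, while the tasks that push them to the nodes (in RedHat.yml) stay gated on `install.changed` and will not run again — after the first re-run the controller's CA no longer matches what the cluster trusts. Make generation idempotent instead: drop `-f` and add `creates: /tmp/opendistro-nodecerts/config/root-ca.pem` next to `module: command …` in the `local_action` mapping. The `get_url` for `search-guard-tlstool-1.7.zip` still has no `checksum:` (`checksum: "sha256:<EXPECTED_SHA256>"`), and the `run_once: /tmp/…` path-as-boolean from PATCH 03 is carried over unchanged on the download task. The file also ends without a trailing newline.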
@@ -35,46 +35,6 @@ package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present register: install -## Here we are going to use self-signed certificates for Transport (Node-Node communication) & REST API layer -## Using searchguard offline TLS tool to create node & root certificates -- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation - local_action: - module: file - path: /tmp/opendistro-nodecerts - state: directory - run_once: true - -- name: RedHat/CentOS/Fedora | Download certificates generation tool - local_action: - module: get_url - url: https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/1.5/search-guard-tlstool-1.5.zip - dest: /tmp/opendistro-nodecerts/search-guard-tlstool.zip - run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip - -- name: RedHat/CentOS/Fedora | Extract the certificates generation tool - local_action: - module: unarchive - src: /tmp/opendistro-nodecerts/search-guard-tlstool.zip - dest: /tmp/opendistro-nodecerts/ - -- name: RedHat/CentOS/Fedora | Add the execution bit to the binary - local_action: - module: file - dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh - mode: a+x - run_once: true - -- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file - local_action: - module: template - src: "templates/tlsconfig.yml.j2" - dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml - run_once: true - -- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local - local_action: - module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ - run_once: true - name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster copy: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index f8727637..728f4970 100644 
--- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -1,10 +1,12 @@ --- +- import_tasks: LocalActions.yml + - import_tasks: RedHat.yml when: ansible_os_family == 'RedHat' - name: Configure OpenDistro Elasticsearch JVM memmory. template: - src: jvm.options.j2 + src: "templates/jvm.options.j2" dest: /etc/elasticsearch/jvm.options owner: root group: elasticsearch @@ -19,7 +21,12 @@ when: ansible_os_family == "RedHat" - name: Copy Configuration File - template: src=elasticsearch.yml dest={{conf_dir}}/elasticsearch.yml group=elasticsearch mode=0644 backup=yes + template: + src: "templates/elasticsearch.ym.j2" + dest: "{{conf_dir}}/elasticsearch.yml" + group: elasticsearch + mode: 0644 + backup: yes register: system_change notify: restart elasticsearch From 7e47b561e0b1f235b54230b47d11c35409250737 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Wed, 29 Apr 2020 16:51:49 +0200 Subject: [PATCH 07/22] Added internal_users template --- .../templates/internal_users.yml.j2 | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 diff --git a/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 new file mode 100644 index 00000000..7bb089f3 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 @@ -0,0 +1,21 @@ +--- +# This is the internal user database +# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh + +_meta: + type: "internalusers" + config_version: 2 + +# Define your internal users here + +admin: + hash: "{{ admin_password }}" + reserved: true + backend_roles: + - "admin" + description: "admin user" + +kibanaserver: + hash: "{{ kibanaserver_password }}" + reserved: true + description: "kibanaserver user" 
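Review bot: In the new `internal_users.yml.j2`, `hash: "{{ admin_password }}"` and `hash: "{{ kibanaserver_password }}"` render the plaintext passwords into the `hash` field, which is later rewritten in place by a `sed` task in `RedHat.yml`; between the two tasks the plaintext sits on disk in the security plugin config directory, and the design also leaves the file broken if that later task is skipped. If passlib is available on the controller, Ansible's `password_hash` filter can produce the bcrypt value directly in the template, `hash: "{{ admin_password | password_hash('bcrypt') }}"`, removing both the plaintext window and the `sed` step. The header comment `# The hash value is a bcrypt hash ...` would then be accurate for the rendered file as well.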
From 34920f5fe560fcc479581efcfb2e4c88df744960 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Wed, 29 Apr 2020 17:27:34 +0200 Subject: [PATCH 08/22] Added task to check if root ca already exist --- .../opendistro-elasticsearch/tasks/LocalActions.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml index e33ce7e5..432a4423 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml @@ -34,7 +34,14 @@ dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml run_once: true +- name: RedHat/CentOS/Fedora | Check if root CA file exists + local_action: + module: stat + path: /tmp/opendistro-nodecerts/config/root-ca.key + register: root_ca_file + - name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local local_action: - module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f - run_once: true \ No newline at end of file + module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f -o + run_once: true + when: root_ca_file.stat.exists == False \ No newline at end of file From 7269b15041d6417cfc5d7a2a221bbd4d421d7cf0 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Wed, 29 Apr 2020 18:01:11 +0200 Subject: [PATCH 09/22] Modified several variables --- .../defaults/main.yml | 31 +++---------------- .../opendistro-elasticsearch/tasks/RedHat.yml | 24 +++++++------- .../opendistro-elasticsearch/tasks/main.yml | 4 +-- .../templates/elasticsearch.yml.j2 | 2 +- .../templates/jvm.options.j2 | 8 ++--- 5 files changed, 23 insertions(+), 46 deletions(-) 
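Review bot: The new `when: root_ca_file.stat.exists == False` gates node and admin certificate generation on the absence of the CA key only, so once a CA exists on the controller, hosts added to the inventory later get no certificates while the play still proceeds to copy them; this appears to be an unintended gap unless re-generation is meant to be manual. The idiomatic form of the condition is `when: not root_ca_file.stat.exists`. If keeping the CA while issuing for new nodes is the intent, the `stat` should target each host's own `{{ inventory_hostname }}.pem` rather than `root-ca.key`.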
diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 8c791a04..bca544e6 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -1,7 +1,6 @@ --- # The OpenDistro version opendistro_version: 1.6.0 - elasticsearch_cluster_name: wazuh-cluster # Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster @@ -25,12 +24,9 @@ package_repos: baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum' gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' -populate_inventory_to_hosts_file: true - -es_plugin_bin_path: /usr/share/elasticsearch/bin/elasticsearch-plugin -es_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig -es_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools - +opendistro_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig +opendistro_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools +opendistro_conf_path: /etc/elasticsearch/ es_nodes: |- {% for item in groups['es-cluster'] -%} {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %} @@ -42,11 +38,6 @@ opendistro_security_password: admin opendistro_jvm_xms: null opendistro_http_port: 9200 -opendistro_network_host: 127.0.0.1 -opendistro_reachable_host: 127.0.0.1 -opendistro_jvm_xms: null -elastic_stack_version: 7.6.1 -opendistro_lower_disk_requirements: false elasticrepo: apt: 'https://artifacts.elastic.co/packages/7.x/apt' @@ -54,6 +45,7 @@ elasticrepo: gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro' key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' +opendistro_admin_password: Test@123 # Cluster Settings single_node: true opendistro_cluster_name: wazuh 
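Review bot: The added `opendistro_admin_password: Test@123` ships a working default credential for the `admin` superuser in role defaults; patch 12 (the defaults hunk after `@@ -45,7 +45,8 @@`) replaces it with `changeme` and adds `opendistro_kibana_password: changeme`, which has the same problem. A safer default is to leave these unset and fail early, e.g. an `assert` in `tasks/main.yml` with `that: opendistro_admin_password is defined and opendistro_admin_password != 'changeme'`, so a deployment never comes up with a published password. Separately, `opendistro_conf_path: /etc/elasticsearch/` keeps a trailing slash while every consumer appends `/...`, producing `//` in rendered paths; `opendistro_conf_path: /etc/elasticsearch` matches the other `*_path` values in this hunk.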
@@ -67,18 +59,3 @@ opendistro_discovery_nodes: opendistro_node_data: true opendistro_node_ingest: true -# X-Pack Security -opendistro_xpack_security: false -opendistro_xpack_security_user: elastic -opendistro_xpack_security_password: elastic_pass - -node_certs_generator: false -node_certs_source: /usr/share/elasticsearch -node_certs_destination: /etc/elasticsearch/certs - -# CA generation -master_certs_path: /es_certs -generate_CA: true -ca_key_name: "" -ca_cert_name: "" -ca_password: "" diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index d396960b..b2170af1 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -56,14 +56,14 @@ - name: RedHat/CentOS/Fedora | Copy the opendistro security configuration file to cluster blockinfile: block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" - dest: "{{ conf_dir }}/elasticsearch.yml" + dest: "{{ opendistro_conf_path }}/elasticsearch.yml" backup: yes insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" when: install.changed - name: RedHat/CentOS/Fedora | Prepare the opendistro security configuration file - command: sed -i 's/searchguard/opendistro_security/g' {{ conf_dir }}/elasticsearch.yml + command: sed -i 's/searchguard/opendistro_security/g' {{ opendistro_conf_path }}/elasticsearch.yml when: install.changed - name: RedHat/CentOS/Fedora | Restart elasticsearch with security configuration 
@@ -75,32 +75,32 @@ - name: RedHat/CentOS/Fedora | Copy the opendistro security internal users template template: src: "templates/internal_users.yml.j2" - dest: "{{ es_sec_plugin_conf_path }}/internal_users.yml" + dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" mode: 0644 run_once: true when: install.changed - name: RedHat/CentOS/Fedora | Set the Admin user password shell: > - sed -i 's,{{ admin_password }},'$(sh {{ es_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)',' - {{ es_sec_plugin_conf_path }}/internal_users.yml + sed -i 's,{{ admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)',' + {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true when: install.changed - name: RedHat/CentOS/Fedora | Set the kibanaserver user pasword shell: > - sed -i 's,{{ kibanaserver_password }},'$(sh {{ es_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)',' - {{ es_sec_plugin_conf_path }}/internal_users.yml + sed -i 's,{{ kibanaserver_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)',' + {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true when: install.changed - name: RedHat/CentOS/Fedora | Initialize the opendistro security index in elasticsearch shell: > - sh {{ es_sec_plugin_tools_path }}/securityadmin.sh - -cacert {{ conf_dir }}/root-ca.pem - -cert {{ conf_dir }}/admin.pem - -key {{ conf_dir }}/admin.key - -cd {{ es_sec_plugin_conf_path }}/ + sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh + -cacert {{ opendistro_conf_path }}/root-ca.pem + -cert {{ opendistro_conf_path }}/admin.pem + -key {{ opendistro_conf_path }}/admin.key + -cd {{ opendistro_sec_plugin_conf_path }}/ -nhnv -icl -h {{ hostvars[inventory_hostname]['ip'] }} run_once: true 
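Review bot: The rewritten `shell: sed -i 's,{{ admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)','` puts the plaintext password on the command line of both `sed` and `hash.sh` on the target, where it is visible in the process list and in Ansible's own task output and logs; the same applies to the kibanaserver task below it. Both tasks should carry `no_log: true`. The `s,old,new,` form also breaks for any password containing `,`, `&`, `'` or a leading `\`, so the substitution is only safe for a restricted character set, which the defaults do not enforce; rendering the hash in the template instead avoids the issue.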
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 728f4970..bdfb6be8 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -22,8 +22,8 @@ - name: Copy Configuration File template: - src: "templates/elasticsearch.ym.j2" - dest: "{{conf_dir}}/elasticsearch.yml" + src: "templates/elasticsearch.yml.j2" + dest: "{{opendistro_conf_path}}/elasticsearch.yml" group: elasticsearch mode: 0644 backup: yes diff --git a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 index 6b025674..58a8ece2 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 @@ -1,4 +1,4 @@ -cluster.name: "{{ elasticsearch_cluster_name }}" +cluster.name: "{{ opendistro_cluster_name }}" node.name: "{{ inventory_hostname }}" diff --git a/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 b/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 index c43ce401..de69125c 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 @@ -23,10 +23,10 @@ # Xms represents the initial size of total heap space # Xmx represents the maximum size of total heap space -{% if elasticsearch_jvm_xms is not none %} -{% if elasticsearch_jvm_xms < 32000 %} --Xms{{ elasticsearch_jvm_xms }}m --Xmx{{ elasticsearch_jvm_xms }}m +{% if opendistro_jvm_xms is not none %} +{% if opendistro_jvm_xms < 32000 %} +-Xms{{ opendistro_jvm_xms }}m +-Xmx{{ opendistro_jvm_xms }}m {% else %} -Xms32000m -Xmx32000m From e899b1c6020efd1d87291e1294ced56f9ca34cf4 Mon Sep 17 00:00:00 2001 
From: "Manuel J. Bernal" Date: Wed, 6 May 2020 17:33:53 +0200 Subject: [PATCH 10/22] WIP: Testing first secured cluster deployment --- .../opendistro-elasticsearch/tasks/RedHat.yml | 75 ----------- .../opendistro-elasticsearch/tasks/main.yml | 125 +++++++++++++++--- 2 files changed, 107 insertions(+), 93 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index b2170af1..b3318193 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml 
@@ -30,78 +30,3 @@ packages: - wget - unzip - -- name: RedHat/CentOS/Fedora | Install OpenDistro - package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present - register: install - - -- name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster - copy: - src: "/tmp/opendistro-nodecerts/config/{{ item }}" - dest: /etc/elasticsearch/ - mode: 0644 - with_items: - - root-ca.pem - - root-ca.key - - "{{ inventory_hostname }}.key" - - "{{ inventory_hostname }}.pem" - - "{{ inventory_hostname }}_http.key" - - "{{ inventory_hostname }}_http.pem" - - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" - - admin.key - - admin.pem - when: install.changed - -- name: RedHat/CentOS/Fedora | Copy the opendistro security configuration file to cluster - blockinfile: - block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" - dest: "{{ opendistro_conf_path }}/elasticsearch.yml" - backup: yes - insertafter: EOF - marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" - when: install.changed - -- name: RedHat/CentOS/Fedora | Prepare the opendistro security configuration file - command: sed -i 's/searchguard/opendistro_security/g' {{ opendistro_conf_path }}/elasticsearch.yml - when: install.changed - -- name: RedHat/CentOS/Fedora | Restart elasticsearch with security configuration - systemd: - name: elasticsearch - state: restarted - when: install.changed - -- name: RedHat/CentOS/Fedora | Copy the opendistro security internal users template - template: - src: "templates/internal_users.yml.j2" - dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" - mode: 0644 - run_once: true - when: install.changed - -- name: RedHat/CentOS/Fedora | Set the Admin user password - shell: > - sed -i 's,{{ admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)',' - {{ 
opendistro_sec_plugin_conf_path }}/internal_users.yml - run_once: true - when: install.changed - -- name: RedHat/CentOS/Fedora | Set the kibanaserver user pasword - shell: > - sed -i 's,{{ kibanaserver_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)',' - {{ opendistro_sec_plugin_conf_path }}/internal_users.yml - run_once: true - when: install.changed - -- name: RedHat/CentOS/Fedora | Initialize the opendistro security index in elasticsearch - shell: > - sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh - -cacert {{ opendistro_conf_path }}/root-ca.pem - -cert {{ opendistro_conf_path }}/admin.pem - -key {{ opendistro_conf_path }}/admin.key - -cd {{ opendistro_sec_plugin_conf_path }}/ - -nhnv -icl - -h {{ hostvars[inventory_hostname]['ip'] }} - run_once: true - when: install.changed diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index bdfb6be8..bf7c6e06 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml 
@@ -4,6 +4,110 @@ - import_tasks: RedHat.yml when: ansible_os_family == 'RedHat' +- name: Install OpenDistro + package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present + register: install + +- name: Copy the node & admin certificates to Elasticsearch cluster + copy: + src: "/tmp/opendistro-nodecerts/config/{{ item }}" + dest: /etc/elasticsearch/ + mode: 0644 + with_items: + - root-ca.pem + - root-ca.key + - "{{ inventory_hostname }}.key" + - "{{ inventory_hostname }}.pem" + - "{{ inventory_hostname }}_http.key" + - "{{ inventory_hostname }}_http.pem" + - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" + - admin.key + - admin.pem + when: install.changed + +- name: Remove demo certs + file: + path: "{{ item }}" + state: absent + with_items: + - "{{opendistro_conf_path}}/kirk.pem" + - "{{opendistro_conf_path}}/kirk-key.pem" + - "{{opendistro_conf_path}}/esnode.pem" + - "{{opendistro_conf_path}}/esnode-key.pem" + when: install.changed + +- name: Remove elasticsearch configuration file + file: + path: "{{opendistro_conf_path}}/elasticsearch.yml" + state: absent + when: install.changed + +- name: Copy Configuration File + blockinfile: + block: "{{ lookup('template', 'elasticsearch.yml.j2') }}" + dest: "{{ opendistro_conf_path }}/elasticsearch.yml" + create: true + group: elasticsearch + mode: 0640 + marker: "## {mark} Opendistro general settings ##" + when: install.changed + +- name: Copy the opendistro security configuration file to cluster + blockinfile: + block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" + dest: "{{ opendistro_conf_path }}/elasticsearch.yml" + insertafter: EOF + marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" + when: install.changed + +- name: Prepare the opendistro security configuration file + replace: + path: "{{ opendistro_conf_path }}/elasticsearch.yml" + regexp: 'searchguard' + replace: 
'opendistro_security' + tags: local + when: install.changed + +- name: Restart elasticsearch with security configuration + systemd: + name: elasticsearch + state: restarted + when: install.changed + +- name: Copy the opendistro security internal users template + template: + src: "templates/internal_users.yml.j2" + dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" + mode: 0644 + run_once: true + when: install.changed + +- name: Set the Admin user password + shell: > + sed -i 's,{{ admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)',' + {{ opendistro_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + +- name: Set the kibanaserver user pasword + shell: > + sed -i 's,{{ kibanaserver_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)',' + {{ opendistro_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + +- name: Initialize the opendistro security index in elasticsearch + shell: > + sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh + -cacert {{ opendistro_conf_path }}/root-ca.pem + -cert {{ opendistro_conf_path }}/admin.pem + -key {{ opendistro_conf_path }}/admin.key + -cd {{ opendistro_sec_plugin_conf_path }}/ + -nhnv -icl + -h {{ hostvars[inventory_hostname]['ip'] }} + run_once: true + when: install.changed + - name: Configure OpenDistro Elasticsearch JVM memmory. template: src: "templates/jvm.options.j2" 
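Review bot: The new "Copy the node & admin certificates" task distributes `root-ca.key` to every cluster node and installs all private keys (`root-ca.key`, `{{ inventory_hostname }}.key`, `{{ inventory_hostname }}_http.key`, `admin.key`) into `/etc/elasticsearch/` with `mode: 0644`, i.e. world-readable; any local account on a node can then read the CA key and mint trusted certificates. Nodes only need `root-ca.pem` for trust, so `- root-ca.key` should be dropped from the `with_items` list, and the key files should be installed with `group: elasticsearch` and `mode: "0640"` (the certificates may stay 0644). `admin.key`/`admin.pem` are only used by the `run_once` securityadmin task, so they could be copied to that single host rather than to all of them. The hunk also leaves a stray `tags: local` on the "Prepare the opendistro security configuration file" task.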
@@ -13,22 +117,7 @@ mode: 0644 force: yes notify: restart elasticsearch - tags: configure - -# fix in new PR (ignore_errors) - -- import_tasks: "RMRedHat.yml" - when: ansible_os_family == "RedHat" - -- name: Copy Configuration File - template: - src: "templates/elasticsearch.yml.j2" - dest: "{{opendistro_conf_path}}/elasticsearch.yml" - group: elasticsearch - mode: 0644 - backup: yes - register: system_change - notify: restart elasticsearch + tags: opendistro - name: Ensure Elasticsearch started and enabled service: @@ -36,13 +125,13 @@ enabled: true state: started tags: - - configure + - opendistro - init - name: Make sure Elasticsearch is running before proceeding wait_for: host=localhost port=9200 delay=3 timeout=400 tags: - - configure + - opendistro - init - import_tasks: "RMRedHat.yml" From 5fd4988a888e207dc25320019ef0b37d57e5e0f3 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Thu, 7 May 2020 14:40:58 +0200 Subject: [PATCH 11/22] Fixed typo --- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 2 +- .../opendistro-elasticsearch/templates/internal_users.yml.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index bf7c6e06..88ad8711 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -84,7 +84,7 @@ - name: Set the Admin user password shell: > - sed -i 's,{{ admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)',' + sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)',' {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true when: install.changed 
diff --git a/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 index 7bb089f3..f39bbf50 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 @@ -9,7 +9,7 @@ _meta: # Define your internal users here admin: - hash: "{{ admin_password }}" + hash: "{{ opendistro_admin_password }}" reserved: true backend_roles: - "admin" From 77c30c3bf0e496138bb29024de8bf41765fc7adb Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Thu, 7 May 2020 14:50:01 +0200 Subject: [PATCH 12/22] Added Kibana admin password --- roles/opendistro/opendistro-elasticsearch/defaults/main.yml | 3 ++- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 2 +- .../opendistro-elasticsearch/templates/internal_users.yml.j2 | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index bca544e6..b71b67de 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -45,7 +45,8 @@ elasticrepo: gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro' key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' -opendistro_admin_password: Test@123 +opendistro_admin_password: changeme +opendistro_kibana_password: changeme # Cluster Settings single_node: true opendistro_cluster_name: wazuh diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 88ad8711..7174a27f 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml 
@@ -91,7 +91,7 @@ - name: Set the kibanaserver user pasword shell: > - sed -i 's,{{ kibanaserver_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)',' + sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true when: install.changed diff --git a/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 index f39bbf50..471a5c28 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 @@ -16,6 +16,6 @@ admin: description: "admin user" kibanaserver: - hash: "{{ kibanaserver_password }}" + hash: "{{ opendistro_kibana_password }}" reserved: true description: "kibanaserver user" From 0c04b22b0f8b49a36e6af4be2d7c6cec3ac1e864 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Thu, 7 May 2020 19:12:43 +0200 Subject: [PATCH 13/22] Checking API status --- .../opendistro-elasticsearch/tasks/main.yml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 7174a27f..ea56183e 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml 
@@ -128,11 +128,20 @@ - opendistro - init -- name: Make sure Elasticsearch is running before proceeding - wait_for: host=localhost port=9200 delay=3 timeout=400 - tags: - - opendistro - - init +- name: Wait for Elasticsearch API + uri: + url: "https://{{ es_nodes.split(',')[0].split('\"')[0] }}:9200/_cluster/health/" + user: "admin" # Default OpenDistro user is always "admin" + password: "{{ opendistro_admin_password }}" + validate_certs: no + status_code: 200,401 + return_content: yes + timeout: 4 + register: _result + until: ( _result.json is defined) and (_result.json.status == "green") + retries: 24 + delay: 5 + tags: debug - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" \ No newline at end of file From e83c6f8d86cf1d34701bd16ab6bbd2a99bf0bd88 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Thu, 7 May 2020 20:03:39 +0200 Subject: [PATCH 14/22] Refactor of production ready actions --- .../tasks/LocalActions.yml | 82 ++++++++-------- .../opendistro-elasticsearch/tasks/RedHat.yml | 58 ++++++------ .../tasks/SecurityActions.yml | 88 ++++++++++++++++++ .../opendistro-elasticsearch/tasks/main.yml | 93 ++----------------- 4 files changed, 168 insertions(+), 153 deletions(-) create mode 100644 roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml index 432a4423..8ff56b64 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml 
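Review bot: The new "Wait for Elasticsearch API" task hardcodes `:9200` although `opendistro_http_port: 9200` is defined in defaults, and derives the host from the string hack `es_nodes.split(',')[0].split('\"')[0]` even though the securityadmin task already uses `hostvars[inventory_hostname]['ip']`; `url: "https://{{ hostvars[inventory_hostname]['ip'] }}:{{ opendistro_http_port }}/_cluster/health/"` would track both settings. `validate_certs: no` disables TLS verification against a CA this role generated itself; if the generated http certificates carry the node IP as a SAN, `ca_path: "{{ opendistro_conf_path }}/root-ca.pem"` with `validate_certs: true` keeps verification on. `status_code: 200,401` accepts an authentication failure as a valid response, which the `until` then silently retries for the full `retries: 24` before failing with a misleading timeout; `tags: debug` also looks like a leftover given the `opendistro`/`init` tags used on the neighbouring tasks.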
@@ -1,47 +1,51 @@ --- +- block: -- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation - local_action: - module: file - path: /tmp/opendistro-nodecerts - state: directory - run_once: true + - name: Local action | Create local temporary directory for certificates generation + local_action: + module: file + path: /tmp/opendistro-nodecerts + state: directory + run_once: true + + - name: Local action | Download certificates generation tool + local_action: + module: get_url + url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip + dest: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip + run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip -- name: RedHat/CentOS/Fedora | Download certificates generation tool - local_action: - module: get_url - url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip - dest: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip - run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip + - name: Local action | Extract the certificates generation tool + local_action: + module: unarchive + src: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip + dest: /tmp/opendistro-nodecerts/ -- name: RedHat/CentOS/Fedora | Extract the certificates generation tool - local_action: - module: unarchive - src: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip - dest: /tmp/opendistro-nodecerts/ + - name: Local action | Add the execution bit to the binary + local_action: + module: file + dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh + mode: a+x + run_once: true -- name: RedHat/CentOS/Fedora | Add the execution bit to the binary - local_action: - module: file - dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh - mode: a+x - run_once: true + - name: Local action | Prepare the certificates generation template file + local_action: + module: template + src: "templates/tlsconfig.yml.j2" + dest: 
/tmp/opendistro-nodecerts/config/tlsconfig.yml + run_once: true -- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file - local_action: - module: template - src: "templates/tlsconfig.yml.j2" - dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml - run_once: true + - name: Local action | Check if root CA file exists + local_action: + module: stat + path: /tmp/opendistro-nodecerts/config/root-ca.key + register: root_ca_file -- name: RedHat/CentOS/Fedora | Check if root CA file exists - local_action: - module: stat - path: /tmp/opendistro-nodecerts/config/root-ca.key - register: root_ca_file + - name: Local action | Generate the node & admin certificates in local + local_action: + module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f -o + run_once: true + when: root_ca_file.stat.exists == False -- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local - local_action: - module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f -o - run_once: true - when: root_ca_file.stat.exists == False \ No newline at end of file + tags: + - generate-certs \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index b3318193..68459544 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml 
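Review bot: Now that the tasks are wrapped in a `- block:`, the per-task `local_action:` / `module:` nesting and the uneven `run_once` (missing on "Extract" and "Check if root CA file exists", a path string on "Download") can be replaced by block-level keywords: `delegate_to: localhost` and `run_once: true` next to the existing `tags:` at the end of the block, with each task written as a plain `file:` / `get_url:` / `unarchive:` / `template:` / `stat:` / `command:` task. That makes every step run exactly once on the controller, which is what the individual `run_once: true` lines were trying to express, and removes the misassigned `run_once` value without touching each task separately.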
@@ -1,32 +1,36 @@ --- +- block: -- name: RedHat/CentOS/Fedora | Add OpenDistro repo - yum_repository: - file: opendistro - name: opendistro_repo - description: Opendistro yum repository - baseurl: "{{ package_repos.yum.opendistro.baseurl }}" - gpgkey: "{{ package_repos.yum.opendistro.gpg }}" - gpgcheck: true - changed_when: false + - name: RedHat/CentOS/Fedora | Add OpenDistro repo + yum_repository: + file: opendistro + name: opendistro_repo + description: Opendistro yum repository + baseurl: "{{ package_repos.yum.opendistro.baseurl }}" + gpgkey: "{{ package_repos.yum.opendistro.gpg }}" + gpgcheck: true + changed_when: false -- name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo - yum_repository: - file: opendistro - name: elasticsearch_oss_repo - description: Elasticsearch-oss yum repository - baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}" - gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}" - gpgcheck: true - changed_when: false + - name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo + yum_repository: + file: opendistro + name: elasticsearch_oss_repo + description: Elasticsearch-oss yum repository + baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}" + gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}" + gpgcheck: true + changed_when: false -- name: RedHat/CentOS/Fedora | Install OpenJDK 11 - yum: name=java-11-openjdk-devel state=present + - name: RedHat/CentOS/Fedora | Install OpenJDK 11 + yum: name=java-11-openjdk-devel state=present -- name: RedHat/CentOS/Fedora | Install OpenDistro dependencies - yum: - name: "{{ packages }}" - vars: - packages: - - wget - - unzip + - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies + yum: + name: "{{ packages }}" + vars: + packages: + - wget + - unzip + + tags: + - install \ No newline at end of file 
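Review bot: Both `yum_repository` tasks keep `changed_when: false`, which reports `ok` even on the run that actually writes the `opendistro` repo file, so the play's change summary and any handler notification cannot reflect a repository that was just added or altered; drop the two `changed_when: false` lines and let the module's own idempotent change detection stand. If the intent was to silence a spurious change caused by the templated `baseurl`, a comment saying so above the task would be preferable to masking the result. The OpenJDK task still uses the free-form `name=java-11-openjdk-devel state=present` string while the dependency task uses dict arguments; the two styles should match within the block.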
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml new file mode 100644 index 00000000..c6323fde --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml 
@@ -0,0 +1,88 @@ +- block: + + - name: Remove demo certs + file: + path: "{{ item }}" + state: absent + with_items: + - "{{opendistro_conf_path}}/kirk.pem" + - "{{opendistro_conf_path}}/kirk-key.pem" + - "{{opendistro_conf_path}}/esnode.pem" + - "{{opendistro_conf_path}}/esnode-key.pem" + when: install.changed + + - name: Copy the node & admin certificates to Elasticsearch cluster + copy: + src: "/tmp/opendistro-nodecerts/config/{{ item }}" + dest: /etc/elasticsearch/ + mode: 0644 + with_items: + - root-ca.pem + - root-ca.key + - "{{ inventory_hostname }}.key" + - "{{ inventory_hostname }}.pem" + - "{{ inventory_hostname }}_http.key" + - "{{ inventory_hostname }}_http.pem" + - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" + - admin.key + - admin.pem + when: install.changed + + - name: Copy the opendistro security configuration file to cluster + blockinfile: + block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" + dest: "{{ opendistro_conf_path }}/elasticsearch.yml" + insertafter: EOF + marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" + when: install.changed + + - name: Prepare the opendistro security configuration file + replace: + path: "{{ opendistro_conf_path }}/elasticsearch.yml" + regexp: 'searchguard' + replace: 'opendistro_security' + tags: local + when: install.changed + + - name: Restart elasticsearch with security configuration + systemd: + name: elasticsearch + state: restarted + when: install.changed + + - name: Copy the opendistro security internal users template + template: + src: "templates/internal_users.yml.j2" + dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" + mode: 0644 + run_once: true + when: install.changed + + - name: Set the Admin user password + shell: > + sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)',' + {{ 
opendistro_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + + - name: Set the kibanaserver user pasword + shell: > + sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' + {{ opendistro_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + + - name: Initialize the opendistro security index in elasticsearch + shell: > + sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh + -cacert {{ opendistro_conf_path }}/root-ca.pem + -cert {{ opendistro_conf_path }}/admin.pem + -key {{ opendistro_conf_path }}/admin.key + -cd {{ opendistro_sec_plugin_conf_path }}/ + -nhnv -icl + -h {{ hostvars[inventory_hostname]['ip'] }} + run_once: true + when: install.changed + + tags: + - production_ready diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index ea56183e..94f4ab91 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -1,4 +1,5 @@ --- + - import_tasks: LocalActions.yml - import_tasks: RedHat.yml 
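Review bot: The `Copy the node & admin certificates` task writes `root-ca.key`, `admin.key` and the node `.key` files into `/etc/elasticsearch/` with `mode: 0644`, leaving every private key world-readable on the node; use `mode: 0600` (or `0640` with the service account's group as `group:`) for the key items, and consider not shipping `root-ca.key` at all, since the node and `securityadmin.sh` only need `root-ca.pem` and the CA key can stay on the controller. The two `sed -i` password tasks place `opendistro_admin_password` and `opendistro_kibana_password` on the command line and in the task result, so they show up in Ansible output and on the node's process list; add `no_log: true` to both, and note that a password containing `,` or regex metacharacters breaks the `s,...,...,` expression. The `securityadmin.sh` call passes `-nhnv`, which disables hostname verification on the TLS connection to the node; if that is intentional for IP-addressed hosts, state it in a comment, otherwise drop the flag. `dest: /etc/elasticsearch/` is hard-coded while the sibling tasks use `{{ opendistro_conf_path }}`.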
@@ -7,40 +8,14 @@ - name: Install OpenDistro package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present register: install - -- name: Copy the node & admin certificates to Elasticsearch cluster - copy: - src: "/tmp/opendistro-nodecerts/config/{{ item }}" - dest: /etc/elasticsearch/ - mode: 0644 - with_items: - - root-ca.pem - - root-ca.key - - "{{ inventory_hostname }}.key" - - "{{ inventory_hostname }}.pem" - - "{{ inventory_hostname }}_http.key" - - "{{ inventory_hostname }}_http.pem" - - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" - - admin.key - - admin.pem - when: install.changed - -- name: Remove demo certs - file: - path: "{{ item }}" - state: absent - with_items: - - "{{opendistro_conf_path}}/kirk.pem" - - "{{opendistro_conf_path}}/kirk-key.pem" - - "{{opendistro_conf_path}}/esnode.pem" - - "{{opendistro_conf_path}}/esnode-key.pem" - when: install.changed + tags: install - name: Remove elasticsearch configuration file file: path: "{{opendistro_conf_path}}/elasticsearch.yml" state: absent when: install.changed + tags: install - name: Copy Configuration File blockinfile: 
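Review bot: `register: install` now sits on a task tagged `install`, but the `when: install.changed` conditions that consume it live in the `SecurityActions.yml` block, which carries only the `production_ready` tag; running the play with `--tags production_ready` skips the install task and every `install.changed` then fails on an undefined variable. Either give the `Install OpenDistro` task both tags or guard the consumers with `when: install is defined and install.changed`. The rest of this hunk only relocates tasks that reappear unchanged in `SecurityActions.yml`.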
@@ -51,62 +26,9 @@ mode: 0640 marker: "## {mark} Opendistro general settings ##" when: install.changed + tags: install -- name: Copy the opendistro security configuration file to cluster - blockinfile: - block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" - dest: "{{ opendistro_conf_path }}/elasticsearch.yml" - insertafter: EOF - marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" - when: install.changed - -- name: Prepare the opendistro security configuration file - replace: - path: "{{ opendistro_conf_path }}/elasticsearch.yml" - regexp: 'searchguard' - replace: 'opendistro_security' - tags: local - when: install.changed - -- name: Restart elasticsearch with security configuration - systemd: - name: elasticsearch - state: restarted - when: install.changed - -- name: Copy the opendistro security internal users template - template: - src: "templates/internal_users.yml.j2" - dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" - mode: 0644 - run_once: true - when: install.changed - -- name: Set the Admin user password - shell: > - sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)',' - {{ opendistro_sec_plugin_conf_path }}/internal_users.yml - run_once: true - when: install.changed - -- name: Set the kibanaserver user pasword - shell: > - sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' - {{ opendistro_sec_plugin_conf_path }}/internal_users.yml - run_once: true - when: install.changed - -- name: Initialize the opendistro security index in elasticsearch - shell: > - sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh - -cacert {{ opendistro_conf_path }}/root-ca.pem - -cert {{ opendistro_conf_path }}/admin.pem - -key {{ opendistro_conf_path }}/admin.key - -cd {{ 
opendistro_sec_plugin_conf_path }}/ - -nhnv -icl - -h {{ hostvars[inventory_hostname]['ip'] }} - run_once: true - when: install.changed +- import_tasks: SecurityActions.yml - name: Configure OpenDistro Elasticsearch JVM memmory. template: @@ -117,16 +39,13 @@ mode: 0644 force: yes notify: restart elasticsearch - tags: opendistro + tags: install - name: Ensure Elasticsearch started and enabled service: name: elasticsearch enabled: true state: started - tags: - - opendistro - - init - name: Wait for Elasticsearch API uri: From 3c6e08c7cf0ecf5890555cf6bde5fc07a0c24bfd Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 8 May 2020 14:43:30 +0200 Subject: [PATCH 15/22] Modified task, from shell to command module --- .../opendistro-elasticsearch/tasks/SecurityActions.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml index c6323fde..765285aa 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml @@ -73,8 +73,8 @@ when: install.changed - name: Initialize the opendistro security index in elasticsearch - shell: > - sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh + command: > + {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh -cacert {{ opendistro_conf_path }}/root-ca.pem -cert {{ opendistro_conf_path }}/admin.pem -key {{ opendistro_conf_path }}/admin.key From d7be137e6e2f3791d0a18d968348c690897f995b Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 8 May 2020 15:54:23 +0200 Subject: [PATCH 16/22] Ansible linting compliant variables --- .../opendistro-elasticsearch/tasks/SecurityActions.yml | 8 ++++---- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml index 765285aa..390df69c 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml @@ -5,10 +5,10 @@ path: "{{ item }}" state: absent with_items: - - "{{opendistro_conf_path}}/kirk.pem" - - "{{opendistro_conf_path}}/kirk-key.pem" - - "{{opendistro_conf_path}}/esnode.pem" - - "{{opendistro_conf_path}}/esnode-key.pem" + - "{{ opendistro_conf_path }}/kirk.pem" + - "{{ opendistro_conf_path }}/kirk-key.pem" + - "{{ opendistro_conf_path }}/esnode.pem" + - "{{ opendistro_conf_path }}/esnode-key.pem" when: install.changed - name: Copy the node & admin certificates to Elasticsearch cluster diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 94f4ab91..6547b03a 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -12,7 +12,7 @@ - name: Remove elasticsearch configuration file file: - path: "{{opendistro_conf_path}}/elasticsearch.yml" + path: "{{ opendistro_conf_path }}/elasticsearch.yml" state: absent when: install.changed tags: install From 8fd684927581a0bb7c969a3728fa7b7ce0d9f0ad Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 8 May 2020 15:55:13 +0200 Subject: [PATCH 17/22] Tasks in YAML format --- roles/opendistro/opendistro-elasticsearch/handlers/main.yml | 3 ++- roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml | 3 ++- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml index a4c1162a..c2836edc 100644 
--- a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml @@ -1,3 +1,4 @@ --- - name: restart elasticsearch - service: name=elasticsearch state=restarted + service: name=elasticsearch + state: restarted diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 68459544..3511c7c4 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -22,7 +22,8 @@ changed_when: false - name: RedHat/CentOS/Fedora | Install OpenJDK 11 - yum: name=java-11-openjdk-devel state=present + yum: name=java-11-openjdk-devel + state: present - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies yum: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 6547b03a..fbc9dea6 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -6,7 +6,8 @@ when: ansible_os_family == 'RedHat' - name: Install OpenDistro - package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present + package: name=opendistroforelasticsearch-{{ opendistro_version }} + state: present register: install tags: install From 9152d07ac1b7780f96bff074b91d5822f0f0125e Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 8 May 2020 15:56:00 +0200 Subject: [PATCH 18/22] When statement at block level --- .../opendistro-elasticsearch/tasks/SecurityActions.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml index 390df69c..8572d864 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml 
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml @@ -9,7 +9,6 @@ - "{{ opendistro_conf_path }}/kirk-key.pem" - "{{ opendistro_conf_path }}/esnode.pem" - "{{ opendistro_conf_path }}/esnode-key.pem" - when: install.changed - name: Copy the node & admin certificates to Elasticsearch cluster copy: @@ -26,7 +25,6 @@ - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" - admin.key - admin.pem - when: install.changed - name: Copy the opendistro security configuration file to cluster blockinfile: @@ -34,7 +32,6 @@ dest: "{{ opendistro_conf_path }}/elasticsearch.yml" insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" - when: install.changed - name: Prepare the opendistro security configuration file replace: @@ -42,13 +39,11 @@ regexp: 'searchguard' replace: 'opendistro_security' tags: local - when: install.changed - name: Restart elasticsearch with security configuration systemd: name: elasticsearch state: restarted - when: install.changed - name: Copy the opendistro security internal users template template: @@ -56,21 +51,18 @@ dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" mode: 0644 run_once: true - when: install.changed - name: Set the Admin user password shell: > sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)',' {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true - when: install.changed - name: Set the kibanaserver user pasword shell: > sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true - when: install.changed - name: Initialize the opendistro security index in elasticsearch command: 
> @@ -82,7 +74,7 @@ -nhnv -icl -h {{ hostvars[inventory_hostname]['ip'] }} run_once: true - when: install.changed tags: - production_ready + when: install.changed \ No newline at end of file From a2fe75775e3cab2ef2d4bd246f8379245f066a3e Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 8 May 2020 18:43:01 +0200 Subject: [PATCH 19/22] Added new variables --- .../defaults/main.yml | 13 ++++-------- .../tasks/LocalActions.yml | 20 +++++++++---------- .../tasks/SecurityActions.yml | 4 ++-- 3 files changed, 16 insertions(+), 21 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index b71b67de..9103b4ad 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -39,6 +39,9 @@ opendistro_jvm_xms: null opendistro_http_port: 9200 +# Url of Search Guard certificates generator tool +certs_gen_tool_url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip + elasticrepo: apt: 'https://artifacts.elastic.co/packages/7.x/apt' yum: 'https://artifacts.elastic.co/packages/7.x/yum' @@ -50,13 +53,5 @@ opendistro_kibana_password: changeme # Cluster Settings single_node: true opendistro_cluster_name: wazuh -opendistro_node_name: node-1 -opendistro_bootstrap_node: false -opendistro_node_master: false -opendistro_cluster_nodes: - - 127.0.0.1 -opendistro_discovery_nodes: - - 127.0.0.1 -opendistro_node_data: true -opendistro_node_ingest: true +local_certs_path: /tmp/opendistro-nodecerts \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml index 8ff56b64..50d4016c 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml 
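Review bot: `local_certs_path: /tmp/opendistro-nodecerts` points the controller-side certificate workspace — which the local actions fill with `root-ca.key` and every node and admin private key — at a predictable, shared directory under `/tmp`; document that the directory holds private keys and prefer a location under the playbook directory, e.g. `local_certs_path: "{{ playbook_dir }}/opendistro-nodecerts"`, so the material survives reboots and is not exposed to other local users. The hunk also deletes `opendistro_node_name`, `opendistro_cluster_nodes` and the other node-role variables; if the `elasticsearch.yml` or `tlsconfig.yml.j2` templates still reference them, rendering will fail with an undefined variable, which cannot be confirmed from this view.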
@@ -4,27 +4,27 @@ - name: Local action | Create local temporary directory for certificates generation local_action: module: file - path: /tmp/opendistro-nodecerts + path: {{ local_certs_path }} state: directory run_once: true - name: Local action | Download certificates generation tool local_action: module: get_url - url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip - dest: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip - run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip + url: "{{ certs_gen_tool_url }}" + dest: "{{ local_certs_path }}/search-guard-tlstool-1.7.zip" + run_once: "{{ local_certs_path }}/search-guard-tlstool.zip" - name: Local action | Extract the certificates generation tool local_action: module: unarchive - src: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip - dest: /tmp/opendistro-nodecerts/ + src: "{{ local_certs_path }}/search-guard-tlstool-1.7.zip" + dest: "{{ local_certs_path }}/" - name: Local action | Add the execution bit to the binary local_action: module: file - dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh + dest: "{{ local_certs_path }}/tools/sgtlstool.sh" mode: a+x run_once: true 
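Review bot: The `Create local temporary directory` task now templates the path but still creates the directory with the default mode, although the same directory later receives `root-ca.key` and the node private keys; add `mode: "0700"` to the `file` arguments so other local users on the controller cannot read the generated key material. The `path:` value is also unquoted — `path: {{ local_certs_path }}` is parsed by YAML as a flow mapping before Ansible sees it — and `run_once:` on the download task is given a file path where a boolean belongs; both should read `path: "{{ local_certs_path }}"` and `run_once: true`.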
@@ -32,18 +32,18 @@ local_action: module: template src: "templates/tlsconfig.yml.j2" - dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml + dest: "{{ local_certs_path }}/config/tlsconfig.yml" run_once: true - name: Local action | Check if root CA file exists local_action: module: stat - path: /tmp/opendistro-nodecerts/config/root-ca.key + path: "{{ local_certs_path }}/config/root-ca.key" register: root_ca_file - name: Local action | Generate the node & admin certificates in local local_action: - module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f -o + module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/config/ -f -o run_once: true when: root_ca_file.stat.exists == False diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml index 8572d864..3c8293f5 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml @@ -12,7 +12,7 @@ - name: Copy the node & admin certificates to Elasticsearch cluster copy: - src: "/tmp/opendistro-nodecerts/config/{{ item }}" + src: "{{ local_certs_path }}/config/{{ item }}" dest: /etc/elasticsearch/ mode: 0644 with_items: @@ -28,7 +28,7 @@ - name: Copy the opendistro security configuration file to cluster blockinfile: - block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" + block: "{{ lookup('file', '{{ local_certs_path }}/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" dest: "{{ opendistro_conf_path }}/elasticsearch.yml" insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" 
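Review bot: `when: root_ca_file.stat.exists == False` compares against a Python literal; the idiomatic, lint-clean form is `when: not root_ca_file.stat.exists`. The `stat` task feeding it has no `run_once: true` while the surrounding local actions do, so on a multi-host play the check runs once per host against the same controller path; adding `run_once: true` keeps the block consistent. The free-form `module: command {{ local_certs_path }}/tools/sgtlstool.sh ...` line also passes `-f -o`, which appear to force overwriting of existing output, so the existence check above is the only thing protecting an already-generated CA — worth a one-line comment above the task.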
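Review bot: `block: "{{ lookup('file', '{{ local_certs_path }}/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}"` nests moustaches inside a Jinja expression, which ansible-lint rejects and which relies on a second templating pass; write the path as a plain expression instead: `block: "{{ lookup('file', local_certs_path ~ '/config/' ~ inventory_hostname ~ '_elasticsearch_config_snippet.yml') }}"`. The companion `@@ -12,7 +12,7 @@` hunk in the same file leaves `dest: /etc/elasticsearch/` in the `copy` task hard-coded while `{{ opendistro_conf_path }}` is used right beside it.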
From cf14f400ba417965a8fdf98f71faaa1c9072f88c Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 8 May 2020 20:44:30 +0200 Subject: [PATCH 20/22] Linting and improving variables --- roles/opendistro/opendistro-elasticsearch/defaults/main.yml | 3 ++- roles/opendistro/opendistro-elasticsearch/handlers/main.yml | 5 +++-- .../opendistro-elasticsearch/tasks/LocalActions.yml | 6 +++--- roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml | 5 +++-- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 5 +++-- 5 files changed, 14 insertions(+), 10 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 9103b4ad..0c8f8f1f 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -39,8 +39,9 @@ opendistro_jvm_xms: null opendistro_http_port: 9200 +certs_gen_tool_version: 1.7 # Url of Search Guard certificates generator tool -certs_gen_tool_url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip +certs_gen_tool_url: "https://releases.floragunn.com/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" elasticrepo: apt: 'https://artifacts.elastic.co/packages/7.x/apt' diff --git a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml index c2836edc..95f5868b 100644 --- a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml @@ -1,4 +1,5 @@ --- - name: restart elasticsearch - service: name=elasticsearch - state: restarted + service: + name: elasticsearch + state: restarted diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml index 50d4016c..60379616 100644 
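Review bot: `certs_gen_tool_version: 1.7` is an unquoted YAML float, so the value is typed as a number before it is interpolated into `certs_gen_tool_url` and the archive name; `1.7` happens to round-trip, but a future `1.10` would render as `1.1` and break the download path. Quote it as `certs_gen_tool_version: "1.7"`, and give the new variable its own one-line comment rather than leaving it attached to the `# Url of Search Guard certificates generator tool` comment that belongs to the URL below it.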
--- a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml @@ -4,7 +4,7 @@ - name: Local action | Create local temporary directory for certificates generation local_action: module: file - path: {{ local_certs_path }} + path: "{{ local_certs_path }}" state: directory run_once: true @@ -12,8 +12,8 @@ local_action: module: get_url url: "{{ certs_gen_tool_url }}" - dest: "{{ local_certs_path }}/search-guard-tlstool-1.7.zip" - run_once: "{{ local_certs_path }}/search-guard-tlstool.zip" + dest: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" + run_once: true - name: Local action | Extract the certificates generation tool local_action: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 3511c7c4..1a2eed56 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -22,8 +22,9 @@ changed_when: false - name: RedHat/CentOS/Fedora | Install OpenJDK 11 - yum: name=java-11-openjdk-devel - state: present + yum: + name: java-11-openjdk-devel + state: present - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies yum: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index fbc9dea6..d8f51f81 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -6,8 +6,9 @@ when: ansible_os_family == 'RedHat' - name: Install OpenDistro - package: name=opendistroforelasticsearch-{{ opendistro_version }} - state: present + package: + name: opendistroforelasticsearch-{{ opendistro_version }} + state: present register: install tags: install From 9742c4984cb929d99733ffe8cee77ebae90933b5 Mon Sep 17 00:00:00 2001 
From: "Manuel J. Bernal" Date: Mon, 11 May 2020 13:56:03 +0200 Subject: [PATCH 21/22] Changed task description --- .../opendistro-elasticsearch/tasks/SecurityActions.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml index 3c8293f5..056af1e4 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml @@ -26,14 +26,14 @@ - admin.key - admin.pem - - name: Copy the opendistro security configuration file to cluster + - name: Copy the OpenDistrosecurity configuration file to cluster blockinfile: block: "{{ lookup('file', '{{ local_certs_path }}/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" dest: "{{ opendistro_conf_path }}/elasticsearch.yml" insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" - - name: Prepare the opendistro security configuration file + - name: Prepare the OpenDistrosecurity configuration file replace: path: "{{ opendistro_conf_path }}/elasticsearch.yml" regexp: 'searchguard' @@ -45,7 +45,7 @@ name: elasticsearch state: restarted - - name: Copy the opendistro security internal users template + - name: Copy the OpenDistrosecurity internal users template template: src: "templates/internal_users.yml.j2" dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" 
@@ -58,13 +58,13 @@ {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true - - name: Set the kibanaserver user pasword + - name: Set the kibanaserver role/user pasword shell: > sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true - - name: Initialize the opendistro security index in elasticsearch + - name: Initialize the OpenDistrosecurity index in elasticsearch command: > {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh -cacert {{ opendistro_conf_path }}/root-ca.pem From eb9925a901a70f70da61aec99b0309fac4348658 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Mon, 11 May 2020 15:18:11 +0200 Subject: [PATCH 22/22] Fixed variables and renamed files --- .../tasks/{LocalActions.yml => local_actions.yml} | 0 roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 4 ++-- .../tasks/{SecurityActions.yml => security_actions.yml} | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) rename roles/opendistro/opendistro-elasticsearch/tasks/{LocalActions.yml => local_actions.yml} (100%) rename roles/opendistro/opendistro-elasticsearch/tasks/{SecurityActions.yml => security_actions.yml} (89%) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml similarity index 100% rename from roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml rename to roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index d8f51f81..c8941208 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml 
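Review bot: The renamed task name `Set the kibanaserver role/user pasword` keeps the `pasword` typo from the original line; it should read `Set the kibanaserver user password`. Task names appear verbatim in play output and are what operators search for when a run fails, so the spelling is worth fixing while the line is being touched.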
@@ -1,6 +1,6 @@ --- -- import_tasks: LocalActions.yml +- import_tasks: local_actions.yml - import_tasks: RedHat.yml when: ansible_os_family == 'RedHat' @@ -30,7 +30,7 @@ when: install.changed tags: install -- import_tasks: SecurityActions.yml +- import_tasks: security_actions.yml - name: Configure OpenDistro Elasticsearch JVM memmory. template: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml similarity index 89% rename from roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml rename to roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml index 056af1e4..1fee6fef 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml @@ -26,14 +26,14 @@ - admin.key - admin.pem - - name: Copy the OpenDistrosecurity configuration file to cluster + - name: Copy the OpenDistro security configuration file to cluster blockinfile: block: "{{ lookup('file', '{{ local_certs_path }}/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" dest: "{{ opendistro_conf_path }}/elasticsearch.yml" insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" - - name: Prepare the OpenDistrosecurity configuration file + - name: Prepare the OpenDistro security configuration file replace: path: "{{ opendistro_conf_path }}/elasticsearch.yml" regexp: 'searchguard' @@ -45,7 +45,7 @@ name: elasticsearch state: restarted - - name: Copy the OpenDistrosecurity internal users template + - name: Copy the OpenDistro security internal users template template: src: "templates/internal_users.yml.j2" dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" 
@@ -64,7 +64,7 @@ {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true - - name: Initialize the OpenDistrosecurity index in elasticsearch + - name: Initialize the OpenDistro security index in elasticsearch command: > {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh -cacert {{ opendistro_conf_path }}/root-ca.pem