From 15f15170f3cc24ee7a7f3900d86bbb2d608c4473 Mon Sep 17 00:00:00 2001
From: neonmei
Date: Thu, 12 Nov 2020 11:00:36 -0300
Subject: [PATCH 1/4] roles/opendistro-elasticsearch: remove nested jinja pattern and move it to a task-local variable for clarity
---
.../opendistro-elasticsearch/tasks/security_actions.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml
index 6f2b1803..0749d8a9 100644
--- a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml
@@ -60,10 +60,12 @@ - name: Copy the OpenDistro security configuration file to cluster blockinfile: - block: "{{ lookup('file', '{{ local_certs_path }}/certs/{{ od_node_name }}_elasticsearch_config_snippet.yml') }}" + block: "{{ lookup('file', snippet_path ) }}" dest: "{{ opendistro_conf_path }}/elasticsearch.yml" insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" + vars: + snippet_path: '{{ local_certs_path }}/certs/{{ od_node_name }}_elasticsearch_config_snippet.yml' - name: Prepare the OpenDistro security configuration file replace:
From c0d48e3ad45cc00b73b23bbad744907794d65b03 Mon Sep 17 00:00:00 2001
From: neonmei
Date: Thu, 12 Nov 2020 11:04:32 -0300
Subject: [PATCH 2/4] roles/opendistro-elasticsearch: remove use of command module with sed and change it to replace module. Also add a nolog to the tasks guarded by opendistro_nolog_sensible to avoid outputting non-hashed passwords in deploy log
---
.../tasks/security_actions.yml | 41 +++++++++----------
1 file changed, 20 insertions(+), 21 deletions(-)
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml
index 0749d8a9..d0543e88 100644
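Review bot: In the `@@ -60,10 +60,12 @@` hunk of PATCH 1/4 the new `block:` line carries a stray space before the closing parenthesis, `lookup('file', snippet_path )`; `block: "{{ lookup('file', snippet_path) }}"` is the form the rest of the role uses. The task-level `snippet_path` var is itself a Jinja expression that is resolved when the lookup runs, so the behaviour matches the removed nested-lookup form and the refactor is sound. The `Prepare the OpenDistro security configuration file` task that opens at the end of the hunk continues outside it.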
--- a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml
@@ -87,35 +87,34 @@ run_once: true - name: Hashing the custom admin password - command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}" + command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}" # noqa 301 register: opendistro_admin_password_hashed - run_once: true - -- name: Filtering hash result in case java path is not defined - set_fact: - opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[1] }}" - when: - - opendistro_admin_password_hashed.stdout_lines[1] is defined - run_once: true - -- name: Setting admin hash result - set_fact: - opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[0] }}" - when: - - opendistro_admin_password_hashed.stdout_lines[1] is not defined + no_log: '{{ opendistro_nolog_sensible | bool }}' run_once: true - name: Set the Admin user password replace: path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" regexp: '(?<=admin:\n hash: )(.*)(?=)' - replace: "\"{{ opendistro_admin_password_hashed_filtered }}\"" + replace: "{{ odfe_password_hash | quote }}" + vars: + odfe_password_hash: "{{ opendistro_admin_password_hashed.stdout_lines | last }}" run_once: true -- name: Set the kibanaserver role/user pasword - shell: > - sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' - {{ opendistro_sec_plugin_conf_path }}/internal_users.yml +# this can also be achieved with password_hash, but it requires dependencies on the controller +- name: Hash the kibanaserver role/user pasword + command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }}" # noqa 301 + register: opendistro_kibanaserver_password_hashed + no_log: '{{ opendistro_nolog_sensible | bool }}' + run_once: true + +- name: Set the kibanaserver user password + replace: + path: "{{ 
opendistro_sec_plugin_conf_path }}/internal_users.yml" + regexp: '(?<=kibanaserver:\n hash: )(.*)(?=)' + replace: "{{ odfe_password_hash | quote }}" + vars: + odfe_password_hash: "{{ opendistro_kibanaserver_password_hashed.stdout_lines | last }}" run_once: true - name: Initialize the OpenDistro security index in elasticsearch
@@ -127,7 +126,7 @@ -cd {{ opendistro_sec_plugin_conf_path }}/ -nhnv -icl -h {{ target_address }} - run_once: true + run_once: true # noqa 301 - name: Create custom user uri:
From 8fdfecc06f3122d000f915fc212ca1a59da10f81 Mon Sep 17 00:00:00 2001
From: neonmei
Date: Thu, 12 Nov 2020 11:05:47 -0300
Subject: [PATCH 3/4] roles/opendistro-elasticsearch: add missing mode for file module
---
.../opendistro/opendistro-elasticsearch/tasks/local_actions.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml
index 04f20378..6e54fdf2 100644
--- a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml
@@ -14,6 +14,7 @@ - name: Local action | Create local temporary directory for certificates generation file: path: "{{ local_certs_path }}" + mode: 0755 state: directory - name: Local action | Check that the generation tool exists
@@ -41,6 +42,7 @@ template: src: "templates/tlsconfig.yml.j2" dest: "{{ local_certs_path }}/config/tlsconfig.yml" + mode: 0644 register: tlsconfig_template - name: Create a directory if it does not exist
From 878c55a18041f7138f024d5daaf082d3199930a7 Mon Sep 17 00:00:00 2001
From: neonmei
Date: Thu, 12 Nov 2020 11:07:07 -0300
Subject: [PATCH 4/4] roles/opendistro-elasticsearch: add new variable opendistro_nolog_sensible to role defaults
---
roles/opendistro/opendistro-elasticsearch/defaults/main.yml | 2 ++
1 file changed, 2 insertions(+)
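Review bot: In the `@@ -87,35 +87,34 @@` hunk of PATCH 2/4, both new `hash.sh -p {{ opendistro_admin_password }}` and `hash.sh -p {{ opendistro_kibana_password }}` command lines still hand the plaintext password to the target host as a process argument, so the added `no_log` keeps it out of the Ansible output but not out of `ps`, process accounting or auditd on the node. Upstream's Hasher tool also accepts `-env VAR` to read the password from an environment variable; `command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -env ODFE_HASH_INPUT"` with `environment:` / `  ODFE_HASH_INPUT: "{{ opendistro_admin_password }}"` on the task (and the kibanaserver twin) keeps the secret off the command line, provided the bundled hash.sh carries that option. `{{ odfe_password_hash | quote }}` uses the shell-quoting filter to produce YAML quoting for the `hash:` value in internal_users.yml; it only works because bcrypt output never contains a single quote, and `{{ odfe_password_hash | to_json }}` states the intent directly while restoring the double-quoted form the removed line used. The `(?=)` at the end of both `regexp:` values is an empty lookahead that matches nothing extra and can be dropped, and the new task name `Hash the kibanaserver role/user pasword` carries the old typo forward.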
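Review bot: `mode: 0755` on the `local_certs_path` directory in the `@@ -14,6 +14,7 @@` hunk of PATCH 3/4 makes the certificate workspace on the controller traversable and listable by every local user; if the generation step writes private keys there, as the task name suggests, `mode: "0700"` is the safer default, and the same question applies to `mode: 0644` on the rendered tlsconfig.yml in the `@@ -41,6 +42,7 @@` hunk should that template carry key or keystore passwords. Both modes are also unquoted octal literals, which the YAML 1.1 loader Ansible uses turns into the integers 493 and 420 before the file module sees them; `mode: "0700"` / `mode: "0644"` avoids the octal-versus-decimal ambiguity and the ansible-lint warning that comes with it.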
diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml
index 22709024..9925c3eb 100644
--- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml
+++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml
@@ -70,3 +70,5 @@ opendistro_kibana_password: changeme
 # Deployment settings
 generate_certs: true
 perform_installation: true
+
+opendistro_nolog_sensible: true
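Review bot: The new `opendistro_nolog_sensible: true` default lands without a comment explaining what it gates, unlike the `# Deployment settings` block it is appended to; a line such as `# Set no_log on the tasks that pass plaintext passwords to hash.sh; set to false only for local debugging` keeps the security purpose discoverable from defaults/main.yml alone. The name reads as "sensible" where "sensitive" is meant; renaming is a style choice at this point, but if the name stays, the comment should spell out the meaning. Defaulting to `true` is the right call, since an operator then has to opt in to seeing secrets in deploy output.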