afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #478 from wazuh/feature-opendistro-runonce

Browse Source 
Improve handling of run_once at opendistro-elasticsearch role
This commit is contained in:
Manuel J. Bernal 2020-11-09 18:13:49 +01:00 committed by GitHub
commit c462ac72bd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 133 additions and 133 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
roles/opendistro/opendistro-elasticsearch/tasks/main.yml
View File

@ -35,7 +35,10 @@
when: install.changed when: install.changed
tags: install tags: install
- import_tasks: security_actions.yml - include_tasks: security_actions.yml
tags:
- security
when: install.changed
- name: Configure OpenDistro Elasticsearch JVM memmory. - name: Configure OpenDistro Elasticsearch JVM memmory.
template: template:

37
roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml
View File

@ -1,5 +1,4 @@
- block: - name: Remove demo certs
- name: Remove demo certs
file: file:
path: "{{ item }}" path: "{{ item }}"
state: absent state: absent
@ -10,7 +9,7 @@
- "{{ opendistro_conf_path }}/esnode-key.pem" - "{{ opendistro_conf_path }}/esnode-key.pem"
- name: Configure node name - name: Configure node name
block: block:
- name: Setting node name (Elasticsearch) - name: Setting node name (Elasticsearch)
set_fact: set_fact:
@ -30,20 +29,20 @@
when: when:
filebeat_node_name is defined filebeat_node_name is defined
- name: Configure IP (Private address) - name: Configure IP (Private address)
set_fact: set_fact:
target_address: "{{ hostvars[inventory_hostname]['private_ip'] }}" target_address: "{{ hostvars[inventory_hostname]['private_ip'] }}"
when: when:
- hostvars[inventory_hostname]['private_ip'] is defined - hostvars[inventory_hostname]['private_ip'] is defined
- name: Configure IP (Public address) - name: Configure IP (Public address)
set_fact: set_fact:
target_address: "{{ inventory_hostname }}" target_address: "{{ inventory_hostname }}"
when: when:
- hostvars[inventory_hostname]['private_ip'] is not defined - hostvars[inventory_hostname]['private_ip'] is not defined
- name: Copy the node & admin certificates to Elasticsearch cluster - name: Copy the node & admin certificates to Elasticsearch cluster
copy: copy:
src: "{{ local_certs_path }}/certs/{{ item }}" src: "{{ local_certs_path }}/certs/{{ item }}"
dest: /etc/elasticsearch/ dest: /etc/elasticsearch/
@ -59,65 +58,65 @@
- admin.key - admin.key
- admin.pem - admin.pem
- name: Copy the OpenDistro security configuration file to cluster - name: Copy the OpenDistro security configuration file to cluster
blockinfile: blockinfile:
block: "{{ lookup('file', '{{ local_certs_path }}/certs/{{ od_node_name }}_elasticsearch_config_snippet.yml') }}" block: "{{ lookup('file', '{{ local_certs_path }}/certs/{{ od_node_name }}_elasticsearch_config_snippet.yml') }}"
dest: "{{ opendistro_conf_path }}/elasticsearch.yml" dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
insertafter: EOF insertafter: EOF
marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
- name: Prepare the OpenDistro security configuration file - name: Prepare the OpenDistro security configuration file
replace: replace:
path: "{{ opendistro_conf_path }}/elasticsearch.yml" path: "{{ opendistro_conf_path }}/elasticsearch.yml"
regexp: 'searchguard' regexp: 'searchguard'
replace: 'opendistro_security' replace: 'opendistro_security'
tags: local tags: local
- name: Restart elasticsearch with security configuration - name: Restart elasticsearch with security configuration
systemd: systemd:
name: elasticsearch name: elasticsearch
state: restarted state: restarted
- name: Copy the OpenDistro security internal users template - name: Copy the OpenDistro security internal users template
template: template:
src: "templates/internal_users.yml.j2" src: "templates/internal_users.yml.j2"
dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
mode: 0644 mode: 0644
run_once: true run_once: true
- name: Hashing the custom admin password - name: Hashing the custom admin password
command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}" command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}"
register: opendistro_admin_password_hashed register: opendistro_admin_password_hashed
run_once: true run_once: true
- name: Filtering hash result in case java path is not defined - name: Filtering hash result in case java path is not defined
set_fact: set_fact:
opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[1] }}" opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[1] }}"
when: when:
- opendistro_admin_password_hashed.stdout_lines[1] is defined - opendistro_admin_password_hashed.stdout_lines[1] is defined
run_once: true run_once: true
- name: Setting admin hash result - name: Setting admin hash result
set_fact: set_fact:
opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[0] }}" opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[0] }}"
when: when:
- opendistro_admin_password_hashed.stdout_lines[1] is not defined - opendistro_admin_password_hashed.stdout_lines[1] is not defined
run_once: true run_once: true
- name: Set the Admin user password - name: Set the Admin user password
replace: replace:
path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
regexp: '(?<=admin:\n hash: )(.*)(?=)' regexp: '(?<=admin:\n hash: )(.*)(?=)'
replace: "\"{{ opendistro_admin_password_hashed_filtered }}\"" replace: "\"{{ opendistro_admin_password_hashed_filtered }}\""
run_once: true run_once: true
- name: Set the kibanaserver role/user pasword - name: Set the kibanaserver role/user pasword
shell: > shell: >
sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)','
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml {{ opendistro_sec_plugin_conf_path }}/internal_users.yml
run_once: true run_once: true
- name: Initialize the OpenDistro security index in elasticsearch - name: Initialize the OpenDistro security index in elasticsearch
command: > command: >
{{ opendistro_sec_plugin_tools_path }}/securityadmin.sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh
-cacert {{ opendistro_conf_path }}/root-ca.pem -cacert {{ opendistro_conf_path }}/root-ca.pem
@ -128,7 +127,7 @@
-h {{ target_address }} -h {{ target_address }}
run_once: true run_once: true
- name: Create custom user - name: Create custom user
uri: uri:
url: "https://{{ target_address }}:{{ opendistro_http_port }}/_opendistro/_security/api/internalusers/{{ opendistro_custom_user }}" url: "https://{{ target_address }}:{{ opendistro_http_port }}/_opendistro/_security/api/internalusers/{{ opendistro_custom_user }}"
method: PUT method: PUT
@ -147,6 +146,4 @@
when: when:
- opendistro_custom_user is defined and opendistro_custom_user - opendistro_custom_user is defined and opendistro_custom_user
tags:
- security
when: install.changed