Merge pull request #478 from wazuh/feature-opendistro-runonce
Improve handling of run_once at opendistro-elasticsearch role
This commit is contained in:
Manuel J. Bernal
GitHub
commit
c462ac72bd
@ -35,7 +35,10 @@
|
||||
when: install.changed
|
||||
tags: install
|
||||
|
||||
- import_tasks: security_actions.yml
|
||||
- include_tasks: security_actions.yml
|
||||
tags:
|
||||
- security
|
||||
when: install.changed
|
||||
|
||||
- name: Configure OpenDistro Elasticsearch JVM memmory.
|
||||
template:
|
||||
|
||||
@ -1,5 +1,4 @@
|
||||
- block:
|
||||
- name: Remove demo certs
|
||||
- name: Remove demo certs
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
@ -10,7 +9,7 @@
|
||||
- "{{ opendistro_conf_path }}/esnode-key.pem"
|
||||
|
||||
|
||||
- name: Configure node name
|
||||
- name: Configure node name
|
||||
block:
|
||||
- name: Setting node name (Elasticsearch)
|
||||
set_fact:
|
||||
@ -30,20 +29,20 @@
|
||||
when:
|
||||
filebeat_node_name is defined
|
||||
|
||||
- name: Configure IP (Private address)
|
||||
- name: Configure IP (Private address)
|
||||
set_fact:
|
||||
target_address: "{{ hostvars[inventory_hostname]['private_ip'] }}"
|
||||
when:
|
||||
- hostvars[inventory_hostname]['private_ip'] is defined
|
||||
|
||||
- name: Configure IP (Public address)
|
||||
- name: Configure IP (Public address)
|
||||
set_fact:
|
||||
target_address: "{{ inventory_hostname }}"
|
||||
when:
|
||||
- hostvars[inventory_hostname]['private_ip'] is not defined
|
||||
|
||||
|
||||
- name: Copy the node & admin certificates to Elasticsearch cluster
|
||||
- name: Copy the node & admin certificates to Elasticsearch cluster
|
||||
copy:
|
||||
src: "{{ local_certs_path }}/certs/{{ item }}"
|
||||
dest: /etc/elasticsearch/
|
||||
@ -59,65 +58,65 @@
|
||||
- admin.key
|
||||
- admin.pem
|
||||
|
||||
- name: Copy the OpenDistro security configuration file to cluster
|
||||
- name: Copy the OpenDistro security configuration file to cluster
|
||||
blockinfile:
|
||||
block: "{{ lookup('file', '{{ local_certs_path }}/certs/{{ od_node_name }}_elasticsearch_config_snippet.yml') }}"
|
||||
dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
|
||||
insertafter: EOF
|
||||
marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
|
||||
|
||||
- name: Prepare the OpenDistro security configuration file
|
||||
- name: Prepare the OpenDistro security configuration file
|
||||
replace:
|
||||
path: "{{ opendistro_conf_path }}/elasticsearch.yml"
|
||||
regexp: 'searchguard'
|
||||
replace: 'opendistro_security'
|
||||
tags: local
|
||||
|
||||
- name: Restart elasticsearch with security configuration
|
||||
- name: Restart elasticsearch with security configuration
|
||||
systemd:
|
||||
name: elasticsearch
|
||||
state: restarted
|
||||
|
||||
- name: Copy the OpenDistro security internal users template
|
||||
- name: Copy the OpenDistro security internal users template
|
||||
template:
|
||||
src: "templates/internal_users.yml.j2"
|
||||
dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
|
||||
mode: 0644
|
||||
run_once: true
|
||||
|
||||
- name: Hashing the custom admin password
|
||||
- name: Hashing the custom admin password
|
||||
command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}"
|
||||
register: opendistro_admin_password_hashed
|
||||
run_once: true
|
||||
|
||||
- name: Filtering hash result in case java path is not defined
|
||||
- name: Filtering hash result in case java path is not defined
|
||||
set_fact:
|
||||
opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[1] }}"
|
||||
when:
|
||||
- opendistro_admin_password_hashed.stdout_lines[1] is defined
|
||||
run_once: true
|
||||
|
||||
- name: Setting admin hash result
|
||||
- name: Setting admin hash result
|
||||
set_fact:
|
||||
opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[0] }}"
|
||||
when:
|
||||
- opendistro_admin_password_hashed.stdout_lines[1] is not defined
|
||||
run_once: true
|
||||
|
||||
- name: Set the Admin user password
|
||||
- name: Set the Admin user password
|
||||
replace:
|
||||
path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
|
||||
regexp: '(?<=admin:\n hash: )(.*)(?=)'
|
||||
replace: "\"{{ opendistro_admin_password_hashed_filtered }}\""
|
||||
run_once: true
|
||||
|
||||
- name: Set the kibanaserver role/user pasword
|
||||
- name: Set the kibanaserver role/user pasword
|
||||
shell: >
|
||||
sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)','
|
||||
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml
|
||||
run_once: true
|
||||
|
||||
- name: Initialize the OpenDistro security index in elasticsearch
|
||||
- name: Initialize the OpenDistro security index in elasticsearch
|
||||
command: >
|
||||
{{ opendistro_sec_plugin_tools_path }}/securityadmin.sh
|
||||
-cacert {{ opendistro_conf_path }}/root-ca.pem
|
||||
@ -128,7 +127,7 @@
|
||||
-h {{ target_address }}
|
||||
run_once: true
|
||||
|
||||
- name: Create custom user
|
||||
- name: Create custom user
|
||||
uri:
|
||||
url: "https://{{ target_address }}:{{ opendistro_http_port }}/_opendistro/_security/api/internalusers/{{ opendistro_custom_user }}"
|
||||
method: PUT
|
||||
@ -147,6 +146,4 @@
|
||||
when:
|
||||
- opendistro_custom_user is defined and opendistro_custom_user
|
||||
|
||||
tags:
|
||||
- security
|
||||
when: install.changed
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user