135 lines
4.7 KiB
YAML
135 lines
4.7 KiB
YAML
#- name: Remove demo certs
|
|
# ## 732 will not be needed
|
|
# file:
|
|
# path: "{{ item }}"
|
|
# state: absent
|
|
# with_items:
|
|
# - "{{ opendistro_conf_path }}/kirk.pem"
|
|
# - "{{ opendistro_conf_path }}/kirk-key.pem"
|
|
# - "{{ opendistro_conf_path }}/esnode.pem"
|
|
# - "{{ opendistro_conf_path }}/esnode-key.pem"
|
|
|
|
- name: Configure IP (Private address)
|
|
set_fact:
|
|
target_address: "{{ hostvars[inventory_hostname]['private_ip'] if not single_node else elasticsearch_network_host }}"
|
|
when:
|
|
- hostvars[inventory_hostname]['private_ip'] is defined
|
|
|
|
- name: Configure IP (Public address)
|
|
set_fact:
|
|
target_address: "{{ inventory_hostname if not single_node else elasticsearch_network_host }}"
|
|
when:
|
|
- hostvars[inventory_hostname]['private_ip'] is not defined
|
|
|
|
|
|
- name: Copy the node & admin certificates to Elasticsearch cluster
|
|
copy:
|
|
src: "{{ local_certs_path }}/certs/{{ item }}"
|
|
dest: "{{ opendistro_conf_path }}/certs/"
|
|
mode: 0644
|
|
become: yes
|
|
with_items:
|
|
- root-ca.pem
|
|
- root-ca.key
|
|
- "{{ elasticsearch_node_name }}-key.pem"
|
|
- "{{ elasticsearch_node_name }}.pem"
|
|
#- "{{ elasticsearch_node_name }}_http.key"
|
|
#- "{{ elasticsearch_node_name }}_http.pem"
|
|
#- "{{ elasticsearch_node_name }}_elasticsearch_config_snippet.yml"
|
|
- admin-key.pem
|
|
- admin.pem
|
|
|
|
#- name: Copy the OpenDistro security configuration file to cluster
|
|
# blockinfile:
|
|
# block: "{{ lookup('file', snippet_path ) }}"
|
|
# dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
|
|
# insertafter: EOF
|
|
# marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
|
|
# vars:
|
|
# snippet_path: '{{ local_certs_path }}/certs/{{ elasticsearch_node_name }}_elasticsearch_config_snippet.yml'
|
|
|
|
#- name: Prepare the OpenDistro security configuration file
|
|
# replace:
|
|
# path: "{{ opendistro_conf_path }}/elasticsearch.yml"
|
|
# regexp: 'searchguard'
|
|
# replace: 'opendistro_security'
|
|
# tags: local
|
|
|
|
- name: Restart elasticsearch with security configuration
|
|
systemd:
|
|
name: wazuh-indexer
|
|
state: restarted
|
|
|
|
- name: Copy the OpenDistro security internal users template
|
|
template:
|
|
src: "templates/internal_users.yml.j2"
|
|
dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
|
|
mode: 0644
|
|
run_once: true
|
|
|
|
- name: Hashing the custom admin password
|
|
command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}" # noqa 301
|
|
register: opendistro_admin_password_hashed
|
|
no_log: '{{ opendistro_nolog_sensible | bool }}'
|
|
run_once: true
|
|
|
|
- name: Set the Admin user password
|
|
replace:
|
|
path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
|
|
regexp: '(?<=admin:\n hash: )(.*)(?=)'
|
|
replace: "{{ odfe_password_hash | quote }}"
|
|
vars:
|
|
odfe_password_hash: "{{ opendistro_admin_password_hashed.stdout_lines | last }}"
|
|
run_once: true
|
|
|
|
# this can also be achieved with password_hash, but it requires dependencies on the controller
|
|
- name: Hash the kibanaserver role/user pasword
|
|
command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }}" # noqa 301
|
|
register: opendistro_kibanaserver_password_hashed
|
|
no_log: '{{ opendistro_nolog_sensible | bool }}'
|
|
run_once: true
|
|
|
|
- name: Set the kibanaserver user password
|
|
replace:
|
|
path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
|
|
regexp: '(?<=kibanaserver:\n hash: )(.*)(?=)'
|
|
replace: "{{ odfe_password_hash | quote }}"
|
|
vars:
|
|
odfe_password_hash: "{{ opendistro_kibanaserver_password_hashed.stdout_lines | last }}"
|
|
run_once: true
|
|
|
|
- name: Initialize the OpenDistro security index in elasticsearch
|
|
command: >
|
|
sudo -u wazuh-indexer OPENSEARCH_PATH_CONF=/etc/wazuh-indexer
|
|
JAVA_HOME=/usr/share/wazuh-indexer/jdk
|
|
{{ opendistro_sec_plugin_tools_path }}/securityadmin.sh
|
|
-cd {{ opendistro_sec_plugin_tools_path }}/
|
|
-icl -p 9800 -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig
|
|
-cacert {{ opendistro_conf_path }}/certs/root-ca.pem
|
|
-cert {{ opendistro_conf_path }}/certs/admin.pem
|
|
-key {{ opendistro_conf_path }}/certs/admin-key.pem
|
|
-nhnv
|
|
-h {{ target_address }}
|
|
run_once: true # noqa 301
|
|
|
|
- name: Create custom user
|
|
uri:
|
|
url: "https://{{ target_address }}:{{ opendistro_http_port }}/_plugins/_security/api/internalusers/{{ opendistro_custom_user }}"
|
|
method: PUT
|
|
user: "admin" # Default OpenDistro user is always "admin"
|
|
password: "{{ opendistro_admin_password }}"
|
|
body: |
|
|
{
|
|
"password": "{{ opendistro_admin_password }}",
|
|
"backend_roles": ["{{ opendistro_custom_user_role }}"]
|
|
}
|
|
body_format: json
|
|
validate_certs: no
|
|
status_code: 200,201,401
|
|
return_content: yes
|
|
timeout: 4
|
|
when:
|
|
- opendistro_custom_user is defined and opendistro_custom_user
|
|
|
|
|