mirror of
https://github.com/aljazceru/ansible-elasticsearch.git
synced 2025-12-18 01:24:20 +01:00
Re-structure to make xpack idempotent
This commit is contained in:
Dale McDiarmid
@@ -6,10 +6,6 @@
|
||||
service: name={{instance_init_script | basename}} state=restarted enabled=yes
|
||||
when: es_restart_on_change and es_start_service and ((plugin_installed is defined and plugin_installed.changed) or (config_updated is defined and config_updated.changed) or (xpack_state.changed) or (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed or elasticsearch_install_from_package.changed))
|
||||
|
||||
# All security specific actions should go in here
|
||||
- name: activate-security
|
||||
include: ./handlers/security/elasticsearch-security.yml
|
||||
|
||||
#Templates are a handler as they need to come after a restart e.g. suppose user removes security on a running node and doesn't
|
||||
#specify es_api_basic_auth_username and es_api_basic_auth_password. The templates will subsequently not be removed if we don't wait for the node to restart.
|
||||
#Templates done after restart therefore - as a handler.
|
||||
|
||||
@@ -1,112 +0,0 @@
|
||||
---
|
||||
|
||||
- set_fact: manage_native_users=false
|
||||
|
||||
- set_fact: manage_native_users=true
|
||||
when: es_users is defined and es_users.native is defined
|
||||
|
||||
- set_fact: manage_native_roles=false
|
||||
|
||||
- set_fact: manage_native_roles=true
|
||||
when: es_roles is defined and es_roles.native is defined
|
||||
|
||||
# If playbook runs too fast, Native commands could fail as the Native Realm is not yet up
|
||||
- name: Wait 15 seconds for the Native Relm to come up
|
||||
pause: seconds=15
|
||||
|
||||
#If the node has just has security installed it maybe either stopped or started 1. if stopped, we need to start to load native realms 2. if started, we need to restart to load
|
||||
|
||||
#List current users
|
||||
- name: List Native Users
|
||||
uri:
|
||||
url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user
|
||||
method: GET
|
||||
user: "{{es_api_basic_auth_username}}"
|
||||
password: "{{es_api_basic_auth_password}}"
|
||||
force_basic_auth: yes
|
||||
status_code: 200
|
||||
register: user_list_response
|
||||
when: manage_native_users
|
||||
|
||||
#Current users not inc. those reserved
|
||||
- set_fact: current_users={{ user_list_response.json | filter_reserved }}
|
||||
when: manage_native_users
|
||||
|
||||
#Identify non declared users
|
||||
- set_fact: users_to_remove={{ current_users | difference ( es_users.native.keys() ) }}
|
||||
when: manage_native_users
|
||||
|
||||
#Delete all non required users
|
||||
- name: Delete Native Users
|
||||
uri:
|
||||
url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}
|
||||
method: DELETE
|
||||
status_code: 200
|
||||
user: "{{es_api_basic_auth_username}}"
|
||||
password: "{{es_api_basic_auth_password}}"
|
||||
force_basic_auth: yes
|
||||
when: manage_native_users and users_to_remove | length > 0
|
||||
with_items: "{{users_to_remove}}"
|
||||
|
||||
#Overwrite all other users
|
||||
- name: Update Native Users
|
||||
uri:
|
||||
url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item.key}}
|
||||
method: POST
|
||||
body_format: json
|
||||
body: "{{item.value | to_json}}"
|
||||
status_code: 200
|
||||
user: "{{es_api_basic_auth_username}}"
|
||||
password: "{{es_api_basic_auth_password}}"
|
||||
force_basic_auth: yes
|
||||
when: manage_native_users and es_users.native.keys() > 0
|
||||
no_log: True
|
||||
with_dict: "{{es_users.native}}"
|
||||
|
||||
#List current roles not. inc those reserved
|
||||
- name: List Native Roles
|
||||
uri:
|
||||
url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role
|
||||
method: GET
|
||||
body_format: json
|
||||
user: "{{es_api_basic_auth_username}}"
|
||||
password: "{{es_api_basic_auth_password}}"
|
||||
force_basic_auth: yes
|
||||
status_code: 200
|
||||
register: role_list_response
|
||||
when: manage_native_roles
|
||||
|
||||
- set_fact: current_roles={{ role_list_response.json | filter_reserved }}
|
||||
when: manage_native_roles
|
||||
- debug: msg="{{current_roles}}"
|
||||
|
||||
- set_fact: roles_to_remove={{ current_roles | difference ( es_roles.native.keys() ) }}
|
||||
when: manage_native_roles
|
||||
|
||||
|
||||
#Delete all non required roles
|
||||
- name: Delete Native Roles
|
||||
uri:
|
||||
url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item}}
|
||||
method: DELETE
|
||||
status_code: 200
|
||||
user: "{{es_api_basic_auth_username}}"
|
||||
password: "{{es_api_basic_auth_password}}"
|
||||
force_basic_auth: yes
|
||||
when: manage_native_roles and roles_to_remove | length > 0
|
||||
with_items: "{{roles_to_remove}}"
|
||||
|
||||
|
||||
#Update other roles
|
||||
- name: Update Native Roles
|
||||
uri:
|
||||
url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item.key}}
|
||||
method: POST
|
||||
body_format: json
|
||||
body: "{{item.value | to_json}}"
|
||||
status_code: 200
|
||||
user: "{{es_api_basic_auth_username}}"
|
||||
password: "{{es_api_basic_auth_password}}"
|
||||
force_basic_auth: yes
|
||||
when: manage_native_roles and es_roles.native.keys() > 0
|
||||
with_dict: "{{es_roles.native}}"
|
||||
@@ -1,14 +0,0 @@
|
||||
---
|
||||
- name: Ensure elasticsearch is started
|
||||
service: name={{instance_init_script | basename}} state=started enabled=yes
|
||||
|
||||
- name: Wait for elasticsearch to startup
|
||||
wait_for: host={{es_api_host}} port={{es_api_port}} delay=10
|
||||
|
||||
- name: activate-license
|
||||
include: ./handlers/security/elasticsearch-xpack-activation.yml
|
||||
when: es_enable_xpack and es_xpack_license is defined and es_xpack_license != ''
|
||||
|
||||
- name: load-native-realms
|
||||
include: ./handlers/security/elasticsearch-security-native.yml
|
||||
when: (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)
|
||||
@@ -1,37 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Activate ES license (without security authentication)
|
||||
uri:
|
||||
method: PUT
|
||||
url: "http://{{es_api_host}}:{{es_api_port}}/_license?acknowledge=true"
|
||||
body_format: json
|
||||
body: "{{ es_xpack_license }}"
|
||||
return_content: yes
|
||||
register: license_activated
|
||||
no_log: True
|
||||
when: 'not "security" in es_xpack_features'
|
||||
failed_when: >
|
||||
license_activated.status != 200 or
|
||||
license_activated.json.license_status is not defined or
|
||||
license_activated.json.license_status != 'valid'
|
||||
|
||||
- name: Activate ES license (with security authentication)
|
||||
uri:
|
||||
method: PUT
|
||||
url: "http://{{es_api_host}}:{{es_api_port}}/_license?acknowledge=true"
|
||||
user: "{{es_api_basic_auth_username}}"
|
||||
password: "{{es_api_basic_auth_password}}"
|
||||
body_format: json
|
||||
force_basic_auth: yes
|
||||
body: "{{ es_xpack_license }}"
|
||||
return_content: yes
|
||||
register: license_activated
|
||||
no_log: True
|
||||
when: '"security" in es_xpack_features'
|
||||
failed_when: >
|
||||
license_activated.status != 200 or
|
||||
license_activated.json.license_status is not defined or
|
||||
license_activated.json.license_status != 'valid'
|
||||
|
||||
- debug:
|
||||
msg: "License: {{ license_activated.content }}"
|
||||
Reference in New Issue
Block a user