2023-09-29 13:54:34 +00:00
|
|
|
#!/usr/bin/python
|
|
|
|
|
|
|
|
from ansible.module_utils.basic import *
|
|
|
|
from ansible.module_utils.elasticsearch_api import *
|
|
|
|
|
|
|
|
class ElasticsearchUser:
|
|
|
|
def __init__(self, api_url, api_user, api_password, name, password, roles):
|
|
|
|
self.api = ElasticsearchApi(
|
|
|
|
api_url,
|
|
|
|
api_user,
|
|
|
|
api_password
|
|
|
|
)
|
|
|
|
self.api_url = api_url
|
|
|
|
self.name = name
|
|
|
|
self.password = password
|
|
|
|
self.roles = roles
|
|
|
|
self.exist = False
|
|
|
|
self.data = {}
|
|
|
|
|
2023-10-17 07:47:10 +00:00
|
|
|
def is_builtin(self):
|
|
|
|
users = [
|
|
|
|
'apm_system',
|
|
|
|
'beats_system',
|
|
|
|
'elastic',
|
|
|
|
'kibana',
|
|
|
|
'kibana_system',
|
|
|
|
'logstash_system',
|
|
|
|
'remote_monitoring_user'
|
|
|
|
]
|
|
|
|
if self.name in users:
|
|
|
|
return True
|
|
|
|
|
|
|
|
return False
|
|
|
|
|
2023-09-29 13:54:34 +00:00
|
|
|
def get_data(self):
|
|
|
|
status_code, data = self.api.get('_security/user/{}'.format(self.name))
|
|
|
|
if status_code == 200:
|
|
|
|
self.exist = True
|
|
|
|
self.data = data[self.name]
|
|
|
|
|
|
|
|
def roles_have_changed(self):
|
|
|
|
for role in self.roles:
|
|
|
|
if role not in self.data['roles']:
|
|
|
|
return True
|
|
|
|
|
|
|
|
for role in self.data['roles']:
|
|
|
|
if role not in self.roles:
|
|
|
|
return True
|
|
|
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
def password_has_changed(self):
|
|
|
|
api = ElasticsearchApi(
|
|
|
|
self.api_url,
|
|
|
|
self.name,
|
|
|
|
self.password
|
|
|
|
)
|
|
|
|
status_code, _ = api.get('_cluster/health')
|
|
|
|
if status_code == 401:
|
|
|
|
return True
|
|
|
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
def has_changed(self):
|
|
|
|
if self.roles_have_changed():
|
|
|
|
return True
|
|
|
|
|
|
|
|
if self.password_has_changed():
|
|
|
|
return True
|
|
|
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
def create(self):
|
|
|
|
self.api.put(
|
|
|
|
'_security/user/{}'.format(self.name),
|
|
|
|
{
|
|
|
|
'password': self.password,
|
|
|
|
'roles': self.roles
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2023-10-17 07:47:10 +00:00
|
|
|
def change_password(self):
|
|
|
|
self.api.post(
|
|
|
|
'_security/user/{}/_password'.format(self.name),
|
|
|
|
{
|
|
|
|
'password': self.password
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2023-09-29 13:54:34 +00:00
|
|
|
def delete(self):
|
|
|
|
self.api.delete('_security/user/{}'.format(self.name))
|
|
|
|
|
|
|
|
|
|
|
|
def main():
|
|
|
|
fields = {
|
|
|
|
'name': { 'type': 'str', 'required': True },
|
|
|
|
'password': { 'type': 'str', 'required': True, 'no_log': True },
|
|
|
|
'roles': { 'type': 'list', 'default': [] },
|
|
|
|
'api_url': { 'type': 'str', 'default': 'http://127.0.0.1:9200' },
|
|
|
|
'api_user': { 'type': 'str', 'default': None },
|
|
|
|
'api_password': { 'type': 'str', 'default': None, 'no_log': True },
|
|
|
|
'state': { 'type': 'str', 'default': 'present', 'choice': ['present', 'absent'] },
|
|
|
|
}
|
|
|
|
module = AnsibleModule(argument_spec=fields)
|
|
|
|
changed = False
|
|
|
|
|
|
|
|
user = ElasticsearchUser(
|
|
|
|
module.params['api_url'],
|
|
|
|
module.params['api_user'],
|
|
|
|
module.params['api_password'],
|
|
|
|
module.params['name'],
|
|
|
|
module.params['password'],
|
|
|
|
module.params['roles'],
|
|
|
|
)
|
|
|
|
user.get_data()
|
|
|
|
|
2023-10-17 07:47:10 +00:00
|
|
|
if user.is_builtin():
|
|
|
|
if user.password_has_changed():
|
|
|
|
user.change_password()
|
2023-09-29 13:54:34 +00:00
|
|
|
changed = True
|
|
|
|
else:
|
2023-10-17 07:47:10 +00:00
|
|
|
if module.params['state'] == 'present':
|
|
|
|
if not user.exist or user.has_changed():
|
|
|
|
user.create()
|
|
|
|
changed = True
|
|
|
|
else:
|
|
|
|
if user.exist:
|
|
|
|
user.delete()
|
|
|
|
changed = True
|
2023-09-29 13:54:34 +00:00
|
|
|
|
|
|
|
module.exit_json(changed=changed)
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
main()
|