fix: change password for builtin users

Adrien Waksberg 2023-10-17 09:47:10 +02:00
parent f1ba54d2ad
commit 0ab1bd2023
4 changed files with 61 additions and 6 deletions


@ -25,6 +25,17 @@ Install and configure Elasticsearch
path.logs: /var/log/elasticsearch path.logs: /var/log/elasticsearch
``` ```
* `elasticsearch_users` - hash with the users to managed
```yaml
toto:
password: supers3cret
roles:
- viewer
kibana_system:
password: supertest2
```
* `elasticsearch_index_templates` - hash with the index templates configuration * `elasticsearch_index_templates` - hash with the index templates configuration
``` ```


@ -17,6 +17,21 @@ class ElasticsearchUser:
self.exist = False self.exist = False
self.data = {} self.data = {}
def is_builtin(self):
users = [
'apm_system',
'beats_system',
'elastic',
'kibana',
'kibana_system',
'logstash_system',
'remote_monitoring_user'
]
if self.name in users:
return True
return False
def get_data(self): def get_data(self):
status_code, data = self.api.get('_security/user/{}'.format(self.name)) status_code, data = self.api.get('_security/user/{}'.format(self.name))
if status_code == 200: if status_code == 200:
@ -64,6 +79,14 @@ class ElasticsearchUser:
} }
) )
def change_password(self):
self.api.post(
'_security/user/{}/_password'.format(self.name),
{
'password': self.password
}
)
def delete(self): def delete(self):
self.api.delete('_security/user/{}'.format(self.name)) self.api.delete('_security/user/{}'.format(self.name))
@ -91,14 +114,19 @@ def main():
) )
user.get_data() user.get_data()
if module.params['state'] == 'present': if user.is_builtin():
if not user.exist or user.has_changed(): if user.password_has_changed():
user.create() user.change_password()
changed = True changed = True
else: else:
if user.exist: if module.params['state'] == 'present':
user.delete() if not user.exist or user.has_changed():
changed = True user.create()
changed = True
else:
if user.exist:
user.delete()
changed = True
module.exit_json(changed=changed) module.exit_json(changed=changed)
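Review bot: In main(), the new `if user.is_builtin():` branch never looks at `module.params['state']`, so a task that asks for `state: absent` on a reserved name such as `kibana_system` falls into the password path and can reset the password instead of failing. It would be safer to reject that combination up front, for example `if module.params['state'] != 'present': module.fail_json(msg='built-in user {} cannot be removed'.format(user.name))`. `password_has_changed()` is called here but is not defined in any of the visible hunks, so confirm that it exists and that it never puts the password into module output or logs. main() begins outside this hunk.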


@ -20,6 +20,20 @@ class ElasticsearchApi:
return r.status_code, r.json() return r.status_code, r.json()
def post(self, path, data):
r = requests.post(
'{}/{}'.format(self.url, path),
auth=self.basic,
json=data
)
if r.status_code == 500:
raise Exception('Server return 500 error: {}'.format(r.text))
elif r.status_code == 401:
raise Exception('Authentification has failed')
elif r.status_code != 200:
raise Exception('Server return an unknown error: {}'.format(r.text))
def put(self, path, data): def put(self, path, data):
r = requests.put( r = requests.put(
'{}/{}'.format(self.url, path), '{}/{}'.format(self.url, path),
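Review bot: The new `post()` calls `requests.post(...)` without a `timeout=`, so an unresponsive Elasticsearch node leaves the password-change task hanging indefinitely; pass an explicit value next to `json=data`, e.g. `timeout=30`. Every failure raises a bare `Exception`, which callers cannot tell apart from a programming error, so a small module-specific exception class would be clearer. The 401 message should read `'Authentication has failed'`. The section ends inside `put()`, which continues outside the hunk.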


@ -11,6 +11,8 @@
password: supers3cret password: supers3cret
roles: roles:
- viewer - viewer
kibana_system:
password: supertest2
elasticsearch_index_templates: elasticsearch_index_templates:
test: test:
index_patterns: index_patterns: