fix: change password for builtin users

2023-10-17 09:47:10 +02:00 · 2023-10-17 09:47:10 +02:00 · 0ab1bd2023
commit 0ab1bd2023
parent f1ba54d2ad
4 changed files with 61 additions and 6 deletions
--- a/README.md
+++ b/README.md
@ -25,6 +25,17 @@ Install and configure Elasticsearch
  path.logs: /var/log/elasticsearch
 ```

+* `elasticsearch_users` - hash with the users to managed
+
+```yaml
+  toto:
+    password: supers3cret
+    roles:
+      - viewer
+  kibana_system:
+    password: supertest2
+```
+
 * `elasticsearch_index_templates` - hash with the index templates configuration

 ```
--- a/library/elasticsearch_user.py
+++ b/library/elasticsearch_user.py
@ -17,6 +17,21 @@ class ElasticsearchUser:
        self.exist    = False
        self.data     = {}

+    def is_builtin(self):
+        users = [
+            'apm_system',
+            'beats_system',
+            'elastic',
+            'kibana',
+            'kibana_system',
+            'logstash_system',
+            'remote_monitoring_user'
+        ]
+        if self.name in users:
+            return True
+
+        return False
+
    def get_data(self):
        status_code, data = self.api.get('_security/user/{}'.format(self.name))
        if status_code == 200:
@ -64,6 +79,14 @@ class ElasticsearchUser:
            }
        )

+    def change_password(self):
+        self.api.post(
+            '_security/user/{}/_password'.format(self.name),
+            {
+                'password': self.password
+            }
+        )
+
    def delete(self):
        self.api.delete('_security/user/{}'.format(self.name))

@ -91,6 +114,11 @@ def main():
    )
    user.get_data()

+    if user.is_builtin():
+        if user.password_has_changed():
+            user.change_password()
+            changed = True
+    else:
        if module.params['state'] == 'present':
            if not user.exist or user.has_changed():
                user.create()
--- a/module_utils/elasticsearch_api.py
+++ b/module_utils/elasticsearch_api.py
@ -20,6 +20,20 @@ class ElasticsearchApi:
      
    return r.status_code, r.json()

+  def post(self, path, data):
+    r = requests.post(
+      '{}/{}'.format(self.url, path),
+      auth=self.basic,
+      json=data
+    )
+    
+    if r.status_code == 500:
+      raise Exception('Server return 500 error: {}'.format(r.text))
+    elif r.status_code == 401:
+      raise Exception('Authentification has failed')
+    elif r.status_code != 200:
+      raise Exception('Server return an unknown error: {}'.format(r.text))
+
  def put(self, path, data):
    r = requests.put(
      '{}/{}'.format(self.url, path),
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@ -11,6 +11,8 @@
        password: supers3cret
        roles:
          - viewer
+      kibana_system:
+        password: supertest2
    elasticsearch_index_templates:
      test:
        index_patterns: