feat: manage role

2023-11-16 16:05:55 +01:00 · 2023-11-16 16:05:55 +01:00 · 98769717c4
commit 98769717c4
parent 30f4484bd6
7 changed files with 173 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -9,6 +9,7 @@ Which is based on [Keep A Changelog](http://keepachangelog.com/)

 - feat: add variable to set master
 - feat: manage user
+- feat: manage role
 - feat: add variable to set major version
 - feat: add ilm policy
 - test: add support debian 12
--- a/README.md
+++ b/README.md
@ -21,13 +21,26 @@ Install and configure Elasticsearch
 * `elasticsearch_api_password` - set the password for api
 * `elasticsearch_config` - hash with the configuration (see [elasticsearch documentation](https://www.elastic.co/guide/en/elasticsearch/reference/current/settings.html))

-```
+```yaml
  path.data: /var/lib/elasticsearch
  path.logs: /var/log/elasticsearch
 ```

 * `elasticsearch_ssl_key`: - string contain ssl private key if `xpack.security.transport.ssl.key` is defined in elasticsearch_config
 * `elasticsearch_ssl_certificate`: - string contain ssl certificate if `xpack.security.transport.certificate.key` is defined in elasticsearch_config
+* `elasticsearch_roles` - hash with the roles to managed
+
+```yaml
+  myrole:
+    cluster:
+      - all
+    indices:
+      - names: ["logstash*"]
+        privileges:
+          - create
+          - write
+```
+
 * `elasticsearch_users` - hash with the users to managed

 ```yaml
@ -41,7 +54,7 @@ Install and configure Elasticsearch

 * `elasticsearch_index_templates` - hash with the index templates configuration

-```
+```yaml
  logstash:
    index_patterns:
      - 'logstash-*'
@ -58,7 +71,7 @@ Install and configure Elasticsearch

 * `elasticsearch_ilm_policies` - hash with the ilm policies configuration

-```
+```yaml
  autoclean:
    delete:
      min_age: 30d
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -12,3 +12,5 @@ elasticsearch_default_config:
 elasticsearch_full_config: "{{ elasticsearch_default_config | combine(elasticsearch_config) }}"
 elasticsearch_index_templates: {}
 elasticsearch_ilm_policies: {}
+elasticsearch_roles: {}
+elasticsearch_users: {}
--- a/library/elasticsearch_role.py
+++ b/library/elasticsearch_role.py
@ -0,0 +1,126 @@
+#!/usr/bin/python
+
+from ansible.module_utils.basic import *
+from ansible.module_utils.elasticsearch_api import *
+
+class ElasticsearchRole:
+    def __init__(self, api_url, api_user, api_password, name, cluster, indices):
+        self.api = ElasticsearchApi(
+            api_url,
+            api_user,
+            api_password
+        )
+        self.api_url  = api_url
+        self.name     = name
+        self.cluster  = cluster
+        self.indices  = indices
+        self.exist    = False
+        self.data     = {}
+
+    def get_data(self):
+        status_code, data = self.api.get('_security/role/{}'.format(self.name))
+        if status_code == 200:
+            self.exist = True
+            self.data  = data[self.name]
+
+    def array_has_changed(self, list1, list2):
+        for item in list1:
+            if item not in list2:
+                return True
+
+        for item in list2:
+            if item not in list1:
+                return True
+
+        return False
+
+    def cluster_has_changed(self):
+        return self.array_has_changed(self.cluster, self.data['cluster'])
+
+    def same_indice(self, indice1, indice2):
+        if self.array_has_changed(indice1['names'], indice2['names']):
+            return False
+
+        if self.array_has_changed(indice1['privileges'], indice2['privileges']):
+            return False
+        
+        return True
+
+    def indices_have_changed(self):
+        for indice1 in self.indices:
+            exist = False
+            for indice2 in self.data['indices']:
+                if self.same_indice(indice1, indice2):
+                    exist = True
+                    break
+            if not exist:
+                return True
+
+        for indice1 in self.data['indices']:
+            exist = False
+            for indice2 in self.indices:
+                if self.same_indice(indice1, indice2):
+                    exist = True
+                    break
+            if not exist:
+                return True
+
+        return False
+
+    def has_changed(self):
+        if self.cluster_has_changed():
+            return True
+
+        if self.indices_have_changed():
+            return True
+
+        return False
+
+    def create(self):
+        self.api.put(
+            '_security/role/{}'.format(self.name),
+            {
+                'cluster': self.cluster,
+                'indices': self.indices
+            }
+        )
+
+    def delete(self):
+        self.api.delete('_security/role/{}'.format(self.name))
+
+        
+def main():
+    fields = {
+        'name':         { 'type': 'str', 'required': True },
+        'indices':      { 'type': 'list', 'default': [] },
+        'cluster':      { 'type': 'list', 'default': [] },
+        'api_url':      { 'type': 'str', 'default': 'http://127.0.0.1:9200' },
+        'api_user':     { 'type': 'str', 'default': None },
+        'api_password': { 'type': 'str', 'default': None, 'no_log': True },
+        'state':        { 'type': 'str', 'default': 'present', 'choice': ['present', 'absent'] },
+    }
+    module = AnsibleModule(argument_spec=fields)
+    changed = False
+
+    role = ElasticsearchRole(
+        module.params['api_url'],
+        module.params['api_user'],
+        module.params['api_password'],
+        module.params['name'],
+        module.params['cluster'],
+        module.params['indices'],
+    )
+    role.get_data()
+
+    if module.params['state'] == 'present':
+        if not role.exist or role.has_changed():
+            role.create()
+            changed = True
+    elif user.exist:
+        role.delete()
+        changed = True
+
+    module.exit_json(changed=changed)
+
+if __name__ == '__main__':
+    main()
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@ -60,6 +60,15 @@
      F3OGK/Tmx3MW5O+lq5O+2oRmUSfcIUgnrjgUeevj6Rgt1qx33WEoKBM2rVBIBqOn
      ZKrzDBkVG/H+H0hwiV219PLE
      -----END PRIVATE KEY-----
+    elasticsearch_roles:
+      myrole:
+        cluster:
+          - all
+        indices:
+          - names: ["logstash*"]
+            privileges:
+              - create
+              - write
    elasticsearch_users:
      toto:
        password: supers3cret
--- a/molecule/default/tests/test_default.py
+++ b/molecule/default/tests/test_default.py
@ -45,6 +45,11 @@ def test_elasticsearch_template(host):
    result = host.check_output('curl -v -u elastic:mysecret http://127.0.0.1:9200/_template/test')
    assert '"number_of_replicas":"1"' in result

+def test_elasticsearch_role(host):
+    result = host.check_output('curl -v -u elastic:mysecret http://127.0.0.1:9200/_security/role/myrole')
+    assert '"names":["logstash*"]' in result
+    assert '"privileges":["create","write"]' in result
+
 def test_elasticsearch_user(host):
    result = host.check_output('curl -v -u elastic:mysecret http://127.0.0.1:9200/_security/user/toto')
    assert '"username":"toto"' in result
--- a/tasks/data.yml
+++ b/tasks/data.yml
@ -6,6 +6,20 @@
  run_once: true
  tags: elasticsearch

+- name: Manage roles
+  elasticsearch_role:
+    name: "{{ item.key }}"
+    cluster: "{{ item.value.cluster | default(omit) }}"
+    indices: "{{ item.value.indices | default(omit) }}"
+    api_user: "{{ elasticsearch_api_user }}"
+    api_password: "{{ elasticsearch_password }}"
+    state: "{{ item.value.state | default('present') }}"
+  loop: "{{ elasticsearch_roles | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  run_once: true
+  tags: elasticsearch
+
 - name: Manage users
  elasticsearch_user:
    name: "{{ item.key }}"