feat: manage role

This commit is contained in:
Adrien Waksberg 2023-11-16 16:05:55 +01:00
parent 30f4484bd6
commit 98769717c4
7 changed files with 173 additions and 3 deletions

View file

@ -9,6 +9,7 @@ Which is based on [Keep A Changelog](http://keepachangelog.com/)
- feat: add variable to set master
- feat: manage user
- feat: manage role
- feat: add variable to set major version
- feat: add ilm policy
- test: add support debian 12

View file

@ -21,13 +21,26 @@ Install and configure Elasticsearch
* `elasticsearch_api_password` - set the password for api
* `elasticsearch_config` - hash with the configuration (see [elasticsearch documentation](https://www.elastic.co/guide/en/elasticsearch/reference/current/settings.html))
```
```yaml
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
```
* `elasticsearch_ssl_key`: - string contain ssl private key if `xpack.security.transport.ssl.key` is defined in elasticsearch_config
* `elasticsearch_ssl_certificate`: - string contain ssl certificate if `xpack.security.transport.certificate.key` is defined in elasticsearch_config
* `elasticsearch_roles` - hash with the roles to managed
```yaml
myrole:
cluster:
- all
indices:
- names: ["logstash*"]
privileges:
- create
- write
```
* `elasticsearch_users` - hash with the users to managed
```yaml
@ -41,7 +54,7 @@ Install and configure Elasticsearch
* `elasticsearch_index_templates` - hash with the index templates configuration
```
```yaml
logstash:
index_patterns:
- 'logstash-*'
@ -58,7 +71,7 @@ Install and configure Elasticsearch
* `elasticsearch_ilm_policies` - hash with the ilm policies configuration
```
```yaml
autoclean:
delete:
min_age: 30d

View file

@ -12,3 +12,5 @@ elasticsearch_default_config:
elasticsearch_full_config: "{{ elasticsearch_default_config | combine(elasticsearch_config) }}"
elasticsearch_index_templates: {}
elasticsearch_ilm_policies: {}
elasticsearch_roles: {}
elasticsearch_users: {}

View file

@ -0,0 +1,126 @@
#!/usr/bin/python
from ansible.module_utils.basic import *
from ansible.module_utils.elasticsearch_api import *
class ElasticsearchRole:
def __init__(self, api_url, api_user, api_password, name, cluster, indices):
self.api = ElasticsearchApi(
api_url,
api_user,
api_password
)
self.api_url = api_url
self.name = name
self.cluster = cluster
self.indices = indices
self.exist = False
self.data = {}
def get_data(self):
status_code, data = self.api.get('_security/role/{}'.format(self.name))
if status_code == 200:
self.exist = True
self.data = data[self.name]
def array_has_changed(self, list1, list2):
for item in list1:
if item not in list2:
return True
for item in list2:
if item not in list1:
return True
return False
def cluster_has_changed(self):
return self.array_has_changed(self.cluster, self.data['cluster'])
def same_indice(self, indice1, indice2):
if self.array_has_changed(indice1['names'], indice2['names']):
return False
if self.array_has_changed(indice1['privileges'], indice2['privileges']):
return False
return True
def indices_have_changed(self):
for indice1 in self.indices:
exist = False
for indice2 in self.data['indices']:
if self.same_indice(indice1, indice2):
exist = True
break
if not exist:
return True
for indice1 in self.data['indices']:
exist = False
for indice2 in self.indices:
if self.same_indice(indice1, indice2):
exist = True
break
if not exist:
return True
return False
def has_changed(self):
if self.cluster_has_changed():
return True
if self.indices_have_changed():
return True
return False
def create(self):
self.api.put(
'_security/role/{}'.format(self.name),
{
'cluster': self.cluster,
'indices': self.indices
}
)
def delete(self):
self.api.delete('_security/role/{}'.format(self.name))
def main():
fields = {
'name': { 'type': 'str', 'required': True },
'indices': { 'type': 'list', 'default': [] },
'cluster': { 'type': 'list', 'default': [] },
'api_url': { 'type': 'str', 'default': 'http://127.0.0.1:9200' },
'api_user': { 'type': 'str', 'default': None },
'api_password': { 'type': 'str', 'default': None, 'no_log': True },
'state': { 'type': 'str', 'default': 'present', 'choice': ['present', 'absent'] },
}
module = AnsibleModule(argument_spec=fields)
changed = False
role = ElasticsearchRole(
module.params['api_url'],
module.params['api_user'],
module.params['api_password'],
module.params['name'],
module.params['cluster'],
module.params['indices'],
)
role.get_data()
if module.params['state'] == 'present':
if not role.exist or role.has_changed():
role.create()
changed = True
elif user.exist:
role.delete()
changed = True
module.exit_json(changed=changed)
if __name__ == '__main__':
main()

View file

@ -60,6 +60,15 @@
F3OGK/Tmx3MW5O+lq5O+2oRmUSfcIUgnrjgUeevj6Rgt1qx33WEoKBM2rVBIBqOn
ZKrzDBkVG/H+H0hwiV219PLE
-----END PRIVATE KEY-----
elasticsearch_roles:
myrole:
cluster:
- all
indices:
- names: ["logstash*"]
privileges:
- create
- write
elasticsearch_users:
toto:
password: supers3cret

View file

@ -45,6 +45,11 @@ def test_elasticsearch_template(host):
result = host.check_output('curl -v -u elastic:mysecret http://127.0.0.1:9200/_template/test')
assert '"number_of_replicas":"1"' in result
def test_elasticsearch_role(host):
result = host.check_output('curl -v -u elastic:mysecret http://127.0.0.1:9200/_security/role/myrole')
assert '"names":["logstash*"]' in result
assert '"privileges":["create","write"]' in result
def test_elasticsearch_user(host):
result = host.check_output('curl -v -u elastic:mysecret http://127.0.0.1:9200/_security/user/toto')
assert '"username":"toto"' in result

View file

@ -6,6 +6,20 @@
run_once: true
tags: elasticsearch
- name: Manage roles
elasticsearch_role:
name: "{{ item.key }}"
cluster: "{{ item.value.cluster | default(omit) }}"
indices: "{{ item.value.indices | default(omit) }}"
api_user: "{{ elasticsearch_api_user }}"
api_password: "{{ elasticsearch_password }}"
state: "{{ item.value.state | default('present') }}"
loop: "{{ elasticsearch_roles | dict2items }}"
loop_control:
label: "{{ item.key }}"
run_once: true
tags: elasticsearch
- name: Manage users
elasticsearch_user:
name: "{{ item.key }}"