feat: manage users

This commit is contained in:
Adrien Waksberg 2020-03-08 18:35:44 +01:00
parent 5dbdb524d7
commit bebe621f3e
7 changed files with 117 additions and 10 deletions

View file

@ -37,6 +37,8 @@ Install and configure Elasticsearch
format: YYYY-MM-dd format: YYYY-MM-dd
``` ```
* `elasticsearch_users` - hash to manage users
## How to use ## How to use
``` ```

View file

@ -1,8 +1,11 @@
--- ---
elasticsearch_heap_size: 1g elasticsearch_heap_size: 1g
elasticsearch_api_user: elastic
elasticsearch_api_password: null
elasticsearch_config: {} elasticsearch_config: {}
elasticsearch_default_config: elasticsearch_default_config:
path.data: /var/lib/elasticsearch path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch path.logs: /var/log/elasticsearch
elasticsearch_full_config: '{{ elasticsearch_default_config|combine(elasticsearch_config) }}' elasticsearch_full_config: '{{ elasticsearch_default_config|combine(elasticsearch_config) }}'
elasticsearch_index_templates: {} elasticsearch_index_templates: {}
elasticsearch_users: {}

View file

@ -0,0 +1,81 @@
#!/usr/bin/python
from ansible.module_utils.basic import *
from ansible.module_utils.elasticsearch_api import *
class ElasticsearchUser:
def __init__(self, api, name):
self.api = api
self.name = name
self.exist = False
self.data = {}
def get_data(self):
status_code, data = self.api.get('_security/user/{}'.format(self.name))
if status_code == 200:
self.exist = True
self.data = data[self.name]
def has_changed(self, roles):
if roles.sort() != self.data['roles'].sort():
return True
return False
def password_has_changed(self, password):
return not self.api.check_password(self.name, password)
def change_password(self, password):
self.api.put(
'_security/user/{}/_password'.format(self.name),
{ 'password': password }
)
def create(self, options):
self.api.put(
'_security/user/{}'.format(self.name),
options
)
def main():
fields = {
'name': { 'type': 'str', 'required': True },
'password': { 'type': 'str', 'required': True },
'roles': { 'type': 'list', 'default': [] },
'api_url': { 'type': 'str', 'default': 'http://127.0.0.1:9200' },
'api_user': { 'type': 'str', 'default': None },
'api_password': { 'type': 'str', 'default': None },
}
module = AnsibleModule(argument_spec=fields)
changed = False
options = {
'roles': module.params['roles'],
'password': module.params['password'],
}
api = ElasticsearchApi(
module.params['api_url'],
module.params['api_user'],
module.params['api_password']
)
user = ElasticsearchUser(
api,
module.params['name'],
)
user.get_data()
if module.params['name'] != 'elastic':
if not user.exist or user.has_changed(module.params['roles']):
user.create(options)
changed = True
if user.password_has_changed(module.params['password']):
user.change_password(module.params['password'])
changed = True
module.exit_json(changed=changed)
if __name__ == '__main__':
main()

View file

@ -7,8 +7,18 @@ class ElasticsearchApi:
self.url = url self.url = url
self.headers = {} self.headers = {}
if user and password: if user and password:
token = base64.b64encode('{}:{}',) token = base64.b64encode('{}:{}'.format(user, password))
self.headers = { 'Authorization': 'Basic ' + base64.b64encode({},) } self.headers = { 'Authorization': 'Basic {}'.format(token) }
def check_password(self, user, password):
token = base64.b64encode('{}:{}'.format(user, password))
headers = { 'Authorization': 'Basic {}'.format(token) }
r = requests.get(self.url, headers=headers)
if r.status_code != 401:
return True
return False
def get(self, path): def get(self, path):
r = requests.get( r = requests.get(

View file

@ -1,7 +1,10 @@
--- ---
- name: Converge - name: Converge
hosts: all hosts: all
roles:
- ansible-role-elasticsearch
vars: vars:
elasticsearch_api_password: secret
elasticsearch_heap_size: 512m elasticsearch_heap_size: 512m
elasticsearch_index_templates: elasticsearch_index_templates:
test: test:
@ -13,10 +16,3 @@
mappings: mappings:
metrics: metrics:
type: short type: short
roles:
- ansible-role-elasticsearch
#
# tasks:
# - name: "Include ansible-role-elasticsearch"
# include_role:
# name: "ansible-role-elasticsearch"

View file

@ -12,7 +12,7 @@
- name: copy config file - name: copy config file
copy: copy:
content: '{{ elasticsearch_full_config|to_yaml }}' content: '{{ elasticsearch_full_config|to_nice_yaml }}'
dest: /etc/elasticsearch/elasticsearch.yml dest: /etc/elasticsearch/elasticsearch.yml
owner: root owner: root
group: elasticsearch group: elasticsearch

View file

@ -1,10 +1,25 @@
--- ---
- name: manage users
elasticsearch_user:
name: '{{ item.key }}'
password: '{{ item.value.password }}'
api_user: '{{ elasticsearch_api_user }}'
api_password: '{{ elasticsearch_api_password }}'
loop: '{{ elasticsearch_users|dict2items }}'
when: |
'xpack.security.enabled' in elasticsearch_full_config and
elasticsearch_full_config['xpack.security.enabled'] == True
run_once: true
tags: elasticsearch
- name: copy index templates - name: copy index templates
elasticsearch_template: elasticsearch_template:
name: '{{ item.key }}' name: '{{ item.key }}'
index_patterns: '{{ item.value.index_patterns }}' index_patterns: '{{ item.value.index_patterns }}'
settings: '{{ item.value.settings|default({}) }}' settings: '{{ item.value.settings|default({}) }}'
mappings: '{{ item.value.mappings|default({}) }}' mappings: '{{ item.value.mappings|default({}) }}'
api_user: '{{ elasticsearch_api_user }}'
api_password: '{{ elasticsearch_api_password }}'
no_log: true no_log: true
loop: '{{ elasticsearch_index_templates|dict2items }}' loop: '{{ elasticsearch_index_templates|dict2items }}'
run_once: true run_once: true