
#!/usr/bin/python
from ansible.module_utils.basic import *
from ansible.module_utils.elasticsearch_api import *
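class ElasticsearchUser:
    """Manage one Elasticsearch native-realm user through the security API.

    Every request goes through ``ElasticsearchApi`` (project helper from
    ``ansible.module_utils.elasticsearch_api``); its ``get``/``put``/``post``/
    ``delete`` calls are assumed to return ``(status_code, body)`` tuples that
    mirror the Elasticsearch REST API -- TODO confirm against the helper.
    """

    # Reserved users that ship with Elasticsearch. main() only ever changes
    # their password, never creates, re-roles or deletes them.
    BUILTIN_USERS = (
        'apm_system',
        'beats_system',
        'elastic',
        'kibana',
        'kibana_system',
        'logstash_system',
        'remote_monitoring_user',
    )

    def __init__(self, api_url, api_user, api_password, name, password, roles):
        """Bind the user to an API endpoint.

        Args:
            api_url: base URL of the cluster.
            api_user: account used for the management calls.
            api_password: password of ``api_user``.
            name: user to manage.
            password: desired password for ``name``.
            roles: desired list of role names for ``name``.
        """
        self.api = ElasticsearchApi(api_url, api_user, api_password)
        self.api_url = api_url
        self.name = name
        self.password = password
        self.roles = roles
        # Filled in by get_data(); ``data`` is the user document returned by
        # GET _security/user/<name>, or {} while unknown.
        self.exist = False
        self.data = {}

    def is_builtin(self):
        """Return True when ``name`` is one of the reserved built-in users."""
        return self.name in self.BUILTIN_USERS

    def get_data(self):
        """Fetch the user document; set ``exist`` and ``data`` on HTTP 200.

        Any other status (404 for a missing user, but also auth or transport
        failures as reported by ElasticsearchApi) leaves the instance in its
        "does not exist" default state, so callers cannot tell the two apart.
        """
        status_code, data = self.api.get('_security/user/{}'.format(self.name))
        if status_code == 200:
            self.exist = True
            self.data = data[self.name]

    def roles_have_changed(self):
        """Return True when the desired and current role sets differ.

        Order and duplicates are ignored, which is what the pairwise
        membership checks of the original amounted to. A missing ``roles``
        key (get_data() not called, or user absent) now counts as "no roles"
        instead of raising KeyError.
        """
        current_roles = self.data.get('roles') or []
        return set(self.roles) != set(current_roles)

    def password_has_changed(self):
        """Return True when ``password`` does not authenticate as ``name``.

        Probes ``_cluster/health`` with the user's own credentials and treats
        only an explicit 401 as a wrong password. Any other status -- including
        a transport failure, depending on how ElasticsearchApi reports it --
        is reported as "unchanged", which can hide real drift.
        """
        probe = ElasticsearchApi(self.api_url, self.name, self.password)
        status_code, _ = probe.get('_cluster/health')
        return status_code == 401

    def has_changed(self):
        """Return True when the roles or the password need updating.

        The password probe is only issued when the roles already match, as in
        the original two-step check.
        """
        return self.roles_have_changed() or self.password_has_changed()

    def create(self):
        """Create the user, or replace its document when it already exists.

        main() calls this for both creation and drift, so the whole
        ``password``/``roles`` document is sent every time.
        """
        self.api.put(
            '_security/user/{}'.format(self.name),
            {'password': self.password, 'roles': self.roles},
        )

    def change_password(self):
        """Set a new password without touching roles (used for built-ins)."""
        self.api.post(
            '_security/user/{}/_password'.format(self.name),
            {'password': self.password},
        )

    def delete(self):
        """Remove the user from the native realm."""
        self.api.delete('_security/user/{}'.format(self.name))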
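def main():
    """Ansible entry point: converge one Elasticsearch user to ``state``.

    Built-in users are never created or deleted; for them only the password
    is managed and ``state`` is ignored. ``password`` is required even for
    ``state: absent`` because it is part of the argument spec. Supports
    check mode: drift is reported but no write is issued.
    """
    fields = {
        'name': {'type': 'str', 'required': True},
        'password': {'type': 'str', 'required': True, 'no_log': True},
        'roles': {'type': 'list', 'default': []},
        'api_url': {'type': 'str', 'default': 'http://127.0.0.1:9200'},
        'api_user': {'type': 'str', 'default': None},
        'api_password': {'type': 'str', 'default': None, 'no_log': True},
        # The argument-spec key AnsibleModule honours is 'choices'; the
        # original spelled it 'choice', so an unexpected value such as
        # 'deleted' was not rejected and fell through to the delete branch.
        'state': {'type': 'str', 'default': 'present', 'choices': ['present', 'absent']},
    }
    module = AnsibleModule(argument_spec=fields, supports_check_mode=True)
    params = module.params

    user = ElasticsearchUser(
        params['api_url'],
        params['api_user'],
        params['api_password'],
        params['name'],
        params['password'],
        params['roles'],
    )
    user.get_data()

    changed = False
    if user.is_builtin():
        # Reserved users: only the password can be managed, regardless of state.
        if user.password_has_changed():
            changed = True
            if not module.check_mode:
                user.change_password()
    elif params['state'] == 'present':
        # create() PUTs the full document, so it covers both a missing user
        # and an existing one whose roles or password drifted.
        if not user.exist or user.has_changed():
            changed = True
            if not module.check_mode:
                user.create()
    elif user.exist:
        changed = True
        if not module.check_mode:
            user.delete()

    module.exit_json(changed=changed)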
if __name__ == "__main__":
    # Ansible runs the module file as a script; nothing else imports it.
    main()