Merge pull request elastic#223 from gingerwizard/master

Support for Activating License

.gitignore

@@ -1,4 +1,5 @@
 .kitchen/
+license.json
 *.pyc
 .vendor
 .bundle

.kitchen.yml

@@ -22,6 +22,18 @@ platforms:
         - apt-get update && apt-get install -y software-properties-common &&  add-apt-repository -y ppa:ansible/ansible
         - apt-get update && apt-get -y -q install python-apt python-pycurl
       use_sudo: false
+      volume: <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json
+  - name: ubuntu-16.04
+    driver_config:
+      image: dliappis/ubuntu-devopsci:16.04
+      privileged: true
+      provision_command:
+        - apt-get update && apt-get install -y software-properties-common &&  add-apt-repository -y ppa:ansible/ansible
+        - apt-get install -y -q net-tools
+        - apt-get update && apt-get -y -q install python-apt python-pycurl
+      use_sudo: false
+      volume: <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json
+      run_command: "/sbin/init"
   - name: debian-8
     driver_config:
       image: dliappis/debian-devopsci:8
@@ -33,6 +45,7 @@ platforms:
         - sed -ri 's/^#?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
         - sed -ri 's/^#?PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config
         - sed -ri 's/^#?UsePAM .*/UsePAM no/' /etc/ssh/sshd_config
+      volume: <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json
       use_sudo: false
       run_command: "/sbin/init"
   - name: centos-7
@@ -45,6 +58,7 @@ platforms:
         - rm /etc/yum.repos.d/epel*repo /etc/yum.repos.d/puppetlabs-pc1.repo
         - yum -y install initscripts
         - yum clean all
+      volume: <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json
       run_command: "/usr/sbin/init"
       privileged: true
       use_sudo: false

handlers/main.yml

@@ -6,10 +6,9 @@
   service: name={{instance_init_script | basename}} state=restarted enabled=yes
   when: es_restart_on_change and es_start_service and ((plugin_installed is defined and plugin_installed.changed) or (config_updated is defined and config_updated.changed) or (xpack_state.changed) or (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed or elasticsearch_install_from_package.changed))
 
-- name: load-native-realms
-  include: ./handlers/shield/elasticsearch-shield-native.yml
-  when: (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)
-
+# All security specific actions should go in here
+- name: activate-shield
+  include: ./handlers/shield/elasticsearch-shield.yml
 
 #Templates are a handler as they need to come after a restart e.g. suppose user removes shield on a running node and doesn't
 #specify es_api_basic_auth_username and es_api_basic_auth_password.  The templates will subsequently not be removed if we don't wait for the node to restart.

handlers/shield/elasticsearch-shield-native.yml

@@ -1,11 +1,5 @@
 ---
 
-- name: Ensure elasticsearch is started
-  service: name={{instance_init_script | basename}} state=started enabled=yes
-
-- name: Wait for elasticsearch to startup
-  wait_for: host={{es_api_host}} port={{es_api_port}} delay=10
-
 - set_fact: manage_native_users=false
 
 - set_fact: manage_native_users=true
@@ -68,6 +62,7 @@
     password: "{{es_api_basic_auth_password}}"
     force_basic_auth: yes
   when: manage_native_users and es_users.native.keys() > 0
+  no_log: True
   with_dict: "{{es_users.native}}"
 
 #List current roles

handlers/shield/elasticsearch-shield.yml

@@ -0,0 +1,14 @@
+---
+- name: Ensure elasticsearch is started
+  service: name={{instance_init_script | basename}} state=started enabled=yes
+
+- name: Wait for elasticsearch to startup
+  wait_for: host={{es_api_host}} port={{es_api_port}} delay=10
+
+- name: activate-license
+  include: ./handlers/shield/elasticsearch-xpack-activation.yml
+  when: es_enable_xpack and es_xpack_license is defined and es_xpack_license != ''
+
+- name: load-native-realms
+  include: ./handlers/shield/elasticsearch-shield-native.yml
+  when: (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)

handlers/shield/elasticsearch-xpack-activation.yml

@@ -0,0 +1,37 @@
+---
+
+- name: Activate ES license (without shield authentication)
+  uri:
+    method: PUT
+    url: "http://{{es_api_host}}:{{es_api_port}}/_license?acknowledge=true"
+    body_format: json
+    body: "{{ es_xpack_license }}"
+    return_content: yes
+  register: license_activated
+  no_log: True
+  when: not '"shield" in es_xpack_features'
+  failed_when: >
+    license_activated.status != 200 or
+    license_activated.json.license_status is not defined or
+    license_activated.json.license_status != 'valid'
+
+- name: Activate ES license (with shield authentication)
+  uri:
+    method: PUT
+    url: "http://{{es_api_host}}:{{es_api_port}}/_license?acknowledge=true"
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    body_format: json
+    force_basic_auth: yes
+    body: "{{ es_xpack_license }}"
+    return_content: yes
+  register: license_activated
+  no_log: True
+  when: '"shield" in es_xpack_features'
+  failed_when: >
+    license_activated.status != 200 or
+    license_activated.json.license_status is not defined or
+    license_activated.json.license_status != 'valid'
+
+- debug:
+    msg: "License: {{ license_activated.content }}"

tasks/java.yml

@@ -12,4 +12,11 @@
 
 - name: Debian - Ensure Java is installed
   apt: name={{ java }} state={{java_state}} update_cache=yes force=yes
-  when: ansible_os_family == 'Debian'
+  when: ansible_os_family == 'Debian'
+
+- command: java -version 2>&1 | grep OpenJDK
+  register: open_jdk
+
+- name: refresh the java ca-certificates
+  command: /var/lib/dpkg/info/ca-certificates-java.postinst configure
+  when: ansible_distribution == 'Ubuntu' and open_jdk.rc == 0

tasks/xpack/elasticsearch-xpack-install.yml

@@ -14,7 +14,7 @@
 #Remove Plugin if installed and its not been requested or the ES version has changed
 - name: Remove {{item}} plugin
   command: >
-    {{es_home}}/bin/plugin remove shield
+    {{es_home}}/bin/plugin remove {{item}}
   register: xpack_state
   failed_when: "'ERROR' in xpack_state.stdout"
   changed_when: xpack_state.rc == 0

tasks/xpack/elasticsearch-xpack.yml

@@ -5,7 +5,7 @@
 #enabling xpack installs the license. Not a xpack feature and does not need to be specified - TODO: we should append it to the list if xpack is enabled and remove this
 
 #Check if license is installed
-- name: Check License is installed
+- name: Check License plugin is installed
   shell: >
     {{es_home}}/bin/plugin list | tail -n +2 | grep license
   register: license_installed
@@ -50,6 +50,5 @@
 - include: shield/elasticsearch-shield.yml
 
 #Add any feature specific configuration here
-
 - name: Set Plugin Directory Permissions
   file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes

tasks/xpack/shield/elasticsearch-shield-file.yml

@@ -37,6 +37,7 @@
     {{es_home}}/bin/shield/esusers useradd {{item}} -p {{es_users.file[item].password}}
   with_items: "{{users_to_add | default([])}}"
   when: manage_file_users and users_to_add | length > 0
+  no_log: True
   environment:
     CONF_DIR: "{{ conf_dir }}"
     ES_HOME: "{{es_home}}"
@@ -49,6 +50,7 @@
   when: manage_file_users and es_users.file.keys() | length > 0
   #Currently no easy way to figure out if the password has changed or to know what it currently is so we can skip.
   changed_when: False
+  no_log: True
   environment:
     CONF_DIR: "{{ conf_dir }}"
     ES_HOME: "{{es_home}}"

tasks/xpack/shield/elasticsearch-shield.yml

@@ -11,7 +11,7 @@
 #-----------------------------NATIVE BASED REALM----------------------------------------
 # The native realm requires the node to be started so we do as a handler
 - command: /bin/true
-  notify: load-native-realms
+  notify: activate-shield
   when: (es_enable_xpack and '"shield" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
 
 #-----------------------------ROLE MAPPING ----------------------------------------

test/integration/helpers/serverspec/xpack_spec.rb

@@ -87,6 +87,15 @@
   describe command('curl -s localhost:9200/_nodes/plugins?pretty=true -u es_admin:changeMe | grep license') do
     its(:exit_status) { should eq 0 }
   end
+
+  #Test if x-pack is activated
+  describe 'x-pack activation' do
+    it 'should be activated and valid' do
+      command = command('curl -s localhost:9200/_license?pretty=true -u es_admin:changeMe')
+      expect(command.stdout).to match('"status" : "active"')
+      expect(command.exit_status).to eq(0)
+    end
+  end
 
   describe file('/usr/share/elasticsearch/plugins/shield') do
     it { should be_directory }

test/integration/xpack.yml

@@ -8,6 +8,7 @@
   vars:
     es_templates: true
     es_enable_xpack: true
+    es_xpack_license: "{{ lookup('file', '/tmp/license.json')  }}"
     es_plugins:
       - plugin: lmenezes/elasticsearch-kopf
         version: master