Add ability to enable mongo auth and add users

[cognifloyd]

Adds auth to mongo when the mongodb_auth_enable flag is true.
Any additional users should be passed in via mongodb_users.
There are several other default variables as well (like mongodb_host,
mongodb_port which are used when logging in) that can be overridden
in the play or inventory that uses this role.
That is this PR completes this TODO from #75 for mongo security:

• Configure/Set username/password

This does not attempt to generate any passwords. It only adds users if
explicitly requested, but allows external tasks/roles to import the
mongodb_auth.yml tasks to add users as required after mongo is installed.
That is, this PR skips this TODO from #75:

If not explicitly set, passwords should be generated randomly and placed in st2.conf

This uses lineinfile to edit mongod.conf with regexs to catch as many
edge cases in yaml formatting (spaces, quotes) as possible.
Also, this uses a bit of python to validate that the yaml file was
modified in such a way that it is still valid yaml, and the entries
intrduced in the file are present as expected.

This uses the mongo shell to see if authorization is required before
adding the admin user. This should handle cases such as the localhost
exception in a new install or upgrades where auth is not enabled or
upgrades where auth is enabled.

This installs pip using system packages if pip is not present. pip
is needed to install pymongo which is used to manage mongo users through
the mongodb_user ansible module.

As explained in comments, we only update mongo user passwords on_create
because that is the only way to maintain idempotency.

This should be idempotent.

TODO:

• Run tests with and without mongodb auth enabled.

To configure host (in a separate PR) we need to modify net.bindIp in mongod.conf (see https://docs.mongodb.com/manual/reference/configuration-options/#net-options). I believe mongo only listens on 127.0.0.1 by default, but we might add some checks to be more explicit.
That is, this PR skips these TODOs from #75:

Ensure we can configure host
Services should run on 127.0.0.1 by default

[cognifloyd]

obsolete comment

[cognifloyd]

obsolete comment

[cognifloyd]

I added a todo list based on #75

[cognifloyd]

obsolete comment

[cognifloyd]

obsolete comment

[arm4b]

The overall direction and at a high-level looks good 👍

Left some comments where we need to think about the corner cases.

[arm4b]

Also let's not rush with the random passwords for st2mongo user. Not sure yet where we should generate it: is it user's responsibility and we show how in stackstorm.yml play itself or it's a role responsibility (and it's not clear which role exactly).

Let's clarify this PR and hopefully we can add more password generation functionality as another PR.

[cognifloyd]

_obsolete comment_

[cognifloyd]

obsolete comment

[cognifloyd]

obsolete comment

[cognifloyd]

obsolete comment

[cognifloyd]

obsolete comment

[cognifloyd]

obsolete comment

[cognifloyd]

DONE! No longer WIP. Travis is now testing two suites: one without auth enabled, and one with auth enabled. I think this is ready for another review, and hopefully, a merge @armab.

[cognifloyd]

Rebased and squashed various commits to make it easier to review each piece/commit of this PR.

[cognifloyd]

obsolete comment

[cognifloyd]

Dropped changes to st2 role. Now adding users is ONLY activated if mongodb_enable_auth is true (defaults to false which matches current behavior).

[cognifloyd]

When you review, I recommend this order (which puts files with the simplest changes first):

• Part of the first commit:
  • roles/mongodb/tasks/main.yml include when: mongodb_enable_auth: yes
  • roles/mongodb/vars/main.yml vars: mongodb_python used in validate
  • roles/mongodb/defaults/main.yml various generic variables that users might wish to change
  • roles/mongodb/tasks/mongodb_auth.yml logic to enable mongodb auth.
    • This must include:
      1. add an admin user to admin db;
      2. enable security.authentication;
      3. add regular users.
  • roles/mongodb/README.md document vars specific to the mongodb role

• The only file in the second commit (add secure test suite):
  • .kitchen.yml suite.provisioner.extra_vars gets merged with global level provisioner.extra_vars

[cognifloyd]

I will try to break this down into ity-bity PRs. Starting with a way to install pip #204.
I'll close this for now since there's no resources to review it.

Next steps:

• Add pip role #204 Add pip role
• Add pymongo, a dep of mongodb_user ansible module #205 Add pymongo
• Mongo Auth | Intall pymongo via pip (vs via sys pkgs) #216 Intall pymongo via pip over sys pkgs (pip installed with sys packages)
• Mongo Auth | Check mongo config to see if auth is enabled or configured #206 Check if auth is enabled and users are configured needs review
• #??? Add Mongo admin user (defaults, 2 tasks: Warn about default credentials and Add mongo admin)
• #??? Enable auth in mongod.conf (2 tasks: Enable security section in mongod.conf and Enable authentication in mongod.conf; 1 new var mongodb_python used in validating config)
• #??? Add additional mongo users (defaults and tasks)
• #??? Add task to mongdb main.yml to trigger enabling auth (disabled by default) and add the secure test suite