From 7f90e093a1fc4ab5985988432a78e1e8b9c05b59 Mon Sep 17 00:00:00 2001 From: Martin Bukatovic Date: Wed, 4 Oct 2017 19:27:01 +0200 Subject: [PATCH] Revert "Merge pull request #35 from mbukatov/issue_34" This reverts commit 598fc9b11dc393e7b559cc2594e7a64c883897e5, reversing changes made to 5b0b06b2a1c4bfbac7b782a75a376c9dbe2e88a1. --- .gitignore | 1 - roles/tendrl-server/README.md | 30 +---------- roles/tendrl-server/defaults/main.yml | 1 - roles/tendrl-server/tasks/etcd.yml | 53 ------------------- roles/tendrl-server/tasks/tendrl-api.yml | 6 +-- .../tasks/tendrl-monitoring-integration.yml | 14 ----- .../tendrl-server/tasks/tendrl-node-agent.yml | 14 ----- roles/tendrl-storage-node/README.md | 9 ---- roles/tendrl-storage-node/defaults/main.yml | 1 - .../tasks/tendrl-node-agent.yml | 30 ----------- 10 files changed, 4 insertions(+), 155 deletions(-) diff --git a/.gitignore b/.gitignore index 74bdadd..1b457d5 100644 --- a/.gitignore +++ b/.gitignore @@ -8,7 +8,6 @@ site.yml # vagrant files .vagrant # ansible password lookup files -etcd_root_passwd grafana_admin_passwd # rpm build artefacts (created via Makefile) *.tar.gz diff --git a/roles/tendrl-server/README.md b/roles/tendrl-server/README.md index 9e35e84..ac3a584 100644 --- a/roles/tendrl-server/README.md +++ b/roles/tendrl-server/README.md 
@@ -10,17 +10,8 @@ with both api and web interface), and that new random default password is stored on *Tendrl Server* machine in `/root/password` file (based on [TEN-257](https://tendrl.atlassian.net/browse/TEN-257)). -Also note that this role enables [etcd -authentication](https://coreos.com/etcd/docs/latest/op-guide/authentication.html) -by default (see description of `etcd_authentication` variable below), creating -etcd root user account with new default random password via [ansible password -lookup -plugin](https://docs.ansible.com/ansible/latest/playbooks_lookups.html#the-password-lookup). -This means that the password of etcd root user will be stored in current working -directory (from where you run ansible), in `etcd_root_passwd` file. Don't -delete this password file, as this role can't regenerate etcd root password. - -Moreover it also generates new random password for grafana admin user account +Also note that this role +also generates new random password for grafana admin user account via [ansible password lookup plugin](https://docs.ansible.com/ansible/latest/playbooks_lookups.html#the-password-lookup), which is then stored in `grafana_admin_passwd` file in current working 
@@ -53,23 +44,6 @@ Role Variables config file (as shipped in rpm package) will be used. *If you are not sure* if you need to reconfigure this, *leave this variable undefined*. - * When `etcd_authentication` variable is undefined or set to `False` (which - is the default value), ansible would just skip all etcd authentication - tasks (icluding both etcd auth setup and tendrl configuration), - which means that if the etcd auth has been already enabled, it will still - be enabled and when etcd auth is disabled, it will continue to be disabled. - In other words, **this role can't disable nor reconfigura etcd - authentication, it can only skip etcd auth setup and config tasks**. - - Since authentication is disabled in etcd by default, the only way to - configure Tendrl to run without etcd authentication is to set - `etcd_authentication` to `False` for the 1st time you run ansible to deploy - Tendrl, and keep it this way every other run of tendrl-ansible. - - When the value is `True`, this role will enable [etcd - authentication](https://coreos.com/etcd/docs/latest/op-guide/authentication.html) - and configure tendrl components accordingly. - * When one or both of variables `tendrl_notifier_email_id` and `tendrl_notifier_email_smtp_server` is undefined (which is the default state for both variables), email configuration of diff --git a/roles/tendrl-server/defaults/main.yml b/roles/tendrl-server/defaults/main.yml index 0e800bb..f1ff8ff 100644 --- a/roles/tendrl-server/defaults/main.yml +++ b/roles/tendrl-server/defaults/main.yml @@ -1,4 +1,3 @@ --- # defaults file for tendrl-server -etcd_authentication: False tendrl_notifier_email_smtp_port: 25 diff --git a/roles/tendrl-server/tasks/etcd.yml b/roles/tendrl-server/tasks/etcd.yml index a5999b3..51b74bf 100644 --- a/roles/tendrl-server/tasks/etcd.yml +++ b/roles/tendrl-server/tasks/etcd.yml 
@@ -32,57 +32,4 @@ name=etcd state=started -# -# https://coreos.com/etcd/docs/latest/op-guide/authentication.html -# - -- name: Detection of current etcd authentication mode (etcdctl run) - command: etcdctl --endpoints http://{{ etcd_ip_address }}:2379 user list - changed_when: False - failed_when: False - register: detect_etcd_auth - -- name: Detection of current etcd authentication mode (checking stderr) - set_fact: - is_etcd_auth_already_enabled: "{{ 'Insufficient credentials' in detect_etcd_auth.stderr }}" - -- name: Detected status of etcd authentication (based on previous tasks) - debug: - var: is_etcd_auth_already_enabled - -- name: Detection if etcd_root_passwd (ansible password lookup file) exists - local_action: stat path=etcd_root_passwd - register: stat_etcd_root_passwd - run_once: True - -- name: Detected status of local etcd_root_passwd file (based on previous task) - debug: - var: stat_etcd_root_passwd['stat']['exists'] - -- name: Prevent breaking etcd auth configuration when necessary - fail: - msg: - - "etcd auth is already enabled, but etcd_root_passwd file is missing" - - "to prevent misconfiguration of the cluster, ansible run stopped" - - "you need to save etcd root admin password into local etcd_root_passwd file to be able to run this playbook again" - - "another option is to skip etcd auth configuration by setting etcd_authentication ansible variable to False" - when: is_etcd_auth_already_enabled == True and stat_etcd_root_passwd['stat']['exists'] == False and etcd_authentication == True - -- name: Make it clear that we will not disable etcd auth when etcd_authentication == False - debug: - msg: "Since etcd_authentication == False, tasks dealing with etcd auth are just skipped." 
- when: is_etcd_auth_already_enabled == True and etcd_authentication == False - -- name: Add etcd root user account - command: etcdctl --endpoints http://{{ etcd_ip_address }}:2379 user add root:{{ lookup('password', 'etcd_root_passwd chars=ascii_letters length=30') }} - when: etcd_authentication == True and is_etcd_auth_already_enabled == False - -- name: Enable etcd authentication - command: etcdctl --endpoints http://{{ etcd_ip_address }}:2379 auth enable - when: etcd_authentication == True and is_etcd_auth_already_enabled == False - -- name: Remove etcd guest group - command: etcdctl --endpoints http://{{ etcd_ip_address }}:2379 --username root:{{ lookup('password', 'etcd_root_passwd chars=ascii_letters length=30') }} role remove guest - when: etcd_authentication == True and is_etcd_auth_already_enabled == False - - meta: flush_handlers diff --git a/roles/tendrl-server/tasks/tendrl-api.yml b/roles/tendrl-server/tasks/tendrl-api.yml index 0427df6..ae69f1b 100644 --- a/roles/tendrl-server/tasks/tendrl-api.yml +++ b/roles/tendrl-server/tasks/tendrl-api.yml @@ -17,19 +17,17 @@ replace: dest: /etc/tendrl/etcd.yml regexp: "^ +:user_name:.*" - replace: " :user_name: 'root'" + replace: " :user_name: ''" notify: - restart tendrl-api - when: etcd_authentication == True - name: Configure tendrl-api etcd.yml password replace: dest: /etc/tendrl/etcd.yml regexp: "^ +:password:.*" - replace: " :password: '{{ lookup('password', 'etcd_root_passwd') }}'" + replace: " :password: ''" notify: - restart tendrl-api - when: etcd_authentication == True # based on description from: # https://github.com/Tendrl/api/blob/master/docs/users.adoc#create-admin-user diff --git a/roles/tendrl-server/tasks/tendrl-monitoring-integration.yml b/roles/tendrl-server/tasks/tendrl-monitoring-integration.yml index 86cc017..1a7328c 100644 --- a/roles/tendrl-server/tasks/tendrl-monitoring-integration.yml +++ b/roles/tendrl-server/tasks/tendrl-monitoring-integration.yml 
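Review bot: The two `replace` tasks in the tendrl-api.yml hunk lose their `when: etcd_authentication == True` guard, so every run now writes empty `:user_name:` and `:password:` values into /etc/tendrl/etcd.yml, yet nothing in this revert turns etcd authentication back off on hosts where the reverted tasks already ran `auth enable`. On such a host tendrl-api would presumably present empty credentials to an etcd that still requires them. On a fresh host etcd is used with no authentication at all, so access to the etcd client port has to be restricted by other means. I would record this in the role README, or add a comment above the first task such as `# etcd auth is not managed by this role: credentials are reset to empty on every run; restrict access to the etcd client port`. The first task's `- name:` line sits above the hunk, so that comment would go outside the visible lines.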
@@ -87,20 +87,6 @@ notify: - restart tendrl-monitoring-integration -- name: Configure etcd username and password in monitoring-integration.conf.yaml - lineinfile: - dest: /etc/tendrl/monitoring-integration/monitoring-integration.conf.yaml - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - regexp: '^#? *etcd_username:.*' - line: "etcd_username: root" - - regexp: '^#? *etcd_password:.*' - line: "etcd_password: {{ lookup('password', 'etcd_root_passwd') }}" - notify: - - restart tendrl-monitoring-integration - when: etcd_authentication == True - - name: Configure grafana admin password in monitoring-integration.conf.yaml lineinfile: dest: /etc/tendrl/monitoring-integration/monitoring-integration.conf.yaml diff --git a/roles/tendrl-server/tasks/tendrl-node-agent.yml b/roles/tendrl-server/tasks/tendrl-node-agent.yml index f0db56f..1c21d25 100644 --- a/roles/tendrl-server/tasks/tendrl-node-agent.yml +++ b/roles/tendrl-server/tasks/tendrl-node-agent.yml @@ -18,20 +18,6 @@ notify: - restart tendrl-node-agent -- name: Configure etcd username and password in node-agent.conf.yaml - lineinfile: - dest: /etc/tendrl/node-agent/node-agent.conf.yaml - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - regexp: '^#? *etcd_username:.*' - line: "etcd_username: root" - - regexp: '^#? *etcd_password:.*' - line: "etcd_password: {{ lookup('password', 'etcd_root_passwd') }}" - notify: - - restart tendrl-node-agent - when: etcd_authentication == True - - name: Configure graphite_port in node-agent.conf.yaml (only when needed) lineinfile: dest: /etc/tendrl/node-agent/node-agent.conf.yaml diff --git a/roles/tendrl-storage-node/README.md b/roles/tendrl-storage-node/README.md index d926de9..13e1e96 100644 --- a/roles/tendrl-storage-node/README.md +++ b/roles/tendrl-storage-node/README.md 
@@ -21,15 +21,6 @@ Role Variables instance. Specifying this variable is mandatory as there is no default value. - * When `etcd_authentication` variable is undefined or set to `False` (which - is the default value), ansible tasks which - configures etcd credentials will be just skipped. - In other words, **this role can't disable or reconfigure etcd - authentication, it can only skip auth config tasks**. - - When the value of `etcd_authentication` is `True`, this role will specify - etcd username and password in tendrl config files. - Note that values specified in variables of this role need to match variables of *Tendrl Server* role. diff --git a/roles/tendrl-storage-node/defaults/main.yml b/roles/tendrl-storage-node/defaults/main.yml index 1c76d32..537dca0 100644 --- a/roles/tendrl-storage-node/defaults/main.yml +++ b/roles/tendrl-storage-node/defaults/main.yml @@ -1,3 +1,2 @@ --- # defaults file for tendrl-node -etcd_authentication: False diff --git a/roles/tendrl-storage-node/tasks/tendrl-node-agent.yml b/roles/tendrl-storage-node/tasks/tendrl-node-agent.yml index 032f810..04ccc25 100644 --- a/roles/tendrl-storage-node/tasks/tendrl-node-agent.yml +++ b/roles/tendrl-storage-node/tasks/tendrl-node-agent.yml 
@@ -18,36 +18,6 @@ notify: - restart tendrl-node-agent -- name: Detection if etcd_root_passwd (ansible password lookup file) exists - local_action: stat path=etcd_root_passwd - register: stat_etcd_root_passwd - run_once: True - when: etcd_authentication == True - -- name: Make sure that etcd_root_passwd (ansible password lookup file) exists - fail: - msg: - - "to configure etcd credentials in tendrl config files, etcd_root_passwd (ansible password lookup) file is required" - - "since etcd_root_passwd is missing, we can't continue" - - "under normal conditions, etcd_root_passwd is created by ansible when tendrl-server role is executed" - when: etcd_authentication == True and stat_etcd_root_passwd['stat']['exists'] == False - run_once: True - delegate_to: localhost - -- name: Configure etcd username and password in node-agent.conf.yaml - lineinfile: - dest: /etc/tendrl/node-agent/node-agent.conf.yaml - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - regexp: '^#? *etcd_username:.*' - line: "etcd_username: root" - - regexp: '^#? *etcd_password:.*' - line: "etcd_password: {{ lookup('password', 'etcd_root_passwd') }}" - notify: - - restart tendrl-node-agent - when: etcd_authentication == True - - name: Enable tendrl-node-agent service service: name=tendrl-node-agent