[elasticsearch] Support password reset in EL v8.x

(cherry picked from commit 830ca14)
debops · Jan 5, 2024 · 5f7053b · 5f7053b
1 parent a963c00
commit 5f7053b
Show file tree

Hide file tree

Showing 6 changed files with 122 additions and 33 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -33,6 +33,14 @@ General
   to the :command:`syslog` service. Use the ``--verbose`` or ``-v`` flag to
   enable log output on the console.
 
+Changed
+~~~~~~~
+
+:ref:`debops.elasticsearch` role
+''''''''''''''''''''''''''''''''
+
+- The role now supports new Elasticsearch v8.x password management mechanism.
+
 
 `debops v3.1.0`_ - 2023-11-29
 -----------------------------

diff --git a/ansible/roles/elasticsearch/tasks/authentication.yml b/ansible/roles/elasticsearch/tasks/authentication.yml
@@ -50,35 +50,3 @@
   delegate_to: 'localhost'
   when: elasticsearch__register_builtin_users.stdout_lines | d()
   no_log: '{{ debops__no_log | d(True) }}'
-
-- name: Manage native roles in Elasticsearch
-  ansible.builtin.uri:
-    url: '{{ elasticsearch__api_base_url + "/_security/role/" + item.name }}'
-    method:      '{{ "DELETE" if (item.state | d("present") in ["absent"]) else "POST" }}'
-    body_format: '{{ omit if (item.state | d("present") in ["absent"]) else "json" }}'
-    body:        '{{ omit if (item.state | d("present") in ["absent"]) else (item.data | to_json) }}'
-    status_code: '{{ ["200", "404"] if (item.state | d("present") in ["absent"]) else "200" }}'  # noqa args[module]
-    user: "{{ elasticsearch__api_username }}"
-    password: "{{ elasticsearch__api_password }}"
-    force_basic_auth: True
-  loop: '{{ elasticsearch__combined_native_roles | debops.debops.parse_kv_items }}'
-  loop_control:
-    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
-  when: elasticsearch__api_base_url and item.state | d('present') not in ['init', 'ignore']
-  no_log: '{{ debops__no_log | d(True) }}'
-
-- name: Manage native users in Elasticsearch
-  ansible.builtin.uri:
-    url: '{{ elasticsearch__api_base_url + "/_security/user/" + item.name }}'
-    method:      '{{ "DELETE" if (item.state | d("present") in ["absent"]) else "POST" }}'
-    body_format: '{{ omit if (item.state | d("present") in ["absent"]) else "json" }}'
-    body:        '{{ omit if (item.state | d("present") in ["absent"]) else (item.data | to_json) }}'
-    status_code: '{{ ["200", "404"] if (item.state | d("present") in ["absent"]) else "200" }}'  # noqa args[module]
-    user: "{{ elasticsearch__api_username }}"
-    password: "{{ elasticsearch__api_password }}"
-    force_basic_auth: True
-  loop: '{{ elasticsearch__combined_native_users | debops.debops.parse_kv_items }}'
-  loop_control:
-    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
-  when: elasticsearch__api_base_url and item.state | d('present') not in ['init', 'ignore']
-  no_log: '{{ debops__no_log | d(True) }}'
diff --git a/ansible/roles/elasticsearch/tasks/authentication_v8.yml b/ansible/roles/elasticsearch/tasks/authentication_v8.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check status of built-in users via Elasticsearch API
+  ansible.builtin.uri:
+    url: '{{ elasticsearch__api_base_url + "/_security/user/elastic" }}'
+    user: "{{ elasticsearch__api_username }}"
+    password: "{{ elasticsearch__api_password }}"
+    force_basic_auth: True
+    method: 'GET'
+    status_code: [ '200', '401' ]
+  register: elasticsearch__register_api_builtin_users
+  until: elasticsearch__register_api_builtin_users.status in [200, 401]
+  retries: 10
+  delay: 5
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Set passwords for built-in Elasticsearch user accounts
+  ansible.builtin.include_tasks: 'reset_password.yml'
+  loop:
+    - 'elastic'
+    - 'kibana_system'
+    - 'logstash_system'
+    - 'beats_system'
+    - 'apm_system'
+    - 'remote_monitoring_user'
+  when: ((not (ansible_local.elasticsearch.configured | d()) | bool) or
+         elasticsearch__register_api_builtin_users.status == 401)
diff --git a/ansible/roles/elasticsearch/tasks/main.yml b/ansible/roles/elasticsearch/tasks/main.yml
@@ -186,7 +186,19 @@
 - name: Ensure that Elasticsearch is restarted
   ansible.builtin.meta: 'flush_handlers'
 
-- name: Manage Elasticsearch authentication
+- name: Manage Elasticsearch authentication (old)
   ansible.builtin.import_tasks: 'authentication.yml'
   run_once: True
+  when: elasticsearch__version is version("8.0", "<") and
+        elasticsearch__xpack_enabled | bool and elasticsearch__pki_enabled | bool
+
+- name: Manage Elasticsearch authentication (new)
+  ansible.builtin.import_tasks: 'authentication_v8.yml'
+  run_once: True
+  when: elasticsearch__version is version("8.0", ">=") and
+        elasticsearch__xpack_enabled | bool and elasticsearch__pki_enabled | bool
+
+- name: Manage Elasticsearch roles and users
+  ansible.builtin.import_tasks: 'roles_users.yml'
+  run_once: True
   when: elasticsearch__xpack_enabled | bool and elasticsearch__pki_enabled | bool
diff --git a/ansible/roles/elasticsearch/tasks/reset_password.yml b/ansible/roles/elasticsearch/tasks/reset_password.yml
@@ -0,0 +1,35 @@
+---
+# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Initialize password for user account '{{ item }}'
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit &&
+    bin/elasticsearch-reset-password --username {{ item }} --batch --silent
+  args:
+    executable: 'bash'
+    chdir: '/usr/share/elasticsearch'
+  register: elasticsearch__register_builtin_password
+  changed_when: elasticsearch__register_builtin_password.stdout != ''
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Create required directories on Ansible Controller
+  ansible.builtin.file:
+    path: '{{ secret + "/elasticsearch/credentials/built-in/" + item }}'
+    state: 'directory'
+    mode: '0755'
+  become: False
+  delegate_to: 'localhost'
+  when: elasticsearch__register_builtin_password.stdout_lines | d()
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Save generated password of account '{{ item }}'
+  ansible.builtin.copy:
+    content: '{{ elasticsearch__register_builtin_password.stdout }}'
+    dest: '{{ secret + "/elasticsearch/credentials/built-in/" + item + "/password" }}'
+    mode: '0644'
+  become: False
+  delegate_to: 'localhost'
+  when: elasticsearch__register_builtin_password.stdout | d()
+  no_log: '{{ debops__no_log | d(True) }}'
diff --git a/ansible/roles/elasticsearch/tasks/roles_users.yml b/ansible/roles/elasticsearch/tasks/roles_users.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage native roles in Elasticsearch
+  ansible.builtin.uri:
+    url: '{{ elasticsearch__api_base_url + "/_security/role/" + item.name }}'
+    method:      '{{ "DELETE" if (item.state | d("present") in ["absent"]) else "POST" }}'
+    body_format: '{{ omit if (item.state | d("present") in ["absent"]) else "json" }}'
+    body:        '{{ omit if (item.state | d("present") in ["absent"]) else (item.data | to_json) }}'
+    status_code: '{{ ["200", "404"] if (item.state | d("present") in ["absent"]) else "200" }}'  # noqa args[module]
+    user: "{{ elasticsearch__api_username }}"
+    password: "{{ elasticsearch__api_password }}"
+    force_basic_auth: True
+  loop: '{{ elasticsearch__combined_native_roles | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: elasticsearch__api_base_url and item.state | d('present') not in ['init', 'ignore']
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Manage native users in Elasticsearch
+  ansible.builtin.uri:
+    url: '{{ elasticsearch__api_base_url + "/_security/user/" + item.name }}'
+    method:      '{{ "DELETE" if (item.state | d("present") in ["absent"]) else "POST" }}'
+    body_format: '{{ omit if (item.state | d("present") in ["absent"]) else "json" }}'
+    body:        '{{ omit if (item.state | d("present") in ["absent"]) else (item.data | to_json) }}'
+    status_code: '{{ ["200", "404"] if (item.state | d("present") in ["absent"]) else "200" }}'  # noqa args[module]
+    user: "{{ elasticsearch__api_username }}"
+    password: "{{ elasticsearch__api_password }}"
+    force_basic_auth: True
+  loop: '{{ elasticsearch__combined_native_users | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: elasticsearch__api_base_url and item.state | d('present') not in ['init', 'ignore']
+  no_log: '{{ debops__no_log | d(True) }}'