-
Notifications
You must be signed in to change notification settings - Fork 852
Proposed Xpack Design for Ansible Role #124
Comments
Modifying above for shield configs. Proposing that configs be realm specific.
This largely avoids any custom formats to parse. Discussion as to where these files should live. /templates seems appropriate as some need to be copied but they also need modifying. |
I understand your hesitation about using external module, and I don't have actually a strong opinion on this. But what I like with modules, is the idempotence. For XPACK support, I think it's a good idea. The directory structure is clear. The bad point (in my opionion) is that we will obliged to put configuration in different files. This is good for system administration, but I don't think if it'll ease the playbook usage. Here is what I'm actually doing in our environment: ES users to createes_users:
- user: kibana4_server
roles:
- kibana4_server
- user: my_second_user
roles:
- my_role_1
- my_role_2 ES roles to createes_roles:
- name: my_kibana_user
cluster: ['monitor']
indices:
- { 'names': ['*'], 'privileges': ['view_index_metadata', 'read'] }
- { 'names': ['.kibana*'], 'privileges': ['all'] }
- name: my_role_1
cluster: ['all']
indices:
- { 'names': ['exemple_1_*'], 'privileges': ['all'] }
- name: my_role_2
cluster: ['all']
indices:
- { 'names': ['exemple_2_*'], 'privileges': ['all'] } These vars are in the REST format of shield role and user you talked about. Shield configurationI wrote directly into |
@barryib any implementation defn needs to be idempotent. I suspect we will use the ansible elasticsearch-plugin module for actual installation therefore. Any configuration will likely be done separately however - and again should be idempotent. I like the above format and the idea of centralising all users and roles in two single variables. Maybe we add for each role/user a realm variable to indicate how it should be processed? The alternative is the above format but es_users_native and es_users_file for example. Other thoughts:
|
@barryib what about - similar structure for roles as well.
|
Humm, I like that I think I didn't correctly understand your point with the directory structure:
I just figured out that you were talking about task files. I thought that you were talking about vars structure. My bad. LGTM |
Ok @barryib lets go with that. It makes it easy to manage other realms as we add them. Same for roles. Its worth noting that roles aren't actually associated with a realm - it will just effect the way they are added. We can treat the role_mapping.yml file as a variable as well this way. |
Yes @gingerwizard, absolutely. For role mapping we can use something like this: # ES roles mapping
es_roles_mapping:
admin:
- "CN=GDL-APP-ES-ADMIN,ou=ELASTICSEARCH,ou=APPLI,ou=GROUPS"
user:
- "CN=GDL-APP-ES-USER,ou=ELASTICSEARCH,ou=APPLI,ou=GROUPS"
kibana4:
- "CN=GDL-APP-ES-KIBANA-USER,ou=ELASTICSEARCH,ou=APPLI,ou=GROUPS" And I use |
I will make a pull request hopefully today with shield and xpack support. |
Awesome. +1000 Regards, Le 24 juil. 2016 16:16, "Dale McDiarmid" notifications@github.com a
|
Merged in #129 |
The following proposes a design for XPack support in the role. This should allow us to handle plugins in the future which have similar complexity to shield. Feedback requested.
The XPack role will be limited to ES 2.3+ due to Shield changes. This implemented the native realm and renamed the esusers realm to file. Configuration for the xpack will be defined under the "files" directory of the role, with a subdirectory per plugin e.g.
/files/xpack/shield
/files/xpack/watcher
/files/xpack/marvel-agent
/files/xpack/license.txt - contains license details. Loaded if presence.
If a global param
xpack_plugins
will be provided where the user can list the plugins to be installed. If not empty, we will install the license plugin (and load the license from license.txt). The relevant directories above will in turn be processed.Any relevant templates to adhere to a similar structure.
Shield
Initially proposing supporting the file and native based realms only. Other realms should be relatively easy to add.
For shield, I'm hesitant to user external modules such as this. These would introduce a dependency we then rely on and have to maintain.
The feature would where possible use core ansible modules, but will likely require some python with accompanying tests.
Under files/xpack/shield sub directory i propose a the following configuration files:
The feature would consume the following 3 files:
Other plugins
Initially the feature would just install the plugins requested. Custom actions per plugin TBD.
The text was updated successfully, but these errors were encountered: