[kibana] Use new Elasticsearch password scheme
drybjed committed Jan 12, 2024
1 parent 8b734f3 commit 4e4a48b
Showing 3 changed files with 48 additions and 6 deletions.
11 changes: 11 additions & 0 deletions CHANGELOG.rst
@@ -50,6 +50,17 @@ Changed
will reset the Elasticsearch built-in users passwords
automatically. This might result in data loss.

:ref:`debops.kibana` role
'''''''''''''''''''''''''

- The path to the password file stored in :file:`ansible/secret/` subdirectory
is now configurable using a variable.

- The role uses new per-cluster Elasticsearch passwords by default. This is
done using a separate :envvar:`kibana__elasticsearch_cluster_name` variable,
which needs to be synchronized with the Elasticsearch configuration via
Ansible inventory (Kibana can be installed separately from Elasticsearch).


`debops v3.1.0`_ - 2023-11-29
-----------------------------
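Review bot: the first bullet of the new debops.kibana entry says the password file path "is now configurable using a variable" without naming it; the other files in this commit introduce kibana__elasticsearch_secret_path, so name it here the way the second bullet names kibana__elasticsearch_cluster_name. The entry also needs an upgrade note: existing deployments keep the Kibana password under the old secret/elasticsearch/credentials/built-in/<username>/password path, while the new default looks under elasticsearch/credentials/<cluster_name>/built-in/, so after upgrading the file has to be moved or copied to the new location (or kibana__elasticsearch_secret_path pointed at the old one), otherwise the role will not be able to authenticate Kibana against the cluster. The debops.elasticsearch entry just above flags its own password-reset impact; this change deserves the same kind of warning.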
23 changes: 21 additions & 2 deletions ansible/roles/kibana/defaults/main.yml
@@ -156,6 +156,14 @@ kibana__elasticsearch_url: 'http://localhost:9200'
# This variable is used on Kibana >= 7.0.0.
kibana__elasticsearch_hosts: [ 'http://localhost:9200' ]

# ]]]
# .. envvar:: kibana__elasticsearch_cluster_name [[[
#
# Name of the Elasticsearch cluster, used to lookup passwords in the
# :ref:`debops.secret` subdirectory. This variable should be synchronized with
# the :envvar:`elasticsearch__cluster_name` variable using Ansible inventory.
kibana__elasticsearch_cluster_name: '{{ kibana__domain | replace(".", "-") }}'

# ]]]
# .. envvar:: kibana__elasticsearch_username [[[
#
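Review bot: the default for kibana__elasticsearch_cluster_name is derived from kibana__domain, but the comment only says the variable "should be synchronized" with elasticsearch__cluster_name. Because the value becomes a path component under the secret directory, the comment should say how the default on the Elasticsearch side is derived, so that a user running Kibana on a host with a different domain can tell whether the two defaults still agree, and state that any non-default cluster name has to be set identically for both roles in the inventory. Minor wording: "used to lookup passwords" should read "used to look up passwords".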
@@ -167,15 +175,26 @@ kibana__elasticsearch_username: '{{ ""
if (kibana__version is version("7.0.0", "<"))
else "kibana_system") }}'

# ]]]
# .. envvar:: kibana__elasticsearch_secret_path [[[
#
# Path to the Elasticsearch passwords stored in the :ref:`debops.secret`
# directory. It should be synchronized with :envvar:`elasticsearch__secret_path`
# variable for best results.
kibana__elasticsearch_secret_path: '{{ "elasticsearch/credentials/"
+ kibana__elasticsearch_cluster_name
+ "/built-in" }}'

# ]]]
# .. envvar:: kibana__elasticsearch_password [[[
#
# The password used by Kibana for internal maintenance on password-protected
# Elasticsearch clusters.
kibana__elasticsearch_password: '{{ ""
if (kibana__elasticsearch_hosts[0].startswith("http://"))
else (lookup("password", secret + "/elasticsearch/credentials/"
+ "built-in/" + kibana__elasticsearch_username
else (lookup("password", secret + "/"
+ kibana__elasticsearch_secret_path + "/"
+ kibana__elasticsearch_username
+ "/password")) }}'

# ]]]
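Review bot: a wrong cluster name or secret path fails silently in the new kibana__elasticsearch_password expression. The Ansible password lookup generates a new random password and writes the file when the given path does not exist, so if kibana__elasticsearch_secret_path does not match the path the debops.elasticsearch role used, this lookup quietly creates a fresh password for kibana__elasticsearch_username under the new path, the cluster then rejects Kibana's login, and nothing in the Ansible run points at the cause. Consider having the role check that secret + "/" + kibana__elasticsearch_secret_path + "/" + kibana__elasticsearch_username + "/password" exists before this value is used, failing with a message that names the expected path, or at least document this behaviour in the comment above kibana__elasticsearch_password. Related: the comment on kibana__elasticsearch_secret_path says it should match elasticsearch__secret_path "for best results", which understates the requirement; if the two differ, authentication does not work at all.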
20 changes: 16 additions & 4 deletions docs/ansible/roles/kibana/getting-started.rst
@@ -44,10 +44,22 @@ the Elasticsearch cluster.
If the first host used for connections to the Elasticsearch cluster uses
a ``https://`` connection, Kibana will try to use the ``kibana_system``
Elasticsearch user account and password stored in the
:file:`secret/elasticsearch/credentials/` directory (managed by the
:ref:`debops.secret` role) to authorize itself with the cluster and set up its
own configuration. After that, you can use other users (notably ``elastic``
superuser account) to access the web interface.
:file:`secret/elasticsearch/credentials/<cluster_name>/built-in/kibana_system/password`
file (managed by the :ref:`debops.secret` role) to authorize itself with the
cluster and set up its own configuration. After that, you can use other users
(notably ``elastic`` superuser account) to access the web interface.

.. note:: Make sure that the Elasticsearch cluster name specified via the
:envvar:`elasticsearch__cluster_name` variable is synchronized with
the :envvar:`kibana__elasticsearch_cluster_name` variable in the
inventory. Otherwise, the :ref:`debops.kibana` role might not find
the correct password file and will not connect with the Elasticsearch
cluster.

The reason for doing it this way is that Kibana can be installed
separately from Elasticsearch (on separate hosts), and there's no way
for the :ref:`debops.kibana` role to find out the correct cluster
name on its own, if it's not the default.

You can install additional plugins that provide encrypted connections,
authentication, authorization and access control:
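Review bot: the new note says that with a mismatched cluster name the role "might not find the correct password file"; since kibana__elasticsearch_password uses the password lookup, which creates a new file when none exists, the actual effect is that the role silently generates a new kibana_system password under the wrong path and the cluster rejects Kibana's login. The note should say that plainly so that someone debugging an authentication failure knows where to look. Two smaller points: the page now shows the <cluster_name> path component but never mentions kibana__elasticsearch_secret_path, which is the variable to set when the Elasticsearch side stores its secrets elsewhere; and "notably ``elastic`` superuser account" reads better as "notably the ``elastic`` superuser account".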

0 comments on commit 4e4a48b