From 8b734f3a36dde9f0ab68da02c70eb87ce01ff976 Mon Sep 17 00:00:00 2001
From: Maciej Delmanowski
Date: Fri, 12 Jan 2024 00:59:49 +0100
Subject: [PATCH] [elasticsearch] Separate passwords in clusters

---
 CHANGELOG.rst                                       |  9 +++++++++
 ansible/roles/elasticsearch/defaults/main.yml       | 13 +++++++++++--
 .../roles/elasticsearch/tasks/authentication.yml    |  4 ++--
 .../roles/elasticsearch/tasks/reset_password.yml    |  4 ++--
 .../ansible/roles/elasticsearch/getting-started.rst |  6 +++---
 5 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 274f140e4b..3dee4c9a4e 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -41,6 +41,15 @@ Changed
 
 - The role now supports new Elasticsearch v8.x password management mechanism.
 
+- The role can now manage passwords in separate Elasticsearch clusters defined
+  in one Ansible inventory.
+
+  .. warning:: Due to this change, Elasticsearch passwords stored in the
+               :file:`ansible/secret/` subdirectory will be read from a different
+               location. If passwords are not moved to the new location, role
+               will reset the Elasticsearch built-in users passwords
+               automatically. This might result in data loss.
+
 `debops v3.1.0`_ - 2023-11-29
 -----------------------------
 
diff --git a/ansible/roles/elasticsearch/defaults/main.yml b/ansible/roles/elasticsearch/defaults/main.yml
index 5fe196617f..07b49a1c78 100644
--- a/ansible/roles/elasticsearch/defaults/main.yml
+++ b/ansible/roles/elasticsearch/defaults/main.yml
@@ -251,13 +251,22 @@ elasticsearch__api_base_url: '{{ "https://" + ansible_fqdn + ":9200" }}'
 # ``elastic`` user account has superuser privileges.
 elasticsearch__api_username: 'elastic'
 
+                                                                   # ]]]
+# .. envvar:: elasticsearch__secret_path [[[
+#
+# Path to the directory in the :ref:`debops.secret` storage where passwords of
+# Elastcisearch built-in users will be stored.
+elasticsearch__secret_path: '{{ "elasticsearch/credentials/"
+                                + elasticsearch__cluster_name + "/built-in" }}'
+
                                                                    # ]]]
 # .. envvar:: elasticsearch__api_password [[[
 #
 # The password used to access the Elasticsearch API, stored in the
 # :file:`secret/` directory, managed by the :ref:`debops.secret` Ansible role.
-elasticsearch__api_password: '{{ lookup("password", secret + "/elasticsearch/credentials/"
-                                 + "built-in/" + elasticsearch__api_username + "/password") }}'
+elasticsearch__api_password: '{{ lookup("password", secret + "/"
+                                 + elasticsearch__secret_path + "/"
+                                 + elasticsearch__api_username + "/password") }}'
                                                                    # ]]]
 # .. envvar:: elasticsearch__native_roles [[[
diff --git a/ansible/roles/elasticsearch/tasks/authentication.yml b/ansible/roles/elasticsearch/tasks/authentication.yml
index b849cd96f5..1e1926933b 100644
--- a/ansible/roles/elasticsearch/tasks/authentication.yml
+++ b/ansible/roles/elasticsearch/tasks/authentication.yml
@@ -31,7 +31,7 @@
 
 - name: Create required directories on Ansible Controller
   ansible.builtin.file:
-    path: '{{ secret + "/elasticsearch/credentials/built-in/" + item.split()[0] }}'
+    path: '{{ secret + "/" + elasticsearch__secret_path + "/" + item.split()[0] }}'
     state: 'directory'
     mode: '0755'
   loop: '{{ elasticsearch__register_builtin_users.stdout_lines }}'
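Review bot: `elasticsearch__secret_path` splices `elasticsearch__cluster_name` directly into a filesystem path under `secret`, and nothing in the hunk constrains that value, so a cluster name containing `/` or `..` would put the password files somewhere other than the intended `elasticsearch/credentials/` tree; the comment should state that the name must be a single path component, or the value should be normalised before use. Related, `lookup("password", ...)` in `elasticsearch__api_password` generates a new random password when no file exists at the path, which is exactly what turns a path change into the automatic reset the CHANGELOG warns about, so a why-comment such as `# Changing this path without moving existing secret files regenerates the passwords` next to the definition would make that visible to operators editing the variable. The new comment also misspells `Elastcisearch`; change it to `Elasticsearch`. The same path expression is then repeated verbatim in the four task hunks in authentication.yml and reset_password.yml.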
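Review bot: The directory at the new `path` is created with `mode: '0755'`, and the next hunk writes the password files into it with `mode: '0644'`, so the built-in users' credentials (including the `elastic` superuser) end up readable by every local account on the Ansible Controller unless a parent directory is more restrictive. Since the commit already moves these files to a new location, it is a natural point to tighten this to `mode: '0700'` for the directory and `mode: '0600'` for the password files. The `become`/`delegate_to` lines that complete this task lie outside the hunk.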
@@ -43,7 +43,7 @@
 - name: Save generated user passwords on Ansible Controller
   ansible.builtin.copy:
     content: '{{ item.split()[1] }}'
-    dest: '{{ secret + "/elasticsearch/credentials/built-in/" + item.split()[0] + "/password" }}'
+    dest: '{{ secret + "/" + elasticsearch__secret_path + "/" + item.split()[0] + "/password" }}'
     mode: '0644'
   loop: '{{ elasticsearch__register_builtin_users.stdout_lines }}'
   become: False
diff --git a/ansible/roles/elasticsearch/tasks/reset_password.yml b/ansible/roles/elasticsearch/tasks/reset_password.yml
index f273f8ba55..9f43897c2a 100644
--- a/ansible/roles/elasticsearch/tasks/reset_password.yml
+++ b/ansible/roles/elasticsearch/tasks/reset_password.yml
@@ -16,7 +16,7 @@
 
 - name: Create required directories on Ansible Controller
   ansible.builtin.file:
-    path: '{{ secret + "/elasticsearch/credentials/built-in/" + item }}'
+    path: '{{ secret + "/" + elasticsearch__secret_path + "/" + item }}'
     state: 'directory'
     mode: '0755'
   become: False
@@ -27,7 +27,7 @@
 - name: Save generated password of account '{{ item }}'
   ansible.builtin.copy:
     content: '{{ elasticsearch__register_builtin_password.stdout }}'
-    dest: '{{ secret + "/elasticsearch/credentials/built-in/" + item + "/password" }}'
+    dest: '{{ secret + "/" + elasticsearch__secret_path + "/" + item + "/password" }}'
     mode: '0644'
   become: False
   delegate_to: 'localhost'
diff --git a/docs/ansible/roles/elasticsearch/getting-started.rst b/docs/ansible/roles/elasticsearch/getting-started.rst
index 72ad42c984..4d08ed1a68 100644
--- a/docs/ansible/roles/elasticsearch/getting-started.rst
+++ b/docs/ansible/roles/elasticsearch/getting-started.rst
@@ -49,9 +49,9 @@ With secure cluster communication over TLS, the :ref:`debops.elasticsearch` role can use the Elasticsearch API to manage user accounts and role definitions in the cluster. A default set of `built-in users`__ will be created automatically; passwords of these users will be stored in the -:file:`secret/elasticsearch/credentials/built-in/` directory on the Ansible -Controller (managed by the :ref:`debops.secret` role). After that, with the -base URL of the Elasticsearch API set in the +:file:`secret/elasticsearch/credentials//built-in/` directory on +the Ansible Controller (managed by the :ref:`debops.secret` role). After that, +with the base URL of the Elasticsearch API set in the :envvar:`elasticsearch__api_base_url` variable, the role can manage Elasticsearch roles and user accounts using the ``elastic`` superuser account.