From d7efa2048a9180c771c32fb086750f3f905c129d Mon Sep 17 00:00:00 2001 From: Aeva Black <806320+AevaOnline@users.noreply.github.com> Date: Thu, 27 Jun 2019 13:53:23 -0700 Subject: [PATCH 01/35] Add SSL/TLS support This commit introduces SSL/TLS support for the elastic search transport layer. It assumes certificates are generated externally, and only handles uploading and configuring the server accordingly. --- defaults/main.yml | 8 ++++++++ tasks/elasticsearch-ssl.yml | 23 +++++++++++++++++++++++ tasks/main.yml | 3 +++ templates/elasticsearch.yml.j2 | 19 +++++++++++++++++++ 4 files changed, 53 insertions(+) create mode 100644 tasks/elasticsearch-ssl.yml diff --git a/defaults/main.yml b/defaults/main.yml index 02ae64da..7bedaecb 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -40,3 +40,11 @@ es_debian_startup_timeout: 10 # JVM custom parameters es_jvm_custom_parameters: '' + +# SSL/TLS parameters +es_enable_http_ssl: false +es_enable_transport_ssl: false +es_ssl_key: "" +es_ssl_certificate: "" +es_ssl_certificate_authority: "" +es_ssl_certificate_path: "/etc/elasticsearch/certs" diff --git a/tasks/elasticsearch-ssl.yml b/tasks/elasticsearch-ssl.yml new file mode 100644 index 00000000..7447c3c6 --- /dev/null +++ b/tasks/elasticsearch-ssl.yml 
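Review bot: The new `es_ssl_key`, `es_ssl_certificate` and `es_ssl_certificate_authority` defaults carry no comment saying what they hold, and the tasks that consume them (`copy: src:` with no `remote_src`, and a `stat` on `{{ role_path }}/files/{{ es_ssl_certificate_authority }}`) treat them as controller-side paths, so a reader who sets `es_ssl_key: /etc/ssl/private/node.key` from the name alone points `copy` at a file that does not exist on the controller. I would put `# Controller-side paths (resolved like copy's src, i.e. relative to files/) of the PEM key, certificate and CA to upload` above `es_ssl_key`, and mark `es_ssl_certificate_path` as the only path that refers to the target host. Since the private key is written into that directory, the expected ownership and mode of the uploaded files are worth stating next to it as well.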
@@ -0,0 +1,23 @@ +--- +- name: ensure certificate directory exists + file: + dest: "{{ es_ssl_certificate_path }}" + state: directory + +- name: Upload HTTP SSL/TLS certificates + copy: + src: "{{ item }}" + dest: "{{ es_ssl_certificate_path }}/{{ item | basename }}" + with_items: + - "{{ es_ssl_key }}" + - "{{ es_ssl_certificate }}" + when: es_enable_http_ssl|bool or es_enable_transport_ssl|bool + +- local_action: stat path="{{ role_path }}/files/{{ es_ssl_certificate_authority }}" + register: es_cafile + +- name: Upload SSL Certificate Authority + copy: + src: "{{ es_ssl_certificate_authority }}" + dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}" + when: es_cafile.stat.exists|bool and es_cafile.stat.isreg|bool diff --git a/tasks/main.yml b/tasks/main.yml index c41ab6ea..a6ec005c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -51,6 +51,9 @@ tags: - xpack +- name: include ssl.yml + include: elasticsearch-ssl.yml + - name: flush handlers meta: flush_handlers diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index 47346edc..d0ba57b2 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 
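Review bot: Neither the `file: state: directory` task nor the `copy` task that uploads `es_ssl_key` sets `owner`, `group` or `mode`, so the private key is written with the connecting user's umask (typically 0644) and owned by that user rather than the Elasticsearch service account, which may then either be unable to read it or share it with every local user. Add `mode: "0600"` (and `"0750"` on the directory) plus `owner`/`group` set to the service account the role installs as (its `es_user`/`es_group` variables, if those are the names the role uses) to the key copy, and the same ownership to the directory and certificate copies; `no_log: true` on the key copy also keeps the key out of `--diff` output. The same omission is carried through every rewrite of this file in patches 02, 05 and 10.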
@@ -55,3 +55,22 @@ xpack.notification.email: password: {{ es_mail_config['pass'] }} {% endif %} {% endif %} + +{% if es_enable_http_ssl | bool %} +xpack.security.http.ssl.enabled: true +xpack.security.http.ssl.key: "{{ es_ssl_certificate_path }}/{{ es_ssl_key | basename }}" +xpack.security.http.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate | basename }}" +#xpack.security.http.ssl.client_authentication: optional +{% if es_ssl_certificate_authority %} +xpack.security.http.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}" +{% endif %} +{% else %} +# xpack.security.http.ssl.enabled: false +{% endif %} + +{% if es_enable_transport_ssl | bool %} +xpack.security.transport.ssl.enabled: true +#xpack.security.transport.ssl.verification_mode: certificate +{% else %} +# xpack.security.transport.ssl.enabled: false +{% endif %} From 45ef5a467c741fa6180e9cecb079870bee7ae1e6 Mon Sep 17 00:00:00 2001 From: Nathan Young Date: Fri, 11 Oct 2019 16:09:05 +0100 Subject: [PATCH 02/35] Add SSL keystore and truststore --- defaults/main.yml | 3 +++ tasks/elasticsearch-parameters.yml | 7 +++++++ tasks/elasticsearch-ssl.yml | 18 +++++++++++++----- tasks/main.yml | 3 ++- templates/elasticsearch.yml.j2 | 18 ++++++++++++++++-- 5 files changed, 41 insertions(+), 8 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 08ab9627..2b4fe3a2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -45,7 +45,10 @@ es_jvm_custom_parameters: '' # SSL/TLS parameters es_enable_http_ssl: false es_enable_transport_ssl: false +es_ssl_keystore: "" +es_ssl_truststore: "" es_ssl_key: "" es_ssl_certificate: "" es_ssl_certificate_authority: "" es_ssl_certificate_path: "/etc/elasticsearch/certs" +es_ssl_verification_mode: "certificate" diff --git a/tasks/elasticsearch-parameters.yml b/tasks/elasticsearch-parameters.yml index 36c3fe13..b25e4f34 100644 --- a/tasks/elasticsearch-parameters.yml 
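Review bot: `es_ssl_verification_mode: "certificate"` in the defaults/main.yml hunk is weaker than Elasticsearch's own default of `full`: it validates the chain but not that the certificate matches the peer's hostname, so any certificate issued by the trusted CA is accepted for any node. Unless the role has a reason to relax this, default to `"full"`, or keep `"certificate"` and state the trade-off with `# "certificate" checks the chain only; set "full" to also verify hostnames (each node cert then needs matching SANs)`. The new `es_ssl_keystore`/`es_ssl_truststore` variables also arrive without any comment on what format or password handling is expected.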
+++ b/tasks/elasticsearch-parameters.yml @@ -17,6 +17,13 @@ - es_api_basic_auth_username is not defined - es_api_basic_auth_password is not defined +- name: fail when ssl enabled without defining a key and certificate + fail: msg="Enabling SSL/TLS (es_enable_http_ssl or es_enable_transport_ssl) requires es_ssl_keystore and es_ssl_truststore or es_ssl_key and es_ssl_certificate to be provided" + when: + - es_enable_http_ssl or es_enable_transport_ssl + - (es_ssl_key == "" or es_ssl_certificate == "") + - (es_ssl_keystore == "" or es_ssl_truststore == "") + - name: set fact file_reserved_users set_fact: file_reserved_users={{ es_users.file.keys() | list | intersect (reserved_xpack_users) }} when: es_users is defined and es_users.file is defined and (es_users.file.keys() | list | length > 0) and (es_users.file.keys() | list | intersect (reserved_xpack_users) | length > 0) diff --git a/tasks/elasticsearch-ssl.yml b/tasks/elasticsearch-ssl.yml index 7447c3c6..0ded5dc5 100644 --- a/tasks/elasticsearch-ssl.yml +++ b/tasks/elasticsearch-ssl.yml 
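Review bot: The new `fail` task's first condition, `- es_enable_http_ssl or es_enable_transport_ssl`, tests the variables bare, so a value supplied as the string `"false"` (extra-vars, inventory) is truthy and the play aborts even though SSL is off. Write it `- es_enable_http_ssl | bool or es_enable_transport_ssl | bool`, matching the `| bool` style patches 09 and 10 apply elsewhere; the `when: es_enable_http_ssl or es_enable_transport_ssl` on the `include: elasticsearch-ssl.yml` task in this patch's tasks/main.yml hunk, still present after patch 10, has the same problem. The `fail: msg=...` free-form argument also differs from the block-style module arguments used by the neighbouring tasks; `fail:` with `msg:` beneath it would match.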
@@ -4,20 +4,28 @@ dest: "{{ es_ssl_certificate_path }}" state: directory -- name: Upload HTTP SSL/TLS certificates +- name: Upload SSL/TLS keystore and truststore copy: src: "{{ item }}" dest: "{{ es_ssl_certificate_path }}/{{ item | basename }}" with_items: - "{{ es_ssl_key }}" - "{{ es_ssl_certificate }}" - when: es_enable_http_ssl|bool or es_enable_transport_ssl|bool + when: es_ssl_keystore and es_ssl_truststore + register: copy_keystores -- local_action: stat path="{{ role_path }}/files/{{ es_ssl_certificate_authority }}" - register: es_cafile +- name: Upload SSL/TLS key and certificate + copy: + src: "{{ item }}" + dest: "{{ es_ssl_certificate_path }}/{{ item | basename }}" + with_items: + - "{{ es_ssl_key }}" + - "{{ es_ssl_certificate }}" + when: es_ssl_key and es_ssl_certificate + register: copy_certificates - name: Upload SSL Certificate Authority copy: src: "{{ es_ssl_certificate_authority }}" dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}" - when: es_cafile.stat.exists|bool and es_cafile.stat.isreg|bool + when: es_ssl_certificate_authority diff --git a/tasks/main.yml b/tasks/main.yml index f9d89758..e50ef34f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -53,8 +53,9 @@ tags: - xpack -- name: include ssl.yml +- name: include elasticsearch-ssl.yml include: elasticsearch-ssl.yml + when: es_enable_http_ssl or es_enable_transport_ssl - name: flush handlers meta: flush_handlers diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index f2171292..12e89fb2 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 
@@ -58,19 +58,33 @@ xpack.notification.email: {% if es_enable_http_ssl | bool %} xpack.security.http.ssl.enabled: true +{% if es_ssl_keystore and es_ssl_truststore %} +xpack.security.http.ssl.keystore.path: : "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}" +xpack.security.http.ssl.truststore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}" +{% elif es_ssl_key and es_ssl_certificate%} xpack.security.http.ssl.key: "{{ es_ssl_certificate_path }}/{{ es_ssl_key | basename }}" xpack.security.http.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate | basename }}" -#xpack.security.http.ssl.client_authentication: optional {% if es_ssl_certificate_authority %} xpack.security.http.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}" {% endif %} +{% endif %} {% else %} # xpack.security.http.ssl.enabled: false {% endif %} {% if es_enable_transport_ssl | bool %} xpack.security.transport.ssl.enabled: true -#xpack.security.transport.ssl.verification_mode: certificate +xpack.security.transport.ssl.verification_mode: {{ es_ssl_verification_mode }} +{% if es_ssl_keystore and es_ssl_truststore %} +xpack.security.transport.ssl.keystore.path: : "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}" +xpack.security.transport.ssl.truststore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}" +{% elif es_ssl_key and es_ssl_certificate%} +xpack.security.transport.ssl.key: "{{ es_ssl_certificate_path }}/{{ es_ssl_key | basename }}" +xpack.security.transport.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate | basename }}" +{% if es_ssl_certificate_authority %} +xpack.security.transport.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}" +{% endif %} +{% endif %} {% else %} # xpack.security.transport.ssl.enabled: false {% endif %} 
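Review bot: The new keystore branches render `xpack.security.transport.ssl.keystore.path` / `truststore.path` (and the http equivalents) but nothing supplies a keystore or truststore password; a PKCS12 store is normally password-protected, and Elasticsearch then needs `xpack.security.transport.ssl.keystore.secure_password` (plus the truststore and http counterparts) in its secure keystore before the node starts, which no hunk in this series adds. Either document that only password-less stores are supported, or add password variables and an `elasticsearch-keystore add` step for them. Separately, `keystore.path: :` carries a doubled colon on both the http and transport lines and `verification_mode: {{ es_ssl_verification_mode }}` is rendered unquoted; patch 04 fixes both, and that fix belongs squashed into this commit.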
From 51eb05b6deff15d0c8231b2f7d387ac78868a3c5 Mon Sep 17 00:00:00 2001 From: Nathan Young Date: Fri, 11 Oct 2019 16:16:53 +0100 Subject: [PATCH 03/35] Move SSL config into security conditional --- templates/elasticsearch.yml.j2 | 36 +++++++++++++++++----------------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index 12e89fb2..e1c226ce 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 @@ -37,24 +37,6 @@ action.auto_create_index: {{ es_action_auto_create_index }} {% if es_enable_xpack and es_api_basic_auth_username is defined and es_api_basic_auth_password is defined %} xpack.security.enabled: true -{% endif %} - -{% if es_mail_config is defined %} -xpack.notification.email: - account: - {{ es_mail_config['account'] }}: - profile: {{ es_mail_config['profile'] }} - email_defaults: - from: {{ es_mail_config['from'] }} - smtp: - auth: {{ es_mail_config['require_auth'] }} - host: {{ es_mail_config['host'] }} - port: {{ es_mail_config['port'] }} - {% if es_mail_config['require_auth'] == true -%} - user: {{ es_mail_config['user'] }} - password: {{ es_mail_config['pass'] }} - {%- endif %} -{% endif %} {% if es_enable_http_ssl | bool %} xpack.security.http.ssl.enabled: true @@ -88,3 +70,21 @@ xpack.security.transport.ssl.certificate_authorities: "{{ es_ssl_certificate_pat {% else %} # xpack.security.transport.ssl.enabled: false {% endif %} +{% endif %} + +{% if es_mail_config is defined %} +xpack.notification.email: + account: + {{ es_mail_config['account'] }}: + profile: {{ es_mail_config['profile'] }} + email_defaults: + from: {{ es_mail_config['from'] }} + smtp: + auth: {{ es_mail_config['require_auth'] }} + host: {{ es_mail_config['host'] }} + port: {{ es_mail_config['port'] }} + {% if es_mail_config['require_auth'] == true -%} + user: {{ es_mail_config['user'] }} + password: {{ es_mail_config['pass'] }} + {%- endif %} +{% endif %} 
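Review bot: After this move the whole `xpack.security.*.ssl.*` block renders only under `{% if es_enable_xpack and es_api_basic_auth_username is defined and es_api_basic_auth_password is defined %}`, so `es_enable_http_ssl: true` without basic-auth credentials silently yields a node with no TLS, and the `fail` guard added in patch 02 does not catch it because it only checks that key material is present. Patch 08 then switches `es_api_scheme` to https on `es_enable_http_ssl` alone, so in that configuration the role's own `uri` tasks speak https to a plain-http node. Either add a second `fail` task in tasks/elasticsearch-parameters.yml with the conditions `- es_enable_http_ssl | bool or es_enable_transport_ssl | bool` and `- not es_enable_xpack or es_api_basic_auth_username is not defined or es_api_basic_auth_password is not defined`, or key the scheme switch on the same condition the template uses.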
From b792db7bc725770e3e5bdd0faee31812e31df53c Mon Sep 17 00:00:00 2001 From: Nathan Young Date: Fri, 11 Oct 2019 16:29:54 +0100 Subject: [PATCH 04/35] Fix config colons --- templates/elasticsearch.yml.j2 | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index e1c226ce..ccf6b113 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 
@@ -38,37 +38,37 @@ action.auto_create_index: {{ es_action_auto_create_index }} {% if es_enable_xpack and es_api_basic_auth_username is defined and es_api_basic_auth_password is defined %} xpack.security.enabled: true -{% if es_enable_http_ssl | bool %} -xpack.security.http.ssl.enabled: true +{% if es_enable_transport_ssl | bool %} +xpack.security.transport.ssl.enabled: true +xpack.security.transport.ssl.verification_mode: "{{ es_ssl_verification_mode }}" {% if es_ssl_keystore and es_ssl_truststore %} -xpack.security.http.ssl.keystore.path: : "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}" -xpack.security.http.ssl.truststore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}" +xpack.security.transport.ssl.keystore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}" +xpack.security.transport.ssl.truststore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}" {% elif es_ssl_key and es_ssl_certificate%} -xpack.security.http.ssl.key: "{{ es_ssl_certificate_path }}/{{ es_ssl_key | basename }}" -xpack.security.http.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate | basename }}" +xpack.security.transport.ssl.key: "{{ es_ssl_certificate_path }}/{{ es_ssl_key | basename }}" +xpack.security.transport.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate | basename }}" {% if es_ssl_certificate_authority %} -xpack.security.http.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}" +xpack.security.transport.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}" {% endif %} {% endif %} {% else %} -# xpack.security.http.ssl.enabled: false +# xpack.security.transport.ssl.enabled: false {% endif %} -{% if es_enable_transport_ssl | bool %} -xpack.security.transport.ssl.enabled: true -xpack.security.transport.ssl.verification_mode: {{ es_ssl_verification_mode }} +{% if 
es_enable_http_ssl | bool %} +xpack.security.http.ssl.enabled: true {% if es_ssl_keystore and es_ssl_truststore %} -xpack.security.transport.ssl.keystore.path: : "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}" -xpack.security.transport.ssl.truststore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}" +xpack.security.http.ssl.keystore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}" +xpack.security.http.ssl.truststore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}" {% elif es_ssl_key and es_ssl_certificate%} -xpack.security.transport.ssl.key: "{{ es_ssl_certificate_path }}/{{ es_ssl_key | basename }}" -xpack.security.transport.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate | basename }}" +xpack.security.http.ssl.key: "{{ es_ssl_certificate_path }}/{{ es_ssl_key | basename }}" +xpack.security.http.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate | basename }}" {% if es_ssl_certificate_authority %} -xpack.security.transport.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}" +xpack.security.http.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}" {% endif %} {% endif %} {% else %} -# xpack.security.transport.ssl.enabled: false +# xpack.security.http.ssl.enabled: false {% endif %} {% endif %} From e516472af01f8b17d594818a0ded0fe6634304fa Mon Sep 17 00:00:00 2001 From: Nathan Young Date: Fri, 11 Oct 2019 16:33:09 +0100 Subject: [PATCH 05/35] Fix copy variables --- tasks/elasticsearch-ssl.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tasks/elasticsearch-ssl.yml b/tasks/elasticsearch-ssl.yml index 0ded5dc5..228435f3 100644 --- a/tasks/elasticsearch-ssl.yml +++ b/tasks/elasticsearch-ssl.yml 
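Review bot: The hunk fixes two characters (`keystore.path: :` on the http and transport lines) but also swaps the transport and http blocks, so a two-line fix shows up as 34 changed lines and `git blame` on every SSL line now points at a commit titled "Fix config colons". Keep the reorder out of a fix commit, or name it in the subject. The `{% elif es_ssl_key and es_ssl_certificate%}` lines (missing space before `%}`) sit within two lines of the fix and would naturally have been part of it; patch 10 corrects them later.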
@@ -9,9 +9,11 @@ src: "{{ item }}" dest: "{{ es_ssl_certificate_path }}/{{ item | basename }}" with_items: - - "{{ es_ssl_key }}" - - "{{ es_ssl_certificate }}" + - "{{ es_ssl_keystore }}" + - "{{ es_ssl_truststore }}" when: es_ssl_keystore and es_ssl_truststore + #Restart if these change + notify: restart elasticsearch register: copy_keystores - name: Upload SSL/TLS key and certificate @@ -22,6 +24,8 @@ - "{{ es_ssl_key }}" - "{{ es_ssl_certificate }}" when: es_ssl_key and es_ssl_certificate + #Restart if these change + notify: restart elasticsearch register: copy_certificates - name: Upload SSL Certificate Authority From 2fb648fee6960864c85bbe6160301e673469862a Mon Sep 17 00:00:00 2001 From: Nathan Young Date: Fri, 11 Oct 2019 17:02:15 +0100 Subject: [PATCH 06/35] Fix deprecated security api endpoint --- defaults/main.yml | 2 ++ .../security/elasticsearch-security-native.yml | 16 ++++++++-------- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2b4fe3a2..479d818c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -42,6 +42,8 @@ es_debian_startup_timeout: 10 # JVM custom parameters es_jvm_custom_parameters: '' +es_security_api: "_{{ 'xpack/security' if es_version is version_compare('7.0.0', '<=') else 'security' }}" + # SSL/TLS parameters es_enable_http_ssl: false es_enable_transport_ssl: false diff --git a/tasks/xpack/security/elasticsearch-security-native.yml b/tasks/xpack/security/elasticsearch-security-native.yml index 6235952e..e83cf800 100644 --- a/tasks/xpack/security/elasticsearch-security-native.yml +++ b/tasks/xpack/security/elasticsearch-security-native.yml @@ -21,7 +21,7 @@ #List current users - name: List Native Users uri: - url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user + url: http://{{es_api_host}}:{{es_api_port}}/{{ es_security_api }}/user method: GET user: "{{es_api_basic_auth_username}}" password: "{{es_api_basic_auth_password}}" 
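Review bot: With `notify: restart elasticsearch` now on both copy tasks, the `register: copy_keystores` and `register: copy_certificates` results directly below are not referenced in any hunk of this series and look like leftovers of the patch 02 version; drop them unless something outside these hunks reads them. The `#Restart if these change` comment is wedged between `when:` and `notify:`, splitting the task's keywords; place it above `notify:` and write it `# Restart if these change` (space after `#`) to match yamllint's comment rule.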
@@ -51,7 +51,7 @@ - name: Update API User Password uri: - url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{es_api_basic_auth_username}}/_password + url: http://{{es_api_host}}:{{es_api_port}}/{{ es_security_api }}/user/{{es_api_basic_auth_username}}/_password method: POST body_format: json body: "{ \"password\":\"{{native_users[es_api_basic_auth_username].password}}\" }" @@ -73,7 +73,7 @@ #Delete all non required users NOT inc. reserved - name: Delete Native Users uri: - url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}} + url: http://{{es_api_host}}:{{es_api_port}}/{{ es_security_api }}/user/{{item}} method: DELETE status_code: 200 user: "{{es_api_basic_auth_username}}" @@ -94,7 +94,7 @@ #Update password on all reserved users - name: Update Reserved User Passwords uri: - url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}/_password + url: http://{{es_api_host}}:{{es_api_port}}/{{ es_security_api }}/user/{{item}}/_password method: POST body_format: json body: "{ \"password\":\"{{native_users[item].password}}\" }" @@ -113,7 +113,7 @@ #Overwrite all other users NOT inc. those reserved - name: Update Non-Reserved Native User Details uri: - url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}} + url: http://{{es_api_host}}:{{es_api_port}}/{{ es_security_api }}/user/{{item}} method: POST body_format: json body: "{{ native_users[item] | to_json }}" @@ -130,7 +130,7 @@ #List current roles not. inc those reserved - name: List Native Roles uri: - url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role + url: http://{{es_api_host}}:{{es_api_port}}/{{ es_security_api }}/role method: GET body_format: json user: "{{es_api_basic_auth_username}}" 
@@ -165,7 +165,7 @@ #Delete all non required roles NOT inc. reserved - name: Delete Native Roles uri: - url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item}} + url: http://{{es_api_host}}:{{es_api_port}}/{{ es_security_api }}/role/{{item}} method: DELETE status_code: 200 user: "{{es_api_basic_auth_username}}" @@ -181,7 +181,7 @@ #Update other roles - NOT inc. reserved roles - name: Update Native Roles uri: - url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item}} + url: http://{{es_api_host}}:{{es_api_port}}/{{ es_security_api }}/role/{{item}} method: POST body_format: json body: "{{ es_roles.native[item] | to_json}}" From a1a190feb7275f6f4932ea3309f44b77462d27d0 Mon Sep 17 00:00:00 2001 From: Nathan Young Date: Fri, 11 Oct 2019 17:02:26 +0100 Subject: [PATCH 07/35] Fix typo --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index e50ef34f..c0dc9664 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -80,7 +80,7 @@ - (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined) # If playbook runs too fast, Native commands could fail as the Native Realm is not yet up -- name: Wait 15 seconds for the Native Relm to come up +- name: Wait 15 seconds for the Native Realm to come up command: sleep 15 when: manage_native_realm From 5da76a85c710167f35d98112ff7d7966170d9de2 Mon Sep 17 00:00:00 2001 From: Nathan Young Date: Fri, 11 Oct 2019 17:16:35 +0100 Subject: [PATCH 08/35] Add api scheme based on http_ssl variable --- defaults/main.yml | 2 ++ tasks/compatibility-variables.yml | 7 ++++++- tasks/elasticsearch-template.yml | 2 +- .../security/elasticsearch-security-native.yml | 16 ++++++++-------- .../security/elasticsearch-xpack-activation.yml | 2 +- 5 files changed, 18 insertions(+), 11 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 479d818c..6ed36156 100644 --- a/defaults/main.yml 
+++ b/defaults/main.yml @@ -35,8 +35,10 @@ es_allow_downgrades: false es_xpack_features: [] #These are used for internal operations performed by ansible. #They do not affect the current configuration +es_api_scheme: "http" es_api_host: "localhost" es_api_port: 9200 +es_api_uri: "{{es_api_scheme}}://{{es_api_host}}:{{es_api_port}}" es_debian_startup_timeout: 10 # JVM custom parameters diff --git a/tasks/compatibility-variables.yml b/tasks/compatibility-variables.yml index 0ed0c219..df393b61 100644 --- a/tasks/compatibility-variables.yml +++ b/tasks/compatibility-variables.yml @@ -29,7 +29,7 @@ es_install_xpack: true es_xpack_users_command: "x-pack/users" es_xpack_conf_subdir: "/x-pack" - when: + when: - not es_open_xpack - es_enable_xpack @@ -43,3 +43,8 @@ when: - es_open_xpack - not es_enable_xpack + +- name: Set the URL scheme based if http ssl/tls is enabled + set_fact: + es_api_scheme: "https" + when: es_enable_http_ssl diff --git a/tasks/elasticsearch-template.yml b/tasks/elasticsearch-template.yml index 8af780d7..cfd99475 100644 --- a/tasks/elasticsearch-template.yml +++ b/tasks/elasticsearch-template.yml @@ -15,7 +15,7 @@ - name: Install templates uri: - url: "http://{{es_api_host}}:{{es_api_port}}/_template/{{item | filename}}" + url: "{{ es_api_uri }}/_template/{{item | filename}}" method: PUT status_code: 200 user: "{{es_api_basic_auth_username | default(omit)}}" diff --git a/tasks/xpack/security/elasticsearch-security-native.yml b/tasks/xpack/security/elasticsearch-security-native.yml index e83cf800..77f3a001 100644 --- a/tasks/xpack/security/elasticsearch-security-native.yml +++ b/tasks/xpack/security/elasticsearch-security-native.yml @@ -21,7 +21,7 @@ #List current users - name: List Native Users uri: - url: http://{{es_api_host}}:{{es_api_port}}/{{ es_security_api }}/user + url: "{{ es_api_uri }}/{{ es_security_api }}/user" method: GET user: "{{es_api_basic_auth_username}}" password: "{{es_api_basic_auth_password}}" 
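Review bot: `es_api_uri` is composed from `es_api_host`, whose default is `"localhost"`, so once `es_api_scheme` becomes `https` the certificate served on the HTTP port must be valid for `localhost` (or whatever `es_api_host` is set to) for the role's `uri` tasks to pass verification, and nothing near these defaults says so. Add `# With https, the node's HTTP certificate must be valid for es_api_host (default localhost)` above `es_api_scheme`. The `set_fact` added in tasks/compatibility-variables.yml also overrides an `es_api_scheme` given in inventory or play vars; deriving it in the default instead, `es_api_scheme: "{{ 'https' if es_enable_http_ssl | bool else 'http' }}"`, keeps it overridable and removes the extra task.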
@@ -51,7 +51,7 @@ - name: Update API User Password uri: - url: http://{{es_api_host}}:{{es_api_port}}/{{ es_security_api }}/user/{{es_api_basic_auth_username}}/_password + url: "{{ es_api_uri }}/{{ es_security_api }}/user/{{es_api_basic_auth_username}}/_password" method: POST body_format: json body: "{ \"password\":\"{{native_users[es_api_basic_auth_username].password}}\" }" @@ -73,7 +73,7 @@ #Delete all non required users NOT inc. reserved - name: Delete Native Users uri: - url: http://{{es_api_host}}:{{es_api_port}}/{{ es_security_api }}/user/{{item}} + url: "{{ es_api_uri }}/{{ es_security_api }}/user/{{item}}" method: DELETE status_code: 200 user: "{{es_api_basic_auth_username}}" @@ -94,7 +94,7 @@ #Update password on all reserved users - name: Update Reserved User Passwords uri: - url: http://{{es_api_host}}:{{es_api_port}}/{{ es_security_api }}/user/{{item}}/_password + url: "{{ es_api_uri }}/{{ es_security_api }}/user/{{item}}/_password" method: POST body_format: json body: "{ \"password\":\"{{native_users[item].password}}\" }" @@ -113,7 +113,7 @@ #Overwrite all other users NOT inc. those reserved - name: Update Non-Reserved Native User Details uri: - url: http://{{es_api_host}}:{{es_api_port}}/{{ es_security_api }}/user/{{item}} + url: "{{ es_api_uri }}/{{ es_security_api }}/user/{{item}}" method: POST body_format: json body: "{{ native_users[item] | to_json }}" @@ -130,7 +130,7 @@ #List current roles not. inc those reserved - name: List Native Roles uri: - url: http://{{es_api_host}}:{{es_api_port}}/{{ es_security_api }}/role + url: "{{ es_api_uri }}/{{ es_security_api }}/role" method: GET body_format: json user: "{{es_api_basic_auth_username}}" @@ -165,7 +165,7 @@ #Delete all non required roles NOT inc. reserved - name: Delete Native Roles uri: - url: http://{{es_api_host}}:{{es_api_port}}/{{ es_security_api }}/role/{{item}} + url: "{{ es_api_uri }}/{{ es_security_api }}/role/{{item}}" method: DELETE status_code: 200 user: "{{es_api_basic_auth_username}}" 
@@ -181,7 +181,7 @@ #Update other roles - NOT inc. reserved roles - name: Update Native Roles uri: - url: http://{{es_api_host}}:{{es_api_port}}/{{ es_security_api }}/role/{{item}} + url: "{{ es_api_uri }}/{{ es_security_api }}/role/{{item}}" method: POST body_format: json body: "{{ es_roles.native[item] | to_json}}" diff --git a/tasks/xpack/security/elasticsearch-xpack-activation.yml b/tasks/xpack/security/elasticsearch-xpack-activation.yml index 7da085e5..ea1ac156 100644 --- a/tasks/xpack/security/elasticsearch-xpack-activation.yml +++ b/tasks/xpack/security/elasticsearch-xpack-activation.yml @@ -2,7 +2,7 @@ - name: Activate ES license (with security authentication) uri: method: PUT - url: "http://{{es_api_host}}:{{es_api_port}}/_xpack/license?acknowledge=true" + url: "{{ es_api_uri }}/_xpack/license?acknowledge=true" user: "{{es_api_basic_auth_username | default(omit)}}" password: "{{es_api_basic_auth_password | default(omit)}}" body_format: json From 9580a08f4d88ca565d50deb3092d4de6ca39d483 Mon Sep 17 00:00:00 2001 From: Nathan Young Date: Fri, 11 Oct 2019 23:01:05 +0100 Subject: [PATCH 09/35] Fix bare variable boolean --- tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index c0dc9664..00735176 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -82,7 +82,7 @@ # If playbook runs too fast, Native commands could fail as the Native Realm is not yet up - name: Wait 15 seconds for the Native Realm to come up command: sleep 15 - when: manage_native_realm + when: manage_native_realm | bool - name: activate-license include: ./xpack/security/elasticsearch-xpack-activation.yml 
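Review bot: The rewritten URL in tasks/xpack/security/elasticsearch-xpack-activation.yml keeps `/_xpack/license?acknowledge=true` hard-coded, while patch 06 in this same series moved the security endpoints onto `es_security_api` because the `_xpack/...` paths are deprecated from 7.0; the license API appears to have had the same rename (`_xpack/license` to `_license`), so this line will warn or fail on the same versions. Mirror the existing approach with a default such as `es_license_api: "{{ '_license' if es_version is version_compare('7.0.0', '>=') else '_xpack/license' }}"` (constructed name, modelled on patch 10's `es_security_api`) and `url: "{{ es_api_uri }}/{{ es_license_api }}?acknowledge=true"`.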
@@ -91,7 +91,7 @@ #perform security actions here now elasticsearch is started - name: include xpack/security/elasticsearch-security-native.yml include: ./xpack/security/elasticsearch-security-native.yml - when: manage_native_realm + when: manage_native_realm | bool #Templates done after restart - handled by flushing the handlers. e.g. suppose user removes security on a running node and doesn't specify es_api_basic_auth_username and es_api_basic_auth_password. The templates will subsequently not be removed if we don't wait for the node to restart. #We also do after the native realm to ensure any changes are applied here first and its denf up. From d0064c6a8838f47676ebfe3751eb16580746cf3f Mon Sep 17 00:00:00 2001 From: Nathan Young Date: Sat, 12 Oct 2019 00:03:47 +0100 Subject: [PATCH 10/35] Add option for invalid certificates --- defaults/main.yml | 3 ++- tasks/compatibility-variables.yml | 4 ++-- tasks/elasticsearch-ssl.yml | 4 +++- tasks/elasticsearch-template.yml | 1 + tasks/main.yml | 2 ++ tasks/xpack/security/elasticsearch-security-native.yml | 8 ++++++++ tasks/xpack/security/elasticsearch-xpack-activation.yml | 1 + templates/elasticsearch.yml.j2 | 4 ++-- 8 files changed, 21 insertions(+), 6 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8f878983..16b851e9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -44,7 +44,7 @@ es_debian_startup_timeout: 10 # JVM custom parameters es_jvm_custom_parameters: '' -es_security_api: "_{{ 'xpack/security' if es_version is version_compare('7.0.0', '<=') else 'security' }}" +es_security_api: "{{ '_security' if es_version is version_compare('7.0.0', '>=') else '_xpack/security' }}" # SSL/TLS parameters es_enable_http_ssl: false @@ -56,3 +56,4 @@ es_ssl_certificate: "" es_ssl_certificate_authority: "" es_ssl_certificate_path: "/etc/elasticsearch/certs" es_ssl_verification_mode: "certificate" +es_validate_certs: "yes" 
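Review bot: `es_validate_certs: "yes"` in the second defaults/main.yml hunk is a quoted YAML 1.1 truthy string standing in for a boolean; the `uri` module coerces it, but it is exactly the bare-boolean pattern the rest of this series is replacing with `| bool`. Write `es_validate_certs: true` and consume it as `validate_certs: "{{ es_validate_certs | bool }}"` in the `uri` tasks. Because this is the single switch that turns off verification of the node's HTTP certificate for every API call the role makes, a comment such as `# Set to false only for self-signed certificates in test environments` belongs above it.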
diff --git a/tasks/compatibility-variables.yml b/tasks/compatibility-variables.yml index 15b9ee09..f624d145 100644 --- a/tasks/compatibility-variables.yml +++ b/tasks/compatibility-variables.yml @@ -24,7 +24,7 @@ when: - not es_enable_xpack -- name: Set the URL scheme based if http ssl/tls is enabled +- name: Set the URL scheme to https if SSL/TLS is enabled set_fact: es_api_scheme: "https" - when: es_enable_http_ssl + when: es_enable_http_ssl | bool diff --git a/tasks/elasticsearch-ssl.yml b/tasks/elasticsearch-ssl.yml index 228435f3..7aba66b0 100644 --- a/tasks/elasticsearch-ssl.yml +++ b/tasks/elasticsearch-ssl.yml @@ -32,4 +32,6 @@ copy: src: "{{ es_ssl_certificate_authority }}" dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}" - when: es_ssl_certificate_authority + #Restart if this changes + notify: restart elasticsearch + when: es_ssl_certificate_authority | bool diff --git a/tasks/elasticsearch-template.yml b/tasks/elasticsearch-template.yml index 531fa154..a04097f6 100644 --- a/tasks/elasticsearch-template.yml +++ b/tasks/elasticsearch-template.yml @@ -24,6 +24,7 @@ force_basic_auth: yes body_format: json body: "{{ lookup('file', item) }}" + validate_certs: "{{ es_validate_certs }}" when: load_templates.changed and es_start_service with_fileglob: - "{{ es_templates_fileglob | default('') }}" diff --git a/tasks/main.yml b/tasks/main.yml index 00735176..35e7165f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -56,6 +56,8 @@ - name: include elasticsearch-ssl.yml include: elasticsearch-ssl.yml when: es_enable_http_ssl or es_enable_transport_ssl + tags: + - xpack - name: flush handlers meta: flush_handlers diff --git a/tasks/xpack/security/elasticsearch-security-native.yml b/tasks/xpack/security/elasticsearch-security-native.yml index 77f3a001..ba542662 100644 --- a/tasks/xpack/security/elasticsearch-security-native.yml +++ b/tasks/xpack/security/elasticsearch-security-native.yml 
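Review bot: `when: es_ssl_certificate_authority | bool` in the tasks/elasticsearch-ssl.yml hunk applies a boolean filter to a file path: Ansible's `bool` filter maps any string other than the yes/no/true/false/on/off/1/0 forms to false (newer releases warn or error on such input), so a real value like `ca.crt` evaluates false, the "Upload SSL Certificate Authority" task never runs, and the template still renders `certificate_authorities` pointing at a file that was never uploaded. The previous `when: es_ssl_certificate_authority` was correct for a string; make the non-empty test explicit with `when: es_ssl_certificate_authority | length > 0`, and consider the same form for the `es_ssl_keystore and es_ssl_truststore` / `es_ssl_key and es_ssl_certificate` conditions on the two tasks above this hunk. The `| bool` additions in the compatibility-variables hunk are right, since those variables really are booleans.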
@@ -27,6 +27,7 @@ password: "{{es_api_basic_auth_password}}" force_basic_auth: yes status_code: 200 + validate_certs: "{{ es_validate_certs }}" register: user_list_response when: manage_native_users check_mode: no @@ -59,6 +60,7 @@ user: "{{es_api_basic_auth_username}}" password: "{{es_api_basic_auth_password}}" force_basic_auth: yes + validate_certs: "{{ es_validate_certs }}" when: change_api_password - name: set fact es_api_basic_auth_password @@ -79,6 +81,7 @@ user: "{{es_api_basic_auth_username}}" password: "{{es_api_basic_auth_password}}" force_basic_auth: yes + validate_certs: "{{ es_validate_certs }}" when: manage_native_users with_items: "{{ users_to_remove | default([]) }}" @@ -102,6 +105,7 @@ user: "{{es_api_basic_auth_username}}" password: "{{es_api_basic_auth_password}}" force_basic_auth: yes + validate_certs: "{{ es_validate_certs }}" when: native_users[item].password is defined no_log: True with_items: "{{ users_to_ignore | default([]) }}" @@ -121,6 +125,7 @@ user: "{{es_api_basic_auth_username}}" password: "{{es_api_basic_auth_password}}" force_basic_auth: yes + validate_certs: "{{ es_validate_certs }}" when: manage_native_users no_log: True with_items: "{{ users_to_modify | default([]) }}" @@ -137,6 +142,7 @@ password: "{{es_api_basic_auth_password}}" force_basic_auth: yes status_code: 200 + validate_certs: "{{ es_validate_certs }}" register: role_list_response when: manage_native_roles check_mode: no @@ -171,6 +177,7 @@ user: "{{es_api_basic_auth_username}}" password: "{{es_api_basic_auth_password}}" force_basic_auth: yes + validate_certs: "{{ es_validate_certs }}" when: manage_native_roles with_items: "{{roles_to_remove | default([]) }}" @@ -189,5 +196,6 @@ user: "{{es_api_basic_auth_username}}" password: "{{es_api_basic_auth_password}}" force_basic_auth: yes + validate_certs: "{{ es_validate_certs }}" when: manage_native_roles with_items: "{{ roles_to_modify | default([]) }}" 
diff --git a/tasks/xpack/security/elasticsearch-xpack-activation.yml b/tasks/xpack/security/elasticsearch-xpack-activation.yml index ea1ac156..55e3063a 100644 --- a/tasks/xpack/security/elasticsearch-xpack-activation.yml +++ b/tasks/xpack/security/elasticsearch-xpack-activation.yml @@ -9,6 +9,7 @@ body: "{{ es_xpack_license }}" return_content: yes force_basic_auth: yes + validate_certs: "{{ es_validate_certs }}" register: license_activated no_log: True failed_when: > diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index a313b7bd..f29cfc8a 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 @@ -40,7 +40,7 @@ xpack.security.transport.ssl.verification_mode: "{{ es_ssl_verification_mode }}" {% if es_ssl_keystore and es_ssl_truststore %} xpack.security.transport.ssl.keystore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}" xpack.security.transport.ssl.truststore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}" -{% elif es_ssl_key and es_ssl_certificate%} +{% elif es_ssl_key and es_ssl_certificate %} xpack.security.transport.ssl.key: "{{ es_ssl_certificate_path }}/{{ es_ssl_key | basename }}" xpack.security.transport.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate | basename }}" {% if es_ssl_certificate_authority %} @@ -56,7 +56,7 @@ xpack.security.http.ssl.enabled: true {% if es_ssl_keystore and es_ssl_truststore %} xpack.security.http.ssl.keystore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}" xpack.security.http.ssl.truststore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}" -{% elif es_ssl_key and es_ssl_certificate%} +{% elif es_ssl_key and es_ssl_certificate %} xpack.security.http.ssl.key: "{{ es_ssl_certificate_path }}/{{ es_ssl_key | basename }}" xpack.security.http.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate | basename }}" {% if es_ssl_certificate_authority %} 
From e2ffdce3800ecd2d64aeebb3abff30cfdafa8bdf Mon Sep 17 00:00:00 2001 From: Nathan Young Date: Sat, 12 Oct 2019 00:57:49 +0100 Subject: [PATCH 11/35] Add ability to use key and truststore passwords --- defaults/main.yml | 3 +++ tasks/elasticsearch-ssl.yml | 48 +++++++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 16b851e9..5f2cddb2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -50,8 +50,11 @@ es_security_api: "{{ '_security' if es_version is version_compare('7.0.0', '>=') es_enable_http_ssl: false es_enable_transport_ssl: false es_ssl_keystore: "" +es_ssl_keystore_password: "" es_ssl_truststore: "" +es_ssl_truststore_password: "" es_ssl_key: "" +es_ssl_key_password: "" es_ssl_certificate: "" es_ssl_certificate_authority: "" es_ssl_certificate_path: "/etc/elasticsearch/certs" diff --git a/tasks/elasticsearch-ssl.yml b/tasks/elasticsearch-ssl.yml index 7aba66b0..a78a1ab1 100644 --- a/tasks/elasticsearch-ssl.yml +++ b/tasks/elasticsearch-ssl.yml 
@@ -35,3 +35,51 @@ #Restart if this changes notify: restart elasticsearch when: es_ssl_certificate_authority | bool + +- name: Set transport keystore password + shell: echo "{{es_ssl_keystore_password}}" | {{es_home}}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.keystore.secure_password' + no_log: True + when: es_ssl_keystore_password and copy_keystores.changed + with_items: + - http + - transport + +- name: Set transport truststore password + shell: echo "{{es_ssl_truststore_password}}" | {{es_home}}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.truststore.secure_password' + no_log: True + when: es_ssl_truststore_password and copy_keystores.changed + with_items: + - http + - transport + +- name: Set transport key password + shell: echo "{{es_ssl_key_password}}" | {{es_home}}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.secure_key_passphrase' + no_log: True + when: es_ssl_key_password and copy_certificates.changed + with_items: + - http + - transport + +- name: Remove transport keystore password + shell: "{{es_home}}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.keystore.secure_password'" + no_log: True + when: es_ssl_keystore_password == "" and copy_keystores.changed + with_items: + - http + - transport + +- name: Remove transport truststore password + shell: "{{es_home}}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.truststore.secure_password'" + no_log: True + when: es_ssl_truststore_password == "" and copy_keystores.changed + with_items: + - http + - transport + +- name: Remove transport key password + shell: "{{es_home}}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.secure_key_passphrase'" + no_log: True + when: es_ssl_key_password == "" and copy_certificates.changed + with_items: + - http + - transport From 7196557c09051279d6961ad31a6b7fcc80103ae9 Mon Sep 17 00:00:00 2001 
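Review bot: The three `Set … password` tasks in the tasks/elasticsearch-ssl.yml hunk splice the secret into a shell command string (`echo "{{ es_ssl_keystore_password }}" | …`), so a password containing `"`, `$`, a backtick or a backslash is mangled or expanded by the shell before it reaches the keystore, and the full command line including the secret is visible in the process list while it runs; `no_log` hides it from Ansible's output only. The minimal fix is `{{ es_ssl_keystore_password | quote }}`, but since `elasticsearch-keystore add -x` reads the value from stdin, the `command` module's `stdin` argument passes the secret without a shell or a command-line copy at all; the truststore and key tasks take the same shape. `copy_keystores` and `copy_certificates` are registered by tasks outside this hunk.
```yaml
- name: Set transport keystore password
  command: "{{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.keystore.secure_password'"
  args:
    stdin: "{{ es_ssl_keystore_password }}"
  no_log: True
  when: es_ssl_keystore_password and copy_keystores.changed
  with_items:
    - http
    - transport
# … unchanged: the truststore and key tasks, rewritten the same way …
```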
From: pemontto Date: Sun, 13 Oct 2019 16:18:55 +0100 Subject: [PATCH 12/35] Update tests --- defaults/main.yml | 2 +- tasks/elasticsearch-ssl.yml | 12 ++++++------ tasks/main.yml | 2 +- test/integration/helpers/serverspec/shared_spec.rb | 2 +- test/integration/helpers/serverspec/spec_helper.rb | 6 +++++- .../helpers/serverspec/xpack_upgrade_spec.rb | 9 +++++++-- 6 files changed, 21 insertions(+), 12 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5f2cddb2..19d97327 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -38,7 +38,7 @@ es_xpack_features: [] es_api_scheme: "http" es_api_host: "localhost" es_api_port: 9200 -es_api_uri: "{{es_api_scheme}}://{{es_api_host}}:{{es_api_port}}" +es_api_uri: "{{ es_api_scheme }}://{{ es_api_host }}:{{ es_api_port }}" es_debian_startup_timeout: 10 # JVM custom parameters diff --git a/tasks/elasticsearch-ssl.yml b/tasks/elasticsearch-ssl.yml index a78a1ab1..f35e3814 100644 --- a/tasks/elasticsearch-ssl.yml +++ b/tasks/elasticsearch-ssl.yml @@ -37,7 +37,7 @@ when: es_ssl_certificate_authority | bool - name: Set transport keystore password - shell: echo "{{es_ssl_keystore_password}}" | {{es_home}}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.keystore.secure_password' + shell: echo "{{ es_ssl_keystore_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.keystore.secure_password' no_log: True when: es_ssl_keystore_password and copy_keystores.changed with_items: @@ -45,7 +45,7 @@ - transport - name: Set transport truststore password - shell: echo "{{es_ssl_truststore_password}}" | {{es_home}}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.truststore.secure_password' + shell: echo "{{ es_ssl_truststore_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.truststore.secure_password' no_log: True when: es_ssl_truststore_password and copy_keystores.changed with_items: 
@@ -53,7 +53,7 @@ - transport - name: Set transport key password - shell: echo "{{es_ssl_key_password}}" | {{es_home}}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.secure_key_passphrase' + shell: echo "{{ es_ssl_key_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.secure_key_passphrase' no_log: True when: es_ssl_key_password and copy_certificates.changed with_items: @@ -61,7 +61,7 @@ - transport - name: Remove transport keystore password - shell: "{{es_home}}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.keystore.secure_password'" + shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.keystore.secure_password'" no_log: True when: es_ssl_keystore_password == "" and copy_keystores.changed with_items: @@ -69,7 +69,7 @@ - transport - name: Remove transport truststore password - shell: "{{es_home}}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.truststore.secure_password'" + shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.truststore.secure_password'" no_log: True when: es_ssl_truststore_password == "" and copy_keystores.changed with_items: @@ -77,7 +77,7 @@ - transport - name: Remove transport key password - shell: "{{es_home}}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.secure_key_passphrase'" + shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.secure_key_passphrase'" no_log: True when: es_ssl_key_password == "" and copy_certificates.changed with_items: diff --git a/tasks/main.yml b/tasks/main.yml index 35e7165f..5ef6a03b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -68,7 +68,7 @@ when: es_start_service - name: Wait for elasticsearch to startup - wait_for: host={{es_api_host}} port={{es_api_port}} delay=5 connect_timeout=1 + wait_for: host={{ es_api_host }} port={{ es_api_port }} delay=5 connect_timeout=1 when: es_restarted is defined and es_restarted.changed and es_start_service - name: set fact manage_native_realm to false diff --git a/test/integration/helpers/serverspec/shared_spec.rb b/test/integration/helpers/serverspec/shared_spec.rb index 93d30254..0522fe49 100644 --- a/test/integration/helpers/serverspec/shared_spec.rb +++ b/test/integration/helpers/serverspec/shared_spec.rb @@ -17,7 +17,7 @@ family = families[vars['ansible_os_family']] -es_api_url = "http://localhost:#{vars['es_api_port']}" +es_api_url = "#{vars['es_api_scheme']}://localhost:#{vars['es_api_port']}" username = vars['es_api_basic_auth_username'] password = vars['es_api_basic_auth_password'] diff --git a/test/integration/helpers/serverspec/spec_helper.rb b/test/integration/helpers/serverspec/spec_helper.rb index 20ca46b3..7417197f 100644 --- a/test/integration/helpers/serverspec/spec_helper.rb +++ b/test/integration/helpers/serverspec/spec_helper.rb @@ -19,7 +19,11 @@ def curl_json(uri, username=nil, password=nil) if username && password req.basic_auth username, password end - res = Net::HTTP.start(uri.hostname, uri.port) {|http| + res = Net::HTTP.start( + uri.hostname, + uri.port, + :verify_mode => OpenSSL::SSL::VERIFY_NONE + ) {|http| http.request(req) } return JSON.parse(res.body) diff --git a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb index 62c95282..00fb0fc5 100644 --- a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb +++ b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb 
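Review bot: The `Net::HTTP.start` call in the spec_helper.rb hunk passes `:verify_mode => OpenSSL::SSL::VERIFY_NONE` but no `:use_ssl`, and `verify_mode` is only consulted once TLS is on; with the new `#{vars['es_api_scheme']}://…` URL from shared_spec.rb an https target would still be spoken to in plaintext unless `use_ssl` is set somewhere this hunk does not show. Add `:use_ssl => uri.scheme == 'https',` alongside the verify option. Disabling verification is acceptable in the test harness against the role's self-signed certificates, but a one-line comment saying so would stop it being copied into non-test code.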
@@ -2,6 +2,11 @@ require 'json' vars = JSON.parse(File.read('/tmp/vars.json')) +es_api_url = "#{vars['es_api_scheme']}://localhost:#{vars['es_api_port']}" +username = vars['es_api_basic_auth_username'] +password = vars['es_api_basic_auth_password'] +es_security_api = "#{vars['es_security_api']}" + shared_examples 'xpack_upgrade::init' do |vars| #Test users file, users_roles and roles.yml describe file("/etc/elasticsearch/users_roles") do @@ -18,7 +23,7 @@ describe 'security roles' do it 'should list the security roles' do - roles = curl_json('http://localhost:9200/_xpack/security/role', username='es_admin', password='changeMeAgain') + roles = curl_json("#{es_api_url}/#{es_security_api}/role", username='es_admin', password='changeMeAgain') expect(roles.key?('superuser')) end end @@ -54,7 +59,7 @@ end describe 'security users' do - result = curl_json('http://localhost:9200/_xpack/security/user', username='elastic', password='elasticChanged') + result = curl_json("#{es_api_url}/#{es_security_api}/user", username='elastic', password='elasticChanged') it 'should have the elastic user' do expect(result['elastic']['username']).to eq('elastic') expect(result['elastic']['roles']).to eq(['superuser']) From 27e3cff9a2e1a7152cedd47a2b57981b7ba88cd1 Mon Sep 17 00:00:00 2001 From: pemontto Date: Tue, 15 Oct 2019 15:37:39 +0100 Subject: [PATCH 13/35] Add option to keep existing users --- defaults/main.yml | 2 ++ tasks/xpack/security/elasticsearch-security-file.yml | 6 +++--- tasks/xpack/security/elasticsearch-security-native.yml | 4 ++-- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 19d97327..dc674cc4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -60,3 +60,5 @@ es_ssl_certificate_authority: "" es_ssl_certificate_path: "/etc/elasticsearch/certs" es_ssl_verification_mode: "certificate" es_validate_certs: "yes" +delete_unmanaged_file: true +delete_unmanaged_native: true 
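Review bot: `es_security_api = "#{vars['es_security_api']}"` in the xpack_upgrade_spec.rb hunk is an interpolation with nothing else in the string; `es_security_api = vars['es_security_api']` says the same thing, and `es_api_url` three lines above already shows the form used when interpolation is actually needed. The new `"#{es_api_url}/#{es_security_api}/role"` calls read fine; the `username='es_admin'` argument style is pre-existing, not introduced here.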
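Review bot: `delete_unmanaged_file` and `delete_unmanaged_native` in the defaults/main.yml hunk are the only variables in this file without the `es_` prefix, and they land under the "SSL/TLS parameters" group with no comment, although they gate the removal of file-realm and native-realm users and roles that are not declared in `es_users` / `es_roles`. If a rename is off the table for compatibility, at least separate them with a blank line and a comment, e.g. `# Remove users/roles in the file and native realms that are not declared in es_users / es_roles`.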
diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index f81117a5..82aca12e 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml @@ -11,7 +11,7 @@ register: old_users_file check_mode: no -- name: Copy the old users file from the old depreacted location +- name: Copy the old users file from the old deprecated location copy: remote_src: yes force: no # only copy it if the new path doesn't exist yet @@ -33,7 +33,7 @@ - name: set fact users_to_remove set_fact: users_to_remove={{ current_file_users.stdout_lines | difference (es_users.file.keys() | list) }} - when: manage_file_users + when: manage_file_users and delete_unmanaged_file #Remove users - name: Remove Users @@ -49,7 +49,7 @@ - name: set fact users_to_add set_fact: users_to_add={{ es_users.file.keys() | list | difference (current_file_users.stdout_lines) }} - when: manage_file_users + when: manage_file_users and delete_unmanaged_file #Add users - name: Add Users diff --git a/tasks/xpack/security/elasticsearch-security-native.yml b/tasks/xpack/security/elasticsearch-security-native.yml index ba542662..563688b8 100644 --- a/tasks/xpack/security/elasticsearch-security-native.yml +++ b/tasks/xpack/security/elasticsearch-security-native.yml @@ -82,7 +82,7 @@ password: "{{es_api_basic_auth_password}}" force_basic_auth: yes validate_certs: "{{ es_validate_certs }}" - when: manage_native_users + when: manage_native_users and delete_unmanaged_native with_items: "{{ users_to_remove | default([]) }}" - name: set fact users_to_ignore @@ -178,7 +178,7 @@ password: "{{es_api_basic_auth_password}}" force_basic_auth: yes validate_certs: "{{ es_validate_certs }}" - when: manage_native_roles + when: manage_native_roles and delete_unmanaged_native with_items: "{{roles_to_remove | default([]) }}" - name: set fact roles_to_modify 
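Review bot: The second hunk in tasks/xpack/security/elasticsearch-security-file.yml (`@@ -49,7 +49,7 @@`) also gates `set fact users_to_add` on `delete_unmanaged_file`, so with the new flag set to false `users_to_add` is never computed and new file-realm users are never created; presumably the add task that follows iterates `users_to_add | default([])`, which is outside the hunk. Only the removal path should depend on the flag: keep `when: manage_file_users and delete_unmanaged_file` on `users_to_remove` and revert the add fact to `when: manage_file_users`. The two elasticsearch-security-native.yml hunks apply the flag to delete tasks only, which is the intended shape.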
From 2b0343e135a382a140acce892e56e074ec5db938 Mon Sep 17 00:00:00 2001 From: pemontto Date: Wed, 16 Oct 2019 16:36:17 +0100 Subject: [PATCH 14/35] URL encode items in path --- tasks/xpack/security/elasticsearch-security-native.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/xpack/security/elasticsearch-security-native.yml b/tasks/xpack/security/elasticsearch-security-native.yml index 563688b8..ec407f72 100644 --- a/tasks/xpack/security/elasticsearch-security-native.yml +++ b/tasks/xpack/security/elasticsearch-security-native.yml @@ -97,7 +97,7 @@ #Update password on all reserved users - name: Update Reserved User Passwords uri: - url: "{{ es_api_uri }}/{{ es_security_api }}/user/{{item}}/_password" + url: "{{ es_api_uri }}/{{ es_security_api }}/user/{{ item | urlencode }}/_password" method: POST body_format: json body: "{ \"password\":\"{{native_users[item].password}}\" }" @@ -117,7 +117,7 @@ #Overwrite all other users NOT inc. those reserved - name: Update Non-Reserved Native User Details uri: - url: "{{ es_api_uri }}/{{ es_security_api }}/user/{{item}}" + url: "{{ es_api_uri }}/{{ es_security_api }}/user/{{ item | urlencode }}" method: POST body_format: json body: "{{ native_users[item] | to_json }}" @@ -171,7 +171,7 @@ #Delete all non required roles NOT inc. reserved - name: Delete Native Roles uri: - url: "{{ es_api_uri }}/{{ es_security_api }}/role/{{item}}" + url: "{{ es_api_uri }}/{{ es_security_api }}/role/{{ item | urlencode }}" method: DELETE status_code: 200 user: "{{es_api_basic_auth_username}}" @@ -188,7 +188,7 @@ #Update other roles - NOT inc. reserved roles - name: Update Native Roles uri: - url: "{{ es_api_uri }}/{{ es_security_api }}/role/{{item}}" + url: "{{ es_api_uri }}/{{ es_security_api }}/role/{{ item | urlencode }}" method: POST body_format: json body: "{{ es_roles.native[item] | to_json}}" From e01af7977ff89dd50e2a023c599a909305acf627 Mon Sep 17 00:00:00 2001 
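Review bot: The `Update Reserved User Passwords` hunk in tasks/xpack/security/elasticsearch-security-native.yml still builds the request body by hand, `body: "{ \"password\":\"{{native_users[item].password}}\" }"`, so a password containing `"` or `\` produces invalid JSON even though the same task now encodes the user name in the URL; `body: "{{ {'password': native_users[item].password} | to_json }}"` serialises it correctly, matching the `| to_json` already used by the other user and role tasks. As far as I recall Jinja's `urlencode` leaves `/` unescaped outside query strings, so a name containing a slash would still change the path; if that matters, an explicit check that user and role names contain no `/` is simpler than a different encoder.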
From: pemontto Date: Wed, 16 Oct 2019 16:36:43 +0100 Subject: [PATCH 15/35] Better support for different truststores --- tasks/elasticsearch-ssl.yml | 62 ++++++++++++++++++++++--------------- 1 file changed, 37 insertions(+), 25 deletions(-) diff --git a/tasks/elasticsearch-ssl.yml b/tasks/elasticsearch-ssl.yml index f35e3814..9f830243 100644 --- a/tasks/elasticsearch-ssl.yml +++ b/tasks/elasticsearch-ssl.yml @@ -1,20 +1,32 @@ --- + +- name: set fact es_same_keystore + set_fact: es_same_keystore=false + +- name: set fact es_same_keystore if stores match + set_fact: es_same_keystore=false + when: es_ssl_keystore == es_ssl_truststore + - name: ensure certificate directory exists file: dest: "{{ es_ssl_certificate_path }}" state: directory -- name: Upload SSL/TLS keystore and truststore +- name: Upload SSL/TLS keystore copy: - src: "{{ item }}" - dest: "{{ es_ssl_certificate_path }}/{{ item | basename }}" - with_items: - - "{{ es_ssl_keystore }}" - - "{{ es_ssl_truststore }}" + src: "{{ es_ssl_keystore }}" + dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}" + when: es_ssl_keystore and es_ssl_truststore + notify: restart elasticsearch + register: copy_keystore + +- name: Upload SSL/TLS truststore + copy: + src: "{{ es_ssl_truststore }}" + dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}" when: es_ssl_keystore and es_ssl_truststore - #Restart if these change notify: restart elasticsearch - register: copy_keystores + register: copy_truststore - name: Upload SSL/TLS key and certificate copy: 
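Review bot: The two `set_fact es_same_keystore` tasks at the top of the tasks/elasticsearch-ssl.yml hunk use the `key=value` shorthand, which only yields a real boolean because `set_fact` coerces the strings `true`/`false`, and `when: es_ssl_keystore == es_ssl_truststore` is also true when both variables are the default empty string, so `es_same_keystore` is set in the PEM key/certificate configuration as well; that is harmless only because `copy_keystore` and `copy_truststore` are skipped in that case. One block-style task expresses the intent directly: `set_fact:` with `es_same_keystore: "{{ es_ssl_keystore != '' and es_ssl_keystore == es_ssl_truststore }}"`. Splitting the upload into separate keystore and truststore tasks with their own `register` results is a clear improvement over the earlier `with_items` loop.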
@@ -36,50 +48,50 @@ notify: restart elasticsearch when: es_ssl_certificate_authority | bool -- name: Set transport keystore password +- name: Set keystore password shell: echo "{{ es_ssl_keystore_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.keystore.secure_password' no_log: True - when: es_ssl_keystore_password and copy_keystores.changed + when: es_ssl_keystore_password and copy_keystore.changed or (es_same_keystore and copy_truststore.changed) with_items: - http - transport -- name: Set transport truststore password +- name: Set truststore password shell: echo "{{ es_ssl_truststore_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.truststore.secure_password' no_log: True - when: es_ssl_truststore_password and copy_keystores.changed + when: es_ssl_truststore_password and copy_truststore.changed or (es_same_keystore and copy_keystore.changed) with_items: - http - transport -- name: Set transport key password - shell: echo "{{ es_ssl_key_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.secure_key_passphrase' - no_log: True - when: es_ssl_key_password and copy_certificates.changed +- name: Remove keystore password + shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.keystore.secure_password'" + when: es_ssl_keystore_password == "" and copy_keystore.changed or (es_same_keystore and copy_truststore.changed) + ignore_errors: yes with_items: - http - transport -- name: Remove transport keystore password - shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.keystore.secure_password'" - no_log: True - when: es_ssl_keystore_password == "" and copy_keystores.changed +- name: Remove truststore password + shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.truststore.secure_password'" + when: es_ssl_truststore_password == "" and 
copy_truststore.changed or (es_same_keystore and copy_keystore.changed) + ignore_errors: yes with_items: - http - transport -- name: Remove transport truststore password - shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.truststore.secure_password'" +- name: Set key password + shell: echo "{{ es_ssl_key_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.secure_key_passphrase' no_log: True - when: es_ssl_truststore_password == "" and copy_keystores.changed + when: es_ssl_key_password and copy_certificates.changed with_items: - http - transport -- name: Remove transport key password +- name: Remove key password shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.secure_key_passphrase'" - no_log: True when: es_ssl_key_password == "" and copy_certificates.changed + ignore_errors: yes with_items: - http - transport From 8d72d86ab8e7f3abde97a6d92a5c5ddaa00d0e59 Mon Sep 17 00:00:00 2001 From: pemontto Date: Wed, 16 Oct 2019 16:39:31 +0100 Subject: [PATCH 16/35] Fix es_same_keystore conditional --- tasks/elasticsearch-ssl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/elasticsearch-ssl.yml b/tasks/elasticsearch-ssl.yml index 9f830243..400c63b0 100644 --- a/tasks/elasticsearch-ssl.yml +++ b/tasks/elasticsearch-ssl.yml @@ -4,7 +4,7 @@ set_fact: es_same_keystore=false - name: set fact es_same_keystore if stores match - set_fact: es_same_keystore=false + set_fact: es_same_keystore=true when: es_ssl_keystore == es_ssl_truststore - name: ensure certificate directory exists From 57fa4e5176dfbba9f6d5c89f0d67177164fa9f28 Mon Sep 17 00:00:00 2001 
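Review bot: `ignore_errors: yes` on the three `Remove … password` tasks in the tasks/elasticsearch-ssl.yml hunk (the one starting at `@@ -36,50 +48,50 @@`) hides every failure of `elasticsearch-keystore remove`, including a wrong `es_home`, a permission problem or an unreadable keystore, when the only outcome worth tolerating is "setting not present". Querying the keystore once with `elasticsearch-keystore list` and removing only settings that are present keeps real errors fatal, and `command` suffices since no shell feature is used; `es_same_keystore` is set at the top of this file, outside the hunk. The same shape applies to the truststore and key removal tasks.
```yaml
- name: List keystore settings
  command: "{{ es_home }}/bin/elasticsearch-keystore list"
  register: es_keystore_settings
  changed_when: false

- name: Remove keystore password
  command: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.keystore.secure_password'"
  when:
    - es_ssl_keystore_password == ""
    - copy_keystore.changed or (es_same_keystore and copy_truststore.changed)
    - "'xpack.security.' ~ item ~ '.ssl.keystore.secure_password' in es_keystore_settings.stdout_lines"
  with_items:
    - http
    - transport
# … unchanged: Remove truststore password / Remove key password, same pattern …
```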
From: pemontto Date: Fri, 18 Oct 2019 16:54:46 +0100 Subject: [PATCH 17/35] Add option to enable xpack trial --- defaults/main.yml | 1 + tasks/main.yml | 4 ++++ .../elasticsearch-xpack-activation.yml | 4 ++-- .../elasticsearch-xpack-trial-activation.yml | 18 ++++++++++++++++++ 4 files changed, 25 insertions(+), 2 deletions(-) create mode 100644 tasks/xpack/security/elasticsearch-xpack-trial-activation.yml diff --git a/defaults/main.yml b/defaults/main.yml index dc674cc4..f6f990f5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -33,6 +33,7 @@ es_max_threads: 8192 es_max_map_count: 262144 es_allow_downgrades: false es_xpack_features: [] +es_xpack_trial: false #These are used for internal operations performed by ansible. #They do not affect the current configuration es_api_scheme: "http" diff --git a/tasks/main.yml b/tasks/main.yml index 5ef6a03b..1e62770f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -90,6 +90,10 @@ include: ./xpack/security/elasticsearch-xpack-activation.yml when: es_start_service and es_enable_xpack and es_xpack_license is defined and es_xpack_license != '' +- name: activate-trial + include: ./xpack/security/elasticsearch-xpack-trial-activation.yml + when: es_start_service and es_enable_xpack and es_xpack_trial + #perform security actions here now elasticsearch is started - name: include xpack/security/elasticsearch-security-native.yml include: ./xpack/security/elasticsearch-security-native.yml diff --git a/tasks/xpack/security/elasticsearch-xpack-activation.yml b/tasks/xpack/security/elasticsearch-xpack-activation.yml index 55e3063a..b29f83bc 100644 --- a/tasks/xpack/security/elasticsearch-xpack-activation.yml +++ b/tasks/xpack/security/elasticsearch-xpack-activation.yml @@ -17,5 +17,5 @@ license_activated.json.license_status is not defined or license_activated.json.license_status != 'valid' -- debug: - msg: "License: {{ license_activated }}" +- name: License + debug: msg={{ license_activated }} 
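Review bot: The elasticsearch-xpack-activation.yml hunk rewrites a block-style `debug` into the `msg={{ license_activated }}` shorthand, which is the opposite direction from the rest of this series (the `uri` tasks all use block YAML for module arguments) and relies on a templated dict surviving key=value parsing. Dumping a registered result is what `var` is for: `debug:` followed by `var: license_activated` prints the same structure, stays in block style, and the task name `License` then carries the label the old `"License: …"` message provided. The `es_xpack_trial` default and the include in tasks/main.yml are fine as written.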
diff --git a/tasks/xpack/security/elasticsearch-xpack-trial-activation.yml b/tasks/xpack/security/elasticsearch-xpack-trial-activation.yml new file mode 100644 index 00000000..b8306c47 --- /dev/null +++ b/tasks/xpack/security/elasticsearch-xpack-trial-activation.yml @@ -0,0 +1,18 @@ +--- +- name: Activate ES trial license (with security authentication) + uri: + method: POST + url: "{{ es_api_uri }}/_{{ 'xpack/' if es_version is version_compare('7.0.0', '<') else '' }}license/start_trial?acknowledge=true" + user: "{{es_api_basic_auth_username | default(omit)}}" + password: "{{es_api_basic_auth_password | default(omit)}}" + return_content: yes + force_basic_auth: yes + status_code: + - 200 + - 403 + validate_certs: "{{ es_validate_certs }}" + register: trial_license_activated + when: es_xpack_trial + +- name: Trial license + debug: msg={{ trial_license_activated }} \ No newline at end of file From 3707af148874b34301c3b120d188204c57933deb Mon Sep 17 00:00:00 2001 From: pemontto Date: Fri, 18 Oct 2019 17:51:44 +0100 Subject: [PATCH 18/35] Fix conditional for password removal --- tasks/elasticsearch-ssl.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/elasticsearch-ssl.yml b/tasks/elasticsearch-ssl.yml index 400c63b0..7f56a98b 100644 --- a/tasks/elasticsearch-ssl.yml +++ b/tasks/elasticsearch-ssl.yml @@ -51,7 +51,7 @@ - name: Set keystore password shell: echo "{{ es_ssl_keystore_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.keystore.secure_password' no_log: True - when: es_ssl_keystore_password and copy_keystore.changed or (es_same_keystore and copy_truststore.changed) + when: es_ssl_keystore_password and (copy_keystore.changed or (es_same_keystore and copy_truststore.changed)) with_items: - http - transport 
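Review bot: The new task in tasks/xpack/security/elasticsearch-xpack-trial-activation.yml sends basic-auth credentials but has no `no_log: True`, unlike the sibling license-activation task in elasticsearch-xpack-activation.yml, so a failure on this `uri` call prints the request parameters; add `no_log: True` next to `register`. Accepting `403` in `status_code` without inspecting the body means an authorization failure and an already-used trial are treated identically and both report success; a `failed_when` keyed on the API's error text for a 403 (check the response the endpoint returns in each case) would keep the "trial already started" case non-fatal while still failing on bad credentials. `when: es_xpack_trial` repeats the gate already applied on the `include` in tasks/main.yml, and the file is missing its trailing newline.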
@@ -59,14 +59,14 @@ - name: Set truststore password shell: echo "{{ es_ssl_truststore_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.truststore.secure_password' no_log: True - when: es_ssl_truststore_password and copy_truststore.changed or (es_same_keystore and copy_keystore.changed) + when: es_ssl_truststore_password and (copy_truststore.changed or (es_same_keystore and copy_keystore.changed)) with_items: - http - transport - name: Remove keystore password shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.keystore.secure_password'" - when: es_ssl_keystore_password == "" and copy_keystore.changed or (es_same_keystore and copy_truststore.changed) + when: es_ssl_keystore_password == "" and (copy_keystore.changed or (es_same_keystore and copy_truststore.changed)) ignore_errors: yes with_items: - http @@ -74,7 +74,7 @@ - name: Remove truststore password shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.truststore.secure_password'" - when: es_ssl_truststore_password == "" and copy_truststore.changed or (es_same_keystore and copy_keystore.changed) + when: es_ssl_truststore_password == "" and (copy_truststore.changed or (es_same_keystore and copy_keystore.changed)) ignore_errors: yes with_items: - http From ab70e6f11d1ee57c10ddb8fd58c4a28f375fe87c Mon Sep 17 00:00:00 2001 
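Review bot: `ignore_errors: yes` on `Remove keystore password` (and on `Remove truststore password` in `@@ -74,7 +74,7 @@`) swallows every failure of `elasticsearch-keystore remove`, not only the presumably expected case where the setting is absent, so a damaged keystore would go unnoticed until Elasticsearch fails to start. Registering the result and using `failed_when` keyed on the return code or stderr, or guarding the task with a prior `elasticsearch-keystore list`, would keep the intended idempotency without hiding other errors. The `yes` should also be lowercase `true` for consistency with the role's `false` defaults.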
From: pemontto Date: Fri, 18 Oct 2019 17:56:55 +0100 Subject: [PATCH 19/35] Add tests for SSL and and trial versions --- .kitchen.yml | 8 + files/certs/keystore-password.p12 | Bin 0 -> 3451 bytes files/certs/shared-store-no-password.p12 | Bin 0 -> 3451 bytes files/certs/truststore-password.p12 | Bin 0 -> 3451 bytes .../helpers/serverspec/spec_helper.rb | 1 + .../helpers/serverspec/xpack_upgrade_spec.rb | 14 +- test/integration/issue-test-trial | 1 + test/integration/issue-test-trial.yml | 46 +++++ test/integration/xpack-upgrade-trial | 1 + test/integration/xpack-upgrade-trial.yml | 177 ++++++++++++++++++ test/integration/xpack-upgrade.yml | 18 +- 11 files changed, 257 insertions(+), 9 deletions(-) create mode 100644 files/certs/keystore-password.p12 create mode 100644 files/certs/shared-store-no-password.p12 create mode 100644 files/certs/truststore-password.p12 create mode 120000 test/integration/issue-test-trial create mode 100644 test/integration/issue-test-trial.yml create mode 120000 test/integration/xpack-upgrade-trial create mode 100644 test/integration/xpack-upgrade-trial.yml diff --git a/.kitchen.yml b/.kitchen.yml index 953523e6..66eb2f0f 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -132,3 +132,11 @@ suites: provisioner: playbook: test/integration/issue-test.yml idempotency_test: false + - name: xpack-upgrade-trial + provisioner: + playbook: test/integration/xpack-upgrade-trial.yml + idempotency_test: false + - name: issue-test-trial + provisioner: + playbook: test/integration/issue-test-trial.yml + idempotency_test: false \ No newline at end of file 
diff --git a/files/certs/keystore-password.p12 b/files/certs/keystore-password.p12 new file mode 100644 index 0000000000000000000000000000000000000000..6a58eaac87a8d63f92f9a7fc59343acd46712949 GIT binary patch literal 3451 zcmY+EcQhN08io^MM4MI>6)UI}>8yAL2Iw78da2ZPv@1Fa|cfNC;_x-*HnzHSpxTE>*xRdLl^mW09&pcP^yG0K$LHv*v9pNJ984wnQxu9>i*;BeDVy$h<-24IK@bBQ00nK! zCw@W@wDW7WV}!ZOuRd2?VHgify>WLR=Y1H?;fGffdip%H*FkamO>h2O;^@h{{$F`d zHr`zGOuKx$z++$JL<4N=apmR*5|&Huls5E3Je-efQZ}98rwKcj>;mrMsz4 z>c}(&N_KZzSD+)^`^zl*&N1QO%zg8L-+sYWPeDCSmI2m*oEcb8S(dqxt%Yf!U-v|QmFW@+r4sLz zA~}2oadjv}I+pJ`rv=+xD&7b{L>M*< zh0Gn(sI`FP{gvO>@5k5X(v6F5wmB*(r1sU7e0I1ziX*UU=zPgv4^q=Qau)#ncS0AR%V8=B5^i9sD4s|$Z^^R(HgT; z8m(p;s7QaNGSaYbi{d#47Yx5&GmYt}SU2b$yuJ~}jX)B8_`EOMsv>rnY!h`qU=vms zh%LcZSvZZ3<$14(t_FcpTT{oM4&@r#x4xsrnHPE2w7bt|z-`Ue5orNVDMVJ12*_LM zMp1w7&$f*>+U%t34X6DAq$$t$ey2b(#`bw`jIkuyz1aqA2FSZ^-k zBRvr(8|YEnds7|oLuf0Iv zZ8R;ma}*sG&XVJ0R-UV^%~G^i_?E;ek9KBtG8mwBfOffFjgcFi2f!|37bl}LWnnoA zN5>x^>9DN&Jw9u53znbL#4xg3D#R9{YyHf2;hoUx31!Ab#`-p&|M+|){OKDxDS!u0 zZm78z6TM7;=n^u`mR4BI$$qmSTSnFmk!?ve40+zZTu$>ON&S1xme%=ITov^mO!wu_ zQF2A+i&K$9t>~#Km0Pw;>xVa9#IgS7Z3n-GX!_6?q{mW3rmTdLhoa1GmE_VxI+*{m zh3V1cIGRAw1`>Kemj#EQyI-{QIYmSo3}R>b!+Dqkcay0V~)NZ$VySR|N1OlI!h&O8z_auU)=d1-lRNoh$W zp04!o5*=+3o-X?jN~Zz>{;bFUOMw4pS=xVDR`6&+bjw@uVD#Amlbu?m56Ffs{NI+1 z!qXYmoGVHk2m+p7(^#*uzW3giF+;+vGAj7!(d(KLQ}zjvM` zCA^%u5lijD?qu~v3@evOY+jdFnpRMhEB97tmP`04nhtRsEhv96{eB@ySd&oeI03a= z))5fyV9zVkO6h?Y7#`Kq>w<6wgul)nBfHZYXCocYAC!dn{?4t}Om1V390qI#C}*sF zgojLaP51^{@b#py8P#TD-3^N|9=_P~r0lx`!#aSyB37qg*>_0=Gw5+*#s`P8eQuby`l& z1{~ji(iKu6Ua5@G`+8wb8H)iQ3U@R3R9|U#C6&v~YczZx%V=Kzb-Bgk#JGQEnO>~V zQeqWwbfN*}_-+p&aWkbbH*|(1n-`iX3V_H zS-d<4)kpNGas59czyItq6Q4tMVtTDT0<8CyuBvwZFXzOyE`1?Pzc~|>^FG)OuSxn`lyNbJZk=y` zT=+(3Z;<&F687aC*~Gj z3QR+Pd8^EG{~Gn%@y51lxBTkw}mxNu`*2pXGATLY_92 zR4b2p8H=48BZcZ?ADzjD77<<$UoD-vdw(cDY2xd)35APYbDW~xcyG0#Xq!?>H>d1% z-rdQ_*f4zGXj4nlZLALf;{R6eshZk=SRLON2pdgRJuE#_CsU3HmYI@7-KF^$Z(WVI zJDBG8Z>W<|#X~YNEn(<1>u| 
z8+(B}`lML%M2>3dWkwunTiama@G!dG-?a~VS3%{-;9YAH>sU5;^|_xQ&$D$@zr?az zWb5I;8@Mvfl`)sz@;D`!?MwBe^=Tipe@9WC%;YHtiXKj~+E!etGrpkeG!SB=A1Xa- ze!?%vFLUhK8Sn_$vF|bn+Voz$8qASBp1GXBAKUL-Qx$jH(x$Y|YiTXFcaYJuu5>moyApMmDHbJV04-zN=B1{f*nTn0 z93s4IrXZ`1Wf-DdlQU07&+w_5eo|_xTpRGvzFdgoanv`VeV7l+l~l{wzGQ|dGl9g! z8Y04m{7^&oZla|3^|d=&x~b82kR)!ZDBpYRsu9Ob)!?hGZg0u74tkZUE2a5Lt|GmQ zmFXvh@Dc3N%nz;Z));|^RIi+QtZZoFfZK2nPZO6_f_+*DLUd|{(XNzeUz_D)mUkVZ zM`HJSDRe1&H`(K1+{p;`>Lhsu^WZK!s(QeX%R+T4%)%fNW5W#RXnfy|HSoL?e|2=u z?zqy)T0If4sr88C+}r-Nbpn%t7pgbkspxsSC-wD*$tYcwmp^AWq*f*037Spk6bL8a z4^n{+BUEj!e0=gBWcb9B+gdLc8;pU8m>Y4SzTe4K57R#n%#>RL6=KCOUgWU;Qjfr? zZ2n@1=?|6TN|^!v2P~7Qo->drr2qr;x(OZaPVh`D@sWw!5+~0H`nhZawmRXit@4mc zT*Q}eedf}M$>5$s{jF%{rd{|XQ)7XBU(>opYaF(IZh1hN82I8I3j zj#Kmx7DD1!Zv0oo;tRpCc>cj|f5r*Q@qbq^b|8p^gB&Aq5C&2X%KrcO&vRi2KQp_h z?Cg0?GU_+gftp4-gpe&H;jh3^FMuQ%VL@;RlZgCi!5?O?9H$!dawkqro>f z>h%bSe5csI-45$AOE_gKvb*>qROjXuS(F=T2N4upR*!y`RuaYooXtsYW9hPeOD7SO zn3~$^T=$k)z%yw1=gYqftM3dJ23e)TqOtm>Oml9|2$X`NQ$y2wUBt%G+1o|5W_j51 z3h`y6`cz{NNt5>^=DjmiN+qvc9Z&Z!OR^_TTHcrJDVMJeA zZDtJYtxSwBFZOg4U{@`v4O0CkisQ9=_~xqAS8w2&OcdTtNkt_LVK8d2vC)Z@NH{8p3a}KT90JMuDtvu$I_MKR7@#ikrMdF zgU#QSPQ_k2HwnXMfqDvCg7M0q&s}bOX1B!Wo9j+vdtX&%xxE9ckev_NCoN--rXwBjwz!?N?Y!=Dh@WkSPeK-G)di?9Ns${hu~W-Uzt>j|8;`1 z6Jq4mcZDbBWV&Ln4L%8R-$;O`G>Z|7ASG6OHe<8f7sZIuDVvAM%cyfEnI6(pJKZjt zfmec!lx2$cP|s!1ysiq00@l;dB=m^Ii{3wYDRIYNCNv!7-e=b5%VX_Fwh^!sy&NU- zsWUDl>BdaZ(SGw4P z4_m8a1baCDk{gUt+6BmqEIvKvbw>zH-xCZvl7qMZ(h88eZl1lOM-(~!m3~Efk$wA; z!-E-$vv8?{!Q{yAP$^v32M*;|-2vj3nW03(X(YsvL!zjmm73xl5N7TcbAE{(@E1&)^Qdy4y2Q~99xG$DDn(L)q}J(6>t7L6m_`}mL- zr>i?bU2P_-EtLWxCf3h@{70Qy6bV?p=B+uKGp8oBAkeiwgE-vVUM|jn77ciXZfD{% zIU?1q3K;LfQnqj{;wUb6t3SPGuu^JL0GF>a_a#>NNzKQb?&T5m!50lJWX7!o!ERoF zP+@*nkW9d@ADy3;%38@aK*`4{9HsrcNg-g41mdF})@$#SJ7k3|xlt5{B3i0RLge-C zxaS1BI!&gqG9e8JV+Pjbz4R4v0FwSuw{HB9S(K`~Pr!0P#Vy=LA*Xe;oFwUb-i}pF zU7o6K*)+at4h8=zItXSW_G&AkCogV2R{Jy|C;Se*|A=fHJS~+omOnV=u2$#Ud8lfN z6#us>+4xm?#kc{XfN;PqKor3L&kh6xBPIV+K&bLVcwIto1WTxDXsM!*+9(}WZIm_= 
z$6EF85-XI1V=efD@<2eqpLO>?3Glxx3;iF-Cr3)x zVVLNLVFW{DwTEYbO0vUsp;U6&OFb!0>USL zzr|Sf=5ztzt<>PDxTDoZlu>?^td0ApI);o<`?@{x)CX{^{j@S@MBQML>dzOC0Q5|y z=Nq4cuts6F0@Y_;%&d(QWw{uMv#GqS{%)V{X_a+KVA7))AxUkD1=-;(&TV(*VndEi zyzo0ckxniw0T@R{@J3FWm%cNgMbKfQPH8}W$L6QEog)q{N5*X~P> zxjZ3mOd_qc{+P?NiJ;{Q0GX$!lFc0SL`!Ta{OBeibYlmN}vHlfMvM4(JFU_^h^Yh=jDxku7u{PUD>~V4fZ#nAQ01^lC zoRUvF?q}S#^)=EFDlU)5FQYki7`XI=iDXfH(n6;NLf&wsX*Rdou@^PM=v67`Jd zuU69mb^p}4!!!o=5g436#R%h-=}R*|TKEo1zd{cjEk>EE5uw-ff^vU;6QCC`X!MnC zD1eWik9ariBo5~q=|aIW%KUzdJ@25|^}y8;3uA>`^KNO9VV4?@N)R3BS+5VuGHTz-Mn-*8w;s~R?kF#9+ zic8W-pLdlNI%X*@5cmj{cCdv$@s-Z|Ermfu`5nogBFRwGDooKB#|vQTb}sdj9iF`O zvFqg24oeMDf2#vFIZYxx4ph zZs8+h_>{QUaNMPPro;-x1Z9->sV}8{=oP%A{%>A^`?ESM6}#Wv`-CU%^5~Yu2&T=2 zeY6Ofj)QAK)HB9E({6d7O`QGsxXr3!cs2xgx$NXQ(z#oDO`*4=o5W0Pi0)@Hw)HU% zLA}El8xqb)XeGH`69S~XT`?EEe^@t9`jFzMCBp673a8y=P2I>3iTliubX|h}^$#=n zk$hCr1@_6SfKi3lsQ~4$(I)=DY0!Sv$6$ATZ3`)) zCtw-c)`22kx(lqjwVCN1M^%aEQlzjYW44Xv*@ppauVZhpCUKWq_uJA?p^r*<{)ThFQUqoEsH?H`F&a?Rb*u*(4 zXD7}$?CAxb8Sfs`wbHzi|##X#1yXNXc&-chPb8x$400&9;ie3PKmG*gz?}KW|9!IQUCr6q OpWi^W6(BH>K>8P*ZdvgF literal 0 HcmV?d00001 
diff --git a/files/certs/truststore-password.p12 b/files/certs/truststore-password.p12 new file mode 100644 index 0000000000000000000000000000000000000000..25d9aa4c6796acba288307fe2748178817819722 GIT binary patch literal 3451 zcmY+EXEYlQ+r|@;*wn5)N{tkWy?0A%)7oPHODM65+OewC47K-)RkNts2DK>~MXg#j zN@}*|)Av2^`#k6QaG&d(Yuq1yFf^4v5s(;$rh-Apgk!X0&ZvMSz(OF#u->LW2gkcP0AnzSi^duOl1xx%Bv>Kw1!~=)#XApI=C*M+Q-n z{h;hKqm-USE56Lx(s_Z2P?IRGQsw0imJV8q7GSfcl`>oDCs5iP5-M<77oOJokw;s( z{Px;AIX%yYGDVw)T;|X3Pf~V-FNcVpfQ~S*P`8QeTW8<3CH|uZAFYEqyDZbLzb>qwY@J*MrVj5I zTMQ>y2<1nG-oZK{I?-jBc)Dwj3)FXa)oxT>XCR7|T??w;{c_@a@&syLa=LN?PEdIx z(`+W9Jg;VBlH~X{@%u1hMWNEQbZnkS%|gs^9PH}pb!v6bT#BRtkX04EcJ8;hyS8sw zuXZ|oP{V|LmHrE7KxJB1S|PMzj(ns*7Mx_)IXL{dHyJ4r%Ok6&i%e`|1(uWrDnCjO zV6%jW-HF80=h?k%sF{f8z4r9(at%?(0+?mX7lWdv?c7vD5gNcj}G@d*aFUJpf6I#TC_vliK){l#qWApYT-Eq_^72qVjzGcz0@;sMb8YFG$Dk@$T z9DdR06vP?n(Ny_;^68(1-i1z!QXwmHp@HJet$E@&Z#3ckRs_d_{wW3j?(PMhK$P3! z7fqMNgPmAV*6Ztro4PgO@8*hMd0&6+${v41!AD<`w(}Dobo*lU&CcdkV3XPMA>oVC zN!X3j2N#F86k$A#a{1q0LIA5=%{QIlsr$H}J3q(3GuFm0fZ?C^>?vqPva-xp4!Lwi zZ=&!NE_BIN)2N(}j#Tdz8@XE{=I}>_RqtcLy_4(pf#91W^hNdQt3YplAvd&T5_zQ8 z@OC@1;eNcbPe)DD8WYS@h1Q!%ir-Tc=Zs(BlsfJRqP*yRZ5>5xwQnW+nvQ7DDJqTO z&QChPW#&NL=r-Xsmcxgavn5glK~-76>26B{dWEm=M)#eyuS6ZEJ(IZoME6kO-ACrS zXy!)a73hU*e3hzg5oA_ujVW08Lx!Zy3(F8gh1Fjva=wekk`$pd|8Uf>j>lIiFMTCS zUDW0V0`glVr+6dM6N{D#k9&r0;zYT_yBns|&`@WR?JesJ>nC?~%P@44yN^T$zZSh} zJ>J7aKg25^#AS25-MB7-Zf0J^Qagt&%W9*Pj3O>5Eg<)08yDodZy=KkNxi#7p~RBx zX4=%a+U%RqU8f)0Xwu6;qArr{A=_x0yXpfq<{u+4URL$Xadqq?Y&7@Wh>t+=?!PYi zGd+N(I?p@CqtUrT*QBtBQS9RxiGf>3X1f_Oijh?4f%PzaDUEvqMuEosw-Ww$xw_t) zhXeXS^QgH%a=f1P{i1FI5Bv;9M}yhwQYlK1J#scyYgDbINkbd1N$!1+{j2h8wU?&q zg6MCoQAj;yH8Wp({dzh(bS*sPIq#Y^@~%qAP~PFDT7yU)VL(cTP>}x<@Z)%1(|fX? 
zW>RbHQeknBbGS4~B&^UW^F~TaCvm&{Yl=I_IY)e-iqlv-HEs@qAAJ;97))bY{ZazC6 z61A8;TE=J&yS~j0#yhu*@Xa-J(s@lwd>%}pJ=k!0XLjgyVE?(PjLKtj`;ZDq2y;1~ zulKgQpoH;-$k+TW5uzl0+le|1&A0+T=xH)PGd+5}H6ujJ#hV(+O{w7^@O~_mk;mQe zT@5{11MW2AJbuHl^ap9lu1*DZX?9OO&l$+Vtb?lbl?t)Cl+W4K$5GxmzTr*gZ5pi)>3K;y>w~)sn)PagiZ5wu zQ{MRc52vXYE-|-RTJ^oz{Z<|mf7rEVJd(tbuSfsKRk2B;!b>)BuHF5@zE%aXP+G@a zmHCa7(wp>vtt8o#1<)mt+qwl`AM}JJu-MaH^TAN0ZG+A4TB>SPT>~s_Nm6GRu>sK$ zHGOXEov{Mooa1*!VFe4;k)l3cJ<6(^Px9DGl_n&+oL!+#J^`BmGjU|eHp?Mlcqeo0 zEy7QzPcZKM(rqK@S3u6nT76(UzEl0+vy9eIVmDE9q~7A7KPps!-20KXFrM5m<{yiO ze2I=bI(=+rnln2SNgc@*fUI-(lzts?L;KkG42fb+*3ZML_x1(B;JmQj&Ys(>Y*rZH5 z_Gfm965|x-k&oeWOgoD*Kici>N9+g4$`k}$kvuScvgy!|ECfzwS{J}_C-5=SVcRpO z{F|OtvspCHpjBt2JJDk`5f2FyO=pl~{%-?3FHD3pdP*NjmpxI=NE7Dy(xuSP4upe{*Viv7*`gL6|KrdoxR62BR(O^QD#cw;@@vlmI$S4Gt{BKCq{vX2#x`kc4xph!%5) z8b;G`Q6ZiNwBP6Y#3yHkti?ZvniC4!p-1CL=Cfltu)?W)ZnnEP)0wz<^EpmPrPT~h z7XK>t*r8ja@WW@Pxd(kuS{M|wNrhONX=h0t8_B^>=Y%;_CNE5dg15~H6w7pMfw5T+ z%N~GRE! zKp}lvH@9a;U$f>qzWj55$6~&L6*)qM>QKC!q8{eVZp8W`>+N)wsK4trYyxxEVNS=W zj}Wf!aA)0tw)L_Gsz$f-A zDrtep%o=A*nK>k{OybU=b*;F^Peil-I(`10qi?uzfff!bxb`R9(?`XdTCW~-n)P&7 zckgZu83psRlZ7xYHR^!F>HDzSi64aJ4ApVBJo2X^15#}Ew~!xoix2{p-N}6YM{WlS zj8h+T*}H+^CTW^{avz4Z_{5E>8W>_(x#ynwu+{^=*E!v4tc6IEumKLY7ELNw8f<9I z)cku|vTeq=^&MPpsM!pUvsCSH*_)RE79Ae$J1D!PKi9Zf`lasGH7&%G-omq^@(*4o zSj0w^m43gE@_MEJvGl=+#-_@wsd#}_;gzYVv<0fGEZPbZ+NDfi{>u|+qk|5R!p?nQ z#I2$(q_G7?PFg2Bac`Rp5)Hoie{s3sd2nbHyoXf-wm});76!vozEzcNtQtLb$`rQ# zfQVi-{j{Di6JO}}0Qz@WS2A$Bp7(#J_c(&XA)6nW?=MS%oE&S*&PuWGZ zzHdonPKzU4uIC-wrvUDGL8G&L&KI>_#pSYD<^%}1&QCNwyea&-`e$#wmd|g!H%v|{ zi{Fm*dsnIxT~=SroG3NEuv|`wOLbP@&{}cCEjaZfAOZKeT+@72jyIjBjBRBHC1A=h z9vB$}45cO}Vg&<046*l)dTnJV8K uri.scheme == 'https', :verify_mode => OpenSSL::SSL::VERIFY_NONE ) {|http| http.request(req) diff --git a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb index 00fb0fc5..abd2ff49 100644 --- a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb 
+++ b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb @@ -5,7 +5,11 @@ es_api_url = "#{vars['es_api_scheme']}://localhost:#{vars['es_api_port']}" username = vars['es_api_basic_auth_username'] password = vars['es_api_basic_auth_password'] -es_security_api = "#{vars['es_security_api']}" +if vars['es_major_version'] == '7.x' + es_security_api = "_security" +else + es_security_api = "_xpack/security" +end shared_examples 'xpack_upgrade::init' do |vars| #Test users file, users_roles and roles.yml @@ -52,9 +56,7 @@ #check accounts are correct i.e. we can auth and they have the correct roles describe 'kibana4_server access check' do it 'should be reported as version '+vars['es_version'] do - command = command('curl -s localhost:9200/ -u kibana4_server:changeMe | grep number') - expect(command.stdout).to match(vars['es_version']) - expect(command.exit_status).to eq(0) + expect(curl_json(es_api_url, username='kibana4_server', password='changeMe')['version']['number']).to eq(vars['es_version']) end end @@ -84,9 +86,7 @@ describe 'logstash_system access check' do it 'should be reported as version '+vars['es_version'] do - command = command('curl -s localhost:9200/ -u logstash_system:aNewLogstashPassword | grep number') - expect(command.stdout).to match(vars['es_version']) - expect(command.exit_status).to eq(0) + expect(curl_json(es_api_url, username='logstash_system', password='aNewLogstashPassword')['version']['number']).to eq(vars['es_version']) end end end diff --git a/test/integration/issue-test-trial b/test/integration/issue-test-trial new file mode 120000 index 00000000..0746a3ce --- /dev/null +++ b/test/integration/issue-test-trial @@ -0,0 +1 @@ +issue-test \ No newline at end of file diff --git a/test/integration/issue-test-trial.yml b/test/integration/issue-test-trial.yml new file mode 100644 index 00000000..efd726c0 --- /dev/null +++ b/test/integration/issue-test-trial.yml 
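Review bot: `curl_json(es_api_url, username='kibana4_server', password='changeMe')` is not a keyword-argument call in Ruby: `username=` and `password=` are assignments that rebind the `username` and `password` locals declared at the top of the spec and captured by the enclosing blocks, so once this example runs the file-level credentials hold the kibana4_server values. The `logstash_system` check in `@@ -84,9 +86,7 @@` does the same, and the later "Add tests specifically for SSL certificates" patch repeats the pattern with `username=username, password=password`, which is a no-op self-assignment. Pass the values positionally, `curl_json(es_api_url, 'kibana4_server', 'changeMe')`, or give `curl_json` real keyword parameters; which is right depends on its signature in spec_helper.rb, which is outside this hunk.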
@@ -0,0 +1,46 @@ +#This file is for users to test issues and reproduce them using the test framework. +#Modify the playbook below and test with kitchen i.e. `kitchen test issue-test` +#To add custom tests modify the serverspec file ./helpers/serverspec/issue_test_spec.rb +#Idempot test is enabled for this test + +- name: Simple Example + hosts: localhost + post_tasks: + - include: elasticsearch/test/integration/debug.yml + roles: + - elasticsearch + vars: + es_xpack_license: "" + es_xpack_trial: true + es_config: + xpack.security.authc.realms.file.file1.order: 1 + xpack.security.authc.realms.native.native1.type: "native" + es_heap_size: "1g" + es_plugins: + - plugin: ingest-attachment + es_xpack_features: + - security + - alerting + es_api_basic_auth_username: elastic + es_api_basic_auth_password: changeme + es_users: + file: + test_user: + password: changeme + roles: + - kibana_system + native: + kibana: + password: changeme + roles: + - kibana_system + elastic: + password: aNewPassWord + es_roles: + native: + logstash: + cluster: + - manage_index_templates + logstash_system: + cluster: + - manage_index_templates diff --git a/test/integration/xpack-upgrade-trial b/test/integration/xpack-upgrade-trial new file mode 120000 index 00000000..3021ce03 --- /dev/null +++ b/test/integration/xpack-upgrade-trial @@ -0,0 +1 @@ +xpack-upgrade \ No newline at end of file diff --git a/test/integration/xpack-upgrade-trial.yml b/test/integration/xpack-upgrade-trial.yml new file mode 100644 index 00000000..a7196c13 --- /dev/null +++ b/test/integration/xpack-upgrade-trial.yml 
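Review bot: The header comments of the new `issue-test-trial.yml` are copied from `issue-test.yml` and no longer match: the kitchen command should name this suite, and `#Idempot test is enabled for this test` contradicts `idempotency_test: false` set for `issue-test-trial` in `.kitchen.yml` in this same patch. Suggest `#Modify the playbook below and test with kitchen i.e. "kitchen test issue-test-trial"` and `#The idempotency test is disabled for this suite (see .kitchen.yml)`. A one-line comment above `es_xpack_license: ""` / `es_xpack_trial: true` stating that the trial is used because no license is available to CI would also help, and the file lacks the leading `---` that `xpack-upgrade-trial.yml` has.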
@@ -0,0 +1,177 @@ +--- +- name: Elasticsearch Xpack HTTP different keystore and truststore with password + hosts: localhost + post_tasks: + - include: elasticsearch/test/integration/debug.yml + roles: + - elasticsearch + vars: + es_config_6x: + xpack.security.authc.realms.file1.order: 0 + xpack.security.authc.realms.file1.type: file + xpack.security.authc.realms.native1.order: 1 + xpack.security.authc.realms.native1.type: native + es_config_7x: + xpack.security.authc.realms.file.file1.order: 0 + xpack.security.authc.realms.native.native1.order: 1 + es_config: "{{ es_config_7x if es_major_version == '7.x' else es_config_6x }}" + es_heap_size: "1g" + es_templates: true + es_major_version: "7.x" + es_version: "{{ '7.0.0' if es_major_version == '7.x' else '6.7.1' }}" # This is set to an older version than the current default to force an upgrade + es_xpack_license: "" + es_xpack_trial: true + es_plugins: + - plugin: ingest-attachment + es_xpack_features: + - security + - alerting + es_api_basic_auth_username: elastic + es_api_basic_auth_password: changeme + es_enable_http_ssl: false + es_enable_transport_ssl: true + es_ssl_keystore: "files/certs/keystore-password.p12" + es_ssl_truststore: "files/certs/truststore-password.p12" + es_ssl_keystore_password: password1 + es_ssl_truststore_password: password2 + es_validate_certs: no + es_role_mapping: + power_user: + - "cn=admins,dc=example,dc=com" + user: + - "cn=users,dc=example,dc=com" + - "cn=admins,dc=example,dc=com" + es_users: + native: + kibana4_server: + password: changeMe + roles: + - kibana4_server + logstash_system: + #this should be successfully modified + password: aNewLogstashPassword + #this will be ignored + roles: + - kibana4_server + elastic: + password: elasticChanged + file: + es_admin: + password: changeMe + roles: + - admin + testUser: + password: changeMeAlso! 
+ roles: + - power_user + - user + es_roles: + file: + admin: + cluster: + - all + indices: + - names: '*' + privileges: + - all + power_user: + cluster: + - monitor + indices: + - names: '*' + privileges: + - all + user: + indices: + - names: '*' + privileges: + - read + kibana4_server: + cluster: + - monitor + indices: + - names: '.kibana' + privileges: + - all + native: + logstash: + cluster: + - manage_index_templates + indices: + - names: 'logstash-*' + privileges: + - write + - delete + - create_index + #this will be ignored - its reserved + logstash_system: + cluster: + - manage_index_templates + indices: + - names: 'logstash-*' + privileges: + - write + - delete + - create_index + +#modifies the installation. Changes es_admin password and upgrades ES. Tests confirm the correct version is installed. +- name: Elasticsearch Xpack HTTP SSL and shared keystore without password + hosts: localhost + post_tasks: + - include: elasticsearch/test/integration/debug.yml + roles: + - elasticsearch + vars: + es_config_6x: + xpack.security.authc.realms.file1.order: 0 + xpack.security.authc.realms.file1.type: file + xpack.security.authc.realms.native1.order: 1 + xpack.security.authc.realms.native1.type: native + es_config_7x: + xpack.security.authc.realms.file.file1.order: 0 + xpack.security.authc.realms.native.native1.order: 1 + es_config: "{{ es_config_7x if es_major_version == '7.x' else es_config_6x }}" + es_heap_size: "1g" + es_templates: true + es_xpack_license: "" + es_xpack_trial: false + es_plugins: + - plugin: ingest-attachment + es_xpack_features: + - security + - alerting + es_api_basic_auth_username: elastic + es_api_basic_auth_password: elasticChanged + es_enable_http_ssl: true + es_enable_transport_ssl: true + es_ssl_keystore: "files/certs/shared-store-no-password.p12" + es_ssl_truststore: "files/certs/shared-store-no-password.p12" + es_ssl_keystore_password: "" + es_ssl_truststore_password: "" + es_validate_certs: no + es_role_mapping: + power_user: + - 
"cn=admins,dc=example,dc=com" + user: + - "cn=users,dc=example,dc=com" + - "cn=admins,dc=example,dc=com" + es_users: + native: + kibana4_server: + password: changeMe + roles: + - kibana4_server + logstash_system: + #this will be ignored + roles: + - kibana4_server + file: + es_admin: + password: changeMeAgain + roles: + - admin + testUser: + password: changeMeAlso! + roles: + - power_user + - user diff --git a/test/integration/xpack-upgrade.yml b/test/integration/xpack-upgrade.yml index 12700076..a493633f 100644 --- a/test/integration/xpack-upgrade.yml +++ b/test/integration/xpack-upgrade.yml @@ -1,5 +1,5 @@ --- -- name: Elasticsearch Xpack tests initial +- name: Elasticsearch Xpack HTTP different keystore and truststore with password hosts: localhost post_tasks: - include: elasticsearch/test/integration/debug.yml @@ -27,6 +27,13 @@ - alerting es_api_basic_auth_username: elastic es_api_basic_auth_password: changeme + es_enable_http_ssl: false + es_enable_transport_ssl: true + es_ssl_keystore: "files/certs/keystore-password.p12" + es_ssl_truststore: "files/certs/truststore-password.p12" + es_ssl_keystore_password: password1 + es_ssl_truststore_password: password2 + es_validate_certs: no es_role_mapping: power_user: - "cn=admins,dc=example,dc=com" @@ -107,7 +114,7 @@ - create_index #modifies the installation. Changes es_admin password and upgrades ES. Tests confirm the correct version is installed. -- name: Elasticsearch Xpack modify +- name: Elasticsearch Xpack HTTP SSL and shared keystore without password hosts: localhost post_tasks: - include: elasticsearch/test/integration/debug.yml 
@@ -133,6 +140,13 @@ - alerting es_api_basic_auth_username: elastic es_api_basic_auth_password: elasticChanged + es_enable_http_ssl: true + es_enable_transport_ssl: true + es_ssl_keystore: "files/certs/shared-store-no-password.p12" + es_ssl_truststore: "files/certs/shared-store-no-password.p12" + es_ssl_keystore_password: "" + es_ssl_truststore_password: "" + es_validate_certs: no es_role_mapping: power_user: - "cn=admins,dc=example,dc=com" From b59262cb34608cd430c8f0727a89ade8e734b159 Mon Sep 17 00:00:00 2001 From: pemontto Date: Fri, 18 Oct 2019 18:27:55 +0100 Subject: [PATCH 20/35] Fix deprecated license URL --- tasks/xpack/security/elasticsearch-xpack-activation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/xpack/security/elasticsearch-xpack-activation.yml b/tasks/xpack/security/elasticsearch-xpack-activation.yml index b29f83bc..b0315ba4 100644 --- a/tasks/xpack/security/elasticsearch-xpack-activation.yml +++ b/tasks/xpack/security/elasticsearch-xpack-activation.yml @@ -2,7 +2,7 @@ - name: Activate ES license (with security authentication) uri: method: PUT - url: "{{ es_api_uri }}/_xpack/license?acknowledge=true" + url: "{{ es_api_uri }}/_{{ 'xpack/' if es_version is version_compare('7.0.0', '<') else '' }}license?acknowledge=true" user: "{{es_api_basic_auth_username | default(omit)}}" password: "{{es_api_basic_auth_password | default(omit)}}" body_format: json From 42fb7192b9fc0297594f7994be108c954c5dcdc5 Mon Sep 17 00:00:00 2001 From: pemontto Date: Tue, 22 Oct 2019 13:04:22 +0100 Subject: [PATCH 21/35] Add profiling to measure time spent on tasks --- ansible.cfg | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ansible.cfg b/ansible.cfg index d9a8c501..cf7951c8 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1 +1,2 @@ -[defaults] \ No newline at end of file +[defaults] +callback_whitelist = profile_tasks \ No newline at end of file From d59c452918af62dc2a3b90a98285ecb98c41c438 Mon Sep 17 00:00:00 2001 
From: pemontto Date: Tue, 22 Oct 2019 13:04:56 +0100 Subject: [PATCH 22/35] Add tests specifically for SSL certificates --- .../helpers/serverspec/xpack_upgrade_spec.rb | 16 +++++++++++++++- test/integration/xpack-upgrade-trial.yml | 16 ++++++++-------- test/integration/xpack-upgrade.yml | 16 ++++++++-------- 3 files changed, 31 insertions(+), 17 deletions(-) diff --git a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb index abd2ff49..0a6fe247 100644 --- a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb +++ b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb @@ -1,10 +1,14 @@ require 'spec_helper' require 'json' +require 'pathname' vars = JSON.parse(File.read('/tmp/vars.json')) es_api_url = "#{vars['es_api_scheme']}://localhost:#{vars['es_api_port']}" username = vars['es_api_basic_auth_username'] password = vars['es_api_basic_auth_password'] +es_keystore_path = "#{vars['es_ssl_certificate_path']}/#{Pathname.new(vars['es_ssl_keystore']).basename}" +es_truststore_path = "#{vars['es_ssl_certificate_path']}/#{Pathname.new(vars['es_ssl_truststore']).basename}" + if vars['es_major_version'] == '7.x' es_security_api = "_security" else @@ -61,7 +65,7 @@ end describe 'security users' do - result = curl_json("#{es_api_url}/#{es_security_api}/user", username='elastic', password='elasticChanged') + result = curl_json("#{es_api_url}/#{es_security_api}/user", username=username, password=password) it 'should have the elastic user' do expect(result['elastic']['username']).to eq('elastic') expect(result['elastic']['roles']).to eq(['superuser']) 
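Review bot: `es_keystore_path` and `es_truststore_path` are computed at file load from `Pathname.new(vars['es_ssl_keystore'])` and `Pathname.new(vars['es_ssl_truststore'])`, and `Pathname.new(nil)` raises a TypeError, so if this spec is ever loaded for a suite that does not set those vars the whole file fails before any example runs. Guarding with `vars['es_ssl_keystore'] && ...` or moving the computation into the `SSL certificate check` describe block would localise the failure. The `@@ -61,7 +65,7 @@` change to `username=username, password=password` is a self-assignment rather than a keyword call, as noted on the earlier spec hunk in this series.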
@@ -89,4 +93,14 @@ expect(curl_json(es_api_url, username='logstash_system', password='aNewLogstashPassword')['version']['number']).to eq(vars['es_version']) end end + + describe 'SSL certificate check' do + certificates = curl_json("#{es_api_url}/_ssl/certificates", username=username, password=password) + it 'should list the keystore file' do + expect(certificates.any? { |cert| cert['path'] == es_keystore_path }).to be true + end + it 'should list the truststore file' do + expect(certificates.any? { |cert| cert['path'] == es_truststore_path }).to be true + end + end end diff --git a/test/integration/xpack-upgrade-trial.yml b/test/integration/xpack-upgrade-trial.yml index a7196c13..04d6dba8 100644 --- a/test/integration/xpack-upgrade-trial.yml +++ b/test/integration/xpack-upgrade-trial.yml @@ -30,10 +30,10 @@ es_api_basic_auth_password: changeme es_enable_http_ssl: false es_enable_transport_ssl: true - es_ssl_keystore: "files/certs/keystore-password.p12" - es_ssl_truststore: "files/certs/truststore-password.p12" - es_ssl_keystore_password: password1 - es_ssl_truststore_password: password2 + es_ssl_keystore: "files/certs/shared-store-no-password.p12" + es_ssl_truststore: "files/certs/shared-store-no-password.p12" + es_ssl_keystore_password: "" + es_ssl_truststore_password: "" es_validate_certs: no es_role_mapping: power_user: @@ -144,10 +144,10 @@ es_api_basic_auth_password: elasticChanged es_enable_http_ssl: true es_enable_transport_ssl: true - es_ssl_keystore: "files/certs/shared-store-no-password.p12" - es_ssl_truststore: "files/certs/shared-store-no-password.p12" - es_ssl_keystore_password: "" - es_ssl_truststore_password: "" + es_ssl_keystore: "files/certs/keystore-password.p12" + es_ssl_truststore: "files/certs/truststore-password.p12" + es_ssl_keystore_password: password1 + es_ssl_truststore_password: password2 es_validate_certs: no es_role_mapping: power_user: 
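Review bot: After this swap in `xpack-upgrade-trial.yml` the play names no longer describe their vars: the first play, still named `Elasticsearch Xpack HTTP different keystore and truststore with password`, now uses `shared-store-no-password.p12` for both stores with empty passwords, while the second play, named `... shared keystore without password`, now uses the separate password-protected stores. The identical inversion is made in `test/integration/xpack-upgrade.yml` (`@@ -29,10 +29,10 @@` and `@@ -142,10 +142,10 @@`). Either swap the two `- name:` lines as well or add a comment above the first play explaining why the run now starts with the shared unprotected store and upgrades to the password-protected pair.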
diff --git a/test/integration/xpack-upgrade.yml b/test/integration/xpack-upgrade.yml index a493633f..36a35a3e 100644 --- a/test/integration/xpack-upgrade.yml +++ b/test/integration/xpack-upgrade.yml @@ -29,10 +29,10 @@ es_api_basic_auth_password: changeme es_enable_http_ssl: false es_enable_transport_ssl: true - es_ssl_keystore: "files/certs/keystore-password.p12" - es_ssl_truststore: "files/certs/truststore-password.p12" - es_ssl_keystore_password: password1 - es_ssl_truststore_password: password2 + es_ssl_keystore: "files/certs/shared-store-no-password.p12" + es_ssl_truststore: "files/certs/shared-store-no-password.p12" + es_ssl_keystore_password: "" + es_ssl_truststore_password: "" es_validate_certs: no es_role_mapping: power_user: @@ -142,10 +142,10 @@ es_api_basic_auth_password: elasticChanged es_enable_http_ssl: true es_enable_transport_ssl: true - es_ssl_keystore: "files/certs/shared-store-no-password.p12" - es_ssl_truststore: "files/certs/shared-store-no-password.p12" - es_ssl_keystore_password: "" - es_ssl_truststore_password: "" + es_ssl_keystore: "files/certs/keystore-password.p12" + es_ssl_truststore: "files/certs/truststore-password.p12" + es_ssl_keystore_password: password1 + es_ssl_truststore_password: password2 es_validate_certs: no es_role_mapping: power_user: From ea0a026e91f0592831b248809e4fc56f255a1f38 Mon Sep 17 00:00:00 2001 From: pemontto Date: Tue, 22 Oct 2019 14:23:52 +0100 Subject: [PATCH 23/35] Use es_conf_dir for default cert location --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index f6f990f5..08826f97 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -58,7 +58,7 @@ es_ssl_key: "" es_ssl_key_password: "" es_ssl_certificate: "" es_ssl_certificate_authority: "" -es_ssl_certificate_path: "/etc/elasticsearch/certs" +es_ssl_certificate_path: "{{ es_conf_dir }}/certs" es_ssl_verification_mode: "certificate" es_validate_certs: "yes" delete_unmanaged_file: true From 235a656350e54b79bef9cb441944ae0afa8ead11 Mon Sep 17 00:00:00 2001 From: pemontto Date: Tue, 22 Oct 2019 14:27:56 +0100 Subject: [PATCH 24/35] Add documentation for SSL/TLS --- .kitchen.yml | 2 +- README.md | 81 ++++++++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 77 insertions(+), 6 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index 66eb2f0f..dc727c2a 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -139,4 +139,4 @@ suites: - name: issue-test-trial provisioner: playbook: test/integration/issue-test-trial.yml - idempotency_test: false \ No newline at end of file + idempotency_test: false diff --git a/README.md b/README.md index 7f7bbc9b..f827601e 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,7 @@ The latest Elasticsearch versions of 7.x & 6.x are actively tested. * For multi-instances use cases, we are now recommending Docker containers using our official images (https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html). ## Dependency + This role uses the json_query filter which [requires jmespath](https://github.com/ansible/ansible/issues/24319) on the local machine. ## Usage @@ -69,6 +70,10 @@ This playbook uses [Kitchen](https://kitchen.ci/) for CI and local testing. ### Running the tests +* Ensure you have checked out this repository to `elaticsearch`, not `ansible-elasticsearch`. +* If you don't have a Gold or Platinum license to test with you can run the trial versions of the `xpack-upgrade` and `issue-test` suites by appending `-trial` to the `PATTERN` variable. +* You may need to explicity specify `VERSION=7.x` if some suites are failing. + Install the ruby dependencies with bundler ```sh 
@@ -151,12 +156,13 @@ Whilst the role installs Elasticsearch with the default configuration parameters * ```es_config['http.port']``` - the http port for the node * ```es_config['transport.port']``` - the transport port for the node * ```es_config['discovery.seed_hosts']``` - the unicast discovery list, in the comma separated format ```":,:"``` (typically the clusters dedicated masters) +* ```es_config['cluster.initial_master_nodes']``` - for 7.x and above the list of master-eligible nodes to boostrap the cluster, in the comma separated format ```":,:"``` (typically the node names of the clusters dedicated masters) * ```es_config['network.host']``` - sets both network.bind_host and network.publish_host to the same host value. The network.bind_host setting allows to control the host different network components will bind on. -The network.publish_host setting allows to control the host the node will publish itself within the cluster so other nodes will be able to connect to it. +The `network.publish_host` setting allows to control the host the node will publish itself within the cluster so other nodes will be able to connect to it. See https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-network.html for further details on default binding behaviour and available options. -The role makes no attempt to enforce the setting of these are requires users to specify them appropriately. IT is recommended master nodes are listed and thus deployed first where possible. +The role makes no attempt to enforce the setting of these are requires users to specify them appropriately. It is recommended master nodes are listed and thus deployed first where possible. A more complex example: 
@@ -262,7 +268,7 @@ ansible-playbook -i hosts ./your-playbook.yml X-Pack features, such as Security, are supported. The parameter `es_xpack_features` allows to list xpack features to install (example: `["alerting","monitoring","graph","security","ml"]`). -When the list is empty, it install all features available with the current licence. +When the list is empty, it installs all features available with the current licence. * ```es_role_mapping``` Role mappings file declared as yml as described [here](https://www.elastic.co/guide/en/x-pack/current/mapping-roles.html) @@ -347,6 +353,8 @@ es_roles: es_xpack_license: "{{ lookup('file', playbook_dir + '/files/' + es_cluster_name + '/license.json') }}" ``` +If you don't have a license you can enable the 30-day trial by setting `es_xpack_trial` to `true`. + X-Pack configuration parameters can be added to the elasticsearch.yml file using the normal `es_config` parameter. For a full example see [here](https://github.com/elastic/ansible-elasticsearch/blob/master/test/integration/xpack-upgrade.yml) 
@@ -360,12 +368,72 @@ In order for native users and roles to be configured, the role calls the Elastic These can either be set to a user declared in the file based realm, with admin permissions, or the default "elastic" superuser (default password is changeme). +#### X-Pack Security SSL/TLS + +The role allows configuring HTTP and transport layer SSL/TLS for the cluster. You will need to generate and provide your own PKCS12 or PEM encoded certificates as described in [Encrypting communications in Elasticsearch](https://www.elastic.co/guide/en/elasticsearch/reference/7.4/configuring-tls.html#configuring-tls). + +The following should be configured to ensure a security-enabled cluster successfully forms: + +* `es_enable_http_ssl` Default `false`. Setting this to `true` will enable HTTP client SSL/TLS +* `es_enable_transport_ssl` - Default `false`. Setting this to `true` will enable transport layer SSL/TLS + +When using a [PKCS12](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#security-http-pkcs12-files) keystore and truststore: + +* `es_ssl_keystore` path to your PKCS12 keystore (can be the same as `es_ssl_truststore`) +* `es_ssl_keystore_password` set this if your keystore is protected with a password +* `es_ssl_truststore` path to your PKCS12 keystore (can be the same as `es_ssl_keystore`) +* `es_ssl_truststore_password` set this if your truststore is protected with a password + +When using [PEM encoded](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#_pem_encoded_files_3) certificates: + +* `es_ssl_key` path to your SSL key +* `es_ssl_key_password` set this if your SSL key is protected with a password +* `es_ssl_certificate` the path to your SSL certificate + +##### Additional optional SSL/TLS configuration + +* `es_ssl_certificate_path` Default `{{ es_conf_dir }}/certs`. The location where certificates should be stored on the ES node. +* `es_ssl_verification_mode` Default `certificate`. 
See [SSL verification_mode](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#ssl-tls-settings) for options. +* `es_ssl_certificate_authority` PEM encoded certificate file that should be trusted. +* `es_validate_certs` Default `yes`. Determines if ansible should validate SSL certificates when performing actions over HTTPS. e.g. installing templates and managing native users. + +##### Example SSL/TLS configuration + +```yaml +- name: Elasticsearch with SSL/TLS enabled + hosts: localhost + roles: + - role: elastic.elasticsearch + vars: + es_config: + node.name: "node1" + cluster.name: "custom-cluster" + discovery.seed_hosts: "localhost:9301" + http.port: 9201 + transport.port: 9301 + node.data: false + node.master: true + bootstrap.memory_lock: true + xpack.security.authc.realms.file.file1.order: 0 + xpack.security.authc.realms.native.native1.order: 1 + es_heap_size: 1g + es_api_basic_auth_username: elastic + es_api_basic_auth_password: changeme + es_enable_http_ssl: true + es_enable_transport_ssl: true + es_ssl_keystore: "my-keystore.p12" + es_ssl_truststore: "my-truststore.p12" + es_ssl_keystore_password: "keystore_password" + es_ssl_truststore_password: "truststore_password" + es_validate_certs: no +``` ### Additional Configuration In addition to es_config, the following parameters allow the customization of the Java and Elasticsearch versions as well as the role behaviour. Options include: * ```es_enable_xpack``` Default `true`. Setting this to `false` will install the oss release of elasticsearch +* `es_xpack_trial` Default `false`. Setting this to `true` will start the 30-day trail once the cluster starts. * ```es_version``` (e.g. "7.4.0"). * ```es_api_host``` The host name used for actions requiring HTTP e.g. installing templates. Defaults to "localhost". * ```es_api_port``` The port used for actions requiring HTTP e.g. installing templates. Defaults to 9200. **CHANGE IF THE HTTP PORT IS NOT 9200** 
@@ -374,12 +442,14 @@ In addition to es_config, the following parameters allow the customization of th * ```es_start_service``` (true (default) or false) * ```es_plugins_reinstall``` (true or false (default) ) * ```es_plugins``` an array of plugin definitions e.g.: + ```yaml es_plugins: - plugin: ingest-attachment ``` + * ```es_path_repo``` Sets the whitelist for allowing local back-up repositories -* ```es_action_auto_create_index ``` Sets the value for auto index creation, use the syntax below for specifying indexes (else true/false): +* ```es_action_auto_create_index``` Sets the value for auto index creation, use the syntax below for specifying indexes (else true/false): es_action_auto_create_index: '[".watches", ".triggered_watches", ".watcher-history-*"]' * ```es_allow_downgrades``` For development purposes only. (true or false (default) ) * ```es_java_install``` If set to true, Java will be installed. (false (default for 7.x) or true (default for 6.x)) @@ -397,6 +467,7 @@ Earlier examples illustrate the installation of plugins using `es_plugins`. For If installing Monitoring or Alerting, ensure the license plugin is also specified. Security configuration currently has limited support, but more support is planned for later versions. To configure X-pack to send mail, the following configuration can be added to the role. When require_auth is true, you will also need to provide the user and password. If not these can be removed: + ```yaml es_mail_config: account: 
@@ -445,7 +516,7 @@ To define proxy only for a particular plugin during its installation: * The playbook relies on the inventory_name of each host to ensure its directories are unique * KitchenCI has been used for testing. This is used to confirm images reach the correct state after a play is first applied. We currently test the latest version of 7.x and 6.x on all supported platforms. * The role aims to be idempotent. Running the role multiple times, with no changes, should result in no state change on the server. If the configuration is changed, these will be applied and Elasticsearch restarted where required. -* In order to run x-pack tests a license file with security enabled is required. A trial license is appropriate. Set the environment variable `ES_XPACK_LICENSE_FILE` to the full path of the license file prior to running tests. +* In order to run x-pack tests a license file with security enabled is required. Set the environment variable `ES_XPACK_LICENSE_FILE` to the full path of the license file prior to running tests. A trial license is appropriate and can be used by setting `es_xpack_trial` to `true` ## IMPORTANT NOTES RE PLUGIN MANAGEMENT From f4e4216ed5014236ad99c9c6c5eecbc580940670 Mon Sep 17 00:00:00 2001 From: pemontto Date: Tue, 22 Oct 2019 14:40:51 +0100 Subject: [PATCH 25/35] Add section on generating a keystore --- README.md | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f827601e..529f2aee 100644 --- a/README.md +++ b/README.md 
@@ -390,6 +390,22 @@ When using [PEM encoded](https://www.elastic.co/guide/en/elasticsearch/reference * `es_ssl_key_password` set this if your SSL key is protected with a password * `es_ssl_certificate` the path to your SSL certificate +##### Generating an SSL keystore + +With a password: + +```shell +$ bin/elasticsearch-certutil ca --out ./my-ca.p12 --pass "ca_password" +$ bin/elasticsearch-certutil cert --ca ./my-ca.p12 --ca-pass "ca_password" --out ./my-keystore.p12 --pass "keystore_password" +``` + +Without a password: + +```shell +$ bin/elasticsearch-certutil ca --out ./my-ca.p12 --pass "" +$ bin/elasticsearch-certutil cert --ca ./my-ca.p12 --out ./my-keystore.p12 --pass "" +``` + ##### Additional optional SSL/TLS configuration * `es_ssl_certificate_path` Default `{{ es_conf_dir }}/certs`. The location where certificates should be stored on the ES node. @@ -421,8 +437,8 @@ When using [PEM encoded](https://www.elastic.co/guide/en/elasticsearch/reference es_api_basic_auth_password: changeme es_enable_http_ssl: true es_enable_transport_ssl: true - es_ssl_keystore: "my-keystore.p12" - es_ssl_truststore: "my-truststore.p12" + es_ssl_keystore: "files/certs/my-keystore.p12" + es_ssl_truststore: "files/certs/my-truststore.p12" es_ssl_keystore_password: "keystore_password" es_ssl_truststore_password: "truststore_password" es_validate_certs: no From 7fd243827c2cdaf75c810c7f42c80c29eff589ce Mon Sep 17 00:00:00 2001 From: pemontto Date: Fri, 25 Oct 2019 10:10:42 +0100 Subject: [PATCH 26/35] Add configurable native realm sleep --- defaults/main.yml | 1 + tasks/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 08826f97..546bd055 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -40,6 +40,7 @@ es_api_scheme: "http" es_api_host: "localhost" es_api_port: 9200 es_api_uri: "{{ es_api_scheme }}://{{ es_api_host }}:{{ es_api_port }}" +es_api_sleep: 15 es_debian_startup_timeout: 10 # JVM custom parameters diff --git a/tasks/main.yml b/tasks/main.yml index 1e62770f..8cd4bf57 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -82,8 +82,8 @@ - (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined) # If playbook runs too fast, Native commands could fail as the Native Realm is not yet up -- name: Wait 15 seconds for the Native Realm to come up - command: sleep 15 +- name: Wait {{ es_api_sleep }} seconds for the Native Realm to come up + command: "sleep {{ es_api_sleep }}" when: manage_native_realm | bool - name: activate-license From 49e36125a562b882f2f06150f5e52a4c2f92e7d8 Mon Sep 17 00:00:00 2001 From: pemontto Date: Fri, 25 Oct 2019 10:18:00 +0100 Subject: [PATCH 27/35] Update SSL/TLS tests --- .../helpers/serverspec/xpack_upgrade_spec.rb | 12 ++++++++---- test/integration/xpack-upgrade-trial.yml | 18 ++++++++++-------- test/integration/xpack-upgrade.yml | 18 ++++++++++-------- 3 files changed, 28 insertions(+), 20 deletions(-) diff --git a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb index 0a6fe247..237b1de8 100644 --- a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb +++ b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb 
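Review bot: `command: "sleep {{ es_api_sleep }}"` still guards the native-realm calls with a fixed delay, so on a slow node the user/role tasks that follow can hit a realm that is not up yet while on a fast node the play idles; making the number configurable moves the race rather than removing it. Polling the API until it answers is the usual fix, reusing the `es_api_uri` and basic-auth variables the role already has and treating `es_api_sleep` as the retry budget, as sketched below. If a sleep is kept, `pause: seconds: "{{ es_api_sleep }}"` is the idiomatic form and, unlike `command`, does not report `changed` on every run, which matters for a role that aims to be idempotent; a cast such as `es_api_sleep | int` would also make a non-numeric value fail early rather than inside `sleep`. The realm-readiness task sits between other tasks whose definitions start outside the hunk.
```yaml
- name: Wait for the Native Realm to come up
  uri:
    url: "{{ es_api_uri }}/_cluster/health?wait_for_status=yellow&timeout=1s"
    user: "{{ es_api_basic_auth_username }}"
    password: "{{ es_api_basic_auth_password }}"
    force_basic_auth: yes
    validate_certs: "{{ es_validate_certs }}"
  register: es_native_realm_ready
  until: es_native_realm_ready.status == 200
  retries: "{{ es_api_sleep }}"
  delay: 1
  when: manage_native_realm | bool
# … unchanged: activate-license task …
```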
@@ -6,8 +6,8 @@ es_api_url = "#{vars['es_api_scheme']}://localhost:#{vars['es_api_port']}" username = vars['es_api_basic_auth_username'] password = vars['es_api_basic_auth_password'] -es_keystore_path = "#{vars['es_ssl_certificate_path']}/#{Pathname.new(vars['es_ssl_keystore']).basename}" -es_truststore_path = "#{vars['es_ssl_certificate_path']}/#{Pathname.new(vars['es_ssl_truststore']).basename}" +es_keystore = Pathname.new(vars['es_ssl_keystore']).basename.to_s +es_truststore = Pathname.new(vars['es_ssl_truststore']).basename.to_s if vars['es_major_version'] == '7.x' es_security_api = "_security" @@ -46,6 +46,10 @@ it { should contain 'security.authc.realms.native1.order: 1' } it { should contain 'security.authc.realms.native1.type: native' } end + it { should contain 'xpack.security.transport.ssl.enabled: true' } + it { should contain 'xpack.security.http.ssl.enabled: true' } + it { should contain es_keystore } + it { should contain es_truststore } end #Test contents of role_mapping.yml @@ -97,10 +101,10 @@ describe 'SSL certificate check' do certificates = curl_json("#{es_api_url}/_ssl/certificates", username=username, password=password) it 'should list the keystore file' do - expect(certificates.any? { |cert| cert['path'] == es_keystore_path }).to be true + expect(certificates.any? { |cert| cert['path'].include? es_keystore }).to be true end it 'should list the truststore file' do - expect(certificates.any? { |cert| cert['path'] == es_truststore_path }).to be true + expect(certificates.any? { |cert| cert['path'].include? es_truststore }).to be true end end end diff --git a/test/integration/xpack-upgrade-trial.yml b/test/integration/xpack-upgrade-trial.yml index 04d6dba8..3efff8cc 100644 --- a/test/integration/xpack-upgrade-trial.yml +++ b/test/integration/xpack-upgrade-trial.yml 
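Review bot: In the `@@ -97,10 +101,10 @@` hunk, `cert['path'].include? es_keystore` is a substring test, so the assertion now passes for any `_ssl/certificates` entry whose path merely contains the basename, whereas the old check pinned the full `es_ssl_certificate_path` location the role installs to. `File.basename(cert['path']) == es_keystore` keeps the location-agnostic intent without the substring looseness, and the same applies to `es_truststore`. The `it { should contain es_keystore }` lines added to the elasticsearch.yml spec have the same weakness — they only prove the basename appears somewhere in the file; if the template writes the standard `xpack.security.transport.ssl.keystore.path` key, asserting that full line would pin the setting the role is supposed to produce. The enclosing `describe` blocks start outside the hunks.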
@@ -28,12 +28,13 @@
 - alerting
 es_api_basic_auth_username: elastic
 es_api_basic_auth_password: changeme
+ es_api_sleep: 5
 es_enable_http_ssl: false
 es_enable_transport_ssl: true
- es_ssl_keystore: "files/certs/shared-store-no-password.p12"
- es_ssl_truststore: "files/certs/shared-store-no-password.p12"
- es_ssl_keystore_password: ""
- es_ssl_truststore_password: ""
+ es_ssl_keystore: "files/certs/keystore-password.p12"
+ es_ssl_truststore: "files/certs/truststore-password.p12"
+ es_ssl_keystore_password: password1
+ es_ssl_truststore_password: password2
 es_validate_certs: no
 es_role_mapping:
 power_user:
@@ -142,12 +143,13 @@
 - alerting
 es_api_basic_auth_username: elastic
 es_api_basic_auth_password: elasticChanged
+ es_api_sleep: 5
 es_enable_http_ssl: true
 es_enable_transport_ssl: true
- es_ssl_keystore: "files/certs/keystore-password.p12"
- es_ssl_truststore: "files/certs/truststore-password.p12"
- es_ssl_keystore_password: password1
- es_ssl_truststore_password: password2
+ es_ssl_keystore: "files/certs/shared-store-no-password.p12"
+ es_ssl_truststore: "files/certs/shared-store-no-password.p12"
+ es_ssl_keystore_password: ""
+ es_ssl_truststore_password: ""
 es_validate_certs: no
 es_role_mapping:
 power_user:
diff --git a/test/integration/xpack-upgrade.yml b/test/integration/xpack-upgrade.yml
index 36a35a3e..ba322026 100644
--- a/test/integration/xpack-upgrade.yml
+++ b/test/integration/xpack-upgrade.yml
@@ -27,12 +27,13 @@
 - alerting
 es_api_basic_auth_username: elastic
 es_api_basic_auth_password: changeme
+ es_api_sleep: 5
 es_enable_http_ssl: false
 es_enable_transport_ssl: true
- es_ssl_keystore: "files/certs/shared-store-no-password.p12"
- es_ssl_truststore: "files/certs/shared-store-no-password.p12"
- es_ssl_keystore_password: ""
- es_ssl_truststore_password: ""
+ es_ssl_keystore: "files/certs/keystore-password.p12"
+ es_ssl_truststore: "files/certs/truststore-password.p12"
+ es_ssl_keystore_password: password1
+ es_ssl_truststore_password: password2
 es_validate_certs: no
 es_role_mapping:
 power_user:
@@ -140,12 +141,13 @@
 - alerting
 es_api_basic_auth_username: elastic
 es_api_basic_auth_password: elasticChanged
+ es_api_sleep: 5
 es_enable_http_ssl: true
 es_enable_transport_ssl: true
- es_ssl_keystore: "files/certs/keystore-password.p12"
- es_ssl_truststore: "files/certs/truststore-password.p12"
- es_ssl_keystore_password: password1
- es_ssl_truststore_password: password2
+ es_ssl_keystore: "files/certs/shared-store-no-password.p12"
+ es_ssl_truststore: "files/certs/shared-store-no-password.p12"
+ es_ssl_keystore_password: ""
+ es_ssl_truststore_password: ""
 es_validate_certs: no
 es_role_mapping:
 power_user:
From a2c4012197a78e539fde30dbb07cbe882de030bb Mon Sep 17 00:00:00 2001 From: pemontto Date: Mon, 28 Oct 2019 14:25:52 +0000 Subject: [PATCH 28/35] Update and document unmanaged user vars
---
 README.md | 2 ++ defaults/main.yml | 4 ++-- tasks/xpack/security/elasticsearch-security-file.yml | 4 ++-- tasks/xpack/security/elasticsearch-security-native.yml | 4 ++-- 4 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index c535dbaa..3aa380eb 100644
--- a/README.md
+++ b/README.md
@@ -455,6 +455,8 @@ In addition to es_config, the following parameters allow the customization of th * ```es_api_port``` The port used for actions requiring HTTP e.g. installing templates. Defaults to 9200. **CHANGE IF THE HTTP PORT IS NOT 9200** * ```es_api_basic_auth_username``` The Elasticsearch username for making admin changing actions. Used if Security is enabled. Ensure this user is admin. * ```es_api_basic_auth_password``` The password associated with the user declared in `es_api_basic_auth_username` +* `es_delete_unmanaged_file` Default `true`. Set to false to keep file realm users that have been added outside of ansible. +* `es_delete_unmanaged_native` Default `true`. Set to false to keep native realm users that have been added outside of ansible. * ```es_start_service``` (true (default) or false) * ```es_plugins_reinstall``` (true or false (default) ) * ```es_plugins``` an array of plugin definitions e.g.: diff --git a/defaults/main.yml b/defaults/main.yml index fa4d756e..666614e1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -62,5 +62,5 @@ es_ssl_certificate_authority: "" es_ssl_certificate_path: "{{ es_conf_dir }}/certs" es_ssl_verification_mode: "certificate" es_validate_certs: "yes" -delete_unmanaged_file: true -delete_unmanaged_native: true +es_delete_unmanaged_file: true +es_delete_unmanaged_native: true diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index 82aca12e..b3ed0274 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml @@ -33,7 +33,7 @@ - name: set fact users_to_remove set_fact: users_to_remove={{ current_file_users.stdout_lines | difference (es_users.file.keys() | list) }} - when: manage_file_users and delete_unmanaged_file + when: manage_file_users and es_delete_unmanaged_file #Remove users - name: Remove Users 
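Review bot: The defaults hunk renames `delete_unmanaged_file`/`delete_unmanaged_native` to `es_delete_unmanaged_*` with no fallback, so a playbook that had set the old names to `false` to keep users created outside Ansible silently falls back to the new default `true`, and the `Remove Users` tasks gated on these flags will delete those accounts (and, per the native hunks, roles) on the next run. A one-release shim in defaults keeps existing inventories safe: `es_delete_unmanaged_file: "{{ delete_unmanaged_file | default(true) }}"` and `es_delete_unmanaged_native: "{{ delete_unmanaged_native | default(true) }}"`, with the old names called out as deprecated in the README. The README lines added here could also state plainly that the default removes every file/native user not declared in `es_users`, since that is destructive behaviour a user would want to know before enabling the security tasks.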
@@ -49,7 +49,7 @@ - name: set fact users_to_add set_fact: users_to_add={{ es_users.file.keys() | list | difference (current_file_users.stdout_lines) }} - when: manage_file_users and delete_unmanaged_file + when: manage_file_users and es_delete_unmanaged_file #Add users - name: Add Users diff --git a/tasks/xpack/security/elasticsearch-security-native.yml b/tasks/xpack/security/elasticsearch-security-native.yml index ec407f72..7a27fd4a 100644 --- a/tasks/xpack/security/elasticsearch-security-native.yml +++ b/tasks/xpack/security/elasticsearch-security-native.yml @@ -82,7 +82,7 @@ password: "{{es_api_basic_auth_password}}" force_basic_auth: yes validate_certs: "{{ es_validate_certs }}" - when: manage_native_users and delete_unmanaged_native + when: manage_native_users and es_delete_unmanaged_native with_items: "{{ users_to_remove | default([]) }}" - name: set fact users_to_ignore @@ -178,7 +178,7 @@ password: "{{es_api_basic_auth_password}}" force_basic_auth: yes validate_certs: "{{ es_validate_certs }}" - when: manage_native_roles and delete_unmanaged_native + when: manage_native_roles and es_delete_unmanaged_native with_items: "{{roles_to_remove | default([]) }}" - name: set fact roles_to_modify From 32ce4b19b91e6934545a470dad316834ef90feba Mon Sep 17 00:00:00 2001 From: pemontto Date: Thu, 31 Oct 2019 10:52:50 +0000 Subject: [PATCH 29/35] Move SSL/TLS setup to it's own document --- README.md | 73 +---------------------------------------- docs/ssl-tls-setup.md | 75 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 76 insertions(+), 72 deletions(-) create mode 100644 docs/ssl-tls-setup.md diff --git a/README.md b/README.md index 3aa380eb..7f6debf5 100644 --- a/README.md +++ b/README.md 
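Review bot: In the `@@ -49,7 +49,7 @@` hunk the `users_to_add` fact stays conditioned on `manage_file_users and es_delete_unmanaged_file`, so setting `es_delete_unmanaged_file: false` — the conservative choice — also stops the list of declared file-realm users from being computed, and unless the `Add Users` task outside the hunk supplies a default, those users are never created. Computing what to add has nothing to do with whether unmanaged accounts are deleted; the condition looks copied from the `users_to_remove` fact in the previous hunk, and `when: manage_file_users` alone appears to be the intent. The rename already touches this line, so it is a cheap moment to correct it; the native-realm hunks visible here gate only removal steps on `es_delete_unmanaged_native`, which is the consistent pattern.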
@@ -370,79 +370,8 @@ These can either be set to a user declared in the file based realm, with admin p #### X-Pack Security SSL/TLS -The role allows configuring HTTP and transport layer SSL/TLS for the cluster. You will need to generate and provide your own PKCS12 or PEM encoded certificates as described in [Encrypting communications in Elasticsearch](https://www.elastic.co/guide/en/elasticsearch/reference/7.4/configuring-tls.html#configuring-tls). +* To configure your cluster with SSL/TLS for HTTP and/or transport communications follow the [SSL/TLS setup procedure](./docs/ssl-tls-setup.md) -The following should be configured to ensure a security-enabled cluster successfully forms: - -* `es_enable_http_ssl` Default `false`. Setting this to `true` will enable HTTP client SSL/TLS -* `es_enable_transport_ssl` - Default `false`. Setting this to `true` will enable transport layer SSL/TLS - -When using a [PKCS12](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#security-http-pkcs12-files) keystore and truststore: - -* `es_ssl_keystore` path to your PKCS12 keystore (can be the same as `es_ssl_truststore`) -* `es_ssl_keystore_password` set this if your keystore is protected with a password -* `es_ssl_truststore` path to your PKCS12 keystore (can be the same as `es_ssl_keystore`) -* `es_ssl_truststore_password` set this if your truststore is protected with a password - -When using [PEM encoded](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#_pem_encoded_files_3) certificates: - -* `es_ssl_key` path to your SSL key -* `es_ssl_key_password` set this if your SSL key is protected with a password -* `es_ssl_certificate` the path to your SSL certificate - -##### Generating an SSL keystore - -With a password: - -```shell -$ bin/elasticsearch-certutil ca --out ./my-ca.p12 --pass "ca_password" -$ bin/elasticsearch-certutil cert --ca ./my-ca.p12 --ca-pass "ca_password" --out ./my-keystore.p12 --pass 
"keystore_password" -``` - -Without a password: - -```shell -$ bin/elasticsearch-certutil ca --out ./my-ca.p12 --pass "" -$ bin/elasticsearch-certutil cert --ca ./my-ca.p12 --out ./my-keystore.p12 --pass "" -``` - -##### Additional optional SSL/TLS configuration - -* `es_ssl_certificate_path` Default `{{ es_conf_dir }}/certs`. The location where certificates should be stored on the ES node. -* `es_ssl_verification_mode` Default `certificate`. See [SSL verification_mode](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#ssl-tls-settings) for options. -* `es_ssl_certificate_authority` PEM encoded certificate file that should be trusted. -* `es_validate_certs` Default `yes`. Determines if ansible should validate SSL certificates when performing actions over HTTPS. e.g. installing templates and managing native users. - -##### Example SSL/TLS configuration - -```yaml -- name: Elasticsearch with SSL/TLS enabled - hosts: localhost - roles: - - role: elastic.elasticsearch - vars: - es_config: - node.name: "node1" - cluster.name: "custom-cluster" - discovery.seed_hosts: "localhost:9301" - http.port: 9201 - transport.port: 9301 - node.data: false - node.master: true - bootstrap.memory_lock: true - xpack.security.authc.realms.file.file1.order: 0 - xpack.security.authc.realms.native.native1.order: 1 - es_heap_size: 1g - es_api_basic_auth_username: elastic - es_api_basic_auth_password: changeme - es_enable_http_ssl: true - es_enable_transport_ssl: true - es_ssl_keystore: "files/certs/my-keystore.p12" - es_ssl_truststore: "files/certs/my-truststore.p12" - es_ssl_keystore_password: "keystore_password" - es_ssl_truststore_password: "truststore_password" - es_validate_certs: no -``` ### Additional Configuration diff --git a/docs/ssl-tls-setup.md b/docs/ssl-tls-setup.md new file mode 100644 index 00000000..3e24a0c7 --- /dev/null +++ b/docs/ssl-tls-setup.md 
@@ -0,0 +1,75 @@ +# X-Pack Security SSL/TLS + +The role allows configuring HTTP and transport layer SSL/TLS for the cluster. You will need to generate and provide your own PKCS12 or PEM encoded certificates as described in [Encrypting communications in Elasticsearch](https://www.elastic.co/guide/en/elasticsearch/reference/7.4/configuring-tls.html#configuring-tls). + +The following should be configured to ensure a security-enabled cluster successfully forms: + +* `es_enable_http_ssl` Default `false`. Setting this to `true` will enable HTTP client SSL/TLS +* `es_enable_transport_ssl` - Default `false`. Setting this to `true` will enable transport layer SSL/TLS + +When using a [PKCS12](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#security-http-pkcs12-files) keystore and truststore: + +* `es_ssl_keystore` path to your PKCS12 keystore (can be the same as `es_ssl_truststore`) +* `es_ssl_keystore_password` set this if your keystore is protected with a password +* `es_ssl_truststore` path to your PKCS12 keystore (can be the same as `es_ssl_keystore`) +* `es_ssl_truststore_password` set this if your truststore is protected with a password + +When using [PEM encoded](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#_pem_encoded_files_3) certificates: + +* `es_ssl_key` path to your SSL key +* `es_ssl_key_password` set this if your SSL key is protected with a password +* `es_ssl_certificate` the path to your SSL certificate + +## Generating an SSL keystore + +With a password: + +```shell +$ bin/elasticsearch-certutil ca --out ./my-ca.p12 --pass "ca_password" +$ bin/elasticsearch-certutil cert --ca ./my-ca.p12 --ca-pass "ca_password" --out ./my-keystore.p12 --pass "keystore_password" +``` + +Without a password: + +```shell +$ bin/elasticsearch-certutil ca --out ./my-ca.p12 --pass "" +$ bin/elasticsearch-certutil cert --ca ./my-ca.p12 --out ./my-keystore.p12 --pass "" +``` + +## Additional optional 
SSL/TLS configuration + +* `es_ssl_certificate_path` Default `{{ es_conf_dir }}/certs`. The location where certificates should be stored on the ES node. +* `es_ssl_verification_mode` Default `certificate`. See [SSL verification_mode](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#ssl-tls-settings) for options. +* `es_ssl_certificate_authority` PEM encoded certificate file that should be trusted. +* `es_validate_certs` Default `yes`. Determines if ansible should validate SSL certificates when performing actions over HTTPS. e.g. installing templates and managing native users. + +## Example SSL/TLS configuration + +```yaml +- name: Elasticsearch with SSL/TLS enabled + hosts: localhost + roles: + - role: elastic.elasticsearch + vars: + es_config: + node.name: "node1" + cluster.name: "custom-cluster" + discovery.seed_hosts: "localhost:9301" + http.port: 9201 + transport.port: 9301 + node.data: false + node.master: true + bootstrap.memory_lock: true + xpack.security.authc.realms.file.file1.order: 0 + xpack.security.authc.realms.native.native1.order: 1 + es_heap_size: 1g + es_api_basic_auth_username: elastic + es_api_basic_auth_password: changeme + es_enable_http_ssl: true + es_enable_transport_ssl: true + es_ssl_keystore: "files/certs/my-keystore.p12" + es_ssl_truststore: "files/certs/my-truststore.p12" + es_ssl_keystore_password: "keystore_password" + es_ssl_truststore_password: "truststore_password" + es_validate_certs: no +``` From 9b427f148dc5c7f82fb78d7bc8983f68452d3464 Mon Sep 17 00:00:00 2001 
From: pemontto Date: Thu, 31 Oct 2019 10:54:28 +0000 Subject: [PATCH 30/35] Move integration test files to test directory --- .../files/certs/keystore-password-ca.p12 | Bin 0 -> 2527 bytes .../files}/certs/keystore-password.p12 | Bin .../files/certs/shared-store-no-password-ca.p12 | Bin 0 -> 2527 bytes .../files}/certs/shared-store-no-password.p12 | Bin .../files/certs/truststore-password-ca.p12 | Bin 0 -> 2527 bytes .../files}/certs/truststore-password.p12 | Bin .../integration/files}/templates-6.x/basic.json | 0 .../integration/files}/templates-7.x/basic.json | 0 test/integration/xpack-upgrade-trial.yml | 10 ++++++---- test/integration/xpack-upgrade.yml | 10 ++++++---- 10 files changed, 12 insertions(+), 8 deletions(-) create mode 100644 test/integration/files/certs/keystore-password-ca.p12 rename {files => test/integration/files}/certs/keystore-password.p12 (100%) create mode 100644 test/integration/files/certs/shared-store-no-password-ca.p12 rename {files => test/integration/files}/certs/shared-store-no-password.p12 (100%) create mode 100644 test/integration/files/certs/truststore-password-ca.p12 rename {files => test/integration/files}/certs/truststore-password.p12 (100%) rename {files => test/integration/files}/templates-6.x/basic.json (100%) rename {files => test/integration/files}/templates-7.x/basic.json (100%) 
diff --git a/test/integration/files/certs/keystore-password-ca.p12 b/test/integration/files/certs/keystore-password-ca.p12 new file mode 100644 index 0000000000000000000000000000000000000000..e8331cf9cf38740742a703f39c29b3c183cf1129 GIT binary patch literal 2527 zcmY+Ec{~%0AICS_Fe{|VZI+=;nA=E29_DDSE=P_WiyS#B3q~_j{h#^T+3(_vicl{Q1U`pllu>2up%y^FlER_=K&)KtA9T z67)Wp1dThuQCJeh{a+Qt4ord&4zR^ROnG7d`#K~5dEi9T>;Q#nwTnY?7 zu@y3rdSu51XI<-YjXy9zDY9;n2L$M}0h7SJsASngq|TP44|BH!85d6qf4?OUitIrr znc`h$6VOTLCjmugs2Sz5Fbsg)c5I}4rg2JSfwp)@mS$8GJ@fiEz<14F*?h!{?ar{C zm~8G*2X4IeLO}w}m#OOW!_I?xpzK znviA%Ga;}A&&4U9D{}Vz$~N}396e%qUnQJI6-+m?YZE=4PTm`hKUx$&v!`T}vaU;k z8xD=!3ZmS`39oQCD|~=}`atPZ=X4x|8VE<$YEHQ%FHqzkedqBXIWFwf9uz3mL?2*P1|LamnU}p7Q9F=o55yo8+}g`)m6r z8vV>4aN^d7Q07|Wq9?&PASR7^_2afHz#}_16ce` z#VUo$Xmr@hX!7QmypH$1Ed`83Y}>Kd#ZjKNMk+P%(aK*~gMmGiZb`ZjMw-HV zI_s*Lgvyz=nW^{Jm7aEUK{p|Ti zrBt1l`YmAX#51cww^%~{%XQJf$s96JiCRv73LvUt01QnD6C*Pry z6n7mF^Xbm3C#xI2wyL0=h()31H(7g;52kDF3<@d$J<}*W?L8rG~6=^iJnVvoAolg$) z>(|z6UJ9A_`eaP1MHV|Xz=yg%FVjspBl!%!nfQ(uK@nH1>OnC9&3-OI3KyIUc)_(x z(2JUSu^HYz`>n#Wc+}%lDYH=z_@e7vb!+6JA}?RL|6upM72^~Q49z*?lb5O-UAl{-cTr!g|7kg zuyFK7m;*^{xXN6TUDpM78S6Gb@f;Q*R|)TvG=VnZXoMSQFhZj_Q{c`*D{igHx13CN ze%oCzKQ~%^{1P?(In&oK`CVYtBY5zH2h1i(3F*auuT{|h%z2O=iV}zze7(R{y#NnT z*TWwDTa{3_ITs~g1s{JeIdyGabuFx(mbL~?L*qc2@V}4vcn>@Z zIY2-jAOK4OegCHc{>!Yq|1oPAnVmDjsZN_h8!u5O^6GNzKRf={tg$3e8~5vM1koh{ zwnvg0r(=Ur24^w!P67pa0_kV(eng&vK|@ll{`3?s0n9UgNi~(Xjnpv|vn_#5RLuH^ zMa&~^e6Mz`EpSXK!%v=Z{mJ~UPt$HBCz(`flj<;5J=wN%XRB4M_lzFPi8M7dj&xe5 z1U>Ayx8qf$>@}p3_~;9b&}piZtP_0J6a^0NN7$JX{oHpVS5=IkOP|!b>1S;nud~w6NO?a&IR;wt<H6X6sf6xqq4>S$)I$s;?qzVh^OY(R z+TTO_gtpr;~>DM|{j&w?BZHA2-@q;-oDZaVu*=+Z{KPU}&mr zT7=xS1hXu6rl-=@)9tJUrX1JbP?(0Oi}lWSi1Sl^!B$RCHl`Y_v43n#|11on4|yEY z1-_bES;<+p9u|HxT|@L_NYBd>)j-vxCL<&c@c-32@s75Z20pfRsP4W$wFk5BS$WGDNfDy zr(JGyaMZ7O)w$m;7laPkM=5J6Cz8E^1d=r~4l}Q(1B!P&!y$|`V)L;s0V?}+Z zY=k9Hp5-RwF)qEVr;tz&K{U39fYztyioXn37XWZmKLz`{)bfX1L@arvSQUb$F7>NZ 
zu_7ILZr2ta9}41Kz>!xzf*O8Fxb3Fb)Za8W;v??6-QtpKZ>RL8bF7SWuWBp2y~7(D zr8AOO_Nb&CCUI6+$NMs^13~x(IyEed-LFh;^*vt(eTUVQup1mBh>V-w{=DI1%-WnB z;1e;4h8SlD>RP`=KB1pA30R#>q|u{6u(txn>3i6iZ=Z!KQq0?9`89#4tS<}VVMEse z$ZNH0_g)!h--aY~y_a?PyzisExMHi#D&&^RXYtHtv<%0M!T_Qi$MtF7?VQ~peSysI zC1s$EVq(FMu-OlOnCAah}D!c literal 0 HcmV?d00001 diff --git a/files/certs/keystore-password.p12 b/test/integration/files/certs/keystore-password.p12 similarity index 100% rename from files/certs/keystore-password.p12 rename to test/integration/files/certs/keystore-password.p12 
diff --git a/test/integration/files/certs/shared-store-no-password-ca.p12 b/test/integration/files/certs/shared-store-no-password-ca.p12 new file mode 100644 index 0000000000000000000000000000000000000000..9b76934b535b05e4399a41286f3f30993d80477f GIT binary patch literal 2527 zcmY+EXFMB<8pabM#8xqD)D|-|NVHVdDpgTVtTw2kwMs)zi&VsDslAI{G#nI1Y3&-Z zYgHpwsZFgIRik2D_x|oZ=XX9lU;fYgJ|F*ZB4mOA$OtDwQos;}NR!BY4j?lymk5af z5h0;x7!M~hIsc<#x&ZvXfl%BdcU!F4n^h5VqgTcp+Q7Y_kwm#*|IY&tiF*Tcq-G|;IjSga?eGtv6{xA z^D@rbPg7qGPUFqKYKNPv3cUbBoI4 zE_qtI;%(t2Vx57F1aV>AV*uvX_gvc{a_?umKm@<<1fe$V>*5cC{JB5x3}t1}5pMDt z@;;ewo~?J9N3j##LV$aII3MVz>pieLIaV(}I6K!p;;g5hD;^<_RnH`rxhGtSzOBe6 zGrst4DW{x#`zW&ibX?SB?QPFf9Yez;n~w+gFj_L2M^QLrjdy>FjJel%T(f=2@^~B4 zQEAUPXu_W2_h;i?PF7I?#6Y0x+qGGLUk-OAeAE;#br5CYP*$NOZAbOD5A)5NRV|cA zS5>syos^tll9y;pzUc)zpzXuCD%ALOlz~E8Jes=oY3;gWp=j9of9W%typ{LXShvP~wDaVx4Xd_zN)3HPs zhuzP}@PD=0^z>!ywGR)VAa|{JkOaFxX%B`7fi21)d}l2#-FK^d$PKG@?|%4Ql%~P4 z*ziQBnUp0NYNVUED>MF6`O6WZkRpM`JR1G3bC0ykVMPKYoo8X4qlD=j<>+sWFdD$} zUifgR=6)>oT1KB2YTCsZIaL!-P7NFy0>QtrMmHwwNxJ0ZdGqR3k5-TIK+hl5Fsr6bc)7Ustw`ohOn8VY{TlHIhZWJohS}4{zLXvO3ej}-LYn%^%l;k(uIa*r znCs8Yu;(sXqXd|{URls!<*OfmZUl_cn@=%Ip3MQT&{FbVY4ZwK`l9)bvAK^U;Ck9! zTQm0IF2A*^3Wu<@jO?dx3{09yRjeJ{+s|A$E@k7S9hgt!2i9v(9FCy78X*eaqNpsY zcOXPiZuewUo0)Z(Ghx@-b(+sJg+h}qd2p*j`c!H^H(%05Lfx-M8?Cv8{j|83jU8-@$IMcGHaGcvuUfr0M{PQkM?<5|1~Rt$k_6`Neth10TlPX z!C1ksu}C~nlg6^O$=3-G@!Av5H&&2~y?CONDW8~*qpfb$rOHCcEWocEe?XjsTnKJ{tzFDjQ!M-t z1=TxcCvnNMQ#ZME=B8$DA1sBNxibJ4s+N3yw1W?AQ_Uf!#ioAaRQIgdS%9}Z*1l0h2Wq{_Q~LMtxyivi1lbBeujDqO!D<2nYXSYPLlH~8KtBV8PO-UaTl zJFo1RP#*!*9+fSCt$H=z5B58LYZ5PwhLwGt4SG|K^*&G+(BEeJ0UULvG2>3LC9JW2xYr=2o`3{JFcpPb&0<2AKHB9S(wS^y4ly3s?1|E zsZ5uz9I)_i*fSly6A80?t@%BuN*t-9A`Yv%@u;jPMY><~N3DC^|XW>FCOv zlll~#*cUr7zTZiS{mw?Rn%XYJn&-W4tT<(+O38L~H|^K?%X^Z@#AytUU`RE1z67xq z7O?Sawxf_mDI!a5Q4~jp_<2o=EIzZpZ<`d|k@xj{>eLW-WI~m?BaUATND&{Hb?ubH>xm=%F8_uwo&%PMGwL%Z`kQVA01jXGgJR}O9 zC}dq!XKNl_!NmBOX_`~6wv{?`Iy(Cdyik~M)6uw+f#MW+pK|?aFZU}I;l+|I>>k1? 
zHKh0rx$A9$gq}e{rrVAyI4Sl++4s$ISwCfkSq{JI4$utvEBB$hVGFiuRZ*>XeMRh1 zeQ9`u5&n5!6ty<<=@kKu#bd=}<<*H`>NeM2YbY%U7EDJ}k>}9GESci?<|5;T2SIme z-|GEuLEq2iyNC!cVxgfNX_walxLho_m9FyGO>NCKcFsL$e@>@0#Eu9}$W?gZqW6CK@7!s8(uUMX4a9|dE| zk%U`5mBoXL&MMh(UAP1s0%lU=WMmL#0)U{Zs8IQZCmzNoEy9oAg!X;={qnVJ5EN^8 bgpa4L7ABPPD&FUxzS@&sfn#6_Tz2GdqqXo9xawihc^o&N`f|LXnZpDMH4HlNmBIGP08K z%gA_aXZ3iV*Yo^-uiqb^f8L+(_w(l)ML@e+m*C+ZRp7=SduTmm8rLO_I{ z<6sm4>iCZeY6>Ah4bQROd30cO|NEk+1%h%3kYf}9a)1(p(f%KwkMls-?T6xj{NQ|6 z4}K#`7ox7ML5;iu1Azgbj3ER_*CCc`Ag>~7`6ArnM{dWn21Q|NRwr^pKs=al^i3s{ z4lA+lR&d>Xetaxjo2B@-lgy42leukchNe}Ov_)E;Ch@gB-s?0L4mYkS3_tknlw6mS z9Y6}vD#x8D8GL;-jP1l){N#+$3B|o*>t!(H5R^EIuuKe^IV?XQaNmeB83U7M^+d1C zW%qMda=*R&3HKcTE>FGIgdpBm`wdOseyX!*IyJgr{GB@xw;TL~0Q|k!(ORqM@APph zE)YRC{vu~-IY9odX>3AnSo5b0si@_ec6ap}njk&{=Et*K4!EGk5s*zr&zS-L@Kmcp z`+HREv#hpdqdNs(C76{-0g5;L28%pRrNytF^=rxUoeg;6pQ_qF^5yAG%>Ru?sj=wzbm6x1MQy3{$04LdQVqMV)lUT)m+Y$wa14^fv1K( z^;JrZ-On)jVafuwLFm04SSde&y3s2aeziwmb7_C&_HJc5D#I@CTPa)kW&)X+*++0y z8nd?S(d&?0Xhc6*EJ=<3F(d)ST{bbswGKjG8&wZ2&`X+=6;4xh4SNsG#%N9z3-O?~S;e6%_~s{<;&tH3~( zR0(1;@o@T>_OxT+td4>a6_hi~tK`{nnLI%;J@)`u00j6Rs?nQ-e*fyLnE((*C}7~r zfq^Vv!n~O&r6MPa{2?Mu_ZVbR=*SwoC>lmw5Wuu)IDWHbs{Bch*y8=|U+b&=-gNr= zt<5)7fGh1JjBeY4sZFWPudG(N_cawGf>#^6(@Wq&!DHzBTb*o|^<_e~(V{$xg|dZ| zm~AuMn*<@xiv<@2>$qHIbcu7BUKZKw*1oB#Kmia>r{QB4uX!_;V2jhuK zHaJTS6Xuocsd32m3_PKtk%7K)z`%ITsZrH*Wj>os-MmtCgiR)mNBK8)Gg%!_Jq4qJ zwmmz6DUN*>2?9E|ZplH>yRAjI7zdR=RSebV|Zu$TOz0k$NH_G;V z;-ulWR!uOoh@bH@Yl(_BpBX3QlW8q8ZJodp_29uJ>x=fOYM;8rK(aIxo|i!wW*T-nl+37ZV_DnG2mLMnIFlKq2EJ8 zL26vQUKIhbXTl3q9A*CTxZ#5bHXHE8U}+?WJl)3i(9vkX6E|9w1pan(5>syaG!8wx z(q&U*D9_wP5b9Ffy|aNvEm_JG)RHxD<+Rv%v^9Wgl0G^%+PtF2$|yOJu_=7V?mMddWdN-0!@4$Vj1_J-=N@VXiDS+l}r5bop~W_ljJ!&QBg^52Ha| zg;Q~z_jpqO;ZG)(Eurph=FOy?nAJbhmfh12hg{ZnBaRY^E>Y6!TA_a~vDk&Q+;trw zPrbipB$k`UI^rzuKEhEV^4bMmBIg#B$C=(cRKHlJwnfXR*{5RY>ha}JS!hhH=QxD- z)4iLLvtP-Y57J;Neg%3`vpzRBF0C=#-dMa|Pa#BJa$~>GsX)i+Eko73eaDnfgEX4V zTgiS9!h4l`y{F#y`>KokMg!|u`0>_h#es9^Hx1{vF*FZt)I}yPbi%uPA_JC5{?_{@ 
zHEb>R)z9KqtSqawUqOK_bm2!)4!109jJ)t;Ax@`F!x_H}W$uUu_fKQyUtkxA4>nh- zGjP*S71l;L8(UVosM(+0O<75OV-D{Dt{yzd z*aLt0lP5(wB9cw}^IE66djsuKd>J;=zYpLdGSfyg1)&c4-QS~}l`$-8Dt0Kxrl~iRj?zrcoAHTmx%W z!2z7bzua;#D;tA}lJyu$d!#V=(9czm=Vmm;axBBUSQz+E@#ca$5-%<yre@xu z={}RBVC8Wddz3m#0EK`-B^bdVZYTi4u1!yT&h+3qz>MpmYia))!=6Nf283PLlv}$Y YAbTw#S1=98aLJ0=k$D*e1`>1s4H+hnY5)KL literal 0 HcmV?d00001 diff --git a/files/certs/truststore-password.p12 b/test/integration/files/certs/truststore-password.p12 similarity index 100% rename from files/certs/truststore-password.p12 rename to test/integration/files/certs/truststore-password.p12 diff --git a/files/templates-6.x/basic.json b/test/integration/files/templates-6.x/basic.json similarity index 100% rename from files/templates-6.x/basic.json rename to test/integration/files/templates-6.x/basic.json diff --git a/files/templates-7.x/basic.json b/test/integration/files/templates-7.x/basic.json similarity index 100% rename from files/templates-7.x/basic.json rename to test/integration/files/templates-7.x/basic.json diff --git a/test/integration/xpack-upgrade-trial.yml b/test/integration/xpack-upgrade-trial.yml index 3efff8cc..e2500d2d 100644 --- a/test/integration/xpack-upgrade-trial.yml +++ b/test/integration/xpack-upgrade-trial.yml @@ -17,6 +17,7 @@ es_config: "{{ es_config_7x if es_major_version == '7.x' else es_config_6x }}" es_heap_size: "1g" es_templates: true + es_templates_fileglob: "test/integration/files/templates-{{ es_major_version }}/*.json" es_major_version: "7.x" es_version: "{{ '7.0.0' if es_major_version == '7.x' else '6.7.1' }}" # This is set to an older version than the current default to force an upgrade es_xpack_license: "" 
@@ -31,8 +32,8 @@
     es_api_sleep: 5
     es_enable_http_ssl: false
     es_enable_transport_ssl: true
-    es_ssl_keystore: "files/certs/keystore-password.p12"
-    es_ssl_truststore: "files/certs/truststore-password.p12"
+    es_ssl_keystore: "test/integration/files/certs/keystore-password.p12"
+    es_ssl_truststore: "test/integration/files/certs/truststore-password.p12"
     es_ssl_keystore_password: password1
     es_ssl_truststore_password: password2
     es_validate_certs: no
@@ -134,6 +135,7 @@
     es_config: "{{ es_config_7x if es_major_version == '7.x' else es_config_6x }}"
     es_heap_size: "1g"
     es_templates: true
+    es_templates_fileglob: "test/integration/files/templates-{{ es_major_version }}/*.json"
     es_xpack_license: ""
     es_xpack_trial: false
     es_plugins:
@@ -146,8 +148,8 @@
     es_api_sleep: 5
     es_enable_http_ssl: true
     es_enable_transport_ssl: true
-    es_ssl_keystore: "files/certs/shared-store-no-password.p12"
-    es_ssl_truststore: "files/certs/shared-store-no-password.p12"
+    es_ssl_keystore: "test/integration/files/certs/shared-store-no-password.p12"
+    es_ssl_truststore: "test/integration/files/certs/shared-store-no-password.p12"
     es_ssl_keystore_password: ""
     es_ssl_truststore_password: ""
     es_validate_certs: no
diff --git a/test/integration/xpack-upgrade.yml b/test/integration/xpack-upgrade.yml
index ba322026..abfe8ab5 100644
--- a/test/integration/xpack-upgrade.yml
+++ b/test/integration/xpack-upgrade.yml
@@ -17,6 +17,7 @@
     es_config: "{{ es_config_7x if es_major_version == '7.x' else es_config_6x }}"
     es_heap_size: "1g"
     es_templates: true
+    es_templates_fileglob: "test/integration/files/templates-{{ es_major_version }}/*.json"
     es_major_version: "7.x"
     es_version: "{{ '7.0.0' if es_major_version == '7.x' else '6.7.1' }}" # This is set to an older version than the current default to force an upgrade
     es_xpack_license: "{{ lookup('file', '/tmp/license.json') }}"
@@ -30,8 +31,8 @@
     es_api_sleep: 5
     es_enable_http_ssl: false
     es_enable_transport_ssl: true
-    es_ssl_keystore: "files/certs/keystore-password.p12"
-    es_ssl_truststore: "files/certs/truststore-password.p12"
+    es_ssl_keystore: "test/integration/files/certs/keystore-password.p12"
+    es_ssl_truststore: "test/integration/files/certs/truststore-password.p12"
     es_ssl_keystore_password: password1
     es_ssl_truststore_password: password2
     es_validate_certs: no
@@ -133,6 +134,7 @@
     es_config: "{{ es_config_7x if es_major_version == '7.x' else es_config_6x }}"
     es_heap_size: "1g"
     es_templates: true
+    es_templates_fileglob: "test/integration/files/templates-{{ es_major_version }}/*.json"
     es_xpack_license: "{{ lookup('file', '/tmp/license.json') }}"
     es_plugins:
       - plugin: ingest-attachment
@@ -144,8 +146,8 @@
     es_api_sleep: 5
     es_enable_http_ssl: true
     es_enable_transport_ssl: true
-    es_ssl_keystore: "files/certs/shared-store-no-password.p12"
-    es_ssl_truststore: "files/certs/shared-store-no-password.p12"
+    es_ssl_keystore: "test/integration/files/certs/shared-store-no-password.p12"
+    es_ssl_truststore: "test/integration/files/certs/shared-store-no-password.p12"
     es_ssl_keystore_password: ""
     es_ssl_truststore_password: ""
     es_validate_certs: no
From 70143c6327d6f84f3ee62032deb77580ee3ca0bf Mon Sep 17 00:00:00 2001
From: pemontto
Date: Thu, 31 Oct 2019 10:54:53 +0000
Subject: [PATCH 31/35] Add es_license_api variable

---
 defaults/main.yml                                             | 4 ++--
 tasks/xpack/security/elasticsearch-xpack-activation.yml       | 2 +-
 tasks/xpack/security/elasticsearch-xpack-trial-activation.yml | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 666614e1..601c6911 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -40,14 +40,14 @@ es_api_scheme: "http"
 es_api_host: "localhost"
 es_api_port: 9200
 es_api_uri: "{{ es_api_scheme }}://{{ es_api_host }}:{{ es_api_port }}"
+es_security_api: "{{ '_security' if es_version is version_compare('7.0.0', '>=') else '_xpack/security' }}"
+es_license_api: "{{ '_license' if es_version is version_compare('7.0.0', '>=') else '_xpack/license' }}"
 es_api_sleep: 15
 es_debian_startup_timeout: 10
 
 # JVM custom parameters
 es_jvm_custom_parameters: ''
 
-es_security_api: "{{ '_security' if es_version is version_compare('7.0.0', '>=') else '_xpack/security' }}"
-
 # SSL/TLS parameters
 es_enable_http_ssl: false
 es_enable_transport_ssl: false
diff --git a/tasks/xpack/security/elasticsearch-xpack-activation.yml b/tasks/xpack/security/elasticsearch-xpack-activation.yml
index b0315ba4..5bf08cb6 100644
--- a/tasks/xpack/security/elasticsearch-xpack-activation.yml
+++ b/tasks/xpack/security/elasticsearch-xpack-activation.yml
@@ -2,7 +2,7 @@
 - name: Activate ES license (with security authentication)
   uri:
     method: PUT
-    url: "{{ es_api_uri }}/_{{ 'xpack/' if es_version is version_compare('7.0.0', '<') else '' }}license?acknowledge=true"
+    url: "{{ es_api_uri }}/{{ es_license_api }}?acknowledge=true"
     user: "{{es_api_basic_auth_username | default(omit)}}"
     password: "{{es_api_basic_auth_password | default(omit)}}"
     body_format: json
diff --git a/tasks/xpack/security/elasticsearch-xpack-trial-activation.yml b/tasks/xpack/security/elasticsearch-xpack-trial-activation.yml
index b8306c47..e0cc73e0 100644
--- a/tasks/xpack/security/elasticsearch-xpack-trial-activation.yml
+++ b/tasks/xpack/security/elasticsearch-xpack-trial-activation.yml
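Review bot: The new `es_security_api`/`es_license_api` values are only ever appended to `es_api_uri`, whose scheme is the fixed `es_api_scheme: "http"` visible in this hunk's header, so once `es_enable_http_ssl: true` the license PUT and the security API calls — which send `es_api_basic_auth_username`/`password` — go over plaintext unless every caller also remembers to override `es_api_scheme`. Tie the default to the TLS switch instead: `es_api_scheme: "{{ 'https' if es_enable_http_ssl | bool else 'http' }}"`. Separately, `version_compare` is the pre-2.5 name of the test; `es_version is version('7.0.0', '>=')` is the current spelling (the alias still worked in the releases I know of, so that part is style only).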
@@ -2,7 +2,7 @@
 - name: Activate ES trial license (with security authentication)
   uri:
     method: POST
-    url: "{{ es_api_uri }}/_{{ 'xpack/' if es_version is version_compare('7.0.0', '<') else '' }}license/start_trial?acknowledge=true"
+    url: "{{ es_api_uri }}/{{ es_license_api }}/start_trial?acknowledge=true"
     user: "{{es_api_basic_auth_username | default(omit)}}"
     password: "{{es_api_basic_auth_password | default(omit)}}"
     return_content: yes
From 8fb9e81289c8676944678baad0fe813f6e2db7b1 Mon Sep 17 00:00:00 2001
From: pemontto
Date: Thu, 31 Oct 2019 10:55:13 +0000
Subject: [PATCH 32/35] Remove issue-test-trail test suite

---
 .kitchen.yml                          |  4 ---
 test/integration/issue-test-trial     |  1 -
 test/integration/issue-test-trial.yml | 46 ---------------------------
 3 files changed, 51 deletions(-)
 delete mode 120000 test/integration/issue-test-trial
 delete mode 100644 test/integration/issue-test-trial.yml

diff --git a/.kitchen.yml b/.kitchen.yml
index 4f463719..8a11f204 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -136,7 +136,3 @@ suites:
     provisioner:
       playbook: test/integration/xpack-upgrade-trial.yml
       idempotency_test: false
-  - name: issue-test-trial
-    provisioner:
-      playbook: test/integration/issue-test-trial.yml
-      idempotency_test: false
diff --git a/test/integration/issue-test-trial b/test/integration/issue-test-trial
deleted file mode 120000
index 0746a3ce..00000000
--- a/test/integration/issue-test-trial
+++ /dev/null
@@ -1 +0,0 @@
-issue-test
\ No newline at end of file
diff --git a/test/integration/issue-test-trial.yml b/test/integration/issue-test-trial.yml
deleted file mode 100644
index efd726c0..00000000
--- a/test/integration/issue-test-trial.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-#This file is for users to test issues and reproduce them using the test framework.
-#Modify the playbook below and test with kitchen i.e. `kitchen test issue-test`
-#To add custom tests modify the serverspec file ./helpers/serverspec/issue_test_spec.rb
-#Idempot test is enabled for this test
-
-- name: Simple Example
-  hosts: localhost
-  post_tasks:
-    - include: elasticsearch/test/integration/debug.yml
-  roles:
-    - elasticsearch
-  vars:
-    es_xpack_license: ""
-    es_xpack_trial: true
-    es_config:
-      xpack.security.authc.realms.file.file1.order: 1
-      xpack.security.authc.realms.native.native1.type: "native"
-    es_heap_size: "1g"
-    es_plugins:
-      - plugin: ingest-attachment
-    es_xpack_features:
-      - security
-      - alerting
-    es_api_basic_auth_username: elastic
-    es_api_basic_auth_password: changeme
-    es_users:
-      file:
-        test_user:
-          password: changeme
-          roles:
-            - kibana_system
-      native:
-        kibana:
-          password: changeme
-          roles:
-            - kibana_system
-        elastic:
-          password: aNewPassWord
-    es_roles:
-      native:
-        logstash:
-          cluster:
-            - manage_index_templates
-        logstash_system:
-          cluster:
-            - manage_index_templates
From 6b1e5c2b6317a7f5aa09911851e382ff5a84b548 Mon Sep 17 00:00:00 2001
From: pemontto
Date: Thu, 31 Oct 2019 10:55:40 +0000
Subject: [PATCH 33/35] Fix permissions of cert directory and files

---
 tasks/elasticsearch-ssl.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/tasks/elasticsearch-ssl.yml b/tasks/elasticsearch-ssl.yml
index 7f56a98b..b4d2212d 100644
--- a/tasks/elasticsearch-ssl.yml
+++ b/tasks/elasticsearch-ssl.yml
@@ -11,11 +11,17 @@
   file:
     dest: "{{ es_ssl_certificate_path }}"
     state: directory
+    owner: root
+    group: "{{ es_group }}"
+    mode: 0750
 
 - name: Upload SSL/TLS keystore
   copy:
     src: "{{ es_ssl_keystore }}"
     dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}"
+    owner: "{{ es_user }}"
+    group: "{{ es_group }}"
+    mode: 0640
   when: es_ssl_keystore and es_ssl_truststore
   notify: restart elasticsearch
   register: copy_keystore
@@ -24,6 +30,9 @@
   copy:
     src: "{{ es_ssl_truststore }}"
     dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}"
+    owner: "{{ es_user }}"
+    group: "{{ es_group }}"
+    mode: 0640
   when: es_ssl_keystore and es_ssl_truststore
   notify: restart elasticsearch
   register: copy_truststore
@@ -32,6 +41,9 @@
   copy:
     src: "{{ item }}"
     dest: "{{ es_ssl_certificate_path }}/{{ item | basename }}"
+    owner: "{{ es_user }}"
+    group: "{{ es_group }}"
+    mode: 0640
   with_items:
     - "{{ es_ssl_key }}"
     - "{{ es_ssl_certificate }}"
@@ -44,6 +56,9 @@
   copy:
     src: "{{ es_ssl_certificate_authority }}"
     dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}"
+    owner: "{{ es_user }}"
+    group: "{{ es_group }}"
+    mode: 0640
   #Restart if this changes
   notify: restart elasticsearch
   when: es_ssl_certificate_authority | bool
From 1e6a77ada3c383639851507f5aadcc5b120a564d Mon Sep 17 00:00:00 2001
From: pemontto
Date: Thu, 31 Oct 2019 13:30:32 +0000
Subject: [PATCH 34/35] Remove ansible profiling

---
 ansible.cfg | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ansible.cfg b/ansible.cfg
index cf7951c8..0440d489 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,2 +1 @@
 [defaults]
-callback_whitelist = profile_tasks
\ No newline at end of file
From 8156ab48215768a1d8559ddd54c86aaabe2e2d89 Mon Sep 17 00:00:00 2001
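Review bot: The new `owner: "{{ es_user }}"` on the keystore copy makes the Elasticsearch service account the owner of its own private-key material, so a compromised node process can chmod the file and rewrite it in place, although it only needs to read it. The directory is already `owner: root` / `group: "{{ es_group }}"` / `mode: 0750`, and the same pattern fits the file: `owner: root`, `group: "{{ es_group }}"`, `mode: "0640"` — the truststore, PEM and CA copies in the hunks below have the same exposure. Quoting the modes (`"0750"`, `"0640"`) also stops relying on YAML 1.1 octal parsing, which is what ansible-lint's risky-octal rule flags. If something later in the role needs Elasticsearch to rewrite these stores (I cannot see that from here), keep `es_user` as owner but still quote the modes.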
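Review bot: The ownership and mode added to the CA upload will rarely take effect, because the task's guard `when: es_ssl_certificate_authority | bool` is false for a path string — Ansible's `bool` filter maps only yes/true/on/1 to true and returns false for any other string in the 2.x releases I know (newer releases raise instead), so a PEM CA is never copied and the later `certificate_authorities:` setting points at a missing file. The keystore tasks above already use plain truthiness; do the same here: `when: es_ssl_certificate_authority | length > 0` (or simply `when: es_ssl_certificate_authority`). The task's `- name:` line is outside this hunk, so confirm nothing earlier coerces the variable to a boolean.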
From: pemontto
Date: Fri, 15 Nov 2019 12:24:29 +0000
Subject: [PATCH 35/35] Add option to forgo autogenerated SSL config

---
 defaults/main.yml              | 1 +
 docs/ssl-tls-setup.md          | 3 +++
 templates/elasticsearch.yml.j2 | 8 ++------
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 601c6911..32e0b730 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -49,6 +49,7 @@ es_debian_startup_timeout: 10
 es_jvm_custom_parameters: ''
 
 # SSL/TLS parameters
+es_enable_auto_ssl_configuration: true
 es_enable_http_ssl: false
 es_enable_transport_ssl: false
 es_ssl_keystore: ""
diff --git a/docs/ssl-tls-setup.md b/docs/ssl-tls-setup.md
index 3e24a0c7..a887e653 100644
--- a/docs/ssl-tls-setup.md
+++ b/docs/ssl-tls-setup.md
@@ -2,6 +2,8 @@
 The role allows configuring HTTP and transport layer SSL/TLS for the cluster.
 You will need to generate and provide your own PKCS12 or PEM encoded certificates as described in [Encrypting communications in Elasticsearch](https://www.elastic.co/guide/en/elasticsearch/reference/7.4/configuring-tls.html#configuring-tls).
 
+If you don't want this role to add autogenerated SSL configuration to elasticsearch.yml set `es_enable_auto_ssl_configuration` to `false` (default: `true`).
+
 The following should be configured to ensure a security-enabled cluster successfully forms:
 
 * `es_enable_http_ssl` Default `false`. Setting this to `true` will enable HTTP client SSL/TLS
@@ -38,6 +40,7 @@ $ bin/elasticsearch-certutil cert --ca ./my-ca.p12 --out ./my-keystore.p12 --pas
 
 ## Additional optional SSL/TLS configuration
 
+* `es_enable_auto_ssl_configuration` Default `true`. Whether this role should add automatically generated SSL config to elasticsearch.yml.
 * `es_ssl_certificate_path` Default `{{ es_conf_dir }}/certs`. The location where certificates should be stored on the ES node.
 * `es_ssl_verification_mode` Default `certificate`. See [SSL verification_mode](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#ssl-tls-settings) for options.
 * `es_ssl_certificate_authority` PEM encoded certificate file that should be trusted.
diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2
index f29cfc8a..6adaa0dd 100644
--- a/templates/elasticsearch.yml.j2
+++ b/templates/elasticsearch.yml.j2
@@ -34,7 +34,7 @@ action.auto_create_index: {{ es_action_auto_create_index }}
 
 {% if es_enable_xpack and es_api_basic_auth_username is defined and es_api_basic_auth_password is defined %}
 xpack.security.enabled: true
-{% if es_enable_transport_ssl | bool %}
+{% if es_enable_transport_ssl and es_enable_auto_ssl_configuration %}
 xpack.security.transport.ssl.enabled: true
 xpack.security.transport.ssl.verification_mode: "{{ es_ssl_verification_mode }}"
 {% if es_ssl_keystore and es_ssl_truststore %}
@@ -47,11 +47,9 @@ xpack.security.transport.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_s
 xpack.security.transport.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}"
 {% endif %}
 {% endif %}
-{% else %}
-# xpack.security.transport.ssl.enabled: false
 {% endif %}
 
-{% if es_enable_http_ssl | bool %}
+{% if es_enable_http_ssl and es_enable_auto_ssl_configuration %}
 xpack.security.http.ssl.enabled: true
 {% if es_ssl_keystore and es_ssl_truststore %}
 xpack.security.http.ssl.keystore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}"
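Review bot: Dropping `| bool` from the condition changes how string-valued flags are evaluated: `es_enable_transport_ssl` given as `-e es_enable_transport_ssl=false` or as a quoted `"false"` in an inventory is a non-empty string, which Jinja treats as true, so the transport TLS block is now emitted for a value the old cast-based check rejected, and the new `es_enable_auto_ssl_configuration` has the same exposure. Keep the cast on both operands: `{% if es_enable_transport_ssl | bool and es_enable_auto_ssl_configuration | bool %}`, and likewise `{% if es_enable_http_ssl | bool and es_enable_auto_ssl_configuration | bool %}` for the HTTP block in the next hunk. The enclosing `{% if es_enable_xpack ... %}` block opens here and closes past the end of this hunk.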
@@ -63,8 +61,6 @@ xpack.security.http.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_ssl_ce xpack.security.http.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}" {% endif %} {% endif %} -{% else %} -# xpack.security.http.ssl.enabled: false {% endif %} {% endif %}