From 34f08130e1d9b015f620dbfdc2739a26c8285786 Mon Sep 17 00:00:00 2001 From: Jeffrey Everling Date: Tue, 24 Apr 2018 12:51:03 +0200 Subject: [PATCH 01/22] Added changes to add required functionality and fix a bug --- tasks/elasticsearch-Debian.yml | 8 ++++---- tasks/xpack/elasticsearch-xpack.yml | 2 +- templates/elasticsearch.yml.j2 | 19 +++++++++++++++++++ 3 files changed, 24 insertions(+), 5 deletions(-) diff --git a/tasks/elasticsearch-Debian.yml b/tasks/elasticsearch-Debian.yml index ebaaa617..3677b3ed 100644 --- a/tasks/elasticsearch-Debian.yml +++ b/tasks/elasticsearch-Debian.yml @@ -25,10 +25,6 @@ - { repo: "{{ es_apt_url }}", state: "present" } when: es_use_repository -- name: Debian - Include versionlock - include: elasticsearch-Debian-version-lock.yml - when: es_version_lock - - name: Debian - Ensure elasticsearch is installed become: yes apt: name=elasticsearch{% if es_version is defined and es_version != "" %}={{ es_version }}{% endif %} state=present force={{force_install}} allow_unauthenticated={{ 'no' if es_apt_key else 'yes' }} cache_valid_time=86400 @@ -36,6 +32,10 @@ register: debian_elasticsearch_install_from_repo notify: restart elasticsearch +- name: Debian - Include versionlock + include: elasticsearch-Debian-version-lock.yml + when: es_version_lock + - name: Debian - Download elasticsearch from url get_url: url={% if es_custom_package_url is defined %}{{ es_custom_package_url }}{% else %}{{ es_package_url }}-{{ es_version }}.deb{% endif %} dest=/tmp/elasticsearch-{{ es_version }}.deb validate_certs=no when: not es_use_repository diff --git a/tasks/xpack/elasticsearch-xpack.yml b/tasks/xpack/elasticsearch-xpack.yml index ace1500a..ec82a68a 100644 --- a/tasks/xpack/elasticsearch-xpack.yml +++ b/tasks/xpack/elasticsearch-xpack.yml 
@@ -1,7 +1,7 @@ --- - name: set fact es_version_changed - set_fact: es_version_changed={{ ((elasticsearch_install_from_package is defined and ((debian_elasticsearch_install_from_repo is defined and debian_elasticsearch_install_from_repo.changed) or (redhat_elasticsearch_install_from_repo is defined and redhat_elasticsearch_install_from_repo.changed))) or (elasticsearch_install_from_package is defined and elasticsearch_install_from_package.changed)) }} + set_fact: es_version_changed={{ ((elasticsearch_install_from_package is defined and (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed)) or (elasticsearch_install_from_package is defined and elasticsearch_install_from_package.changed)) }} - name: include elasticsearch-xpack-install.yml include: elasticsearch-xpack-install.yml diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index 111f6f46..170dd7f8 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 @@ -23,6 +23,10 @@ path.data: {{ data_dirs | array_to_str }} path.logs: {{ log_dir }} +path.repo: {{ path_repo }} + +action.auto_create_index: {{ action_auto_create_index }} + {% if es_enable_xpack %} {% if not "security" in es_xpack_features %} xpack.security.enabled: false @@ -44,3 +48,18 @@ xpack.ml.enabled: false xpack.graph.enabled: false {% endif %} {% endif %} + +{% if es_mail_config['account'] is defined %} +xpack.notification.email: + account: + {{ es_mail_config['account'] }}: + profile: {{ es_mail_config['profile'] }} + email_defaults: + from: {{ es_mail_config['from'] }} + smtp: + auth: {{ es_mail_config['require_auth'] }} + host: {{ es_mail_config['host'] }} + port: {{ es_mail_config['port'] }} + user: {{ es_mail_config['user'] }} + password: {{ es_mail_config['pass'] }} +{% endif %} \ No newline at end of file From 7aebcaefa64802b76d8b17dc95079210f02e3090 Mon Sep 17 00:00:00 2001 
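Review bot: Dropping the `is defined` guards in the `set_fact: es_version_changed=…` line turns a cross-platform expression into one that raises an undefined-variable error: on a RedHat host `debian_elasticsearch_install_from_repo` is never registered, and on a Debian host the `or` still reaches `redhat_elasticsearch_install_from_repo.changed` whenever the Debian install reported no change. Keep the guards, e.g. `((debian_elasticsearch_install_from_repo is defined and debian_elasticsearch_install_from_repo.changed) or (redhat_elasticsearch_install_from_repo is defined and redhat_elasticsearch_install_from_repo.changed))`. If the bug the commit message refers to was a stale registered result, that is better fixed in the task that registers it than by removing the guard.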
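Review bot: The new `xpack.notification.email` block renders the SMTP credential into elasticsearch.yml in clear text at `password: {{ es_mail_config['pass'] }}`, and none of the scalars are quoted, so a value such as `NO`, `0644`, or one containing `: ` or ` #` is retyped or truncated by the YAML parser before Elasticsearch reads it. Where the target release supports it, the SMTP password belongs in the Elasticsearch keystore as `xpack.notification.email.account.<name>.smtp.secure_password` (added with `elasticsearch-keystore add` under `no_log: true`), leaving the template without a `password:` line; at minimum quote the rendered values, e.g. `host: "{{ es_mail_config['host'] }}"` and `user: "{{ es_mail_config['user'] }}"`. The guard `{% if es_mail_config['account'] is defined %}` also aborts the render when `es_mail_config` itself is undefined; `{% if es_mail_config is defined and es_mail_config['account'] is defined %}` covers both cases.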
From: Jeffrey Everling Date: Thu, 26 Apr 2018 15:01:18 +0200 Subject: [PATCH 02/22] Added documentation for added features Updated configuration template with if statements for optional features --- README.md | 16 +++++++++++++++- templates/elasticsearch.yml.j2 | 7 ++++++- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 85f97acf..bc93e445 100644 --- a/README.md +++ b/README.md @@ -338,6 +338,7 @@ In addition to es_config, the following parameters allow the customization of th * ```es_start_service``` (true (default) or false) * ```es_plugins_reinstall``` (true or false (default) ) * ```es_plugins``` an array of plugin definitions e.g.: +* ```es_path_repo``` Sets the whitelist for allowing local back-up repositories ```yml es_plugins: - plugin: ingest-geoip 
@@ -352,7 +353,20 @@ In addition to es_config, the following parameters allow the customization of th Earlier examples illustrate the installation of plugins using `es_plugins`. For officially supported plugins no version or source delimiter is required. The plugin script will determine the appropriate plugin version based on the target Elasticsearch version. For community based plugins include the full url. This approach should NOT be used for the X-Pack plugin. See X-Pack below for details here. -If installing Monitoring or Alerting, ensure the license plugin is also specified. Security configuration is currently not supported but planned for later versions. +If installing Monitoring or Alerting, ensure the license plugin is also specified. Security configuration currently has limited support, but more support is planned for later versions. + +To configure X-pack to send mail, the following configuration can be added to the role. When require_auth is true, you will also need to provide the user and password. If not these can be removed: +``` + es_mail_config: + account: + profile: standard + from: + require_auth: + host: + port: + user: --optional + pass: --optional +``` * ```es_user``` - defaults to elasticsearch. * ```es_group``` - defaults to elasticsearch. diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index 170dd7f8..56df8439 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 @@ -23,7 +23,9 @@ path.data: {{ data_dirs | array_to_str }} path.logs: {{ log_dir }} -path.repo: {{ path_repo }} +{% if es_path_repo %} +path.repo: {{ es_path_repo }} +{% endif %} action.auto_create_index: {{ action_auto_create_index }} 
@@ -60,6 +62,9 @@ xpack.notification.email: auth: {{ es_mail_config['require_auth'] }} host: {{ es_mail_config['host'] }} port: {{ es_mail_config['port'] }} + {% if es_mail_config['require_auth'] == true %} user: {{ es_mail_config['user'] }} password: {{ es_mail_config['pass'] }} + {% endif %} + {% endif %} \ No newline at end of file From 7640a0383a99f698ef1c9949f22cdeb5b51579bc Mon Sep 17 00:00:00 2001 From: Jeffrey E Date: Thu, 3 May 2018 06:37:50 +0200 Subject: [PATCH 03/22] Update elasticsearch.yml.j2 --- templates/elasticsearch.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index 56df8439..4c306558 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 @@ -23,7 +23,7 @@ path.data: {{ data_dirs | array_to_str }} path.logs: {{ log_dir }} -{% if es_path_repo %} +{% if es_path_repo is defined %} path.repo: {{ es_path_repo }} {% endif %} @@ -67,4 +67,4 @@ xpack.notification.email: password: {{ es_mail_config['pass'] }} {% endif %} -{% endif %} \ No newline at end of file +{% endif %} From 4caefef9615b84030fb61cecc06b78c6a7b5ba8d Mon Sep 17 00:00:00 2001 From: Jeffrey E Date: Thu, 3 May 2018 07:23:24 +0200 Subject: [PATCH 04/22] Added es_action_auto_create_index: true --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/defaults/main.yml b/defaults/main.yml index ad2be6ec..524f65dd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -22,6 +22,7 @@ es_config_log4j2: log4j2.properties.j2 es_pid_dir: "/var/run/elasticsearch" es_data_dirs: "/var/lib/elasticsearch" es_log_dir: "/var/log/elasticsearch" +es_action_auto_create_index: true es_max_open_files: 65536 es_max_threads: "{{ 2048 if ( es_version | version_compare('6.0.0', '<')) else 8192 }}" es_max_map_count: 262144 From 11a1e4b38a14a8d432d4edd4423e98d75f5f57d8 Mon Sep 17 00:00:00 2001 
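Review bot: `{% if es_mail_config['require_auth'] == true %}` only matches a real boolean; when the dict arrives with the string `"true"` (extra-vars, inventory files) the SMTP block is rendered without credentials while `auth:` still says authentication is required. Use `{% if es_mail_config['require_auth'] | bool %}` so the two lines agree, and give the key a default (`es_mail_config['require_auth'] | default(false) | bool`) since it is dereferenced without an `is defined` check.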
From: Jeffrey E Date: Thu, 3 May 2018 07:33:17 +0200 Subject: [PATCH 05/22] Adjust variable name to match standard --- templates/elasticsearch.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index 4c306558..8baae10a 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 @@ -27,7 +27,7 @@ path.logs: {{ log_dir }} path.repo: {{ es_path_repo }} {% endif %} -action.auto_create_index: {{ action_auto_create_index }} +action.auto_create_index: {{ es_action_auto_create_index }} {% if es_enable_xpack %} {% if not "security" in es_xpack_features %} From 96f3a87d95948ea02442ac54776058a7cb23a44d Mon Sep 17 00:00:00 2001 From: Jeffrey E Date: Thu, 3 May 2018 16:27:27 +0200 Subject: [PATCH 06/22] Fixed documentation Added documentation for es_action_auto_create_index and fixed the order --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index bc93e445..e4d0ac68 100644 --- a/README.md +++ b/README.md 
@@ -338,11 +338,13 @@ In addition to es_config, the following parameters allow the customization of th * ```es_start_service``` (true (default) or false) * ```es_plugins_reinstall``` (true or false (default) ) * ```es_plugins``` an array of plugin definitions e.g.: -* ```es_path_repo``` Sets the whitelist for allowing local back-up repositories ```yml es_plugins: - plugin: ingest-geoip ``` +* ```es_path_repo``` Sets the whitelist for allowing local back-up repositories +* ```es_action_auto_create_index ``` Sets the value for auto index creation, use the syntax below for specifying indexes (else true/false): + es_action_auto_create_index: '[".watches", ".triggered_watches", ".watcher-history-*"]' * ```es_allow_downgrades``` For development purposes only. (true or false (default) ) * ```es_java_install``` If set to false, Java will not be installed. (true (default) or false) * ```update_java``` Updates Java to the latest version. (true or false (default)) From da527ec19b8ed59e3239419bc6257e1629198806 Mon Sep 17 00:00:00 2001 From: Jeffrey E Date: Thu, 3 May 2018 16:29:17 +0200 Subject: [PATCH 07/22] Added support for providing an array with indices --- templates/elasticsearch.yml.j2 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index 8baae10a..d68a0dcf 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 @@ -27,7 +27,13 @@ path.logs: {{ log_dir }} path.repo: {{ es_path_repo }} {% endif %} +{% if es_action_auto_create_index == true %} +action.auto_create_index: true +{% elif not es_action_auto_create_index %} +action.auto_create_index: false +{% else %} action.auto_create_index: {{ es_action_auto_create_index }} +{% endif %} {% if es_enable_xpack %} {% if not "security" in es_xpack_features %} From cc28b6149af9866455f9b1b90ac601596e4635a4 Mon Sep 17 00:00:00 2001 
From: Jeffrey Everling Date: Thu, 3 May 2018 16:45:04 +0200 Subject: [PATCH 08/22] Added more x-pack config options --- README.md | 2 + defaults/main.yml | 3 +- tasks/elasticsearch-Debian-version-lock.yml | 6 +- tasks/xpack/elasticsearch-xpack-install.yml | 3 + tasks/xpack/elasticsearch-xpack-ssl.yml | 146 ++++++++++++++++++ .../elasticsearch-security-native.yml | 16 +- .../elasticsearch-xpack-activation.yml | 4 +- templates/elasticsearch.yml.j2 | 22 ++- 8 files changed, 188 insertions(+), 14 deletions(-) create mode 100644 tasks/xpack/elasticsearch-xpack-ssl.yml diff --git a/README.md b/README.md index bc93e445..7c49204a 100644 --- a/README.md +++ b/README.md @@ -339,6 +339,8 @@ In addition to es_config, the following parameters allow the customization of th * ```es_plugins_reinstall``` (true or false (default) ) * ```es_plugins``` an array of plugin definitions e.g.: * ```es_path_repo``` Sets the whitelist for allowing local back-up repositories +* ```es_action_auto_create_index ``` Sets the value for auto index creation, use the syntax below for specifying indexes (else true/false): + es_action_auto_create_index: '[".watches", ".triggered_watches", ".watcher-history-*"]' ```yml es_plugins: - plugin: ingest-geoip diff --git a/defaults/main.yml b/defaults/main.yml index e72e4f28..56b2df94 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -22,6 +22,7 @@ es_config_log4j2: log4j2.properties.j2 es_pid_dir: "/var/run/elasticsearch" es_data_dirs: "/var/lib/elasticsearch" es_log_dir: "/var/log/elasticsearch" +es_action_auto_create_index: true es_max_open_files: 65536 es_max_threads: "{{ 2048 if ( es_version | version_compare('6.0.0', '<')) else 8192 }}" es_max_map_count: 262144 
@@ -33,7 +34,7 @@ es_xpack_features: ["alerting","monitoring","graph","ml","security"] es_api_host: "localhost" es_api_port: 9200 es_debian_startup_timeout: 10 - +es_http_type: http # Since ansible 2.2 the following variables need to be defined # to allow the role to be conditionally played with a when condition. pid_dir: '' diff --git a/tasks/elasticsearch-Debian-version-lock.yml b/tasks/elasticsearch-Debian-version-lock.yml index d9fdd698..cbd6598f 100644 --- a/tasks/elasticsearch-Debian-version-lock.yml +++ b/tasks/elasticsearch-Debian-version-lock.yml @@ -1,6 +1,10 @@ --- -- name: Debian - hold elasticsearch version +- name: Debian - hold elasticsearch version with apt become: yes command: apt-mark hold elasticsearch register: hold_elasticsearch_result changed_when: "hold_elasticsearch_result.stdout != 'elasticsearch was already set on hold.'" +- name: Debian - hold elasticsearch version with aptitude + become: yes + command: aptitude hold elasticsearch + register: aptitude_hold_elasticsearch_result \ No newline at end of file diff --git a/tasks/xpack/elasticsearch-xpack-install.yml b/tasks/xpack/elasticsearch-xpack-install.yml index 522f8161..b1b58c8c 100644 --- a/tasks/xpack/elasticsearch-xpack-install.yml +++ b/tasks/xpack/elasticsearch-xpack-install.yml @@ -66,3 +66,6 @@ ES_PATH_CONF: "{{ conf_dir }}" ES_INCLUDE: "{{ instance_default_file }}" ES_JAVA_OPTS: "{% if es_proxy_host is defined and es_proxy_host != '' %}-Dhttp.proxyHost={{ es_proxy_host }} -Dhttp.proxyPort={{ es_proxy_port }} -Dhttps.proxyHost={{ es_proxy_host }} -Dhttps.proxyPort={{ es_proxy_port }}{% endif %}" + +- name: Generate SSL/TLS environment + include: ./elasticsearch-xpack-ssl.yml \ No newline at end of file diff --git a/tasks/xpack/elasticsearch-xpack-ssl.yml b/tasks/xpack/elasticsearch-xpack-ssl.yml new file mode 100644 index 00000000..ae96e148 --- /dev/null +++ b/tasks/xpack/elasticsearch-xpack-ssl.yml 
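Review bot: The new `aptitude hold elasticsearch` task has no `changed_when` and no guard, so it reports changed on every run and fails outright on hosts where aptitude is not installed, which makes the version-lock include non-idempotent and Debian-minimal-unfriendly. Either gate it on the binary being present (register a `stat` of the aptitude path first and add `when: … .stat.exists`) or replace both hold tasks with the `dpkg_selections` module (`selection: hold`), which covers apt and aptitude; at minimum add `changed_when: false`. The file also loses its trailing newline.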
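Review bot: `include: ./elasticsearch-xpack-ssl.yml` is unconditional, while the included file dereferences `es_ssl_config['dns']`, creates directories and runs `update-ca-certificates` on every host regardless of whether TLS was requested. Gate the include on the variable: `when: es_ssl_config is defined`. The file also drops its trailing newline.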
@@ -0,0 +1,146 @@ +#### Install SSL/TLS certificates when platinum license is present +#ES_PATH_CONF="/etc/elasticsearch/ases1" && export ES_PATH_CONF +#/usr/share/elasticsearch/bin/x-pack/setup-passwords auto --url https://localhost:9200 + +- name: Check if /etc/ssl/elasticsearch folder exists + file: + path: /etc/ssl/elasticsearch + state: directory + owner: elasticsearch + group: elasticsearch + mode: 0755 + register: es_ssl_folder + +- name: Verify if elastic CA keys are present + stat: + path: "/etc/ssl/elasticsearch/elastic-ca.p12" + become: true + become_user: elasticsearch + register: es_ssl_ca_present + when: es_ssl_folder + +- name: Generate SSL/TLS CA Authority (required for platinum license) + environment: + - ES_PATH_CONF: "{{conf_dir}}" + command: /usr/share/elasticsearch/bin/x-pack/certutil ca --silent -out /etc/ssl/elasticsearch/elastic-ca.p12 -pass "test" + become: true + become_user: elasticsearch + register: elastic_ca + when: es_platinum_license is defined and es_ssl_config["enabled"] is defined and not es_ssl_ca_present.stat.exists + +- name: Check if /usr/local/share/ca-certificates/local-elastic-ca folder exists + file: + path: /usr/local/share/ca-certificates/local-elastic-ca + state: directory + owner: root + group: root + mode: 0755 + register: es_ca_folder + +- name: Extract CA certificate to the trusted CA folder + command: openssl pkcs12 -in /etc/ssl/elasticsearch/elastic-ca.p12 -clcerts -nokeys -out /usr/local/share/ca-certificates/local-elastic-ca/elastic-ca.crt -passin pass:test + when: es_ca_folder + +- name: Add CA certificate to cacerts + become: true + command: update-ca-certificates + +- name: Verify if elastic Cert keys are present + stat: + path: "{{conf_dir}}/ssl/{{ es_ssl_config['dns'] }}.p12" + become: true + become_user: elasticsearch + register: es_ssl_cert_present + +- name: Generate SSL/TLS certificate for ES (required for platinum license) + environment: + - ES_PATH_CONF: "{{conf_dir}}" + command: 
/usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca /etc/ssl/elasticsearch/elastic-ca.p12 --ca-pass "test" --ip {{ es_ssl_config['ip'] }} --dns {{ es_ssl_config['dns'] }},localhost --out {{conf_dir}}/ssl/{{ es_ssl_config['dns'] }}.p12 --pass "test" + become: true + become_user: elasticsearch + when: es_ssl_regen_cert is defined or not es_ssl_cert_present.stat.exists + +- name: Add SSL/TLS keystore password to ES keystore (required for platinum license) + environment: + - ES_PATH_CONF: "{{conf_dir}}" + shell: echo "test" | /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.keystore.secure_password -x --force + become: true + become_user: elasticsearch + when: elastic_ca + +- name: Add SSL/TLS truststore password to ES keystore (required for platinum license) + environment: + - ES_PATH_CONF: "{{conf_dir}}" + shell: echo "test" | /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.truststore.secure_password -x --force + become: true + become_user: elasticsearch + when: elastic_ca + +- name: set fact es_http_type to HTTPS + set_fact: es_http_type=https + when: elastic_ca + +##################################### Kibana certificates ##################################### + +- name: Verify if kibana Cert keys are present + stat: + path: "/etc/ssl/elasticsearch/kb-{{ item }}.zip" + become: true + become_user: elasticsearch + register: es_kb_ssl_cert_present + loop: "{{ groups['kibana_droplets'] }}" + +- name: Generate SSL/TLS certificate for Kibana + environment: + - ES_PATH_CONF: "{{conf_dir}}" + command: /usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca /etc/ssl/elasticsearch/elastic-ca.p12 --ca-pass "test" --ip "{{ hostvars[item.item].ansible_host }}" --dns {{ item.item }},localhost --out /etc/ssl/elasticsearch/kb-{{ item.item }}.zip --pem --name {{ item.item }} + become: true + become_user: elasticsearch + when: es_ssl_regen_certs is defined or not item.stat.exists + 
loop: "{{ es_kb_ssl_cert_present.results }}" + +- name: Find kibana certificates in /etc/ssl/elasticsearch + find: + paths: /etc/ssl/elasticsearch + patterns: 'kb-.*\.zip' + use_regex: yes + register: es_kb_ssl_cert_archives + +- debug: + msg: "Found Kibana certificate ZIP files: {{ es_kb_ssl_cert_archives }}" + +# - name: Unarchive certificates for Kibana + # unarchive: + # src: "{{item.path}}" + # dest: "{{item.path | regex_replace('(.*).zip$', '\\1')}}" + # remote_src: yes + # become: true + # become_user: elasticsearch + # loop: "{{ es_kb_ssl_cert_archives.files }}" + +# - name: Unarchive certificates for Kibana +# command: unzip {{item.path}} +# become: true +# become_user: elasticsearch +# loop: "{{ es_kb_ssl_cert_archives.files }}" + +# - name: Find kibana certificate directories in /etc/ssl/elasticsearch +# find: +# paths: /etc/ssl/elasticsearch +# patterns: 'kb-.*' +# use_regex: yes +# file_type: directory +# register: es_kb_ssl_cert_folder + +- name: Fetch certificates for Kibana + fetch: + src: "{{item.path}}" + dest: /tmp/certs/ + flat: true + loop: "{{ es_kb_ssl_cert_archives.files }}" + +- name: Fetch CA certificate from primary ES server + fetch: + src: /usr/local/share/ca-certificates/local-elastic-ca/elastic-ca.crt + dest: /tmp/certs/ + flat: true \ No newline at end of file diff --git a/tasks/xpack/security/elasticsearch-security-native.yml b/tasks/xpack/security/elasticsearch-security-native.yml index 63024fad..4a821d4f 100644 --- a/tasks/xpack/security/elasticsearch-security-native.yml +++ b/tasks/xpack/security/elasticsearch-security-native.yml @@ -21,7 +21,7 @@ #List current users - name: List Native Users uri: - url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user + url: "{{es_http_type}}://{{es_api_host}}:{{es_api_port}}/_xpack/security/user" method: GET user: "{{es_api_basic_auth_username}}" password: "{{es_api_basic_auth_password}}" 
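Review bot: Every private key and keystore produced by this new file is protected by the literal passphrase `"test"` (certutil `-pass`, `--ca-pass`, `--pass`, `openssl … -passin pass:test`, and the two `echo "test" | elasticsearch-keystore add` shell tasks), the CA `.p12` is written into a directory created with `mode: 0755`, and none of these tasks set `no_log`, so the passphrase is visible in the Ansible log and in the process list of the target. Take the passphrases from a variable (vaulted), add `no_log: true` to each task that carries one, and create the CA directory with `mode: "0700"`. Several conditions test a registered result object directly (`when: es_ssl_folder`, `when: es_ca_folder`, `when: elastic_ca`); a registered result is truthy even when the task was skipped, so the keystore-add tasks and `set_fact: es_http_type=https` run on every host whether or not a CA was generated — test `elastic_ca.changed` instead. The `es_platinum_license is defined and es_ssl_config["enabled"] is defined` guard is applied only to the CA task, not to the certificate, keystore or fetch tasks that follow it.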
@@ -50,7 +50,7 @@ - name: Update API User Password uri: - url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{es_api_basic_auth_username}}/_password + url: "{{es_http_type}}://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{es_api_basic_auth_username}}/_password" method: POST body_format: json body: "{ \"password\":\"{{native_users[es_api_basic_auth_username].password}}\" }" @@ -72,7 +72,7 @@ #Delete all non required users NOT inc. reserved - name: Delete Native Users uri: - url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}} + url: "{{es_http_type}}://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}" method: DELETE status_code: 200 user: "{{es_api_basic_auth_username}}" @@ -93,7 +93,7 @@ #Update password on all reserved users - name: Update Reserved User Passwords uri: - url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}/_password + url: "{{es_http_type}}://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}/_password" method: POST body_format: json body: "{ \"password\":\"{{native_users[item].password}}\" }" @@ -112,7 +112,7 @@ #Overwrite all other users NOT inc. those reserved - name: Update Non-Reserved Native User Details uri: - url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}} + url: "{{es_http_type}}://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}" method: POST body_format: json body: "{{ native_users[item] | to_json }}" @@ -129,7 +129,7 @@ #List current roles not. inc those reserved - name: List Native Roles uri: - url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role + url: "{{es_http_type}}://{{es_api_host}}:{{es_api_port}}/_xpack/security/role" method: GET body_format: json user: "{{es_api_basic_auth_username}}" 
@@ -163,7 +163,7 @@ #Delete all non required roles NOT inc. reserved - name: Delete Native Roles uri: - url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item}} + url: "{{es_http_type}}://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item}}" method: DELETE status_code: 200 user: "{{es_api_basic_auth_username}}" @@ -179,7 +179,7 @@ #Update other roles - NOT inc. reserved roles - name: Update Native Roles uri: - url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item}} + url: "{{es_http_type}}://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item}}" method: POST body_format: json body: "{{ es_roles.native[item] | to_json}}" diff --git a/tasks/xpack/security/elasticsearch-xpack-activation.yml b/tasks/xpack/security/elasticsearch-xpack-activation.yml index cd72d6a7..c6c8ce7a 100644 --- a/tasks/xpack/security/elasticsearch-xpack-activation.yml +++ b/tasks/xpack/security/elasticsearch-xpack-activation.yml @@ -18,7 +18,7 @@ - name: Activate ES license (with security authentication) uri: method: PUT - url: "http://{{es_api_host}}:{{es_api_port}}/_xpack/license?acknowledge=true" + url: "{{es_http_type}}://{{es_api_host}}:{{es_api_port}}/_xpack/license?acknowledge=true" user: "{{es_api_basic_auth_username}}" password: "{{es_api_basic_auth_password}}" body_format: json @@ -26,7 +26,7 @@ body: "{{ es_xpack_license }}" return_content: yes register: license_activated - no_log: True + no_log: false when: "'security' in es_xpack_features" failed_when: > license_activated.status != 200 or diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index 56df8439..ee93abaa 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 
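Review bot: Flipping `no_log: True` to `no_log: false` on the 'Activate ES license' task exposes `es_api_basic_auth_password` and the full license body (`return_content: yes`) in the play output and in any log collector that receives it, and nothing in the commit message explains the change. Restore `no_log: true`; if the intent was to debug activation failures, keep the registered result and print only `license_activated.status` from a separate `debug` task. The `failed_when` expression of this task continues outside the hunk.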
@@ -23,11 +23,17 @@ path.data: {{ data_dirs | array_to_str }} path.logs: {{ log_dir }} -{% if es_path_repo %} +{% if es_path_repo is defined %} path.repo: {{ es_path_repo }} {% endif %} -action.auto_create_index: {{ action_auto_create_index }} +{% if es_action_auto_create_index == true %} +action.auto_create_index: true +{% elif not es_action_auto_create_index %} +action.auto_create_index: false +{% else %} +action.auto_create_index: {{ es_action_auto_create_index }} +{% endif %} {% if es_enable_xpack %} {% if not "security" in es_xpack_features %} @@ -51,6 +57,18 @@ xpack.graph.enabled: false {% endif %} {% endif %} +{% if es_ssl_config['enabled'] is defined %} +xpack.security.transport.ssl.enabled: true +xpack.security.http.ssl.enabled: true +xpack.security.http.ssl.keystore.path: {{conf_dir}}/ssl/{{es_ssl_config['dns']}}.p12 +#Legacy config required for /usr/share/elasticsearch/bin/x-pack/setup-passwords +xpack.security.http.ssl.keystore.password: "test" +xpack.security.http.ssl.truststore.path: {{conf_dir}}/ssl/{{es_ssl_config['dns']}}.p12 +#Legacy config required for /usr/share/elasticsearch/bin/x-pack/setup-passwords +xpack.security.http.ssl.truststore.password: "test" +xpack.security.http.ssl.client_authentication: none +{% endif %} + {% if es_mail_config['account'] is defined %} xpack.notification.email: account: From a3ea8e0c84babd4eb47d0f9c46876c1985b6f38e Mon Sep 17 00:00:00 2001 From: Jeffrey Everling Date: Thu, 3 May 2018 16:58:29 +0200 Subject: [PATCH 09/22] Fixed documentation commit issue --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index 49432f2a..e4d0ac68 100644 --- a/README.md +++ b/README.md 
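Review bot: The new SSL block writes the literal keystore and truststore password into the rendered config (`xpack.security.http.ssl.keystore.password: "test"` and the matching truststore line), so elasticsearch.yml itself becomes the secret and duplicates the hard-coded value used by the certificate tasks. The role already loads `xpack.security.http.ssl.keystore.secure_password` and `…truststore.secure_password` into the Elasticsearch keystore, which is the supported place for these; drop the two clear-text lines, or if the setup-passwords tool genuinely needs the legacy setting, render it from a variable rather than a literal. `xpack.security.http.ssl.client_authentication: none` is fixed in the template; make it a variable so mutual TLS can be enabled without editing the role. The guard `{% if es_ssl_config['enabled'] is defined %}` aborts the render when `es_ssl_config` is undefined; `{% if es_ssl_config is defined and es_ssl_config['enabled'] is defined %}` avoids that.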
@@ -343,9 +343,6 @@ In addition to es_config, the following parameters allow the customization of th - plugin: ingest-geoip ``` * ```es_path_repo``` Sets the whitelist for allowing local back-up repositories -* ```es_action_auto_create_index ``` Sets the value for auto index creation, use the syntax below for specifying indexes (else true/false): - es_action_auto_create_index: '[".watches", ".triggered_watches", ".watcher-history-*"]' -* ```es_path_repo``` Sets the whitelist for allowing local back-up repositories * ```es_action_auto_create_index ``` Sets the value for auto index creation, use the syntax below for specifying indexes (else true/false): es_action_auto_create_index: '[".watches", ".triggered_watches", ".watcher-history-*"]' * ```es_allow_downgrades``` For development purposes only. (true or false (default) ) From 80baf268e56c59211dcd46606e93e4a2da570f15 Mon Sep 17 00:00:00 2001 From: Jeffrey Everling Date: Sat, 5 May 2018 07:42:08 +0200 Subject: [PATCH 10/22] SSL support optimisation --- tasks/xpack/elasticsearch-xpack-ssl.yml | 78 +++++++++++-------------- templates/elasticsearch.yml.j2 | 23 +++++--- 2 files changed, 48 insertions(+), 53 deletions(-) diff --git a/tasks/xpack/elasticsearch-xpack-ssl.yml b/tasks/xpack/elasticsearch-xpack-ssl.yml index ae96e148..403f6479 100644 --- a/tasks/xpack/elasticsearch-xpack-ssl.yml +++ b/tasks/xpack/elasticsearch-xpack-ssl.yml @@ -2,9 +2,9 @@ #ES_PATH_CONF="/etc/elasticsearch/ases1" && export ES_PATH_CONF #/usr/share/elasticsearch/bin/x-pack/setup-passwords auto --url https://localhost:9200 -- name: Check if /etc/ssl/elasticsearch folder exists +- name: Check if {{ es_ssl_config['ca_folder'] }} folder exists file: - path: /etc/ssl/elasticsearch + path: "{{ es_ssl_config['ca_folder'] }}" state: directory owner: elasticsearch group: elasticsearch 
@@ -13,7 +13,7 @@ - name: Verify if elastic CA keys are present stat: - path: "/etc/ssl/elasticsearch/elastic-ca.p12" + path: "{{ es_ssl_config['ca_folder'] }}/elastic-ca.p12" become: true become_user: elasticsearch register: es_ssl_ca_present @@ -22,11 +22,11 @@ - name: Generate SSL/TLS CA Authority (required for platinum license) environment: - ES_PATH_CONF: "{{conf_dir}}" - command: /usr/share/elasticsearch/bin/x-pack/certutil ca --silent -out /etc/ssl/elasticsearch/elastic-ca.p12 -pass "test" + command: /usr/share/elasticsearch/bin/x-pack/certutil ca --silent -out {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 -pass "{{ es_ssl_config['ca_password'] }}" become: true become_user: elasticsearch register: elastic_ca - when: es_platinum_license is defined and es_ssl_config["enabled"] is defined and not es_ssl_ca_present.stat.exists + when: es_platinum_license is defined and es_ssl_config is defined and es_ssl_config['ca_password'] is defined and (not es_ssl_ca_present.stat.exists or es_ssl_config['regen_certs']) - name: Check if /usr/local/share/ca-certificates/local-elastic-ca folder exists file: @@ -38,12 +38,14 @@ register: es_ca_folder - name: Extract CA certificate to the trusted CA folder - command: openssl pkcs12 -in /etc/ssl/elasticsearch/elastic-ca.p12 -clcerts -nokeys -out /usr/local/share/ca-certificates/local-elastic-ca/elastic-ca.crt -passin pass:test - when: es_ca_folder + command: openssl pkcs12 -in {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 -clcerts -nokeys -out /usr/local/share/ca-certificates/local-elastic-ca/elastic-ca.crt -passin pass:{{ es_ssl_config['ca_password'] }} + when: es_ca_folder and es_ssl_config['ca_password'] is defined and (not es_ssl_ca_present.stat.exists or elastic_ca.changed) + register: es_ca_sytem_import_prep - name: Add CA certificate to cacerts become: true command: update-ca-certificates + when: es_ca_sytem_import_prep.changed - name: Verify if elastic Cert keys are present stat: 
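Review bot: The CA passphrase is still passed on process command lines (`-pass "{{ es_ssl_config['ca_password'] }}"` in the certutil task and `-passin pass:{{ es_ssl_config['ca_password'] }}` in the openssl task) with no `no_log`, so replacing the literal `"test"` with a variable does not keep it out of the Ansible log or the target's process list; add `no_log: true` to both tasks and, for the openssl call, supply it as `-passin env:ES_CA_PASS` with the value in `environment:`. The registered name `es_ca_sytem_import_prep` is misspelled and is referenced by the `update-ca-certificates` task; rename both occurrences to `es_ca_system_import_prep`. `when: es_ca_folder and …` still tests the registered result of the directory task, which is always truthy, so that clause contributes nothing to the condition.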
@@ -52,56 +54,58 @@ become_user: elasticsearch register: es_ssl_cert_present -- name: Generate SSL/TLS certificate for ES (required for platinum license) +- name: Generate SSL/TLS certificate for primary ES (required for platinum license) environment: - ES_PATH_CONF: "{{conf_dir}}" - command: /usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca /etc/ssl/elasticsearch/elastic-ca.p12 --ca-pass "test" --ip {{ es_ssl_config['ip'] }} --dns {{ es_ssl_config['dns'] }},localhost --out {{conf_dir}}/ssl/{{ es_ssl_config['dns'] }}.p12 --pass "test" + command: /usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 --ca-pass "{{ es_ssl_config['ca_password'] }}" --ip {{ es_ssl_config['ip'] }} --dns {{ es_ssl_config['dns'] }},localhost --out {{conf_dir}}/ssl/{{ es_ssl_config['dns'] }}.p12 --pass "{{ es_ssl_config['es_password'] }}" become: true become_user: elasticsearch - when: es_ssl_regen_cert is defined or not es_ssl_cert_present.stat.exists + register: es_ssl_cert_generated + when: es_ssl_config is defined and es_ssl_config['regen_certs'] or not es_ssl_cert_present.stat.exists - name: Add SSL/TLS keystore password to ES keystore (required for platinum license) environment: - ES_PATH_CONF: "{{conf_dir}}" - shell: echo "test" | /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.keystore.secure_password -x --force + shell: echo "{{ es_ssl_config['es_password'] }}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.keystore.secure_password -x --force become: true become_user: elasticsearch - when: elastic_ca + when: es_ssl_cert_generated - name: Add SSL/TLS truststore password to ES keystore (required for platinum license) environment: - ES_PATH_CONF: "{{conf_dir}}" - shell: echo "test" | /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.truststore.secure_password -x --force + shell: echo "{{ 
es_ssl_config['es_password'] }}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.truststore.secure_password -x --force become: true become_user: elasticsearch - when: elastic_ca + when: es_ssl_cert_generated - name: set fact es_http_type to HTTPS set_fact: es_http_type=https - when: elastic_ca + when: es_ssl_cert_generated ##################################### Kibana certificates ##################################### - name: Verify if kibana Cert keys are present stat: - path: "/etc/ssl/elasticsearch/kb-{{ item }}.zip" + path: "{{ es_ssl_config['ca_folder'] }}/kb-{{ item }}.zip" become: true become_user: elasticsearch register: es_kb_ssl_cert_present - loop: "{{ groups['kibana_droplets'] }}" + loop: "{{ groups['kibana_machines'] }}" -- name: Generate SSL/TLS certificate for Kibana +- name: Generate SSL/TLS certificates for Kibana machines environment: - ES_PATH_CONF: "{{conf_dir}}" - command: /usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca /etc/ssl/elasticsearch/elastic-ca.p12 --ca-pass "test" --ip "{{ hostvars[item.item].ansible_host }}" --dns {{ item.item }},localhost --out /etc/ssl/elasticsearch/kb-{{ item.item }}.zip --pem --name {{ item.item }} + command: /usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 --ca-pass "test" --ip "{{ hostvars[item.item].ansible_host }}" --dns {{ item.item }},localhost --out {{ es_ssl_config['ca_folder'] }}/kb-{{ item.item }}.zip --pem --name {{ item.item }} become: true become_user: elasticsearch - when: es_ssl_regen_certs is defined or not item.stat.exists + when: es_ssl_config is defined and es_ssl_config['regen_certs'] or not item.stat.exists + # with_items: "{{ es_kb_ssl_cert_present.results }}" loop: "{{ es_kb_ssl_cert_present.results }}" -- name: Find kibana certificates in /etc/ssl/elasticsearch +- name: Find kibana certificates in {{ es_ssl_config['ca_folder'] }} find: - paths: /etc/ssl/elasticsearch + 
paths: "{{ es_ssl_config['ca_folder'] }}" patterns: 'kb-.*\.zip' use_regex: yes register: es_kb_ssl_cert_archives @@ -109,28 +113,14 @@ - debug: msg: "Found Kibana certificate ZIP files: {{ es_kb_ssl_cert_archives }}" -# - name: Unarchive certificates for Kibana - # unarchive: - # src: "{{item.path}}" - # dest: "{{item.path | regex_replace('(.*).zip$', '\\1')}}" - # remote_src: yes - # become: true - # become_user: elasticsearch - # loop: "{{ es_kb_ssl_cert_archives.files }}" - -# - name: Unarchive certificates for Kibana -# command: unzip {{item.path}} -# become: true -# become_user: elasticsearch -# loop: "{{ es_kb_ssl_cert_archives.files }}" - -# - name: Find kibana certificate directories in /etc/ssl/elasticsearch -# find: -# paths: /etc/ssl/elasticsearch -# patterns: 'kb-.*' -# use_regex: yes -# file_type: directory -# register: es_kb_ssl_cert_folder +# Maybe encrypt certificates first as these are not p12 files? +# Generate a private/public key pair +# $ openssl genrsa -out rsa_key.pri 2048; openssl rsa -in rsa_key.pri -out rsa_key.pub -outform PEM -pubout +# Encrypt the string using public key, and store in a file +# $ echo "stockexchange.com" | openssl rsautl -encrypt -inkey rsa_key.pub -pubin -out secret.dat +# Un-encrypt using private key +# $ string=`openssl rsautl -decrypt -inkey rsa_key.pri -in secret.dat `; echo $string +# stockexchange.com - name: Fetch certificates for Kibana fetch: diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index 739ed149..df0e896a 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 
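Review bot: The Kibana certificate task still signs with `--ca-pass "test"` while the CA is now created with `es_ssl_config['ca_password']`, so Kibana certificate generation fails for any CA password other than the old literal; use `--ca-pass "{{ es_ssl_config['ca_password'] }}"` there as well. In `when: es_ssl_config is defined and es_ssl_config['regen_certs'] or not es_ssl_cert_present.stat.exists` (and the matching Kibana condition) `and` binds tighter than `or`, so the `is defined` guard does not cover the second operand; write `es_ssl_config is defined and (es_ssl_config['regen_certs'] | default(false) or not es_ssl_cert_present.stat.exists)`. `when: es_ssl_cert_generated` on the two keystore tasks and on `set_fact: es_http_type=https` tests the registered object, which is truthy even when the generate task was skipped — use `es_ssl_cert_generated.changed`. The `echo "{{ es_ssl_config['es_password'] }}" | …` shell tasks still run without `no_log: true`.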
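Review bot: The replacement comment block (`# Maybe encrypt certificates first …` through `# stockexchange.com`) is scratch material — generic openssl key-generation and `rsautl` commands with an unrelated example string — rather than documentation of the tasks around it. Either drop it or reduce it to a one-line TODO that states the actual open question, e.g. `# TODO: the Kibana .zip archives hold PEM private keys unencrypted; decide how to protect them before fetch`.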
@@ -57,19 +57,25 @@ xpack.graph.enabled: false {% endif %} {% endif %} -{% if es_ssl_config['enabled'] is defined %} +{% if es_ssl_config is defined %} xpack.security.transport.ssl.enabled: true xpack.security.http.ssl.enabled: true -xpack.security.http.ssl.keystore.path: {{conf_dir}}/ssl/{{es_ssl_config['dns']}}.p12 +xpack.security.http.ssl.keystore.path: "{{ es_ssl_config['keystore'] }}" +{% if es_ssl_config['keystore_password'] is defined and es_ssl_config['legacy_password_config'] %} #Legacy config required for /usr/share/elasticsearch/bin/x-pack/setup-passwords -xpack.security.http.ssl.keystore.password: "test" -xpack.security.http.ssl.truststore.path: {{conf_dir}}/ssl/{{es_ssl_config['dns']}}.p12 +xpack.security.http.ssl.keystore.password: "{{ es_ssl_config['keystore_password'] }}" +{% endif %} +xpack.security.http.ssl.truststore.path: "{{ es_ssl_config['truststore'] }}" +{% if es_ssl_config['truststore_password'] is defined and es_ssl_config['legacy_password_config'] %} #Legacy config required for /usr/share/elasticsearch/bin/x-pack/setup-passwords -xpack.security.http.ssl.truststore.password: "test" -xpack.security.http.ssl.client_authentication: none +xpack.security.http.ssl.truststore.password: "{{ es_ssl_config['truststore_password'] }}" +{% endif %} +{% if es_ssl_config['client_authentication'] is defined %} +xpack.security.http.ssl.client_authentication: {{ es_ssl_config['client_authentication'] }} +{% endif %} {% endif %} -{% if es_mail_config['account'] is defined %} +{% if es_mail_config is defined %} xpack.notification.email: account: {{ es_mail_config['account'] }}: @@ -83,6 +89,5 @@ xpack.notification.email: {% if es_mail_config['require_auth'] == true %} user: {{ es_mail_config['user'] }} password: {{ es_mail_config['pass'] }} - {% endif %} - + {% endif %} {% endif %} From b1e350f004b38d54ae602237549f0391800ec353 Mon Sep 17 00:00:00 2001 
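Review bot: The new guard `{% if es_ssl_config['keystore_password'] is defined and es_ssl_config['legacy_password_config'] %}` and its truststore twin test `legacy_password_config` with no definedness check, so an `es_ssl_config` that carries a password but not that key will presumably abort the render with an undefined-variable error instead of skipping the legacy line. `... and es_ssl_config['legacy_password_config'] | default(false) %}` on both lines makes the intended default explicit. Since that branch writes the keystore password in clear into elasticsearch.yml, the existing `#Legacy config required for /usr/share/elasticsearch/bin/x-pack/setup-passwords` comment would also benefit from stating that the keystore `secure_password` entries set by the tasks are the normal path and this line is only for the setup-passwords run.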
From: Jeffrey Everling
Date: Sat, 5 May 2018 07:52:08 +0200
Subject: [PATCH 11/22] Revert "Added support for providing an array with indices"
This reverts commit da527ec19b8ed59e3239419bc6257e1629198806.
---
 templates/elasticsearch.yml.j2 | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2
index df0e896a..634fbe3e 100644
--- a/templates/elasticsearch.yml.j2
+++ b/templates/elasticsearch.yml.j2
@@ -27,13 +27,7 @@ path.logs: {{ log_dir }}
 path.repo: {{ es_path_repo }}
 {% endif %}
 
-{% if es_action_auto_create_index == true %}
-action.auto_create_index: true
-{% elif not es_action_auto_create_index %}
-action.auto_create_index: false
-{% else %}
 action.auto_create_index: {{ es_action_auto_create_index }}
-{% endif %}
 
 {% if es_enable_xpack %}
 {% if not "security" in es_xpack_features %}
From 40e5252ff4e226337e3711a80c2b80c11562dd3e Mon Sep 17 00:00:00 2001
From: Jeffrey E
Date: Thu, 3 May 2018 16:29:17 +0200
Subject: [PATCH 12/22] Added support for providing an array with indices
---
 templates/elasticsearch.yml.j2 | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2
index 634fbe3e..df0e896a 100644
--- a/templates/elasticsearch.yml.j2
+++ b/templates/elasticsearch.yml.j2
@@ -27,7 +27,13 @@ path.logs: {{ log_dir }}
 path.repo: {{ es_path_repo }}
 {% endif %}
 
+{% if es_action_auto_create_index == true %}
+action.auto_create_index: true
+{% elif not es_action_auto_create_index %}
+action.auto_create_index: false
+{% else %}
 action.auto_create_index: {{ es_action_auto_create_index }}
+{% endif %}
 
 {% if es_enable_xpack %}
 {% if not "security" in es_xpack_features %}
From ba080bc3c8587370221f27baa045f01dffb0d715 Mon Sep 17 00:00:00 2001
From: Jeffrey Everling Date: Sat, 5 May 2018 07:56:16 +0200 Subject: [PATCH 13/22] Revert "SSL support optimisation" This reverts commit 80baf268e56c59211dcd46606e93e4a2da570f15. --- tasks/xpack/elasticsearch-xpack-ssl.yml | 78 ++++++++++++++----------- templates/elasticsearch.yml.j2 | 23 +++----- 2 files changed, 53 insertions(+), 48 deletions(-) diff --git a/tasks/xpack/elasticsearch-xpack-ssl.yml b/tasks/xpack/elasticsearch-xpack-ssl.yml index 403f6479..ae96e148 100644 --- a/tasks/xpack/elasticsearch-xpack-ssl.yml +++ b/tasks/xpack/elasticsearch-xpack-ssl.yml @@ -2,9 +2,9 @@ #ES_PATH_CONF="/etc/elasticsearch/ases1" && export ES_PATH_CONF #/usr/share/elasticsearch/bin/x-pack/setup-passwords auto --url https://localhost:9200 -- name: Check if {{ es_ssl_config['ca_folder'] }} folder exists +- name: Check if /etc/ssl/elasticsearch folder exists file: - path: "{{ es_ssl_config['ca_folder'] }}" + path: /etc/ssl/elasticsearch state: directory owner: elasticsearch group: elasticsearch @@ -13,7 +13,7 @@ - name: Verify if elastic CA keys are present stat: - path: "{{ es_ssl_config['ca_folder'] }}/elastic-ca.p12" + path: "/etc/ssl/elasticsearch/elastic-ca.p12" become: true become_user: elasticsearch register: es_ssl_ca_present 
@@ -22,11 +22,11 @@ - name: Generate SSL/TLS CA Authority (required for platinum license) environment: - ES_PATH_CONF: "{{conf_dir}}" - command: /usr/share/elasticsearch/bin/x-pack/certutil ca --silent -out {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 -pass "{{ es_ssl_config['ca_password'] }}" + command: /usr/share/elasticsearch/bin/x-pack/certutil ca --silent -out /etc/ssl/elasticsearch/elastic-ca.p12 -pass "test" become: true become_user: elasticsearch register: elastic_ca - when: es_platinum_license is defined and es_ssl_config is defined and es_ssl_config['ca_password'] is defined and (not es_ssl_ca_present.stat.exists or es_ssl_config['regen_certs']) + when: es_platinum_license is defined and es_ssl_config["enabled"] is defined and not es_ssl_ca_present.stat.exists - name: Check if /usr/local/share/ca-certificates/local-elastic-ca folder exists file: @@ -38,14 +38,12 @@ register: es_ca_folder - name: Extract CA certificate to the trusted CA folder - command: openssl pkcs12 -in {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 -clcerts -nokeys -out /usr/local/share/ca-certificates/local-elastic-ca/elastic-ca.crt -passin pass:{{ es_ssl_config['ca_password'] }} - when: es_ca_folder and es_ssl_config['ca_password'] is defined and (not es_ssl_ca_present.stat.exists or elastic_ca.changed) - register: es_ca_sytem_import_prep + command: openssl pkcs12 -in /etc/ssl/elasticsearch/elastic-ca.p12 -clcerts -nokeys -out /usr/local/share/ca-certificates/local-elastic-ca/elastic-ca.crt -passin pass:test + when: es_ca_folder - name: Add CA certificate to cacerts become: true command: update-ca-certificates - when: es_ca_sytem_import_prep.changed - name: Verify if elastic Cert keys are present stat: 
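Review bot: The restored CA command hard-codes the password as `-pass "test"`, and the same literal comes back in `@@ -38,14 +38,12 @@` (`-passin pass:test`), in `@@ -54,58 +52,56 @@` (`--ca-pass "test"`, `--pass "test"` and the two `echo "test" |` keystore adds) and in the template hunk `@@ -57,25 +57,19 @@` (`keystore.password: "test"`, `truststore.password: "test"`). The reverted side read these from `es_ssl_config['ca_password']` and `es_ssl_config['es_password']`; if the revert is only meant to back out the broken conditions, keeping the variable-driven passwords and reverting the conditions alone would avoid re-landing a fixed password in a role that also fetches the generated key material off the host. PATCH 15 in this series deletes the file outright, so this only matters if the file is kept.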
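Review bot: With `register: es_ca_sytem_import_prep` and the `when: es_ca_sytem_import_prep.changed` guard removed, the `openssl pkcs12` extraction is gated only on `when: es_ca_folder`, which is the registered result of the `file` task and is always truthy, and `update-ca-certificates` has no condition at all, so both run and report changed on every play. Keeping the register (spelled `es_ca_system_import_prep`) with the `.changed` guard, or adding `changed_when: false` to both command tasks, restores idempotence.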
@@ -54,58 +52,56 @@ become_user: elasticsearch register: es_ssl_cert_present -- name: Generate SSL/TLS certificate for primary ES (required for platinum license) +- name: Generate SSL/TLS certificate for ES (required for platinum license) environment: - ES_PATH_CONF: "{{conf_dir}}" - command: /usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 --ca-pass "{{ es_ssl_config['ca_password'] }}" --ip {{ es_ssl_config['ip'] }} --dns {{ es_ssl_config['dns'] }},localhost --out {{conf_dir}}/ssl/{{ es_ssl_config['dns'] }}.p12 --pass "{{ es_ssl_config['es_password'] }}" + command: /usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca /etc/ssl/elasticsearch/elastic-ca.p12 --ca-pass "test" --ip {{ es_ssl_config['ip'] }} --dns {{ es_ssl_config['dns'] }},localhost --out {{conf_dir}}/ssl/{{ es_ssl_config['dns'] }}.p12 --pass "test" become: true become_user: elasticsearch - register: es_ssl_cert_generated - when: es_ssl_config is defined and es_ssl_config['regen_certs'] or not es_ssl_cert_present.stat.exists + when: es_ssl_regen_cert is defined or not es_ssl_cert_present.stat.exists - name: Add SSL/TLS keystore password to ES keystore (required for platinum license) environment: - ES_PATH_CONF: "{{conf_dir}}" - shell: echo "{{ es_ssl_config['es_password'] }}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.keystore.secure_password -x --force + shell: echo "test" | /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.keystore.secure_password -x --force become: true become_user: elasticsearch - when: es_ssl_cert_generated + when: elastic_ca - name: Add SSL/TLS truststore password to ES keystore (required for platinum license) environment: - ES_PATH_CONF: "{{conf_dir}}" - shell: echo "{{ es_ssl_config['es_password'] }}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.truststore.secure_password -x 
--force + shell: echo "test" | /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.truststore.secure_password -x --force become: true become_user: elasticsearch - when: es_ssl_cert_generated + when: elastic_ca - name: set fact es_http_type to HTTPS set_fact: es_http_type=https - when: es_ssl_cert_generated + when: elastic_ca ##################################### Kibana certificates ##################################### - name: Verify if kibana Cert keys are present stat: - path: "{{ es_ssl_config['ca_folder'] }}/kb-{{ item }}.zip" + path: "/etc/ssl/elasticsearch/kb-{{ item }}.zip" become: true become_user: elasticsearch register: es_kb_ssl_cert_present - loop: "{{ groups['kibana_machines'] }}" + loop: "{{ groups['kibana_droplets'] }}" -- name: Generate SSL/TLS certificates for Kibana machines +- name: Generate SSL/TLS certificate for Kibana environment: - ES_PATH_CONF: "{{conf_dir}}" - command: /usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca {{ es_ssl_config['ca_folder'] }}/elastic-ca.p12 --ca-pass "test" --ip "{{ hostvars[item.item].ansible_host }}" --dns {{ item.item }},localhost --out {{ es_ssl_config['ca_folder'] }}/kb-{{ item.item }}.zip --pem --name {{ item.item }} + command: /usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca /etc/ssl/elasticsearch/elastic-ca.p12 --ca-pass "test" --ip "{{ hostvars[item.item].ansible_host }}" --dns {{ item.item }},localhost --out /etc/ssl/elasticsearch/kb-{{ item.item }}.zip --pem --name {{ item.item }} become: true become_user: elasticsearch - when: es_ssl_config is defined and es_ssl_config['regen_certs'] or not item.stat.exists - # with_items: "{{ es_kb_ssl_cert_present.results }}" + when: es_ssl_regen_certs is defined or not item.stat.exists loop: "{{ es_kb_ssl_cert_present.results }}" -- name: Find kibana certificates in {{ es_ssl_config['ca_folder'] }} +- name: Find kibana certificates in /etc/ssl/elasticsearch find: - paths: "{{ es_ssl_config['ca_folder'] 
}}" + paths: /etc/ssl/elasticsearch patterns: 'kb-.*\.zip' use_regex: yes register: es_kb_ssl_cert_archives @@ -113,14 +109,28 @@ - debug: msg: "Found Kibana certificate ZIP files: {{ es_kb_ssl_cert_archives }}" -# Maybe encrypt certificates first as these are not p12 files? -# Generate a private/public key pair -# $ openssl genrsa -out rsa_key.pri 2048; openssl rsa -in rsa_key.pri -out rsa_key.pub -outform PEM -pubout -# Encrypt the string using public key, and store in a file -# $ echo "stockexchange.com" | openssl rsautl -encrypt -inkey rsa_key.pub -pubin -out secret.dat -# Un-encrypt using private key -# $ string=`openssl rsautl -decrypt -inkey rsa_key.pri -in secret.dat `; echo $string -# stockexchange.com +# - name: Unarchive certificates for Kibana + # unarchive: + # src: "{{item.path}}" + # dest: "{{item.path | regex_replace('(.*).zip$', '\\1')}}" + # remote_src: yes + # become: true + # become_user: elasticsearch + # loop: "{{ es_kb_ssl_cert_archives.files }}" + +# - name: Unarchive certificates for Kibana +# command: unzip {{item.path}} +# become: true +# become_user: elasticsearch +# loop: "{{ es_kb_ssl_cert_archives.files }}" + +# - name: Find kibana certificate directories in /etc/ssl/elasticsearch +# find: +# paths: /etc/ssl/elasticsearch +# patterns: 'kb-.*' +# use_regex: yes +# file_type: directory +# register: es_kb_ssl_cert_folder - name: Fetch certificates for Kibana fetch: diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index df0e896a..739ed149 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 
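Review bot: The two certutil tasks now test different variables: the ES certificate uses `when: es_ssl_regen_cert is defined or not es_ssl_cert_present.stat.exists` while the Kibana loop uses `when: es_ssl_regen_certs is defined or not item.stat.exists`, so setting either name regenerates only one set of certificates. The keystore and truststore password tasks and the `es_http_type` fact are gated on `when: elastic_ca`, which is the registered result of the CA task and is truthy even when that task was skipped, so they presumably run on every play. One variable name (`es_ssl_regen_certs`) for both tasks and `when: elastic_ca is changed` for the three dependent tasks would make them behave as their names suggest.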
@@ -57,25 +57,19 @@ xpack.graph.enabled: false {% endif %} {% endif %} -{% if es_ssl_config is defined %} +{% if es_ssl_config['enabled'] is defined %} xpack.security.transport.ssl.enabled: true xpack.security.http.ssl.enabled: true -xpack.security.http.ssl.keystore.path: "{{ es_ssl_config['keystore'] }}" -{% if es_ssl_config['keystore_password'] is defined and es_ssl_config['legacy_password_config'] %} +xpack.security.http.ssl.keystore.path: {{conf_dir}}/ssl/{{es_ssl_config['dns']}}.p12 #Legacy config required for /usr/share/elasticsearch/bin/x-pack/setup-passwords -xpack.security.http.ssl.keystore.password: "{{ es_ssl_config['keystore_password'] }}" -{% endif %} -xpack.security.http.ssl.truststore.path: "{{ es_ssl_config['truststore'] }}" -{% if es_ssl_config['truststore_password'] is defined and es_ssl_config['legacy_password_config'] %} +xpack.security.http.ssl.keystore.password: "test" +xpack.security.http.ssl.truststore.path: {{conf_dir}}/ssl/{{es_ssl_config['dns']}}.p12 #Legacy config required for /usr/share/elasticsearch/bin/x-pack/setup-passwords -xpack.security.http.ssl.truststore.password: "{{ es_ssl_config['truststore_password'] }}" -{% endif %} -{% if es_ssl_config['client_authentication'] is defined %} -xpack.security.http.ssl.client_authentication: {{ es_ssl_config['client_authentication'] }} -{% endif %} +xpack.security.http.ssl.truststore.password: "test" +xpack.security.http.ssl.client_authentication: none {% endif %} -{% if es_mail_config is defined %} +{% if es_mail_config['account'] is defined %} xpack.notification.email: account: {{ es_mail_config['account'] }}: @@ -89,5 +83,6 @@ xpack.notification.email: {% if es_mail_config['require_auth'] == true %} user: {{ es_mail_config['user'] }} password: {{ es_mail_config['pass'] }} - {% endif %} + {% endif %} + {% endif %} From ff9a64ba563e61ec7963cf0aed0790df7df0c053 Mon Sep 17 00:00:00 2001 
From: Jeffrey Everling Date: Sat, 5 May 2018 07:56:36 +0200 Subject: [PATCH 14/22] Revert "Fixed documentation commit issue" This reverts commit a3ea8e0c84babd4eb47d0f9c46876c1985b6f38e. --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index e4d0ac68..49432f2a 100644 --- a/README.md +++ b/README.md @@ -343,6 +343,9 @@ In addition to es_config, the following parameters allow the customization of th - plugin: ingest-geoip ``` * ```es_path_repo``` Sets the whitelist for allowing local back-up repositories +* ```es_action_auto_create_index ``` Sets the value for auto index creation, use the syntax below for specifying indexes (else true/false): + es_action_auto_create_index: '[".watches", ".triggered_watches", ".watcher-history-*"]' +* ```es_path_repo``` Sets the whitelist for allowing local back-up repositories * ```es_action_auto_create_index ``` Sets the value for auto index creation, use the syntax below for specifying indexes (else true/false): es_action_auto_create_index: '[".watches", ".triggered_watches", ".watcher-history-*"]' * ```es_allow_downgrades``` For development purposes only. (true or false (default) ) From 796731721cd74495606da86b9662581cb43b708e Mon Sep 17 00:00:00 2001 From: Jeffrey Everling Date: Sat, 5 May 2018 08:00:38 +0200 Subject: [PATCH 15/22] Removing ssl configuration --- README.md | 4 + defaults/main.yml | 3 +- tasks/elasticsearch-Debian-version-lock.yml | 6 +- tasks/xpack/elasticsearch-xpack-install.yml | 3 - tasks/xpack/elasticsearch-xpack-ssl.yml | 146 ------------------ .../elasticsearch-security-native.yml | 16 +- .../elasticsearch-xpack-activation.yml | 4 +- templates/elasticsearch.yml.j2 | 22 +-- 8 files changed, 18 insertions(+), 186 deletions(-) delete mode 100644 tasks/xpack/elasticsearch-xpack-ssl.yml diff --git a/README.md b/README.md index 49432f2a..f1e9e49d 100644 --- a/README.md +++ b/README.md 
@@ -338,6 +338,10 @@ In addition to es_config, the following parameters allow the customization of th * ```es_start_service``` (true (default) or false) * ```es_plugins_reinstall``` (true or false (default) ) * ```es_plugins``` an array of plugin definitions e.g.: +<<<<<<< HEAD +======= +* ```es_path_repo``` Sets the whitelist for allowing local back-up repositories +>>>>>>> parent of cc28b61... Added more x-pack config options ```yml es_plugins: - plugin: ingest-geoip diff --git a/defaults/main.yml b/defaults/main.yml index 52ec07ce..ad2be6ec 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -22,7 +22,6 @@ es_config_log4j2: log4j2.properties.j2 es_pid_dir: "/var/run/elasticsearch" es_data_dirs: "/var/lib/elasticsearch" es_log_dir: "/var/log/elasticsearch" -es_action_auto_create_index: true es_max_open_files: 65536 es_max_threads: "{{ 2048 if ( es_version | version_compare('6.0.0', '<')) else 8192 }}" es_max_map_count: 262144 @@ -34,7 +33,7 @@ es_xpack_features: ["alerting","monitoring","graph","ml","security"] es_api_host: "localhost" es_api_port: 9200 es_debian_startup_timeout: 10 -es_http_type: http + # Since ansible 2.2 the following variables need to be defined # to allow the role to be conditionally played with a when condition. pid_dir: '' diff --git a/tasks/elasticsearch-Debian-version-lock.yml b/tasks/elasticsearch-Debian-version-lock.yml index cbd6598f..d9fdd698 100644 --- a/tasks/elasticsearch-Debian-version-lock.yml +++ b/tasks/elasticsearch-Debian-version-lock.yml @@ -1,10 +1,6 @@ --- -- name: Debian - hold elasticsearch version with apt +- name: Debian - hold elasticsearch version become: yes command: apt-mark hold elasticsearch register: hold_elasticsearch_result changed_when: "hold_elasticsearch_result.stdout != 'elasticsearch was already set on hold.'" -- name: Debian - hold elasticsearch version with aptitude - become: yes - command: aptitude hold elasticsearch - register: aptitude_hold_elasticsearch_result \ No newline at end of file 
diff --git a/tasks/xpack/elasticsearch-xpack-install.yml b/tasks/xpack/elasticsearch-xpack-install.yml index b1b58c8c..522f8161 100644 --- a/tasks/xpack/elasticsearch-xpack-install.yml +++ b/tasks/xpack/elasticsearch-xpack-install.yml @@ -66,6 +66,3 @@ ES_PATH_CONF: "{{ conf_dir }}" ES_INCLUDE: "{{ instance_default_file }}" ES_JAVA_OPTS: "{% if es_proxy_host is defined and es_proxy_host != '' %}-Dhttp.proxyHost={{ es_proxy_host }} -Dhttp.proxyPort={{ es_proxy_port }} -Dhttps.proxyHost={{ es_proxy_host }} -Dhttps.proxyPort={{ es_proxy_port }}{% endif %}" - -- name: Generate SSL/TLS environment - include: ./elasticsearch-xpack-ssl.yml \ No newline at end of file diff --git a/tasks/xpack/elasticsearch-xpack-ssl.yml b/tasks/xpack/elasticsearch-xpack-ssl.yml deleted file mode 100644 index ae96e148..00000000 --- a/tasks/xpack/elasticsearch-xpack-ssl.yml +++ /dev/null 
@@ -1,146 +0,0 @@ -#### Install SSL/TLS certificates when platinum license is present -#ES_PATH_CONF="/etc/elasticsearch/ases1" && export ES_PATH_CONF -#/usr/share/elasticsearch/bin/x-pack/setup-passwords auto --url https://localhost:9200 - -- name: Check if /etc/ssl/elasticsearch folder exists - file: - path: /etc/ssl/elasticsearch - state: directory - owner: elasticsearch - group: elasticsearch - mode: 0755 - register: es_ssl_folder - -- name: Verify if elastic CA keys are present - stat: - path: "/etc/ssl/elasticsearch/elastic-ca.p12" - become: true - become_user: elasticsearch - register: es_ssl_ca_present - when: es_ssl_folder - -- name: Generate SSL/TLS CA Authority (required for platinum license) - environment: - - ES_PATH_CONF: "{{conf_dir}}" - command: /usr/share/elasticsearch/bin/x-pack/certutil ca --silent -out /etc/ssl/elasticsearch/elastic-ca.p12 -pass "test" - become: true - become_user: elasticsearch - register: elastic_ca - when: es_platinum_license is defined and es_ssl_config["enabled"] is defined and not es_ssl_ca_present.stat.exists - -- name: Check if /usr/local/share/ca-certificates/local-elastic-ca folder exists - file: - path: /usr/local/share/ca-certificates/local-elastic-ca - state: directory - owner: root - group: root - mode: 0755 - register: es_ca_folder - -- name: Extract CA certificate to the trusted CA folder - command: openssl pkcs12 -in /etc/ssl/elasticsearch/elastic-ca.p12 -clcerts -nokeys -out /usr/local/share/ca-certificates/local-elastic-ca/elastic-ca.crt -passin pass:test - when: es_ca_folder - -- name: Add CA certificate to cacerts - become: true - command: update-ca-certificates - -- name: Verify if elastic Cert keys are present - stat: - path: "{{conf_dir}}/ssl/{{ es_ssl_config['dns'] }}.p12" - become: true - become_user: elasticsearch - register: es_ssl_cert_present - -- name: Generate SSL/TLS certificate for ES (required for platinum license) - environment: - - ES_PATH_CONF: "{{conf_dir}}" - command: 
/usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca /etc/ssl/elasticsearch/elastic-ca.p12 --ca-pass "test" --ip {{ es_ssl_config['ip'] }} --dns {{ es_ssl_config['dns'] }},localhost --out {{conf_dir}}/ssl/{{ es_ssl_config['dns'] }}.p12 --pass "test" - become: true - become_user: elasticsearch - when: es_ssl_regen_cert is defined or not es_ssl_cert_present.stat.exists - -- name: Add SSL/TLS keystore password to ES keystore (required for platinum license) - environment: - - ES_PATH_CONF: "{{conf_dir}}" - shell: echo "test" | /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.keystore.secure_password -x --force - become: true - become_user: elasticsearch - when: elastic_ca - -- name: Add SSL/TLS truststore password to ES keystore (required for platinum license) - environment: - - ES_PATH_CONF: "{{conf_dir}}" - shell: echo "test" | /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent xpack.security.http.ssl.truststore.secure_password -x --force - become: true - become_user: elasticsearch - when: elastic_ca - -- name: set fact es_http_type to HTTPS - set_fact: es_http_type=https - when: elastic_ca - -##################################### Kibana certificates ##################################### - -- name: Verify if kibana Cert keys are present - stat: - path: "/etc/ssl/elasticsearch/kb-{{ item }}.zip" - become: true - become_user: elasticsearch - register: es_kb_ssl_cert_present - loop: "{{ groups['kibana_droplets'] }}" - -- name: Generate SSL/TLS certificate for Kibana - environment: - - ES_PATH_CONF: "{{conf_dir}}" - command: /usr/share/elasticsearch/bin/x-pack/certutil cert --silent --ca /etc/ssl/elasticsearch/elastic-ca.p12 --ca-pass "test" --ip "{{ hostvars[item.item].ansible_host }}" --dns {{ item.item }},localhost --out /etc/ssl/elasticsearch/kb-{{ item.item }}.zip --pem --name {{ item.item }} - become: true - become_user: elasticsearch - when: es_ssl_regen_certs is defined or not item.stat.exists - 
loop: "{{ es_kb_ssl_cert_present.results }}" - -- name: Find kibana certificates in /etc/ssl/elasticsearch - find: - paths: /etc/ssl/elasticsearch - patterns: 'kb-.*\.zip' - use_regex: yes - register: es_kb_ssl_cert_archives - -- debug: - msg: "Found Kibana certificate ZIP files: {{ es_kb_ssl_cert_archives }}" - -# - name: Unarchive certificates for Kibana - # unarchive: - # src: "{{item.path}}" - # dest: "{{item.path | regex_replace('(.*).zip$', '\\1')}}" - # remote_src: yes - # become: true - # become_user: elasticsearch - # loop: "{{ es_kb_ssl_cert_archives.files }}" - -# - name: Unarchive certificates for Kibana -# command: unzip {{item.path}} -# become: true -# become_user: elasticsearch -# loop: "{{ es_kb_ssl_cert_archives.files }}" - -# - name: Find kibana certificate directories in /etc/ssl/elasticsearch -# find: -# paths: /etc/ssl/elasticsearch -# patterns: 'kb-.*' -# use_regex: yes -# file_type: directory -# register: es_kb_ssl_cert_folder - -- name: Fetch certificates for Kibana - fetch: - src: "{{item.path}}" - dest: /tmp/certs/ - flat: true - loop: "{{ es_kb_ssl_cert_archives.files }}" - -- name: Fetch CA certificate from primary ES server - fetch: - src: /usr/local/share/ca-certificates/local-elastic-ca/elastic-ca.crt - dest: /tmp/certs/ - flat: true \ No newline at end of file diff --git a/tasks/xpack/security/elasticsearch-security-native.yml b/tasks/xpack/security/elasticsearch-security-native.yml index 4a821d4f..63024fad 100644 --- a/tasks/xpack/security/elasticsearch-security-native.yml +++ b/tasks/xpack/security/elasticsearch-security-native.yml @@ -21,7 +21,7 @@ #List current users - name: List Native Users uri: - url: "{{es_http_type}}://{{es_api_host}}:{{es_api_port}}/_xpack/security/user" + url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user method: GET user: "{{es_api_basic_auth_username}}" password: "{{es_api_basic_auth_password}}" 
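Review bot: The URL in this hunk, in the six sibling hunks of this file and in `@@ -18,7 +18,7 @@` of elasticsearch-xpack-activation.yml hard-codes `http://` again, so `es_api_basic_auth_username` and `es_api_basic_auth_password` are always sent as plaintext basic auth and the role can no longer talk to a node whose HTTP layer has TLS enabled; the `es_http_type: http` default dropped from defaults/main.yml cost nothing to keep. These hunks also drop the surrounding double quotes while the activation file keeps `url: "http://..."`, so quoting is now inconsistent between the two files. Keeping `url: "{{ es_http_type }}://{{ es_api_host }}:{{ es_api_port }}/_xpack/security/user"` with the `http` default preserves today's behaviour and the option.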
@@ -50,7 +50,7 @@ - name: Update API User Password uri: - url: "{{es_http_type}}://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{es_api_basic_auth_username}}/_password" + url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{es_api_basic_auth_username}}/_password method: POST body_format: json body: "{ \"password\":\"{{native_users[es_api_basic_auth_username].password}}\" }" @@ -72,7 +72,7 @@ #Delete all non required users NOT inc. reserved - name: Delete Native Users uri: - url: "{{es_http_type}}://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}" + url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}} method: DELETE status_code: 200 user: "{{es_api_basic_auth_username}}" @@ -93,7 +93,7 @@ #Update password on all reserved users - name: Update Reserved User Passwords uri: - url: "{{es_http_type}}://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}/_password" + url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}/_password method: POST body_format: json body: "{ \"password\":\"{{native_users[item].password}}\" }" @@ -112,7 +112,7 @@ #Overwrite all other users NOT inc. those reserved - name: Update Non-Reserved Native User Details uri: - url: "{{es_http_type}}://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}}" + url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/user/{{item}} method: POST body_format: json body: "{{ native_users[item] | to_json }}" @@ -129,7 +129,7 @@ #List current roles not. inc those reserved - name: List Native Roles uri: - url: "{{es_http_type}}://{{es_api_host}}:{{es_api_port}}/_xpack/security/role" + url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role method: GET body_format: json user: "{{es_api_basic_auth_username}}" 
@@ -163,7 +163,7 @@ #Delete all non required roles NOT inc. reserved - name: Delete Native Roles uri: - url: "{{es_http_type}}://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item}}" + url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item}} method: DELETE status_code: 200 user: "{{es_api_basic_auth_username}}" @@ -179,7 +179,7 @@ #Update other roles - NOT inc. reserved roles - name: Update Native Roles uri: - url: "{{es_http_type}}://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item}}" + url: http://{{es_api_host}}:{{es_api_port}}/_xpack/security/role/{{item}} method: POST body_format: json body: "{{ es_roles.native[item] | to_json}}" diff --git a/tasks/xpack/security/elasticsearch-xpack-activation.yml b/tasks/xpack/security/elasticsearch-xpack-activation.yml index c6c8ce7a..cd72d6a7 100644 --- a/tasks/xpack/security/elasticsearch-xpack-activation.yml +++ b/tasks/xpack/security/elasticsearch-xpack-activation.yml @@ -18,7 +18,7 @@ - name: Activate ES license (with security authentication) uri: method: PUT - url: "{{es_http_type}}://{{es_api_host}}:{{es_api_port}}/_xpack/license?acknowledge=true" + url: "http://{{es_api_host}}:{{es_api_port}}/_xpack/license?acknowledge=true" user: "{{es_api_basic_auth_username}}" password: "{{es_api_basic_auth_password}}" body_format: json @@ -26,7 +26,7 @@ body: "{{ es_xpack_license }}" return_content: yes register: license_activated - no_log: false + no_log: True when: "'security' in es_xpack_features" failed_when: > license_activated.status != 200 or diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index 739ed149..389114b9 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 
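Review bot: `no_log: True` in `@@ -26,7 +26,7 @@` of elasticsearch-xpack-activation.yml uses a capitalised boolean while the rest of the role writes lowercase (`become: true`, `return_content: yes`); write `no_log: true` so the file keeps one boolean spelling. Turning no_log on is the right call for a task that carries the license body and the basic-auth password, but it also censors the registered result on failure, so the `failed_when` branch that starts on the last line of the hunk will presumably report little more than that the status was not 200; a comment noting that trade-off above the line would help the next person debugging activation.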
@@ -23,17 +23,11 @@ path.data: {{ data_dirs | array_to_str }} path.logs: {{ log_dir }} -{% if es_path_repo is defined %} +{% if es_path_repo %} path.repo: {{ es_path_repo }} {% endif %} -{% if es_action_auto_create_index == true %} -action.auto_create_index: true -{% elif not es_action_auto_create_index %} -action.auto_create_index: false -{% else %} -action.auto_create_index: {{ es_action_auto_create_index }} -{% endif %} +action.auto_create_index: {{ action_auto_create_index }} {% if es_enable_xpack %} {% if not "security" in es_xpack_features %} @@ -57,18 +51,6 @@ xpack.graph.enabled: false {% endif %} {% endif %} -{% if es_ssl_config['enabled'] is defined %} -xpack.security.transport.ssl.enabled: true -xpack.security.http.ssl.enabled: true -xpack.security.http.ssl.keystore.path: {{conf_dir}}/ssl/{{es_ssl_config['dns']}}.p12 -#Legacy config required for /usr/share/elasticsearch/bin/x-pack/setup-passwords -xpack.security.http.ssl.keystore.password: "test" -xpack.security.http.ssl.truststore.path: {{conf_dir}}/ssl/{{es_ssl_config['dns']}}.p12 -#Legacy config required for /usr/share/elasticsearch/bin/x-pack/setup-passwords -xpack.security.http.ssl.truststore.password: "test" -xpack.security.http.ssl.client_authentication: none -{% endif %} - {% if es_mail_config['account'] is defined %} xpack.notification.email: account: From 9ba10828418f90a3da595f57a1d5512d910113fa Mon Sep 17 00:00:00 2001 From: Jeffrey Everling Date: Sat, 5 May 2018 08:02:12 +0200 Subject: [PATCH 16/22] Commit README as well --- README.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/README.md b/README.md index f1e9e49d..49432f2a 100644 --- a/README.md +++ b/README.md 
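Review bot: `action.auto_create_index: {{ action_auto_create_index }}` references a variable without the role's `es_` prefix, and the same patch removes `es_action_auto_create_index: true` from defaults/main.yml (`@@ -22,7 +22,6 @@`), so no default for either name is visible and the template will presumably fail to render unless the caller defines `action_auto_create_index` itself. Keeping the prefixed name with a fallback, `action.auto_create_index: {{ es_action_auto_create_index | default(true) }}`, or restoring the default, keeps existing inventories working. The `{% if es_path_repo %}` change in the same hunk is corrected again by PATCH 20.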
@@ -338,10 +338,6 @@ In addition to es_config, the following parameters allow the customization of th * ```es_start_service``` (true (default) or false) * ```es_plugins_reinstall``` (true or false (default) ) * ```es_plugins``` an array of plugin definitions e.g.: -<<<<<<< HEAD -======= -* ```es_path_repo``` Sets the whitelist for allowing local back-up repositories ->>>>>>> parent of cc28b61... Added more x-pack config options ```yml es_plugins: - plugin: ingest-geoip From 01fd5ceec4793a6063954faf24cac6da024bc64c Mon Sep 17 00:00:00 2001 From: Jeffrey Everling Date: Sat, 5 May 2018 08:03:00 +0200 Subject: [PATCH 17/22] Merging went wrong --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index 49432f2a..e4d0ac68 100644 --- a/README.md +++ b/README.md @@ -343,9 +343,6 @@ In addition to es_config, the following parameters allow the customization of th - plugin: ingest-geoip ``` * ```es_path_repo``` Sets the whitelist for allowing local back-up repositories -* ```es_action_auto_create_index ``` Sets the value for auto index creation, use the syntax below for specifying indexes (else true/false): - es_action_auto_create_index: '[".watches", ".triggered_watches", ".watcher-history-*"]' -* ```es_path_repo``` Sets the whitelist for allowing local back-up repositories * ```es_action_auto_create_index ``` Sets the value for auto index creation, use the syntax below for specifying indexes (else true/false): es_action_auto_create_index: '[".watches", ".triggered_watches", ".watcher-history-*"]' * ```es_allow_downgrades``` For development purposes only. (true or false (default) ) From e880cdf61f1c32a5b5804bc8e7171c33be626a8d Mon Sep 17 00:00:00 2001 From: Jeffrey E Date: Thu, 3 May 2018 16:29:17 +0200 Subject: [PATCH 18/22] test --- templates/elasticsearch.yml.j2 | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index 389114b9..3c23f2d6 100644 
--- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 @@ -27,7 +27,17 @@ path.logs: {{ log_dir }} path.repo: {{ es_path_repo }} {% endif %} +<<<<<<< HEAD action.auto_create_index: {{ action_auto_create_index }} +======= +{% if es_action_auto_create_index == true %} +action.auto_create_index: true +{% elif not es_action_auto_create_index %} +action.auto_create_index: false +{% else %} +action.auto_create_index: {{ es_action_auto_create_index }} +{% endif %} +>>>>>>> da527ec... Added support for providing an array with indices {% if es_enable_xpack %} {% if not "security" in es_xpack_features %} From 8cfa0cfd046802eed8f2347eeaf2b2b199da107d Mon Sep 17 00:00:00 2001 From: Jeffrey Everling Date: Sat, 5 May 2018 08:05:14 +0200 Subject: [PATCH 19/22] Merged change --- templates/elasticsearch.yml.j2 | 4 ---- 1 file changed, 4 deletions(-) diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index 3c23f2d6..fcda5f31 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 @@ -27,9 +27,6 @@ path.logs: {{ log_dir }} path.repo: {{ es_path_repo }} {% endif %} -<<<<<<< HEAD -action.auto_create_index: {{ action_auto_create_index }} -======= {% if es_action_auto_create_index == true %} action.auto_create_index: true {% elif not es_action_auto_create_index %} @@ -37,7 +34,6 @@ action.auto_create_index: false {% else %} action.auto_create_index: {{ es_action_auto_create_index }} {% endif %} ->>>>>>> da527ec... Added support for providing an array with indices {% if es_enable_xpack %} {% if not "security" in es_xpack_features %} From d72ce3c22b5caba429ccf44c2683dbdc70992c8f Mon Sep 17 00:00:00 2001 From: Jeffrey Everling Date: Tue, 8 May 2018 07:03:09 +0200 Subject: [PATCH 20/22] Added path repo is defined statement again --- templates/elasticsearch.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index fcda5f31..d68a0dcf 100644 
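Review bot: The new side of this hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> da527ec...`) into elasticsearch.yml.j2, so every elasticsearch.yml rendered from this revision contains those lines and the node would most likely fail to parse its configuration until the following patch ("Merged change") strips them. The two alternatives also disagree on the variable name (`action_auto_create_index` versus `es_action_auto_create_index`), which is the conflict that needed an actual resolution rather than a commit of both halves. Squash this commit with its follow-up so no revision of the role ships a template that cannot render, and consider a CI check that greps templates for `^<<<<<<<` before release.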
--- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 @@ -23,7 +23,7 @@ path.data: {{ data_dirs | array_to_str }} path.logs: {{ log_dir }} -{% if es_path_repo %} +{% if es_path_repo is defined %} path.repo: {{ es_path_repo }} {% endif %} From c79fd2ef090866d5fa5d8760e5e347f198d37d00 Mon Sep 17 00:00:00 2001 From: Jeffrey E Date: Tue, 22 May 2018 20:25:39 +0200 Subject: [PATCH 21/22] Readded es_action_auto_create_index Default value is es_action_auto_create_index: true --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/defaults/main.yml b/defaults/main.yml index ad2be6ec..524f65dd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -22,6 +22,7 @@ es_config_log4j2: log4j2.properties.j2 es_pid_dir: "/var/run/elasticsearch" es_data_dirs: "/var/lib/elasticsearch" es_log_dir: "/var/log/elasticsearch" +es_action_auto_create_index: true es_max_open_files: 65536 es_max_threads: "{{ 2048 if ( es_version | version_compare('6.0.0', '<')) else 8192 }}" es_max_map_count: 262144 From cf4da019d0079b3b506856cc558b08c3e345cf19 Mon Sep 17 00:00:00 2001 From: Jeffrey E Date: Wed, 23 May 2018 06:15:50 +0200 Subject: [PATCH 22/22] Fixed es_mail_config again first check is es_mail_config is defined --- templates/elasticsearch.yml.j2 | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index d68a0dcf..ef8dd9be 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 @@ -57,7 +57,7 @@ xpack.graph.enabled: false {% endif %} {% endif %} -{% if es_mail_config['account'] is defined %} +{% if es_mail_config is defined %} xpack.notification.email: account: {{ es_mail_config['account'] }}: @@ -71,6 +71,5 @@ xpack.notification.email: {% if es_mail_config['require_auth'] == true %} user: {{ es_mail_config['user'] }} password: {{ es_mail_config['pass'] }} - {% endif %} - + {% endif %} {% endif %}
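Review bot: `{% if es_path_repo is defined %}` still renders `path.repo:` with an empty value when the variable is defined but empty, which Elasticsearch may read as an explicit (empty) whitelist or reject outright; `{% if es_path_repo is defined and es_path_repo %}` covers both the undefined and the empty case. Since path.repo is the filesystem whitelist for snapshot repositories, it is also worth a template comment such as `# path.repo whitelists directories usable as snapshot repositories; keep it to dedicated backup mounts` so operators do not point it at broad paths.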
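Review bot: Guarding on `es_mail_config is defined` still dereferences `es_mail_config['account']`, `['profile']`, `['from']`, `['require_auth']`, `['host']` and `['port']` unconditionally, so a partially populated dict fails at render time instead of skipping the block; either document the required keys above the `{% if %}` or give each optional one a `default()`. The credentials are rendered as bare scalars, so a password containing `#`, `: ` or a leading YAML special character would corrupt or truncate the generated elasticsearch.yml; quote them, `user: "{{ es_mail_config['user'] }}"` and `password: "{{ es_mail_config['pass'] }}"`. Beyond formatting, this writes the SMTP password in cleartext into the config file on every node; if the targeted Elasticsearch version supports the keystore's `secure_password` setting for email accounts, that keeps the secret out of elasticsearch.yml entirely. The opening lines of the `xpack.notification.email` mapping are outside this hunk.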