NETWAYS / ansible-collection-elasticstack

A collection to install and manage the Elastic Stack
GNU General Public License v3.0

Provide user and role management for Elasticsearch #132

Closed widhalmt closed 3 months ago

widhalmt commented 1 year ago

We already create users and roles in the logstash role. In many use cases we could need more users and roles. So we should build a way of creating and managing users in Elasticsearch.

Since this could be quite a complex task, it calls either for an early release prototype via JSON files (like in the Logstash role) or a dedicated module we build for user handling.

helps with #81

thorteschenk commented 1 year ago

We are also very interested in having a user management role in the collection. Manually doing user management is hard if you have a lot of users. Directory services are only available with licensed versions. So it would be great to manage this with Ansible.

pdolinic commented 1 year ago

This sounds interesting to me, in theory it is just a POST request with the information:

https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-user.html

POST /_security/user/jacknich
{
  "password" : "l0ng-r4nd0m-p@ssw0rd",
  "roles" : [ "admin", "other_role1" ],
  "full_name" : "Jack Nicholson",
  "email" : "jacknich@example.com",
  "metadata" : {
    "intelligence" : 7
  }
}
curl -X POST "localhost:9200/_security/user/jacknich?pretty" \
  -H 'Content-Type: application/json' \
  -d'
{
  "password" : "l0ng-r4nd0m-p@ssw0rd",
  "roles" : [ "admin", "other_role1" ],
  "full_name" : "Jack Nicholson",
  "email" : "jacknich@example.com",
  "metadata" : {
    "intelligence" : 7
  }
}
'

This could probably also be handled nicely with Python or shell.

So the question is whether it really needs Ansible for this, because this also means protecting the CSV file with all credentials at all times, whereas a POST request is a one-time thing.

This would mean multiple tasks:

1) Store all users in a CSV <- here one problem would still be that permissions / roles and metadata would need to be dynamically defined per user
2) Encrypt it with Ansible Vault
3) Use Ansible to read that file
4) Write a parser from CSV -> Ansible -> Elastic
5) Start that role
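One way the request above can be driven from Ansible, keeping per-user roles and metadata in a variable list (vaulted in practice) instead of a CSV; this is an added example, not code from the thread or the collection, and the host group, vault variable names and CA path are assumptions:

```yaml
# Added example (not part of the thread or the collection): create or update
# Elasticsearch native users with the same API call as above, from Ansible.
# Host group, vault variable names and the CA path are assumptions.
- name: Manage Elasticsearch native users via the security API
  hosts: elasticsearch
  run_once: true                  # users are cluster-wide; one call per user is enough
  vars:
    # In real use move this list into an ansible-vault encrypted file.
    # Every key except 'name' is sent verbatim as the request body, so
    # roles, full_name, email and metadata can differ per user.
    elastic_users:
      - name: jacknich
        password: "l0ng-r4nd0m-p@ssw0rd"
        roles: ["admin", "other_role1"]
        full_name: "Jack Nicholson"
        email: "jacknich@example.com"
        metadata: { intelligence: 7 }
      - name: logstash_writer
        password: "{{ vault_logstash_writer_password }}"   # assumed vault variable
        roles: ["logstash_writer"]
  tasks:
    - name: Create or update user
      ansible.builtin.uri:
        url: "https://{{ inventory_hostname }}:9200/_security/user/{{ item.name }}"
        method: PUT               # endpoint accepts PUT or POST; a repeat call replaces the user
        url_username: elastic
        url_password: "{{ vault_elastic_password }}"       # assumed vault variable
        force_basic_auth: true
        ca_path: /etc/elasticsearch/certs/ca.crt            # assumed cluster CA; TLS validation stays on
        body_format: json
        # drop 'name' (already in the URL) and pass the remaining keys as the body
        body: "{{ item | dict2items | rejectattr('key', 'equalto', 'name') | items2dict }}"
        status_code: 200
      loop: "{{ elastic_users }}"
      loop_control:
        label: "{{ item.name }}"  # readable output if no_log is ever lifted for debugging
      no_log: true                # keeps passwords out of logs and callback plugins
```

Because the PUT replaces the whole user document, the password is reset on every run; that is what makes the play idempotent, but it also means the vaulted file must be treated as the source of truth for those credentials.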

pdolinic commented 1 year ago

Hello @thorteschenk I have created a new "early alpha role" for user management and role management via the Elastic API managed by Ansible:

Small update as of 2023-08-31:

https://github.com/pdolinic/ansible-collection-elasticstack.git

https://github.com/pdolinic/ansible-collection-elasticstack/tree/feature/usermanagement/roles/management/tasks

For further information, everything so far should be explained hopefully in the docs:

https://github.com/pdolinic/ansible-collection-elasticstack/blob/feature/usermanagement/roles/management/docs/usage.md


Fully working tasks as of my latest testing with the test files provided:


Some small idea on updating roles via a trick:

Please notice:

Kind regards, Patrick

tbauriedel commented 3 months ago

Modules to create roles and users are implemented with #308 (Ping @thorteschenk - you can already use those modules in your playbook to manage users and roles). Current code to handle users and roles will be replaced by the module with #323.