NETWAYS / ansible-collection-elasticstack

A collection to install and manage the Elastic Stack
GNU General Public License v3.0

Add elasticsearch_role and elasticsearch_user module #308

Closed tbauriedel closed 4 months ago

tbauriedel commented 5 months ago

First draft for an elasticsearch_role module.

With that module you can create, update and delete access roles inside Elasticsearch. Uses the Elasticsearch API.

Example Usage:

    - name: Create role
      netways.elasticstack.elasticsearch_role:
        name: new-role
        cluster:
          - manage_own_api_key
          - delegate_pki
        indicies:
          - names:
              - foobar321
              - barfoo123
            privileges:
              - read
              - write
        state: present
        host: https://localhost:9200
        auth_user: elastic
        auth_pass: changeMe123!
        verify_certs: false
        ca_certs: /etc/elasticsearch/certs/http_ca.crt
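
Added example, not code from this pull request or the collection: the comparison a role module has to make against the Elasticsearch security API to stay idempotent, run on the role from the task above. `plan_role_change` and its arguments are hypothetical names, the desired role uses the API body field `indices`, and the API response is constructed.

```python
# Added example: plan the call needed to converge one Elasticsearch role.
# All names here are hypothetical; nothing is taken from the collection.

def _normalise(role):
    """Reduce a role body to the compared fields, ignoring list order."""
    indices = {
        (frozenset(e.get("names", [])), frozenset(e.get("privileges", [])))
        for e in role.get("indices", [])
    }
    return frozenset(role.get("cluster", [])), indices


def plan_role_change(name, desired, state, current_roles):
    """Return (action, diff); action is none, create, update or delete.

    current_roles is the parsed JSON body of GET /_security/role/<name>,
    or an empty dict when the API answered 404.
    """
    current = current_roles.get(name)
    if state == "absent":
        return ("delete" if current is not None else "none"), {}
    if current is None:
        return "create", {}
    want, have = _normalise(desired), _normalise(current)
    if want == have:
        return "none", {}
    diff = {
        # PUT replaces the whole role, so privileges granted out of band
        # disappear on update; report them so the change can be reviewed.
        "cluster_removed": sorted(have[0] - want[0]),
        "cluster_added": sorted(want[0] - have[0]),
        "indices_changed": want[1] != have[1],
    }
    return "update", diff


# Constructed sample: the role from the task above, and a constructed API
# response in which 'manage_security' was added outside of Ansible.
DESIRED = {
    "cluster": ["manage_own_api_key", "delegate_pki"],
    "indices": [{"names": ["foobar321", "barfoo123"],
                 "privileges": ["read", "write"]}],
}
CURRENT = {"new-role": {
    "cluster": ["delegate_pki", "manage_own_api_key", "manage_security"],
    "indices": [{"names": ["barfoo123", "foobar321"],
                 "privileges": ["write", "read"]}],
    "applications": [], "run_as": [], "metadata": {},
}}
```
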
tbauriedel commented 5 months ago

Example usage for the elasticsearch_user module:

With that module you can create, update and delete access users inside Elasticsearch. Uses the Elasticsearch API.

    - name: Create elasticsearch user 'new-user'
      netways.elasticstack.elasticsearch_user:
        name: new-user1
        fullname: New User
        password: changeMe123!
        email: new@user.de
        roles:
          - new-role1
          - logstash-writer
        enabled: true
        state: present
        host: https://localhost:9200
        auth_user: elastic
        auth_pass: changeMe321!
        verify_certs: false
tbauriedel commented 5 months ago

@widhalmt since those modules were requested from your side, could you please have a look at them? Maybe test them also.

widhalmt commented 5 months ago

I have local testing environments and I will put this change through a few tests. I'm the wrong person to review the code of the module (yet) but I can do integration tests and check everything around the module.

lcndsmr commented 5 months ago

Genuine question: why would we need a module which calls upon a role? I have never seen this before, is this commonly done?

tbauriedel commented 5 months ago

Inspiration for the two modules comes from here, for example. Roles and users are repeatedly created in the collection via several tasks so that the needed component has a user in Elastic. In order to be able to do this cleanly and not always require several tasks with requests, etc., these modules were requested.

With them you can easily create, update and delete them.

Sure, you could do this in your Kibana. But we have some known customers who do this all within the collection (or want to).

The whole thing has turned into a discussion of principles, as the idea of creating an internal Elastic user within the Logstash role is somewhat at odds with the idea of separating roles. However, this will be addressed later and assumed as a requirement.

lcndsmr commented 5 months ago

OH NOW I GET IT I misunderstood "role" as ansible-role. No objections then. I will have a closer look at the code later!

tbauriedel commented 4 months ago

I have already implemented a workflow to test the modules.

@lcndsmr I guess you can remove the change request now. I have requested Thomas for review. As long as he doesn't approve it, it should be fine. Auto-merging is also not enabled for this PR.

@widhalmt would you please give us a last "okay it works"? :)