search

StackStorm / ansible-st2

Ansible Roles and Playbooks to deploy StackStorm
https://galaxy.ansible.com/StackStorm/stackstorm/
Apache License 2.0
100 stars 75 forks source link

Configure/Set username/password for Mongo #256

Open cognifloyd opened 4 years ago

cognifloyd commented 4 years ago

Adds auth to mongo when the mongodb_auth_enable flag is true. Any additional users should be passed in via mongodb_users. There are several other default variables as well (like mongodb_host, mongodb_port) that can be overridden in the play or inventory that uses this role.

This only adds users if explicitly requested. External tasks/roles can also import the mongodb_auth.yml tasks to add users as required after mongo is installed.

This uses lineinfile to edit mongod.conf with regexs to catch as many edge cases in yaml formatting (spaces, quotes) as possible. Also, this uses a bit of python to validate that the yaml file was modified in such a way that it is still valid yaml, and the entries introduced in the file are present as expected.

This uses the mongo shell to see if authorization is required before adding any users. Before adding users, including admin, we need to know if authentication is already enabled in the running instance of mongodb to (a) have an idempotent playbook, and (b) to cleanly handle edge cases where people are configuring a mongo instance that is already has auth configured or partially configured.

For a truly idempotent playbook, the playbook needs to be able to run both before authentication is enabled and after it is enabled. The check validates the state of mongo auth including: Is auth enabled? Are users configured?. Even after mongo is restarted with auth enabled, the check task will still return rc=0 until users are added due to the localhost exception[1].

As explained in code comments, we only update mongo user passwords on_create (vs always) because of a mongodb restriction that prevents the ansible module from idempotently/sanely setting the password. The role allows overriding that by setting mongodb_force_update_password.

Part of #75 (Configure/Set username/password for Mongo)

[1] https://docs.mongodb.com/manual/core/security-users/#localhost-exception

cognifloyd commented 4 years ago

This PR is an orphan if anyone wants to pick it up, go for it.

CLAassistant commented 2 years ago

CLA assistant check
All committers have signed the CLA.