voxpupuli / puppet-elasticsearch

Elasticsearch Puppet module
Apache License 2.0

Allow users, roles and password changes without restarting elastic #971

Open bilsch opened 6 years ago

bilsch commented 6 years ago

Bug description

I'm working on upgrading to the mainstream 6.3 puppet module from our fork. In our fork we had allowed role and user adds to not trigger a restart, given Elasticsearch will simply poll / re-open the file.

[2018-07-30 15:02:48,859][INFO ][shield.authc.esusers     ] [cluster-host-apps] users_roles file [/etc/elasticsearch/apps/shield/users_roles] changed. updating users roles...

I am not sure if this is related specifically to shield or if it also applies to x-pack (will test that when I get there, later this week).

manifest snippet:

  class { '::elasticsearch':
    autoupgrade            => false,
    manage_repo            => false,
    restart_config_change  => false,
    restart_plugin_change  => true,
    restart_package_change => true,
    plugins                => $_plugins,
    version                => $version,
    users                  => $users,
    roles                  => $roles,
    security_plugin        => $_security_plugin,
  }

In this case I'm simply changing the value in roles for a user (drop/add the first char). The only way I could make it not restart the elasticsearch service was to set restart_config_change to false, which is not ideal IMO.

Feature Description

Please allow for the users and roles files to change without restarting. Thinking of subscribing the service to the jvm options, elasticsearch.yml, plugin installs etc. explicitly. Not sure exactly where in the manifest the notify/subscribe is happening.

tylerjl commented 6 years ago

Thanks for the report, @bilsch. Agreed that the module shouldn't trigger restarts on user/role changes since Elasticsearch will watch for file updates anyway.

The source for this is coming from this resource in instance.pp:

https://github.com/elastic/puppet-elasticsearch/blob/35de20e8131840029a1cae32a58fbae5daca9fcb/manifests/instance.pp#L352-L380

The change made in 6.3 to recursively copy in /etc/elasticsearch into instance directories detects changes to x-pack users/roles files and thus percolates the resource change to $notify_service.
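
The notification pattern discussed in this thread, as an added Puppet example that is not the module's own code: the recursive config copy still restarts the service on change, while the users and roles files are excluded from the recursion and managed without a notify. The service title, the source module path, the file names in `$hot_reloaded`, and the ownership and mode values are assumptions; the instance path is taken from the log line in the report.

```puppet
# Added example, not code from puppet-elasticsearch. All titles, paths under
# puppet:/// and file names below are assumptions for illustration.
$configdir    = '/etc/elasticsearch/apps'           # instance directory from the log line
$security_dir = "${configdir}/shield"
$hot_reloaded = ['users', 'users_roles', 'roles.yml'] # files Elasticsearch re-reads on change (assumed list)

service { 'elasticsearch-apps':                      # hypothetical service title
  ensure => running,
  enable => true,
}

# Recursive copy of the instance configuration. Resources generated by the
# recursion inherit the notify, so any copied file that changes restarts the
# service. The ignore patterns match on file basename and keep the
# hot-reloaded files out of the recursion.
file { $configdir:
  ensure  => directory,
  source  => 'puppet:///modules/profile/elasticsearch/config', # hypothetical source
  recurse => remote,
  ignore  => $hot_reloaded,
  notify  => Service['elasticsearch-apps'],
}

file { $security_dir:
  ensure => directory,
  owner  => 'elasticsearch',
  group  => 'elasticsearch',
  mode   => '0750',
}

# Users and roles files are declared explicitly with no notify: a change is
# written to disk and picked up by Elasticsearch's own file watcher, with no
# service restart. Restrictive mode because these files hold credentials
# and role mappings.
$hot_reloaded.each |String $fname| {
  file { "${security_dir}/${fname}":
    ensure => file,
    owner  => 'elasticsearch',
    group  => 'elasticsearch',
    mode   => '0640',
    source => "puppet:///modules/profile/elasticsearch/security/${fname}", # hypothetical source
  }
}
```

With this layout `restart_config_change`-style behaviour can stay enabled for elasticsearch.yml and JVM options while role and password changes apply without a restart.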