Configure/Set username/password for Mongo #256
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adds auth to mongo when the mongodb_auth_enable flag is true. Any additional users should be passed in via mongodb_users. There are several other default variables as well (like mongodb_host, mongodb_port) that can be overridden in the play or inventory that uses this role. This only adds users if explicitly requested. External tasks/roles can also import the mongodb_auth.yml tasks to add users as required after mongo is installed. This uses lineinfile to edit mongod.conf with regexs to catch as many edge cases in yaml formatting (spaces, quotes) as possible. Also, this uses a bit of python to validate that the yaml file was modified in such a way that it is still valid yaml, and the entries introduced in the file are present as expected. This uses the mongo shell to see if authorization is required before adding any users. Before adding users, including admin, we need to know if authentication is already enabled in the running instance of mongodb to (a) have an idempotent playbook, and (b) to cleanly handle edge cases where people are configuring a mongo instance that is already has auth configured or partially configured. For a truly idempotent playbook, the playbook needs to be able to run both before authentication is enabled and after it is enabled. The check validates the state of mongo auth including: Is auth enabled? Are users configured?. Even after mongo is restarted with auth enabled, the check task will still return rc=0 until users are added due to the localhost exception[1]. As explained in code comments, we only update mongo user passwords on_create (vs always) because of a mongodb restriction that prevents the ansible module from idempotently/sanely setting the password. The role allows overriding that by setting mongodb_force_update_password. Part of StackStorm#75. [1] https://docs.mongodb.com/manual/core/security-users/#localhost-exception
pull-request-size
bot
added
the
size/L
punkrokk
reviewed
Feb 12, 2020
|
This PR is an orphan if anyone wants to pick it up, go for it. |
|
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds auth to mongo when the
mongodb_auth_enableflag is true.Any additional users should be passed in via
mongodb_users.There are several other default variables as well (like
mongodb_host,mongodb_port) that can be overridden in the play or inventory that usesthis role.
This only adds users if explicitly requested. External tasks/roles can
also import the mongodb_auth.yml tasks to add users as required after
mongo is installed.
This uses lineinfile to edit mongod.conf with regexs to catch as many
edge cases in yaml formatting (spaces, quotes) as possible.
Also, this uses a bit of python to validate that the yaml file was
modified in such a way that it is still valid yaml, and the entries
introduced in the file are present as expected.
This uses the mongo shell to see if authorization is required before
adding any users. Before adding users, including admin, we need to know
if authentication is already enabled in the running instance of mongodb
to (a) have an idempotent playbook, and (b) to cleanly handle edge cases
where people are configuring a mongo instance that is already has auth
configured or partially configured.
For a truly idempotent playbook, the playbook needs to be able to run
both before authentication is enabled and after it is enabled. The check
validates the state of mongo auth including: Is auth enabled? Are users
configured?. Even after mongo is restarted with auth enabled, the check
task will still return
rc=0until users are added due to the localhostexception[1].
As explained in code comments, we only update mongo user passwords
on_create (vs always) because of a mongodb restriction that prevents the
ansible module from idempotently/sanely setting the password. The role
allows overriding that by setting
mongodb_force_update_password.Part of #75 (Configure/Set username/password for Mongo)
[1] https://docs.mongodb.com/manual/core/security-users/#localhost-exception