Configure/Set username/password for Mongo #256

Open
wants to merge 2 commits into
base: master

Commits on Jan 29, 2020

  1. Add ability to enable mongo auth and add mongo users

    Adds auth to mongo when the mongodb_auth_enable flag is true.
    Any additional users should be passed in via mongodb_users.
    There are several other default variables as well (like mongodb_host,
    mongodb_port) that can be overridden in the play or inventory that uses
    this role.
    
    This only adds users if explicitly requested. External tasks/roles can
    also import the mongodb_auth.yml tasks to add users as required after
    mongo is installed.
    
    This uses lineinfile to edit mongod.conf with regexes to catch as many
    edge cases in yaml formatting (spaces, quotes) as possible.
    Also, this uses a bit of python to validate that the yaml file was
    modified in such a way that it is still valid yaml, and the entries
    introduced in the file are present as expected.
    
    This uses the mongo shell to see if authorization is required before
    adding any users. Before adding users, including admin, we need to know
    if authentication is already enabled in the running instance of mongodb
    to (a) have an idempotent playbook, and (b) to cleanly handle edge cases
    where people are configuring a mongo instance that already has auth
    configured or partially configured.
    
    For a truly idempotent playbook, the playbook needs to be able to run
    both before authentication is enabled and after it is enabled. The check
    validates the state of mongo auth including: Is auth enabled? Are users
    configured? Even after mongo is restarted with auth enabled, the check
    task will still return rc=0 until users are added due to the localhost
    exception[1].
    
    As explained in code comments, we only update mongo user passwords
    on_create (vs always) because of a mongodb restriction that prevents the
    ansible module from idempotently/sanely setting the password. The role
    allows overriding that by setting mongodb_force_update_password.
    
    Part of StackStorm#75.
    
    [1] https://docs.mongodb.com/manual/core/security-users/#localhost-exception
    cognifloyd committed Jan 29, 2020
    Commit 8e99d1b
  2. Commit 251f39d
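
The first commit message describes editing mongod.conf line by line and then checking with Python that the file is still valid YAML and carries the expected entries. The sketch below is an added example, not code from the PR or the role: it shows why that check matters, since a line-based edit can produce a file that no longer parses. The regexes, sample files and function names are assumptions made for illustration, and PyYAML is assumed to be installed.

```python
import re
import yaml  # PyYAML, assumed installed

# Constructed mongod.conf fragments covering spacing, quoting and indent cases.
SAMPLES = {
    "plain": "net:\n  port: 27017\nsecurity:\n  authorization: disabled\n",
    "quoted": 'security:\n  authorization : "disabled"\n',
    "commented": "net:\n  port: 27017\n#security:\n#  authorization: enabled\n",
    "absent": "net:\n  port: 27017\n",
    "indent4": "security:\n    keyFile: /etc/mongod.key\n",
}

# Hypothetical patterns written for this example, not the role's regexes.
SECTION = re.compile(r"^#?\s*security\s*:\s*$")
AUTHZ = re.compile(r"""^#?\s+authorization\s*:\s*['"]?\w*['"]?\s*$""")

def enable_auth(conf_text):
    """Line-based edit in the style of lineinfile: no YAML awareness."""
    lines = [l for l in conf_text.splitlines() if not AUTHZ.match(l)]
    idx = next((i for i, l in enumerate(lines) if SECTION.match(l)), None)
    if idx is None:
        lines.append("security:")
        idx = len(lines) - 1
    lines[idx] = "security:"  # also uncomments "#security:"
    lines.insert(idx + 1, "  authorization: enabled")
    return "\n".join(lines) + "\n"

def validate(conf_text):
    """Parse the edited file and confirm the setting landed where expected."""
    try:
        doc = yaml.safe_load(conf_text)
    except yaml.YAMLError as exc:
        return False, "invalid YAML: %s" % exc
    if not isinstance(doc, dict):
        return False, "top level is not a mapping"
    security = doc.get("security")
    if not isinstance(security, dict) or security.get("authorization") != "enabled":
        return False, "security.authorization is not 'enabled'"
    return True, "ok"

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, validate(enable_auth(text)))
```

The `indent4` sample is the failure case: the inserted two-space line conflicts with the existing four-space key, so the edit succeeds but the validation step rejects the file before mongod would be restarted with it.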