diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 6ba0fe2..e1d178b 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,2 +1,2 @@
# This should match the owning team set up in https://github.com/orgs/opensearch-project/teams
-* @opensearch-project/engineering-effectiveness
\ No newline at end of file
+* @bbarani @saravanan30erd @peterzhuamazon @prudhvigodithi @gaiksaya @TheAlgo
diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml
deleted file mode 100644
index 0a30f2f..0000000
--- a/.github/workflows/dco.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-name: Developer Certificate of Origin Check
-
-on: [pull_request]
-
-jobs:
- check:
- runs-on: ubuntu-latest
-
- steps:
- - name: Get PR Commits
- id: 'get-pr-commits'
- uses: tim-actions/get-pr-commits@v1.1.0
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- - name: DCO Check
- uses: tim-actions/dco@v1.1.0
- with:
- commits: ${{ steps.get-pr-commits.outputs.commits }}
diff --git a/.idea/.gitignore b/.idea/.gitignore
new file mode 100644
index 0000000..13566b8
--- /dev/null
+++ b/.idea/.gitignore
@@ -0,0 +1,8 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Editor-based HTTP Client requests
+/httpRequests/
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml
diff --git a/MAINTAINERS.md b/MAINTAINERS.md
index 4e19029..a771da7 100644
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@@ -1,11 +1,15 @@
-## Maintainers
+## Overview
-| Maintainer | GitHub ID | Affiliation |
-| --------------- | --------- | ----------- |
-| Barani Bikshandi | [bbarani](https://github.com/bbarani) | Amazon |
-| Peter Zhu | [peterzhuamazon](https://github.com/peterzhuamazon) | Amazon |
-| Sayali Gaikawad | [gaiksaya](https://github.com/gaiksaya) | Amazon |
-| Prudhvi Godithi | [prudhvigodithi](https://github.com/prudhvigodithi) | Amazon |
-| Saravanan Palanisamy | [saravanan30erd](https://github.com/saravanan30erd) | Community |
+This document contains a list of maintainers in this repo. See [opensearch-project/.github/RESPONSIBILITIES.md](https://github.com/opensearch-project/.github/blob/main/RESPONSIBILITIES.md#maintainer-responsibilities) that explains what the role of maintainer means, what maintainers do in this and other repos, and how they should be doing it. If you're interested in contributing, and becoming a maintainer, see [CONTRIBUTING](CONTRIBUTING.md).
+
+## Current Maintainers
+
+| Maintainer | GitHub ID | Affiliation |
+| ------------------- | --------------------------------------------------- | ----------- |
+| Barani Bikshandi | [bbarani](https://github.com/bbarani) | Amazon |
+| Peter Zhu | [peterzhuamazon](https://github.com/peterzhuamazon) | Amazon |
+| Sayali Gaikawad | [gaiksaya](https://github.com/gaiksaya) | Amazon |
+| Prudhvi Godithi | [prudhvigodithi](https://github.com/prudhvigodithi) | Amazon |
+|Dhiraj Kumar Jain | [TheAlgo](https://github.com/TheAlgo) | Amazon |
+| Saravanan Palanisamy | [saravanan30erd](https://github.com/saravanan30erd) | Community |
-[This document](https://github.com/opensearch-project/.github/blob/main/MAINTAINERS.md) explains what maintainers do in this repo, and how they should be doing it. If you're interested in contributing, see [CONTRIBUTING](CONTRIBUTING.md).
diff --git a/README.md b/README.md
index 2bb6373..a3d39a3 100644
--- a/README.md
+++ b/README.md
@@ -13,6 +13,16 @@
A community repository for Ansible Playbook of OpenSearch Project.
+## Version and Branching
+As of now, this ansible-playbook repository maintains 2 branches:
+* _main_ (Version is 2.x.x for both `os_version` and `os_dashboards_version` in `inventories/opensearch/group_vars/all/all.yml`)
+* _1.x_ (Version is 1.x.x for both `os_version` and `os_dashboards_version` in `inventories/opensearch/group_vars/all/all.yml`)
+
+
+Contributors should choose the corresponding branch(es) when commiting their change(s):
+* If you have a change for a specific version, only open PR to specific branch
+* If you have a change for all available versions, first open a PR on `main`, then open a backport PR with `[backport 1.x]` in the title, with label `backport 1.x`, etc.
+
## OpenSearch Installation with Dashboards
This ansible playbook supports the following,
@@ -23,6 +33,8 @@ This ansible playbook supports the following,
- Configure TLS/SSL for OpenSearch transport layer(Nodes to Nodes communication) and REST API layer
- Generate self-signed certificates to configure TLS/SSL for opensearch
- Configure the Internal Users Database with limited users and user-defined passwords
+- Configuration of authentication and authorization via OpenID
+- Overriding default settings with your own
- Install and configure the Apache2.0 opensource OpenSearch Dashboards
### Prerequisite
@@ -83,17 +95,57 @@ cluster_type: single-node
# Deploy with ansible playbook - run the playbook as root
- ansible-playbook -i inventories/opensearch/hosts opensearch.yml --extra-vars "admin_password=Test@123 kibanaserver_password=Test@6789"
+ ansible-playbook -i inventories/opensearch/hosts opensearch.yml --extra-vars "admin_password=Test@123 kibanaserver_password=Test@6789 logstash_password=Test@456"
-You should set the reserved users(`admin` and `kibanaserver`) password using `admin_password` and `kibanaserver_password` variables.
+You should set the reserved users(`admin`, `kibanaserver`, and `logstash`) password using `admin_password`, `kibanaserver_password`, and `logstash_password` variables.
+
+If you define your own internal users (in addition to the reserved `admin`, `kibanaserver`, and `logstash`) in custom configuration
+files, then passwords to them should be set via variables on the principle of `_password`
It will install and configure the opensearch. Once the deployment completed, you can access the opensearch Dashboards with user `admin` and password which you provided for variable `admin_password`.
# Deploy with ansible playbook - run the playbook as non-root user which have sudo privileges,
- ansible-playbook -i inventories/opensearch/hosts opensearch.yml --extra-vars "admin_password=Test@123 kibanaserver_password=Test@6789" --become
+ ansible-playbook -i inventories/opensearch/hosts opensearch.yml --extra-vars "admin_password=Test@123 kibanaserver_password=Test@6789 logstash_password=Test@456" --become
**Note**: Change the user details in `ansible_user` parameter in `inventories/opensearch/hosts` inventory file.
+### OpenID authentification
+To enable authentication via OpenID, you need to change the `auth_type` variable in the inventory file
+`inventories/opensearch/group_vars/all/all.yml` by setting the value `oidc` and prescribe the necessary settings
+in the `oidc:` block.
+
+### Custom configuration files
+
+To override the default settings files, you need to put your settings in the `files` directory. The files should be
+named exactly the same as the original ones (internal_users.yml, roles.yml, tenants.yml, etc.)
+
+Especially note the file `files/internal_users.yml`. If it exists and the `copy_custom_security_configs: true` setting is enabled,
+then only in this case the task of setting passwords for internal users from variables is started. If the file `internal_users.yml`
+is not located in the `files` directory, but, for example, in one of its subdirectories, then playbook will not work correctly
+
+### IaC (Infrastructure-as-Code)
+
+If you want to use the role not only for the initial deployment of the cluster, but also for further management of it,
+then set the `iac_enable` parameter to `true`.
+
+By default, if the /tmp/opensearch-nodecerts directory with certificates exists on the server from which the playbook
+is launched, it is assumed that the configuration has not changed and some settings are not copied to the target servers.
+
+Conversely, if the /tmp/opensearch-nodecerts directory does not exist on the server from which the playbook is launched,
+then new certificates and settings are generated and they are copied to the target servers.
+
+If you use this repository not only for the initial deployment of the cluster, but also for its automatic configuration
+via CI/CD, then new certificates will be generated every time the pipeline is launched, overwriting existing ones, which
+is not always necessary if the cluster is already in production.
+
+When iac_enable enabling, and all the cluster servers have all the necessary certificates, they will not be copied again.
+If at least on one server (for example, when adding a new server to the cluster) if there is not at least one certificate
+from the list, then all certificates on all cluster servers will be updated
+
+Also, if the option is enabled, the settings files will be updated with each execution (previously, the settings were
+updated only if the /tmp/opensearch-nodecerts directory was missing on the server from which the playbook was launched
+and new certificates were generated)
+
## Contributing
See [developer guide](DEVELOPER_GUIDE.md) and [how to contribute to this project](CONTRIBUTING.md).
diff --git a/files/internal_users.yml b/files/internal_users.yml
new file mode 100644
index 0000000..e19bb07
--- /dev/null
+++ b/files/internal_users.yml
@@ -0,0 +1,26 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+ type: "internalusers"
+ config_version: 2
+
+# Define your internal users here
+
+admin:
+ hash: "{{ admin_password }}"
+ reserved: true
+ backend_roles:
+ - "admin"
+ description: "admin user"
+
+kibanaserver:
+ hash: "{{ kibanaserver_password }}"
+ reserved: true
+ description: "kibanaserver user"
+
+logstash:
+ hash: "{{ logstash_password }}"
+ reserved: true
+ description: "logstash user"
\ No newline at end of file
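Review bot: The `hash:` fields of `admin`, `kibanaserver` and `logstash` hold the raw `{{ admin_password }}`-style variables, while the header comment states the value must be a bcrypt hash, and nothing in this file shows where the hashing happens. If the file is ever uploaded without the password-setting task that README ties to `copy_custom_security_configs: true`, the cleartext passwords land in `internal_users.yml` on every node and the security plugin will not accept them anyway. I'd make the contract explicit in the header, e.g. `# The {{ *_password }} values are placeholders; the playbook must replace them with bcrypt hashes before this file is uploaded — never deploy it with plaintext`. The file also lacks a trailing newline, as the `\ No newline at end of file` marker shows.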
diff --git a/files/roles.yml b/files/roles.yml
new file mode 100644
index 0000000..36a2af7
--- /dev/null
+++ b/files/roles.yml
@@ -0,0 +1,54 @@
+---
+_meta:
+ type: "roles"
+ config_version: 2
+
+
+indexes_full_access:
+ reserved: false
+ index_permissions:
+ - index_patterns:
+ - "*"
+ allowed_actions:
+ - "*"
+ tenant_permissions:
+ - tenant_patterns:
+ - "*"
+ allowed_actions:
+ - "kibana_all_write"
+# ----------------------------------------------------
+indexes_security_search_full_access:
+ reserved: true
+ index_permissions:
+ - index_patterns:
+ - "kube-apiserver-audit-*"
+ - "syslog-*"
+ allowed_actions:
+ - "indices:data/read/search*"
+ - "read"
+ - "view_index_metadata"
+ tenant_permissions:
+ - tenant_patterns:
+ - "SECURITY"
+ allowed_actions:
+ - "kibana_all_write"
+# ----------------------------------------------------
+indexes_web_search_full_access:
+ reserved: true
+ index_permissions:
+ - index_patterns:
+ - "ingress-nginx-*"
+ - "mywebapp-*"
+ allowed_actions:
+ - "indices:data/read/search*"
+ - "read"
+ - "view_index_metadata"
+ tenant_permissions:
+ - tenant_patterns:
+ - "WEB"
+ allowed_actions:
+ - "kibana_all_write"
+# ----------------------------------------------------
+# Restrict users so they can only view visualization and dashboard on OpenSearchDashboards
+kibana_read_only:
+ reserved: true
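Review bot: The three custom roles (`indexes_full_access`, `indexes_security_search_full_access`, `indexes_web_search_full_access`) hard-code deployment-specific index patterns such as `kube-apiserver-audit-*`, `ingress-nginx-*` and `mywebapp-*`, yet this file is listed as a repository default in `custom_security_plugin_configs` and nothing marks it as an example. `indexes_full_access` grants every action on every index (`"*"` / `"*"`) plus `kibana_all_write` on all tenants, so whoever is mapped to it in `files/roles_mapping.yml` (the `opensearch_admin` backend role) effectively has index-level admin. A header comment above `indexes_full_access` would stop these being applied as-is, e.g. `# Example roles for a sample deployment — replace index patterns and tenants with your own before enabling copy_custom_security_configs`. Marking the two search roles `reserved: true` also means they cannot be edited through the security API later, which is worth stating if intended.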
diff --git a/files/roles_mapping.yml b/files/roles_mapping.yml
new file mode 100644
index 0000000..acd807c
--- /dev/null
+++ b/files/roles_mapping.yml
@@ -0,0 +1,59 @@
+---
+# In this file users, backendroles and hosts can be mapped to Security roles.
+# Permissions for OpenSearch roles are configured in roles.yml
+
+_meta:
+ type: "rolesmapping"
+ config_version: 2
+
+kibana_server:
+ reserved: true
+ users:
+ - "kibanaserver"
+
+logstash:
+ reserved: true
+ users:
+ - "logstash"
+
+# Define your roles mapping here
+all_access:
+ reserved: false
+ backend_roles:
+ - "admin"
+ - "opensearch_admin"
+ description: "Maps admin to all_access"
+# ----------------------------------------------------
+indexes_full_access:
+ reserved: false
+ backend_roles:
+ - "opensearch_admin"
+ description: "Maps admin to indexes_full_access"
+# ----------------------------------------------------
+own_index:
+ reserved: false
+ users:
+ - "*"
+ description: "Allow full access to an index named like the username"
+# ----------------------------------------------------
+readall:
+ reserved: false
+ backend_roles:
+ - "opensearch_index_read_all"
+# ----------------------------------------------------
+indexes_security_search_full_access:
+ reserved: true
+ backend_roles:
+ - "opensearch_index_read_all"
+ - "opensearch_index_read_security"
+ description: "Maps users to indexes_security_search_full_access"
+# ----------------------------------------------------
+indexes_web_search_full_access:
+ reserved: true
+ backend_roles:
+ - "opensearch_index_read_all"
+ - "opensearch_index_read_web"
+ description: "Maps users to indexes_web_search_full_access"
+
+
+
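Review bot: The backend role names mapped here (`admin`, `opensearch_admin`, `opensearch_index_read_all`, `opensearch_index_read_security`, `opensearch_index_read_web`) are the only thing between an identity provider's roles claim and `all_access` once `auth_type: oidc` is used with `roles_key: roles` from `all.yml`, and nothing in this file says so (the security plugin `config.yml` that wires `oidc.roles_key` is not in this diff, so I am inferring the mapping). A comment above `all_access` such as `# With auth_type: oidc these backend_roles are matched against the IdP roles claim (oidc.roles_key); any identity carrying opensearch_admin gets full cluster access` would make the trust boundary visible to whoever administers the IdP. The three blank lines at the end of the file are surplus.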
diff --git a/files/tenants.yml b/files/tenants.yml
new file mode 100644
index 0000000..da8ce76
--- /dev/null
+++ b/files/tenants.yml
@@ -0,0 +1,12 @@
+---
+_meta:
+ type: "tenants"
+ config_version: 2
+
+# Define your tenants here
+SECURITY:
+ reserved: false
+ description: "Tenant for security logs (e.g. kubernetes audit or opensearch audit)"
+WEB:
+ reserved: false
+ description: "Tenant for web-app logs"
diff --git a/inventories/opensearch/group_vars/all/all.yml b/inventories/opensearch/group_vars/all/all.yml
index 4975cd5..c551796 100644
--- a/inventories/opensearch/group_vars/all/all.yml
+++ b/inventories/opensearch/group_vars/all/all.yml
@@ -7,15 +7,11 @@ os_download_url: https://artifacts.opensearch.org/releases/bundle/opensearch
# opensearch version
# 1.x Latest Version
-os_version: "1.3.2"
-# 2.x Latest Version
-# os_version: "2.0.0-rc1"
+os_version: "1.3.19"
# opensearch dashboards version
# 1.x Latest Version
-os_dashboards_version: "1.3.2"
-# 2.x Latest Version
-# os_dashboards_version: "2.0.0-rc1"
+os_dashboards_version: "1.3.19"
# Configure hostnames for opensearch nodes
# It is required to configure SSL
@@ -34,3 +30,65 @@ cluster_type: multi-node
os_user: opensearch
os_dashboards_user: opensearch-dashboards
+
+# Number of days that certificates are valid
+cert_valid_days: 730
+
+# Auth type: 'internal' or 'oidc' (OpenID). Default: internal
+auth_type: internal
+
+# OIDC settings
+oidc:
+ description: "Authenticate via IdP"
+ # OpenID server URI
+ connect_url: https://oidc.example.com/auth/realms//.well-known/openid-configuration
+ # The JWT token field that contains the user name
+ subject_key: preferred_username
+ # the JWT token field that contains a list of user roles
+ roles_key: roles
+ # Scopes
+ scopes: "openid profile email"
+ # The address of Dashboards to redirect the user to after successful authentication
+ dashboards_url: http(s)://.example.com
+ # IdP client ID
+ client_id: opensearch
+ # IdP client secret
+ client_secret: "00000000-0000-0000-0000-000000000000"
+
+# Overwrite demo configurations with your own
+copy_custom_security_configs: false
+
+# To override demo configurations, you can use your own configuration files.
+# Place them in the "files" directory. Specify the path to the files
+custom_security_plugin_configs:
+ - files/tenants.yml
+ - files/roles.yml
+ - files/roles_mapping.yml
+ - files/internal_users.yml
+
+# By default, if the /tmp/opensearch-nodecerts directory with certificates
+# exists on the server from which the playbook is launched, it is assumed
+# that the configuration has not changed and some settings are not copied
+# to the target servers.
+#
+# Conversely, if the /tmp/opensearch-nodecerts directory does not exist on
+# the server from which the playbook is launched, then new certificates and
+# settings are generated and they are copied to the target servers.
+#
+# If you use this repository not only for the initial deployment of the
+# cluster, but also for its automatic configuration via CI/CD, then new
+# certificates will be generated every time the pipeline is launched,
+# overwriting existing ones, which is not always necessary if the cluster is
+# already in production.
+#
+# When iac_enable enabling, and all the cluster servers have all the necessary
+# certificates, they will not be copied again. If at least on one server (for
+# example, when adding a new server to the cluster) if there is not at least one
+# certificate from the list, then all certificates on all cluster servers will
+# be updated
+#
+# Also, if the option is enabled, the settings files will be updated with each
+# execution (previously, the settings were updated only if the
+# /tmp/opensearch-nodecerts directory was missing on the server from which the
+# playbook was launched and new certificates were generated)
+iac_enable: false
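Review bot: `oidc.client_secret` lives in `inventories/opensearch/group_vars/all/all.yml`, a committed inventory file, so any real value will end up in git history, and the placeholder `"00000000-0000-0000-0000-000000000000"` invites editing in place. Keep the secret out of the file — an ansible-vault value, or `--extra-vars` as README already does for `admin_password` — and leave a comment such as `# client_secret: supply via ansible-vault or --extra-vars; do not commit`. The example `connect_url` (`/auth/realms//.well-known/...`) and `dashboards_url` (`http(s)://.example.com`) have lost their realm and host parts and are not valid URLs; placeholders like `https://oidc.example.com/auth/realms/<realm>/.well-known/openid-configuration` and `https://dashboards.example.com` would be clearer. The `iac_enable` comment block starting `When iac_enable enabling, ...` duplicates README text and reads awkwardly; `When iac_enable is true and every cluster node already has all the certificates listed, they are not copied again` says the same thing.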
diff --git a/opensearch.yml b/opensearch.yml
index f1c24db..79804b5 100644
--- a/opensearch.yml
+++ b/opensearch.yml
@@ -1,12 +1,12 @@
---
-- name: opensearch installation & configuration
+- name: Opensearch installation & configuration
hosts: os-cluster
gather_facts: true
roles:
- { role: linux/opensearch }
-- name: opensearch dashboards installation & configuration
+- name: Opensearch dashboards installation & configuration
hosts: dashboards
gather_facts: true
roles:
diff --git a/roles/linux/dashboards/defaults/main.yml b/roles/linux/dashboards/defaults/main.yml
index d257a22..13c224d 100644
--- a/roles/linux/dashboards/defaults/main.yml
+++ b/roles/linux/dashboards/defaults/main.yml
@@ -17,3 +17,6 @@ os_nodes_dashboards: |-
{%- endfor %}
systemctl_path: /etc/systemd/system
+
+# Auth type: 'internal' or 'oidc' (OpenID). Default: internal
+auth_type: internal
diff --git a/roles/linux/dashboards/handlers/main.yml b/roles/linux/dashboards/handlers/main.yml
index 69d704b..d3d8043 100644
--- a/roles/linux/dashboards/handlers/main.yml
+++ b/roles/linux/dashboards/handlers/main.yml
@@ -1,3 +1,3 @@
---
- name: restart dashboards
- systemd: name=dashboards state=restarted enabled=yes
+ ansible.builtin.systemd: name=dashboards state=restarted enabled=true
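Review bot: `enabled=true` here is in the free-form `key=value` string while the `restart opensearch` handler in `roles/linux/opensearch/handlers/main.yml` (same commit) keeps `enabled=yes`, so the two handlers now disagree on the boolean spelling this commit sets out to normalise. ansible-lint also flags the string form for a module that takes structured arguments; the block form is clearer: `ansible.builtin.systemd:` / `name: dashboards` / `state: restarted` / `enabled: true`. The same rewrite applies to the opensearch handler hunk.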
diff --git a/roles/linux/dashboards/tasks/dashboards.yml b/roles/linux/dashboards/tasks/dashboards.yml
index 0be1588..f7a2d8a 100644
--- a/roles/linux/dashboards/tasks/dashboards.yml
+++ b/roles/linux/dashboards/tasks/dashboards.yml
@@ -1,40 +1,56 @@
---
- name: Dashboards Install | Download opensearch dashbaord {{ os_dashboards_version }}
- get_url:
+ ansible.builtin.get_url:
url: "{{ os_download_url }}-dashboards/{{ os_dashboards_version }}/opensearch-dashboards-{{ os_dashboards_version }}-linux-x64.tar.gz"
dest: "/tmp/opensearch-dashboards.tar.gz"
register: download
-- name: Dashboards Install | Create opensearch user
- user:
+- name: Dashboards Install | Create opensearch dashboard user
+ ansible.builtin.user:
name: "{{ os_dashboards_user }}"
state: present
- shell: /bin/bash
- when: download.changed
+ shell: /bin/false
+ create_home: true
+ home: "{{ os_dashboards_home }}"
+ when: download.changed or iac_enable
- name: Dashboards Install | Create home directory
- file:
+ ansible.builtin.file:
path: "{{ os_dashboards_home }}"
state: directory
owner: "{{ os_dashboards_user }}"
group: "{{ os_dashboards_user }}"
- when: download.changed
+ when: download.changed or iac_enable
- name: Dashboards Install | Extract the tar file
- command: chdir=/tmp/ tar -xvzf opensearch-dashboards.tar.gz -C "{{ os_dashboards_home }}" --strip-components=1
- when: download.changed
+ ansible.builtin.command: chdir=/tmp/ tar -xvzf opensearch-dashboards.tar.gz -C "{{ os_dashboards_home }}" --strip-components=1
+ when: download.changed or iac_enable
- name: Dashboards Install | Copy Configuration File
- template:
+ ansible.builtin.template:
src: opensearch_dashboards.yml
- dest: "{{os_conf_dir}}/opensearch_dashboards.yml"
+ dest: "{{ os_conf_dir }}/opensearch_dashboards.yml"
owner: "{{ os_dashboards_user }}"
group: "{{ os_dashboards_user }}"
mode: 0644
- backup: yes
+ backup: true
+
+- name: Dashboards Install | Set the file ownerships
+ ansible.builtin.file:
+ dest: "{{ os_dashboards_home }}"
+ owner: "{{ os_dashboards_user }}"
+ group: "{{ os_dashboards_user }}"
+ recurse: true
+
+- name: Dashboards Install | Set the folder permission
+ ansible.builtin.file:
+ dest: "{{ os_conf_dir }}"
+ owner: "{{ os_dashboards_user }}"
+ group: "{{ os_dashboards_user }}"
+ mode: 0700
- name: Dashboards Install | create systemd service
- template:
+ ansible.builtin.template:
src: dashboards.service
dest: "{{ systemctl_path }}/dashboards.service"
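Review bot: `Copy Configuration File` keeps `mode: 0644` on `opensearch_dashboards.yml`, but with this commit that template renders `opensearch_security.openid.client_secret` whenever `auth_type == 'oidc'`, while the opensearch role writes its own config with `mode: 0600`; the dashboards config should be `mode: "0600"` as well rather than relying on the new `0700` on the parent directory. Quoting the modes (`"0600"`, `"0700"`) also avoids the unquoted-octal trap that ansible-lint reports (the `opensearch.yml` task hunk has the same unquoted `0600`). `when: download.changed or iac_enable` on `Extract the tar file` means every run with `iac_enable: true` re-unpacks the tarball over the live installation, which is not idempotent; if that is deliberate, a comment on the task saying so would help.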
diff --git a/roles/linux/dashboards/tasks/etchosts.yml b/roles/linux/dashboards/tasks/etchosts.yml
index e7b614f..d70c4a8 100644
--- a/roles/linux/dashboards/tasks/etchosts.yml
+++ b/roles/linux/dashboards/tasks/etchosts.yml
@@ -1,13 +1,13 @@
---
- name: Hosts | populate inventory into hosts file
- blockinfile:
+ ansible.builtin.blockinfile:
dest: /etc/hosts
block: |-
{% for item in groups['dashboards'] %}
{{ hostvars[item]['ip'] }} {{ item }}.{{ domain_name }} {{ item }}
{% endfor %}
state: present
- create: yes
- backup: yes
+ create: true
+ backup: true
marker: "# Ansible inventory hosts {mark}"
when: populate_inventory_to_hosts_file
diff --git a/roles/linux/dashboards/tasks/main.yml b/roles/linux/dashboards/tasks/main.yml
index 57de979..89670af 100644
--- a/roles/linux/dashboards/tasks/main.yml
+++ b/roles/linux/dashboards/tasks/main.yml
@@ -1,33 +1,37 @@
---
-- hostname:
+- name: Set hostname
+ ansible.builtin.hostname:
name: "{{ inventory_hostname }}"
-# Disabling for Amazon Linux 2 as selinux is disabled by default.
+# Disabling for Amazon Linux 2, Ubuntu and Debian as selinux is disabled by default.
- name: Disable the selinux
- selinux:
+ ansible.posix.selinux:
state: disabled
- when: (ansible_distribution != "Ubuntu") and (ansible_distribution != "Amazon")
+ when:
+ - ansible_distribution != "Ubuntu"
+ - ansible_distribution != "Amazon"
+ - ansible_distribution != "Debian"
- name: Populate the nodes to /etc/hosts
- import_tasks: etchosts.yml
+ ansible.builtin.import_tasks: etchosts.yml
- name: Tune the system settings
- import_tasks: tune.yml
+ ansible.builtin.import_tasks: tune.yml
-- name: include dashboards installation
- include: dashboards.yml
+- name: Include dashboards installation
+ ansible.builtin.import_tasks: dashboards.yml
- name: Make sure opensearch dashboards is started
- service:
+ ansible.builtin.service:
name: dashboards
state: started
- enabled: yes
+ enabled: true
- name: Get all the installed dashboards plugins
- command: "sudo -u {{ os_dashboards_user }} {{ os_plugin_bin_path }} list"
+ ansible.builtin.command: "sudo -u {{ os_dashboards_user }} {{ os_plugin_bin_path }} list"
register: list_plugins
- name: Show all the installed dashboards plugins
- debug:
+ ansible.builtin.debug:
msg: "{{ list_plugins.stdout }}"
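Review bot: `ansible.posix.selinux` here (and `ansible.posix.sysctl` in `tune.yml`, plus the same two in the opensearch role's `main.yml` and `tune.yml`) require the `ansible.posix` collection, which is not bundled with `ansible-core`; nothing in this diff adds a `collections/requirements.yml` or a README prerequisite for it, so a controller with only ansible-core will fail at these tasks. A `collections/requirements.yml` with `- name: ansible.posix`, or one README line (`ansible-galaxy collection install ansible.posix`), keeps the playbook runnable. The `Get all the installed dashboards plugins` task still shells out through `sudo -u`; `become: true` with `become_user: "{{ os_dashboards_user }}"` on the `ansible.builtin.command` task is the portable form.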
diff --git a/roles/linux/dashboards/tasks/tune.yml b/roles/linux/dashboards/tasks/tune.yml
index bac849e..d34bd4f 100644
--- a/roles/linux/dashboards/tasks/tune.yml
+++ b/roles/linux/dashboards/tasks/tune.yml
@@ -1,6 +1,6 @@
---
- name: Set open files limit in sysctl.conf
- sysctl:
+ ansible.posix.sysctl:
name: fs.file-max
value: 65536
state: present
diff --git a/roles/linux/dashboards/templates/opensearch_dashboards.yml b/roles/linux/dashboards/templates/opensearch_dashboards.yml
index ebcf8ff..b7b06a5 100644
--- a/roles/linux/dashboards/templates/opensearch_dashboards.yml
+++ b/roles/linux/dashboards/templates/opensearch_dashboards.yml
@@ -11,3 +11,15 @@ opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
# Use this setting if you are running dashboards without https
opensearch_security.cookie.secure: false
+
+
+# OpenID settings
+{% if auth_type == 'oidc' %}
+opensearch_security.auth.type: openid
+opensearch_security.openid.base_redirect_url: "{{ oidc.dashboards_url }}"
+opensearch_security.openid.client_id: "{{ oidc.client_id }}"
+opensearch_security.openid.scope: "{{ oidc.scopes }}"
+opensearch_security.openid.client_secret: "{{ oidc.client_secret }}"
+opensearch_security.openid.connect_url: "{{ oidc.connect_url }}"
+opensearch_security.openid.verify_hostnames: true
+{% endif %}
\ No newline at end of file
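Review bot: The OIDC branch sets `base_redirect_url` from `oidc.dashboards_url` and `verify_hostnames: true`, but the context line `opensearch_security.cookie.secure: false` above it stays in force, so an HTTPS OpenID login still issues a session cookie the browser may send over plaintext. Rather than adding a duplicate key inside the `{% if %}` block, template the existing line, e.g. `opensearch_security.cookie.secure: {{ 'true' if auth_type == 'oidc' else 'false' }}`, or derive it from whether `oidc.dashboards_url` starts with `https` if plain-HTTP dashboards must remain possible. The rendered file also carries `client_secret` in cleartext, so its on-disk mode (set in `dashboards.yml`) matters. The template ends without a trailing newline after `{% endif %}`.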
diff --git a/roles/linux/opensearch/defaults/main.yml b/roles/linux/opensearch/defaults/main.yml
index d35701e..c2ccd98 100644
--- a/roles/linux/opensearch/defaults/main.yml
+++ b/roles/linux/opensearch/defaults/main.yml
@@ -20,3 +20,6 @@ os_sec_plugin_tools_path: /usr/share/opensearch/plugins/opensearch-security/tool
os_api_port: 9200
systemctl_path: /etc/systemd/system
+
+# Auth type: 'internal' or 'oidc' (OpenID). Default: internal
+auth_type: internal
diff --git a/roles/linux/opensearch/handlers/main.yml b/roles/linux/opensearch/handlers/main.yml
index caa95fb..f8e58c4 100644
--- a/roles/linux/opensearch/handlers/main.yml
+++ b/roles/linux/opensearch/handlers/main.yml
@@ -1,10 +1,10 @@
---
# handlers file for opensearch
- name: reload systemd configuration
- become: yes
- command: systemctl daemon-reload
+ become: true
+ ansible.builtin.command: systemctl daemon-reload
# Restart service and ensure it is enabled
- name: restart opensearch
- systemd: name=opensearch state=restarted enabled=yes
+ ansible.builtin.systemd: name=opensearch state=restarted enabled=yes
diff --git a/roles/linux/opensearch/tasks/etchosts.yml b/roles/linux/opensearch/tasks/etchosts.yml
index b9b42b2..e16fa88 100644
--- a/roles/linux/opensearch/tasks/etchosts.yml
+++ b/roles/linux/opensearch/tasks/etchosts.yml
@@ -1,13 +1,13 @@
---
- name: Hosts | populate inventory into hosts file
- blockinfile:
+ ansible.builtin.blockinfile:
dest: /etc/hosts
block: |-
{% for item in groups['os-cluster'] %}
{{ hostvars[item]['ip'] }} {{ item }}.{{ domain_name }} {{ item }}
{% endfor %}
state: present
- create: yes
- backup: yes
+ create: true
+ backup: true
marker: "# Ansible inventory hosts {mark}"
when: populate_inventory_to_hosts_file
diff --git a/roles/linux/opensearch/tasks/main.yml b/roles/linux/opensearch/tasks/main.yml
index 3fe556e..01f18d1 100644
--- a/roles/linux/opensearch/tasks/main.yml
+++ b/roles/linux/opensearch/tasks/main.yml
@@ -1,63 +1,80 @@
---
-- hostname:
+- name: Set hostname
+ ansible.builtin.hostname:
name: "{{ inventory_hostname }}"
-# Disabling for Amazon Linux 2 as selinux is disabled by default.
+# Disabling for Amazon Linux 2, Ubuntu and Debian as selinux is disabled by default.
- name: Disable the selinux
- selinux:
+ ansible.posix.selinux:
state: disabled
- when: (ansible_distribution != "Ubuntu") and (ansible_distribution != "Amazon")
+ when:
+ - ansible_distribution != "Ubuntu"
+ - ansible_distribution != "Amazon"
+ - ansible_distribution != "Debian"
- name: Populate the nodes to /etc/hosts
- import_tasks: etchosts.yml
+ ansible.builtin.import_tasks: etchosts.yml
- name: Tune the system settings
- import_tasks: tune.yml
+ ansible.builtin.import_tasks: tune.yml
-- name: include opensearch installation
- include: opensearch.yml
+- name: Include opensearch installation
+ ansible.builtin.import_tasks: opensearch.yml
-- name: include security plugin for opensearch
- include: security.yml
+- name: Include security plugin for opensearch
+ ansible.builtin.import_tasks: security.yml
# After the cluster forms successfully for the first time,
# remove the cluster.initial_master_nodes setting from each nodes' configuration.
- name: Remove `cluster.initial_master_nodes` setting from configuration
- command: sed -i '/cluster.initial_master_nodes/d' "{{os_conf_dir}}/opensearch.yml"
+ ansible.builtin.command: sed -i '/cluster.initial_master_nodes/d' "{{ os_conf_dir }}/opensearch.yml"
- name: Make sure opensearch is started
- service:
+ ansible.builtin.service:
name: opensearch
state: started
- enabled: yes
+ enabled: true
- name: Get all the installed ES plugins
- command: "{{ os_plugin_bin_path }} list"
+ ansible.builtin.command: "{{ os_plugin_bin_path }} list"
register: list_plugins
- name: Show all the installed ES plugins
- debug:
+ ansible.builtin.debug:
msg: "{{ list_plugins.stdout }}"
- name: Wait for opensearch to startup
- wait_for: host={{ hostvars[inventory_hostname]['ip'] }} port={{os_api_port}} delay=5 connect_timeout=1
+ ansible.builtin.wait_for:
+ host: "{{ hostvars[inventory_hostname]['ip'] }}"
+ port: "{{ os_api_port }}"
+ delay: 5
+ connect_timeout: 1
+ timeout: 120
- name: Check the opensearch status
- command: curl https://{{ inventory_hostname }}:9200/_cluster/health?pretty -u 'admin:{{ admin_password }}' -k
+ ansible.builtin.uri:
+ url: "https://{{ inventory_hostname }}:9200/_cluster/health?pretty"
+ user: admin
+ password: "{{ admin_password }}"
+ validate_certs: false
register: os_status
- name: Show the opensearch status
debug:
- msg: "{{ os_status.stdout }}"
- failed_when: "'number_of_nodes' not in os_status.stdout"
+ msg: "{{ os_status.json }}"
+ failed_when: "'number_of_nodes' not in os_status.json"
- name: Verify the roles of opensearch cluster nodes
- command: curl https://{{ inventory_hostname }}:9200/_cat/nodes?v -u 'admin:{{ admin_password }}' -k
+ ansible.builtin.uri:
+ url: "https://{{ inventory_hostname }}:9200/_cat/nodes?v"
+ user: admin
+ password: "{{ admin_password }}"
+ validate_certs: false
register: os_roles
run_once: true
- name: Show the roles of opensearch cluster nodes
debug:
- msg: "{{ os_roles.stdout }}"
+ msg: "{{ os_roles }}"
run_once: true
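Review bot: `Verify the roles of opensearch cluster nodes` switches to `ansible.builtin.uri` without `return_content: true`, so `os_roles` carries no body and the following `debug` prints the module's result dict (url, status, headers) instead of the `_cat/nodes` table; add `return_content: true` and print `os_roles.content` (`_cat/nodes?v` is text, so `.json` would not be populated for it, whereas `os_status.json` for `_cluster/health` is fine). `validate_certs: false` disables verification against a CA this very playbook generates and places on every node as `root-ca.pem`; if the controller's ansible-core supports it, `ca_path: "{{ os_conf_dir }}/root-ca.pem"` with `validate_certs: true` closes that gap. Unlike the old `curl`, `uri` fails on any status other than 200, so a node whose security index is still initialising may now abort the play at `Check the opensearch status` instead of printing the status — `retries`/`until` on that task, or an explicit `status_code` list, would restore the earlier tolerance.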
diff --git a/roles/linux/opensearch/tasks/opensearch.yml b/roles/linux/opensearch/tasks/opensearch.yml
index d54fbfd..6a44f23 100644
--- a/roles/linux/opensearch/tasks/opensearch.yml
+++ b/roles/linux/opensearch/tasks/opensearch.yml
@@ -1,52 +1,54 @@
---
- name: OpenSearch Install | Download opensearch {{ os_version }}
- get_url:
+ ansible.builtin.get_url:
url: "{{ os_download_url }}/{{ os_version }}/opensearch-{{ os_version }}-linux-x64.tar.gz"
dest: "/tmp/opensearch.tar.gz"
register: download
- name: OpenSearch Install | Create opensearch user
- user:
+ ansible.builtin.user:
name: "{{ os_user }}"
state: present
- shell: /bin/bash
- when: download.changed
+ shell: /bin/false
+ create_home: true
+ home: "{{ os_home }}"
+ when: download.changed or iac_enable
- name: OpenSearch Install | Create home directory
- file:
+ ansible.builtin.file:
path: "{{ os_home }}"
state: directory
owner: "{{ os_user }}"
group: "{{ os_user }}"
- when: download.changed
+ when: download.changed or iac_enable
- name: OpenSearch Install | Extract the tar file
- command: chdir=/tmp/ tar -xvzf opensearch.tar.gz -C "{{ os_home }}" --strip-components=1
- when: download.changed
+ ansible.builtin.command: chdir=/tmp/ tar -xvzf opensearch.tar.gz -C "{{ os_home }}" --strip-components=1
+ when: download.changed or iac_enable
- name: OpenSearch Install | Copy Configuration File
- blockinfile:
+ ansible.builtin.blockinfile:
block: "{{ lookup('template', 'templates/opensearch-{{ cluster_type }}.yml') }}"
dest: "{{ os_conf_dir }}/opensearch.yml"
- backup: yes
+ backup: true
state: present
- create: yes
+ create: true
marker: "## {mark} opensearch main configuration ##"
owner: "{{ os_user }}"
group: "{{ os_user }}"
mode: 0600
- name: OpenSearch Install | Copy jvm.options File for Instance
- template:
+ ansible.builtin.template:
src: jvm.options
- dest: "{{os_conf_dir}}/jvm.options"
+ dest: "{{ os_conf_dir }}/jvm.options"
owner: "{{ os_user }}"
group: "{{ os_user }}"
mode: 0600
- force: yes
+ force: true
- name: OpenSearch Install | create systemd service
- template:
+ ansible.builtin.template:
src: opensearch.service
dest: "{{ systemctl_path }}/opensearch.service"
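Review bot: `OpenSearch Install | Download opensearch` still fetches the bundle with `ansible.builtin.get_url` and no `checksum:`, and `Extract the tar file` then unpacks it as root into `{{ os_home }}`, so a tampered or truncated download is never detected. OpenSearch publishes a digest alongside each bundle (`<tarball>.sha512`), so `checksum: "sha512:<published digest or its URL>"` on the download task pins what gets installed; the dashboards download in `dashboards.yml` has the same gap. `when: download.changed or iac_enable` on the extract task re-unpacks the archive over the running install on every `iac_enable` run, which is not idempotent and overwrites files under a live service; either comment that this is intended or guard the extraction so it only reruns when the version actually changed. `mode: 0600` should be quoted (`"0600"`) to avoid the unquoted-octal lint finding.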
diff --git a/roles/linux/opensearch/tasks/security.yml b/roles/linux/opensearch/tasks/security.yml
index 9aca582..d9d26f8 100644
--- a/roles/linux/opensearch/tasks/security.yml
+++ b/roles/linux/opensearch/tasks/security.yml
@@ -2,6 +2,15 @@
## Here we are going to use self-signed certificates for Transport (Node-Node communication) & REST API layer
## Using searchguard offline TLS tool to create node & root certificates
+- name: Security Plugin configuration | Force remove local temporary directory for certificates generation
+ local_action:
+ module: file
+ path: /tmp/opensearch-nodecerts
+ state: absent
+ run_once: true
+ become: false
+ when: iac_enable
+
- name: Security Plugin configuration | Create local temporary directory for certificates generation
local_action:
module: file
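Review bot: `Force remove local temporary directory` uses `local_action:` with a bare `module: file`, which is at odds with the `ansible.builtin.*` migration this commit applies everywhere else; `ansible.builtin.file:` plus `delegate_to: localhost` is the equivalent structured form (the following `Create local temporary directory` task has the same shape). Deleting `/tmp/opensearch-nodecerts` on the controller whenever `iac_enable` is true means the root CA and admin key are regenerated on every run; read together with the IaC block that follows, that implies adding one node re-keys the whole cluster, which is presumably intended but deserves a comment on this task, e.g. `# Wipe the controller-side CA so a consistent, freshly generated set is available whenever any node needs certificates`. The generated CA private key sits under a fixed path in the controller's `/tmp`; that predates this commit, but a dedicated mode-0700 working directory would be the safer home for it.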
@@ -51,8 +60,60 @@
when: configuration.changed
become: false
-- name: Security Plugin configuration | Copy the node & admin certificates to opensearch nodes
- copy:
+- name: Security Plugin configuration | IaC enabled - Check certificate
+ when: iac_enable
+ block:
+ - name: Security Plugin configuration | Check cert exists
+ ansible.builtin.stat:
+ path: "{{ item }}"
+ get_attributes: false
+ get_checksum: false
+ get_mime: false
+ register: cert_stat_result
+ with_items:
+ - "{{ os_conf_dir }}/root-ca.pem"
+ - "{{ os_conf_dir }}/root-ca.key"
+ - "{{ os_conf_dir }}/{{ inventory_hostname }}.key"
+ - "{{ os_conf_dir }}/{{ inventory_hostname }}.pem"
+ - "{{ os_conf_dir }}/{{ inventory_hostname }}_http.key"
+ - "{{ os_conf_dir }}/{{ inventory_hostname }}_http.pem"
+ - "{{ os_conf_dir }}/admin.key"
+ - "{{ os_conf_dir }}/admin.pem"
+
+ - name: Security Plugin configuration | Set fact. The initial value "Don't update certs"
+ ansible.builtin.set_fact:
+ force_update_cert: false
+
+ - name: Security Plugin configuration | Set fact. Update certificates if at least one certificate is not found
+ ansible.builtin.set_fact:
+ force_update_cert: true
+ with_items: "{{ cert_stat_result.results }}"
+ when: item.stat.exists == False
+
+ - name: Security Plugin configuration | Show the force_update_cert setting
+ ansible.builtin.debug:
+ msg: "force_update_cert: {{ force_update_cert }}"
+
+ - name: Security Plugin configuration | Count force_update_cert nodes
+ ansible.builtin.set_fact:
+ force_update_cert_nodes_count: "{{ hostvars | dict2items | selectattr('value.force_update_cert', 'defined') | rejectattr('value.force_update_cert', 'equalto', false) | map(attribute='value.force_update_cert') | list | length }}"
+
+ - name: Security Plugin configuration | Show the force_update_cert_nodes_count setting
+ ansible.builtin.debug:
+ msg: "force_update_cert_nodes_count: {{ force_update_cert_nodes_count }}"
+
+ - name: Security Plugin configuration | Do need to update certificates
+ ansible.builtin.debug:
+ msg: "Need to update certificates..."
+ when: force_update_cert_nodes_count | int > 0
+
+- name: Security Plugin configuration | IaC disabled - Count force_update_cert nodes
+ ansible.builtin.set_fact:
+ force_update_cert_nodes_count: 0
+ when: not iac_enable
+
+- name: Security Plugin configuration | Copy the node & admin certificates to opensearch nodes if at least one certificate is not found on at least one server
+ ansible.builtin.copy:
src: "/tmp/opensearch-nodecerts/config/{{ item }}"
dest: "{{ os_conf_dir }}"
mode: 0600
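Review bot: `when: item.stat.exists == False` in `Set fact. Update certificates if at least one certificate is not found` compares against a Python literal; the idiomatic and ansible-lint-clean form is `when: not item.stat.exists`. The stat list includes `root-ca.key` on every node, so a node that never received the CA private key correctly triggers redistribution, but it also encodes that the root CA key is expected to live on each cluster node — a one-line comment stating that this is deliberate would help the next reader, since nothing here says so. The `with_items` list of the `Copy the node & admin certificates` task continues in the next hunk.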
@@ -65,82 +126,173 @@
- "{{ inventory_hostname }}_http.pem"
- admin.key
- admin.pem
- when: configuration.changed
+ when: (configuration.changed and not iac_enable) or (iac_enable and force_update_cert_nodes_count | int > 0)
- name: Security Plugin configuration | Copy the security configuration file 1 to cluster
- blockinfile:
+ ansible.builtin.blockinfile:
block: "{{ lookup('template', 'templates/security_conf.yml') }}"
dest: "{{ os_conf_dir }}/opensearch.yml"
- backup: yes
+ backup: true
insertafter: EOF
marker: "## {mark} OpenSearch Security common configuration ##"
- when: configuration.changed
+ when: configuration.changed or iac_enable
- name: Security Plugin configuration | Copy the security configuration file 2 to cluster
- blockinfile:
+ ansible.builtin.blockinfile:
block: "{{ lookup('file', '/tmp/opensearch-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}"
dest: "{{ os_conf_dir }}/opensearch.yml"
- backup: yes
+ backup: true
insertafter: EOF
marker: "## {mark} opensearch Security Node & Admin certificates configuration ##"
- when: configuration.changed
+ when: configuration.changed or iac_enable
+
+- name: Security Plugin configuration | Create security plugin configuration folder
+ ansible.builtin.file:
+ dest: "{{ os_sec_plugin_conf_path }}"
+ owner: "{{ os_user }}"
+ group: "{{ os_user }}"
+ mode: 0700
+ state: directory
+ when: configuration.changed or iac_enable
+
+- name: Security Plugin configuration | Copy the security configuration file 3 to cluster
+ ansible.builtin.template:
+ src: security_plugin_conf.yml
+ dest: "{{ os_sec_plugin_conf_path }}/config.yml"
+ backup: true
+ owner: "{{ os_user }}"
+ group: "{{ os_user }}"
+ mode: 0600
+ force: true
+ when: auth_type == 'oidc'
- name: Security Plugin configuration | Prepare the opensearch security configuration file
- command: sed -i 's/searchguard/plugins.security/g' {{ os_conf_dir }}/opensearch.yml
- when: configuration.changed
+ ansible.builtin.command: sed -i 's/searchguard/plugins.security/g' {{ os_conf_dir }}/opensearch.yml
+ when: configuration.changed or iac_enable
- name: Security Plugin configuration | Set the file ownerships
- file:
+ ansible.builtin.file:
dest: "{{ os_home }}"
owner: "{{ os_user }}"
group: "{{ os_user }}"
- recurse: yes
+ recurse: true
- name: Security Plugin configuration | Set the folder permission
- file:
+ ansible.builtin.file:
dest: "{{ os_conf_dir }}"
owner: "{{ os_user }}"
group: "{{ os_user }}"
mode: 0700
- name: Security Plugin configuration | Restart opensearch with security configuration
- systemd:
+ ansible.builtin.systemd:
name: opensearch
state: restarted
- enabled: yes
+ enabled: true
-- name: Pause for 3 seconds to provide sometime for OpenSearch start
- pause:
- seconds: 3
+- name: Wait for opensearch to startup
+ ansible.builtin.wait_for:
+ host: "{{ hostvars[inventory_hostname]['ip'] }}"
+ port: "{{ os_api_port }}"
+ delay: 5
+ connect_timeout: 1
+ timeout: 120
- name: Security Plugin configuration | Copy the opensearch security internal users template
- template:
+ ansible.builtin.template:
src: internal_users.yml
dest: "{{ os_sec_plugin_conf_path }}/internal_users.yml"
mode: 0644
run_once: true
- when: configuration.changed
+ when: configuration.changed or iac_enable
+
+- name: Security Plugin configuration | Copy custom configuration files to cluster
+ ansible.builtin.template:
+ src: "{{ item }}"
+ dest: "{{ os_sec_plugin_conf_path }}/"
+ owner: "{{ os_user }}"
+ group: "{{ os_user }}"
+ backup: true
+ mode: 0640
+ force: true
+ with_items: "{{ custom_security_plugin_configs }}"
+ when: copy_custom_security_configs
- name: Security Plugin configuration | Set the Admin user password
- shell: >
+ ansible.builtin.shell: >
sed -i '/hash: / s,{{ admin_password }},'$(bash {{ os_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)','
{{ os_sec_plugin_conf_path }}/internal_users.yml
environment:
JAVA_HOME: "{{ os_home }}/jdk"
run_once: true
- when: configuration.changed
+ when: configuration.changed or iac_enable
- name: Security Plugin configuration | Set the kibanaserver user pasword
- shell: >
+ ansible.builtin.shell: >
sed -i '/hash: / s,{{ kibanaserver_password }},'$(bash {{ os_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)','
{{ os_sec_plugin_conf_path }}/internal_users.yml
environment:
JAVA_HOME: "{{ os_home }}/jdk"
run_once: true
- when: configuration.changed
+ when: configuration.changed or iac_enable
+
+- name: Security Plugin configuration | Check that the files/internal_users.yml exists
+ ansible.builtin.stat:
+ path: files/internal_users.yml
+ register: custom_users_result
+ delegate_to: localhost
+ run_once: true
+ become: false
+
+- name: Security Plugin configuration | Check for a custom configuration for internal users and hash passwords for them
+ when: custom_users_result.stat.exists
+ block:
+
+ - name: Security Plugin configuration | Load custom internal users configuration
+ ansible.builtin.include_vars:
+ file: files/internal_users.yml
+ name: custom_users
+ run_once: true
-- name: Security Plugin configuration | Initialize the opensearch security index in opensearch
- shell: >
+ # In the internal_users file.yml each user is described by the block:
+ # username:
+ # hash: "{{ username_password }}"In addition to the user description blocks, there is a _meta block
+ # ...
+ # In addition to the user description blocks, there is a _meta block
+ # In this task, all usernames are selected from the file (excluding the _meta block), for which hashed
+ # passwords will be written next
+ - name: Security Plugin configuration | Filter service keys from the list of users
+ ansible.builtin.set_fact:
+ custom_users_filtered: '{{ custom_users | dict2items | rejectattr("key", "equalto", "_meta") | list | items2dict }}'
+
+ # Hashed passwords are written for all users found in the previous task. Passwords are searched in variables
+ # set by the user when starting the role (admin_password, kibanaserver_password, etc.).
+ - name: Security Plugin configuration | Set passwords for all users from custom config
+ ansible.builtin.shell: >
+ sed -i '/hash: / s,{{ lookup('vars', item + '_password') }},'$(bash {{ os_sec_plugin_tools_path }}/hash.sh -p {{ lookup('vars', item + '_password') }} | tail -1)','
+ {{ os_sec_plugin_conf_path }}/internal_users.yml
+ environment:
+ JAVA_HOME: "{{ os_home }}/jdk"
+ run_once: true
+ when: configuration.changed or copy_custom_security_configs
+ with_items: "{{ custom_users_filtered }}"
+
+- name: Security Plugin configuration | Initialize the opensearch security index in opensearch with custom configs
+ ansible.builtin.shell: >
+ bash {{ os_sec_plugin_tools_path }}/securityadmin.sh
+ -cacert {{ os_conf_dir }}/root-ca.pem
+ -cert {{ os_conf_dir }}/admin.pem
+ -key {{ os_conf_dir }}/admin.key
+ -cd {{ os_sec_plugin_conf_path }}
+ -nhnv -icl
+ -h {{ hostvars[inventory_hostname]['ip'] }}
+ environment:
+ JAVA_HOME: "{{ os_home }}/jdk"
+ run_once: true
+ when: configuration.changed and copy_custom_security_configs
+
+- name: Security Plugin configuration | Initialize the opensearch security index in opensearch with default configs
+ ansible.builtin.shell: >
bash {{ os_sec_plugin_tools_path }}/securityadmin.sh
-cacert {{ os_conf_dir }}/root-ca.pem
-cert {{ os_conf_dir }}/admin.pem
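Review bot: The new task `Set passwords for all users from custom config` interpolates each cleartext password into a shell command and carries no `no_log: true`, so the password is echoed in the task result (`cmd`, and `stdout`/`stderr` on failure) and in any logging callback; the two admin/kibanaserver sed tasks above share the pattern, but this one extends it to every user in `custom_users_filtered`. Add `no_log: true` to that task (and consider it for the two above); the password is also visible as a `hash.sh -p` argument in the target's process list while the command runs, and a password containing `,` or other sed metacharacters silently breaks the substitution. The comment block introducing `Filter service keys from the list of users` has a pasted fragment on its `hash:` line (`"{{ username_password }}"In addition to the user description blocks, there is a _meta block`) that duplicates the line two below it and should be trimmed. Separately, both securityadmin tasks (`... with custom configs` here and `... with default configs` whose `when` is in the following hunk) stay gated on `configuration.changed`, while the internal_users template and password tasks now also run on `iac_enable` alone, so on an IaC re-run the rewritten users file appears never to be pushed into the security index — presumably `(configuration.changed or iac_enable) and copy_custom_security_configs` (and its negation) was intended, unless securityadmin is invoked elsewhere in the role.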
@@ -151,7 +303,7 @@
environment:
JAVA_HOME: "{{ os_home }}/jdk"
run_once: true
- when: configuration.changed
+ when: configuration.changed and not copy_custom_security_configs
- name: Security Plugin configuration | Cleanup local temporary directory
local_action:
diff --git a/roles/linux/opensearch/tasks/tune.yml b/roles/linux/opensearch/tasks/tune.yml
index 672abda..ae47fd6 100644
--- a/roles/linux/opensearch/tasks/tune.yml
+++ b/roles/linux/opensearch/tasks/tune.yml
@@ -1,12 +1,12 @@
---
- name: Set vm.max_map_count in sysctl.conf
- sysctl:
+ ansible.posix.sysctl:
name: vm.max_map_count
value: 262144
state: present
- name: Set open files limit in sysctl.conf
- sysctl:
+ ansible.posix.sysctl:
name: fs.file-max
value: 65536
state: present
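Review bot: `ansible.posix.sysctl` lives in the `ansible.posix` collection, which is not part of ansible-core, so a control node with a minimal install fails at parse time on both tasks unless the role's `meta/main.yml` or a `requirements.yml` already declares the collection (not visible in this diff). Declare the dependency there, or at least name it in the install instructions.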
diff --git a/roles/linux/opensearch/templates/security_plugin_conf.yml b/roles/linux/opensearch/templates/security_plugin_conf.yml
new file mode 100644
index 0000000..249058c
--- /dev/null
+++ b/roles/linux/opensearch/templates/security_plugin_conf.yml
@@ -0,0 +1,287 @@
+---
+
+# This is the main OpenSearch Security configuration file where authentication
+# and authorization is defined.
+#
+# You need to configure at least one authentication domain in the authc of this file.
+# An authentication domain is responsible for extracting the user credentials from
+# the request and for validating them against an authentication backend like Active Directory for example.
+#
+# If more than one authentication domain is configured the first one which succeeds wins.
+# If all authentication domains fail then the request is unauthenticated.
+# In this case an exception is thrown and/or the HTTP status is set to 401.
+#
+# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect
+# the roles from a given backend for the authenticated user.
+#
+# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both.
+# http_enabled: true
+# transport_enabled: true
+#
+# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to
+# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated.
+# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "anonymous"
+# and one role named "anonymous_backendrole".
+# If you enable anonymous authentication all HTTP authenticators will not challenge.
+#
+#
+# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert"
+# first and the challenging one last.
+# Because it's not possible to challenge a client with two different authentication methods (for example
+# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation
+# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request.
+#
+# Default value of the challenge flag is true.
+#
+#
+# HTTP
+# basic (challenging)
+# proxy (not challenging, needs xff)
+# kerberos (challenging)
+# clientcert (not challenging, needs https)
+# jwt (not challenging)
+# host (not challenging) #DEPRECATED, will be removed in a future version.
+# host based authentication is configurable in roles_mapping
+
+# Authc
+# internal
+# noop
+# ldap
+
+# Authz
+# ldap
+# noop
+
+
+
+_meta:
+ type: "config"
+ config_version: 2
+
+config:
+ dynamic:
+ # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
+ # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
+ # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
+ #filtered_alias_mode: warn
+ #do_not_fail_on_forbidden: false
+ #kibana:
+ # Kibana multitenancy
+ #multitenancy_enabled: true
+ #server_username: kibanaserver
+ #index: '.kibana'
+# OpenID settings
+{% if auth_type == 'oidc' %}
+ http:
+ anonymous_auth_enabled: false
+ xff:
+ enabled: false
+ internalProxies: ".*"
+ remoteIpHeader: "x-forwarded-for"
+ authc:
+ # In order for Dashboards to access OpenSearch, you must first use
+ # authentication_backend.type: internal
+ basic_internal_auth_domain:
+ description: "Authenticate via HTTP Basic against internal users database"
+ http_enabled: true
+ transport_enabled: false
+ order: 0
+ http_authenticator:
+ type: basic
+ challenge: false
+ authentication_backend:
+ type: internal
+ openid_auth_domain:
+ description: "Authenticate via OpenID"
+ http_enabled: true
+ transport_enabled: true
+ order: 1
+ http_authenticator:
+ type: openid
+ challenge: false
+ config:
+ enable_ssl: false
+ verify_hostnames: false
+ subject_key: {{ oidc.subject_key}}
+ roles_key: {{ oidc.roles_key}}
+ openid_connect_url: {{ oidc.connect_url}}
+ kibana_url: {{ oidc.dashboards_url}}
+ authentication_backend:
+ type: noop
+ authz: {}
+{% else %}
+ http:
+ anonymous_auth_enabled: false
+ xff:
+ enabled: false
+ internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
+ #internalProxies: '.*' # trust all internal proxies, regex pattern
+ #remoteIpHeader: 'x-forwarded-for'
+ ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
+ ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
+ ###### and here https://tools.ietf.org/html/rfc7239
+ ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
+ authc:
+ kerberos_auth_domain:
+ http_enabled: false
+ transport_enabled: false
+ order: 6
+ http_authenticator:
+ type: kerberos
+ challenge: true
+ config:
+ # If true a lot of kerberos/security related debugging output will be logged to standard out
+ krb_debug: false
+ # If true then the realm will be stripped from the user name
+ strip_realm_from_principal: true
+ authentication_backend:
+ type: noop
+ basic_internal_auth_domain:
+ description: "Authenticate via HTTP Basic against internal users database"
+ http_enabled: true
+ transport_enabled: true
+ order: 4
+ http_authenticator:
+ type: basic
+ challenge: true
+ authentication_backend:
+ type: intern
+ proxy_auth_domain:
+ description: "Authenticate via proxy"
+ http_enabled: false
+ transport_enabled: false
+ order: 3
+ http_authenticator:
+ type: proxy
+ challenge: false
+ config:
+ user_header: "x-proxy-user"
+ roles_header: "x-proxy-roles"
+ authentication_backend:
+ type: noop
+ jwt_auth_domain:
+ description: "Authenticate via Json Web Token"
+ http_enabled: false
+ transport_enabled: false
+ order: 0
+ http_authenticator:
+ type: jwt
+ challenge: false
+ config:
+ signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
+ jwt_header: "Authorization"
+ jwt_url_parameter: null
+ roles_key: null
+ subject_key: null
+ authentication_backend:
+ type: noop
+ clientcert_auth_domain:
+ description: "Authenticate via SSL client certificates"
+ http_enabled: false
+ transport_enabled: false
+ order: 2
+ http_authenticator:
+ type: clientcert
+ config:
+ username_attribute: cn #optional, if omitted DN becomes username
+ challenge: false
+ authentication_backend:
+ type: noop
+ ldap:
+ description: "Authenticate via LDAP or Active Directory"
+ http_enabled: false
+ transport_enabled: false
+ order: 5
+ http_authenticator:
+ type: basic
+ challenge: false
+ authentication_backend:
+ # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
+ type: ldap
+ config:
+ # enable ldaps
+ enable_ssl: false
+ # enable start tls, enable_ssl should be false
+ enable_start_tls: false
+ # send client certificate
+ enable_ssl_client_auth: false
+ # verify ldap hostname
+ verify_hostnames: true
+ hosts:
+ - localhost:8389
+ bind_dn: null
+ password: null
+ userbase: 'ou=people,dc=example,dc=com'
+ # Filter to search for users (currently in the whole subtree beneath userbase)
+ # {0} is substituted with the username
+ usersearch: '(sAMAccountName={0})'
+ # Use this attribute from the user as username (if not set then DN is used)
+ username_attribute: null
+ authz:
+ roles_from_myldap:
+ description: "Authorize via LDAP or Active Directory"
+ http_enabled: false
+ transport_enabled: false
+ authorization_backend:
+ # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
+ type: ldap
+ config:
+ # enable ldaps
+ enable_ssl: false
+ # enable start tls, enable_ssl should be false
+ enable_start_tls: false
+ # send client certificate
+ enable_ssl_client_auth: false
+ # verify ldap hostname
+ verify_hostnames: true
+ hosts:
+ - localhost:8389
+ bind_dn: null
+ password: null
+ rolebase: 'ou=groups,dc=example,dc=com'
+ # Filter to search for roles (currently in the whole subtree beneath rolebase)
+ # {0} is substituted with the DN of the user
+ # {1} is substituted with the username
+ # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
+ rolesearch: '(member={0})'
+ # Specify the name of the attribute which value should be substituted with {2} above
+ userroleattribute: null
+ # Roles as an attribute of the user entry
+ userrolename: disabled
+ #userrolename: memberOf
+ # The attribute in a role entry containing the name of that role, Default is "name".
+ # Can also be "dn" to use the full DN as rolename.
+ rolename: cn
+ # Resolve nested roles transitive (roles which are members of other roles and so on ...)
+ resolve_nested_roles: true
+ userbase: 'ou=people,dc=example,dc=com'
+ # Filter to search for users (currently in the whole subtree beneath userbase)
+ # {0} is substituted with the username
+ usersearch: '(uid={0})'
+ # Skip users matching a user name, a wildcard or a regex pattern
+ #skip_users:
+ # - 'cn=Michael Jackson,ou*people,o=TEST'
+ # - '/\S*/'
+ roles_from_another_ldap:
+ description: "Authorize via another Active Directory"
+ http_enabled: false
+ transport_enabled: false
+ authorization_backend:
+ type: ldap
+ #config goes here ...
+ # auth_failure_listeners:
+ # ip_rate_limiting:
+ # type: ip
+ # allowed_tries: 10
+ # time_window_seconds: 3600
+ # block_expiry_seconds: 600
+ # max_blocked_clients: 100000
+ # max_tracked_clients: 100000
+ # internal_authentication_backend_limiting:
+ # type: username
+ # authentication_backend: intern
+ # allowed_tries: 10
+ # time_window_seconds: 3600
+ # block_expiry_seconds: 600
+ # max_blocked_clients: 100000
+{% endif %}
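Review bot: The four Jinja substitutions under `openid_auth_domain` (`subject_key`, `roles_key`, `openid_connect_url`, `kibana_url`) are unquoted, so an empty variable renders as a YAML null and a value containing `: ` or ` #` breaks parsing of the rendered config.yml; write them as `openid_connect_url: "{{ oidc.connect_url }}"` and likewise for the other three. In the same block `verify_hostnames: false` (next to `enable_ssl: false`) appears to turn off hostname verification on the plugin's TLS connection to the IdP, which weakens the trust placed in the identity provider for every login; unless there is a reason, default it to `true` or drive it from an `oidc.*` variable like the other settings. `xff.internalProxies: ".*"` is harmless while `xff.enabled` is false, but a comment noting that enabling XFF with this pattern trusts every client's `x-forwarded-for` header would save a future operator a mistake.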
diff --git a/roles/linux/opensearch/templates/tlsconfig.yml b/roles/linux/opensearch/templates/tlsconfig.yml
index 2125ed6..5b7408f 100644
--- a/roles/linux/opensearch/templates/tlsconfig.yml
+++ b/roles/linux/opensearch/templates/tlsconfig.yml
@@ -2,13 +2,13 @@ ca:
root:
dn: CN=root.ca.{{ domain_name }},OU=CA,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
keysize: 2048
- validityDays: 730
+ validityDays: {{ cert_valid_days }}
pkPassword: none
file: root-ca.pem
### Default values and global settings
defaults:
- validityDays: 730
+ validityDays: {{ cert_valid_days }}
pkPassword: none
# Set this to true in order to generate config and certificates for
# the HTTP interface of nodes