Add elasticsearch_role and elasticsearch_user module #308

Merged
merged 8 commits into from
Feb 12, 2024

Conversation

tbauriedel
Member

@tbauriedel tbauriedel commented Jan 31, 2024

First draft for an elasticsearch_role module.

With that module you can create, update and delete access roles inside Elasticsearch.
Uses the Elasticsearch API.

Example Usage:

    - name: Create role
      netways.elasticstack.elasticsearch_role:
        name: new-role
        cluster:
          - manage_own_api_key
          - delegate_pki
        indicies:
          - names:
              - foobar321
              - barfoo123
            privileges:
              - read
              - write
        state: present
        host: https://localhost:9200
        auth_user: elastic
        auth_pass: changeMe123!
        verify_certs: false
        ca_certs: /etc/elasticsearch/certs/http_ca.crt

@tbauriedel tbauriedel added the feature New feature or request label Jan 31, 2024
@tbauriedel tbauriedel added this to the 1.0.0 milestone Jan 31, 2024
@tbauriedel tbauriedel requested a review from a team January 31, 2024 20:06
@tbauriedel tbauriedel self-assigned this Jan 31, 2024
@tbauriedel tbauriedel changed the title Add elasticsearch_role module Add elasticsearch_role and elasticsearch_user module Feb 1, 2024
@tbauriedel
Member Author

tbauriedel commented Feb 1, 2024

Example usage for the elasticsearch_user module:

With that module you can create, update and delete access users inside Elasticsearch.
Uses the Elasticsearch API.

    - name: Create elasticsearch user 'new-user'
      netways.elasticstack.elasticsearch_user:
        name: new-user1
        fullname: New User
        password: changeMe123!
        email: [email protected]
        roles:
          - new-role1
          - logstash-writer
        enabled: true
        state: present
        host: https://localhost:9200
        auth_user: elastic
        auth_pass: changeMe321!
        verify_certs: false
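
The two usage examples above pass passwords inline and set `verify_certs: false`. As an added example (not part of this pull request or the collection's documentation), here are the same two tasks with TLS verification enabled against the CA file from the first example and secrets taken from variables. The `vault_*` variable names are hypothetical, and `ca_certs` on `elasticsearch_user` is assumed to behave as it does on `elasticsearch_role`.

```yaml
# Added example. vault_elastic_password and vault_new_user_password are
# hypothetical variables, expected to come from an ansible-vault encrypted
# vars file rather than from the playbook itself.
- name: Manage Elasticsearch role and user without inline secrets
  hosts: localhost
  gather_facts: false
  vars:
    es_host: https://localhost:9200
    es_ca: /etc/elasticsearch/certs/http_ca.crt
  tasks:
    - name: Create role
      netways.elasticstack.elasticsearch_role:
        name: new-role
        cluster:
          - manage_own_api_key
          - delegate_pki
        indicies:
          - names:
              - foobar321
              - barfoo123
            privileges:
              - read
              - write
        state: present
        host: "{{ es_host }}"
        auth_user: elastic
        auth_pass: "{{ vault_elastic_password }}"
        verify_certs: true          # validate the server certificate
        ca_certs: "{{ es_ca }}"     # CA that signed the HTTP certificate
      no_log: true                  # keep credentials out of task output

    - name: Create elasticsearch user 'new-user'
      netways.elasticstack.elasticsearch_user:
        name: new-user
        fullname: New User
        password: "{{ vault_new_user_password }}"
        roles:
          - new-role
        enabled: true
        state: present
        host: "{{ es_host }}"
        auth_user: elastic
        auth_pass: "{{ vault_elastic_password }}"
        verify_certs: true
        ca_certs: "{{ es_ca }}"     # assumed to be accepted by this module too
      no_log: true
```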

@tbauriedel tbauriedel marked this pull request as ready for review February 1, 2024 13:52
@tbauriedel
Member Author

@widhalmt since those modules were requested from your side, could you please have a look at them? Maybe test them also.

@widhalmt
Member

widhalmt commented Feb 1, 2024

I have local testing environments and I will put this change through a few tests. I'm the wrong person to review the code of the module (yet) but I can do integration tests and check everything around the module.

@lcndsmr
Member

lcndsmr commented Feb 1, 2024

Genuine question: why would we need a module which calls upon a role? I have never seen this before, is this commonly done?

@tbauriedel
Member Author

Inspiration for the two modules comes from here, for example.
Roles and users are repeatedly created in the collection via several tasks so that the needed component has a user in Elastic.
In order to be able to do this cleanly and not always require several tasks with requests, etc., these modules were requested.

With them you can easily create, update and delete them.

Sure, you could do this in your Kibana. But we have some known customers who do this all within the collection (or want to).

The whole thing has turned into a discussion of principles, as the idea of creating an internal Elastic user within the Logstash role is somewhat at odds with the idea of separating roles. However, this will be addressed later and assumed as a requirement.

@lcndsmr
Member

lcndsmr commented Feb 1, 2024

OH NOW I GET IT I misunderstood "role" as ansible-role.
No objections then.
I will have a closer look at the code later!

@tbauriedel tbauriedel requested a review from lcndsmr February 5, 2024 15:52
@tbauriedel tbauriedel requested a review from lcndsmr February 7, 2024 11:56
Member

@lcndsmr lcndsmr left a comment

Code looks amazing, but it has to be tested now, and I don't know how to withdraw approval :D

@tbauriedel tbauriedel requested a review from widhalmt February 7, 2024 13:07
@tbauriedel
Member Author

I have already implemented a workflow to test the modules.

@lcndsmr I guess you can remove the change request now. I have requested Thomas for review. As long as he doesn't approve it, it should be fine. Auto-merging is also not enabled for this PR.

@widhalmt would you please give us a last "okay it works"? :)

lcndsmr
lcndsmr previously approved these changes Feb 7, 2024
Member

@widhalmt widhalmt left a comment

I found a few minor issues and had one extra question. Those aside: THANK YOU.

@widhalmt widhalmt enabled auto-merge February 12, 2024 12:41
Member

@widhalmt widhalmt left a comment

Thanks for the initial code. And the reaction to my picky requests. Approved.

@widhalmt widhalmt added this pull request to the merge queue Feb 12, 2024
@tbauriedel tbauriedel removed this pull request from the merge queue due to a manual request Feb 12, 2024
@tbauriedel tbauriedel added this pull request to the merge queue Feb 12, 2024
@widhalmt widhalmt modified the milestones: 1.0.0, 0.1.0 Feb 12, 2024
Merged via the queue into main with commit 99f5ded Feb 12, 2024
@tbauriedel tbauriedel deleted the feature/role_module branch February 12, 2024 15:03
ivareri pushed a commit to ivareri/ansible-collection-elasticstack that referenced this pull request Jun 17, 2025
First draft for an elasticsearch_role module.

With that module you can create, update and delete access roles inside
Elasticsearch.
Uses the Elasticsearch API.

Example Usage:
```
    - name: Create role
      netways.elasticstack.elasticsearch_role:
        name: new-role
        cluster:
          - manage_own_api_key
          - delegate_pki
        indicies:
          - names:
              - foobar321
              - barfoo123
            privileges:
              - read
              - write
        state: present
        host: https://localhost:9200
        auth_user: elastic
        auth_pass: changeMe123!
        verify_certs: false
        ca_certs: /etc/elasticsearch/certs/http_ca.crt

```
3 participants