Add elasticsearch_user module

Tobias Bauriedel · Tobias Bauriedel · commit 765c12f70bad · 2024-02-01T14:46:22.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 .cache
 *.swp
-__pycache__*
+__pycache__*
+.vscode
diff --git a/README.md b/README.md
@@ -8,14 +8,19 @@ Every role is documented with all variables, please refer to the documentation f
 
 **Please note**: If you are already using this collection before version `1.0.0`, please note that we had to rename a significant amount of variables due to naming schema changes made by Ansible. Please review the variables you have set in your playbooks and variable files.
 
-## Roles Documentation
+## Roles documentation
 
 * [Beats](docs/role-beats.md)
 * [Elasticsearch](docs/role-elasticsearch.md)
 * [Kibana](docs/role-kibana.md)
 * [Logstash](docs/role-logstash.md)
 * [Repos](docs/role-repos.md)
 
+## Modules documentation
+
+* [elasticsearch_role](docs/module-elasticsearch_role.md)
+* [elasticsearch_user](docs/module-elasticsearch_user.md)
+
 ## Installation
 
 You can easily install the collection with the `ansible-galaxy` command.
diff --git a/docs/module-elasticsearch_role.md b/docs/module-elasticsearch_role.md
@@ -0,0 +1,49 @@
+Ansible module: elasticsearch_role
+===
+
+This module creates, updates and deletes roles from your Elasticsearch.
+
+Requirements
+---
+
+As this module uses the Elasticsearch API you will need to install the `elasticsearch` Python3 library.
+```
+pip3 install elasticsearch
+```
+
+Module arguments
+---
+
+* *name*: Name of your role (**Required**)
+* *cluster*: List of clusters
+* *indicies*: List of indicies
+  * *names*: List of names (**Required**)
+  * *privileges*: List of privileges (**Required**)
+* *state*: State of the role (Default: `present`)
+* *host*: API endpoint (**Required**)
+* *auth_user*: User to authenticate on the Elasticsearch API (**Required**)
+* *auth_pass*: Password for the given user (**Required**)
+* *verify_certs*: Verify certificates (Default: True)
+* *ca_certs*: Verify HTTPS connection by using ca certificate. Path to ca needs to be given
+
+Example usage
+---
+```
+    - name: Create elasticsearch role 'new-role'
+      netways.elasticstack.elasticsearch_role:
+        name: new-role
+        cluster:
+          - manage_own_api_key
+          - delegate_pki
+        indicies:
+          - names:
+              - default01
+            privileges:
+              - read
+              - write
+        state: present
+        host: https://localhost:9200
+        auth_user: elastic
+        auth_pass: changeMe123!
+        verify_certs: false
+```
diff --git a/docs/module-elasticsearch_user.md b/docs/module-elasticsearch_user.md
@@ -0,0 +1,48 @@
+Ansible module: elasticsearch_user
+===
+
+This module creates, updates and deletes users from your Elasticsearch.
+
+Requirements
+---
+
+As this module uses the Elasticsearch API you will need to install the `elasticsearch` Python3 library.
+```
+pip3 install elasticsearch
+```
+
+Module arguments
+---
+
+* *name*: Name of your user (**Required**)
+* *fullname*: Fullname of your user
+* *password*: Password for your user (**Required**)
+* *email*: Email for your user
+* *roles*: List of roles (**Required**)
+* *enabled*: Define wheter this user should be enabled (Default: `true`)
+* *state*: State of the role. `absent` to delete the user (Default: `present`)
+* *host*: API endpoint (**Required**)
+* *auth_user*: User to authenticate on the Elasticsearch API (**Required**)
+* *auth_pass*: Password for the given user (**Required**)
+* *verify_certs*: Verify certificates (Default: True)
+* *ca_certs*: Verify HTTPS connection by using ca certificate. Path to ca needs to be given
+
+Example usage
+---
+```
+    - name: Create elasticsearch user 'new-user'
+      netways.elasticstack.elasticsearch_user:
+        name: new-user
+        fullname: New User
+        password: changeMe321!
+        email: new@user.de
+        roles:
+          - new-role
+          - logstash-writer
+        enabled: true
+        state: present
+        host: https://localhost:9200
+        auth_user: elastic
+        auth_pass: changeMe123!
+        verify_certs: false
+```
diff --git a/molecule/elasticsearch_test_modules/converge.yml b/molecule/elasticsearch_test_modules/converge.yml
@@ -29,16 +29,15 @@
       register: elasticstack_password
       changed_when: false
 
-    - name: Create role
+    - name: Create elasticsearch role 'new-role'
       netways.elasticstack.elasticsearch_role:
-        name: new-role3
+        name: new-role1
         cluster:
           - manage_own_api_key
           - delegate_pki
         indicies:
           - names:
               - foobar321
-              - barfoo123
             privileges:
               - read
               - write
@@ -47,4 +46,21 @@
         auth_user: elastic
         auth_pass: "{{ elasticstack_password.stdout }}"
         verify_certs: false
-        ca_certs: /etc/elasticsearch/certs/http_ca.crt
+        #ca_certs: /etc/elasticsearch/certs/http_ca.crt
+
+    - name: Create elasticsearch user 'new-user'
+      netways.elasticstack.elasticsearch_user:
+        name: new-user1
+        fullname: New User
+        password: changeMe123!
+        email: new@user.de
+        roles:
+          - new-role1
+          - logstash-writer
+        enabled: true
+        state: present
+        host: https://localhost:9200
+        auth_user: elastic
+        auth_pass: "{{ elasticstack_password.stdout }}"
+        verify_certs: false
+        #ca_certs: /etc/elasticsearch/certs/http_ca.crt
diff --git a/plugins/module_utils/api.py b/plugins/module_utils/api.py
@@ -4,7 +4,9 @@
 # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or
 # https://www.gnu.org/licenses/gpl-3.0.txt)
 
-from asyncio.constants import SENDFILE_FALLBACK_READBUFFER_SIZE
+from difflib import restore
+from pickle import NONE
+from xml.sax.saxutils import prepare_input_source
 from elasticsearch import Elasticsearch
 import ssl
 
@@ -16,16 +18,13 @@ def new_client_basic_auth(host, auth_user, auth_pass, ca_certs, verify_certs) ->
 
 
 class Role():
-    def __init__(self, result, role_name, cluster, indicies, state, host, auth_user, auth_pass, verify_certs, ca_certs):
+    def __init__(self, result, role_name, cluster, indicies, state, host, auth_user, auth_pass, verify_certs, ca_certs): 
         self.role_name = role_name
         self.cluster = cluster
         self.indicies = indicies
         self.state = state
         self.result = result
 
-        if auth_user == "" or auth_pass == "":
-            result['stderr'] = "'basic_auth' for authentication defined but 'auth_user' or auth_pass' is empty"
-            return
         self.client = new_client_basic_auth(host=host, auth_user=auth_user, auth_pass=auth_pass, verify_certs=verify_certs, ca_certs=ca_certs)
 
         self.handle()
@@ -36,39 +35,118 @@ def return_result(self) -> dict:
   
 
     def handle(self):
+        all_roles = self.get_all()
+
         if self.state == 'absent':
-            res = self.delete()
-            if res['found'] == True:
-                self.result['changed'] = True
-                self.result['msg'] = self.role_name + " has been deleted."
-            return
+            if self.role_name in all_roles:
+                res = self.delete()
+                if res['found'] == True:
+                    self.result['changed'] = True
+                    self.result['msg'] = self.role_name + " has been deleted"
+                return
 
         elif self.state == 'present':
-            pre_role = self.get()
-            self.result['foo1'] = pre_role.raw
+            if self.role_name in all_roles.raw:
+                pre_role = self.get()
+            else:
+                pre_role = None
+
             res = self.put()
 
             if res.raw['role']['created'] == True:
                 self.result['changed'] = True
-                self.result['msg'] = self.role_name + " has been created."
+                self.result['msg'] = self.role_name + " has been created"
                 return
 
-            self.result['foo2'] = self.get().raw
-            if pre_role.raw != self.get().raw:
-                self.result['changed'] = True
-                self.result['msg'] = self.role_name + " has been updated"
-                return
+            if pre_role != None:
+                if pre_role.raw != self.get().raw:
+                    self.result['changed'] = True
+                    self.result['msg'] = self.role_name + " has been updated"
+                    return
         
         return
         
 
+    def get_all(self):
+        return self.client.security.get_role()
+
+
     def get(self):
         return self.client.security.get_role(name=self.role_name)
 
 
-    def put(self):                
+    def put(self):
         return self.client.security.put_role(name=self.role_name, cluster=self.cluster, indices=self.indicies)
 
     
     def delete(self):
-        return self.client.security.delete_role(name=self.role_name)
+        return self.client.security.delete_role(name=self.role_name)
+
+
+class User():
+    def __init__(self, result, user_name, full_name, password, email, roles, enabled, state, host, auth_user, auth_pass, verify_certs, ca_certs):
+        self.user_name = user_name
+        self.full_name = full_name
+        self.password = password
+        self.email = email
+        self.roles = roles
+        self.enabled = enabled
+        self.state = state
+        self.result = result
+
+        self.client = new_client_basic_auth(host=host, auth_user=auth_user, auth_pass=auth_pass, ca_certs=ca_certs, verify_certs=verify_certs)
+
+        self.handle()
+
+    
+    def return_result(self) -> dict:
+        return self.result
+    
+
+    def handle(self):
+        all_users = self.get_all()
+
+        if self.state == 'absent':
+            if self.user_name in all_users:
+                res = self.delete()
+                if res['found'] == True:
+                    self.result['changed'] = True
+                    self.result['msg'] = self.user_name + " has been deleted"
+            return
+        
+        elif self.state == 'present':
+            if self.user_name in all_users.raw:
+                pre_user = self.get()
+            else:
+                pre_user = None
+
+            res = self.put()
+
+            if res.raw['created'] == True:
+                self.result['changed'] = True
+                self.result['msg'] = self.user_name + " has been created"
+                return
+            
+            if pre_user != None:
+                if pre_user.raw != self.get().raw:
+                    self.result['changed'] = True
+                    self.result['msg'] = self.user_name + " has beed updated"
+                    return
+
+        return
+
+
+    def get_all(self):
+        return self.client.security.get_user()
+
+
+    def get(self):
+        return self.client.security.get_user(username=self.user_name)
+
+    
+    def put(self):
+        return self.client.security.put_user(username=self.user_name, password=self.password, email=self.email, full_name=self.full_name, enabled=self.enabled, roles=self.roles)
+
+    
+    def delete(self):
+        return self.client.security.delete_user(username=self.user_name)
diff --git a/plugins/modules/elasticsearch_role.py b/plugins/modules/elasticsearch_role.py
@@ -1,5 +1,9 @@
 #!/usr/bin/python
 
+# Copyright (c) 2024, Tobias Bauriedel <tobias.bauriedel@netways.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or
+# https://www.gnu.org/licenses/gpl-3.0.txt)
+
 from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type
 
@@ -41,10 +45,13 @@ def run_module():
 
     module = AnsibleModule(
         argument_spec=dict(
+            # User args
             name=dict(type=str, required=True),
             cluster=dict(type=list, required=False),
-            indicies=dict(type=list, required=False), # indicies.{n}.name, indicies.{n}.privileges
+            indicies=dict(type=list, required=False),
             state=dict(type=str, required=False, default='present'),
+
+            # Auth args
             host=dict(type=str, required=True),
             auth_user=dict(type=str, required=True),
             auth_pass=dict(type=str, required=True),
diff --git a/plugins/modules/elasticsearch_user.py b/plugins/modules/elasticsearch_user.py
diff --git a/requirements-test.txt b/requirements-test.txt

-Original file line number
+Diff line change
@@ @@ -1,3 +1,4 @@ @@
 .cache
 *.swp
 -__pycache__*
 +__pycache__*
 +.vscode