Auth enhancements

2025-12-07 17:52:46 +01:00 · 2021-09-02 09:44:57 -04:00
parent 84ecc3cba7
commit 10126bb7ef
9 changed files with 269 additions and 39 deletions
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -35,6 +35,7 @@
 {% endif %}

 {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %}
+{% set ROLES = salt['pillar.get']('elasticsearch:roles', {}) %}
 {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %}


@@ -119,6 +120,13 @@ estemplatedir:
    - group: 939
    - makedirs: True

+esrolesdir:
+  file.directory:
+    - name: /opt/so/conf/elasticsearch/roles
+    - user: 930
+    - group: 939
+    - makedirs: True
+
 esingestconf:
  file.recurse:
    - name: /opt/so/conf/elasticsearch/ingest
@@ -157,6 +165,15 @@ es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
    - group: 939
 {% endfor %}

+esroles:
+  file.recurse:
+    - source: salt://elasticsearch/roles/
+    - name: /opt/so/conf/elasticsearch/roles/
+    - clean: True
+    - template: jinja
+    - user: 930
+    - group: 939
+
 nsmesdir:
  file.directory:
    - name: /nsm/elasticsearch
@@ -193,7 +210,7 @@ auth_users_inode:
  require:
    - file: auth_users
  cmd.run:
-    - name: cat /opt/so/conf/elasticsearch/users.tmp > /opt/so/conf/elasticsearch/users && chown 930:930 /opt/so/conf/elasticsearch/users && chmod 600 /opt/so/conf/elasticsearch/users
+    - name: cat /opt/so/conf/elasticsearch/users.tmp > /opt/so/conf/elasticsearch/users && chown 930:939 /opt/so/conf/elasticsearch/users && chmod 660 /opt/so/conf/elasticsearch/users
    - onchanges:
      - file: /opt/so/conf/elasticsearch/users.tmp

@@ -201,7 +218,7 @@ auth_users_roles_inode:
  require:
    - file: auth_users_roles
  cmd.run:
-    - name: cat /opt/so/conf/elasticsearch/users_roles.tmp > /opt/so/conf/elasticsearch/users_roles && chown 930:930 /opt/so/conf/elasticsearch/users_roles && chmod 600 /opt/so/conf/elasticsearch/users_roles
+    - name: cat /opt/so/conf/elasticsearch/users_roles.tmp > /opt/so/conf/elasticsearch/users_roles && chown 930:939 /opt/so/conf/elasticsearch/users_roles && chmod 660 /opt/so/conf/elasticsearch/users_roles
    - onchanges:
      - file: /opt/so/conf/elasticsearch/users_roles.tmp

@@ -283,7 +300,7 @@ so-elasticsearch-pipelines:
      - file: esyml
      - file: so-elasticsearch-pipelines-file

-{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-import'] and TEMPLATES %}
+{% if TEMPLATES %}
 so-elasticsearch-templates:
  cmd.run:
    - name: /usr/sbin/so-elasticsearch-templates-load
@@ -291,6 +308,12 @@ so-elasticsearch-templates:
    - template: jinja
 {% endif %}

+so-elasticsearch-roles-load:
+  cmd.run:
+    - name: /usr/sbin/so-elasticsearch-roles-load
+    - cwd: /opt/so
+    - template: jinja
+
 {% endif %} {# if grains['role'] != 'so-helix' #}

 {% else %}
--- a/salt/elasticsearch/roles/analyst.json
+++ b/salt/elasticsearch/roles/analyst.json
@@ -0,0 +1,45 @@
+{
+  "elasticsearch": {
+    "cluster": [
+      "cancel_task",
+      "create_snapshot",
+      "monitor",
+      "monitor_data_frame_transforms",
+      "monitor_ml",
+      "monitor_rollup",
+      "monitor_snapshot",
+      "monitor_text_structure",
+      "monitor_transform",
+      "monitor_watcher",
+      "read_ccr",
+      "read_ilm",
+      "read_pipeline",
+      "read_slm"
+    ],
+    "indices": [
+      {
+        "names": [
+          "so-*"
+        ],
+        "privileges": [
+          "read",
+          "read_cross_cluster",
+          "monitor",
+          "view_index_metadata"
+        ]
+      }
+    ],
+    "run_as": []
+  },
+  "kibana": [
+    {
+      "spaces": [
+        "*"
+      ],
+      "base": [
+        "read"
+      ],
+      "feature": {}
+    }
+  ]
+}