From 716c98ec61beff9a8e3ef89d705ee46ca095b116 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 10 Jan 2022 14:39:00 -0500 Subject: [PATCH] requires and ordering for socusersroles state --- salt/elasticsearch/files/curl.config.template | 2 +- salt/manager/init.sls | 20 ++---------- salt/manager/sync_es_users.sls | 31 +++++++++++++++++++ salt/soc/init.sls | 13 +++----- 4 files changed, 39 insertions(+), 27 deletions(-) create mode 100644 salt/manager/sync_es_users.sls diff --git a/salt/elasticsearch/files/curl.config.template b/salt/elasticsearch/files/curl.config.template index 514eeaf65..9c057cabf 100644 --- a/salt/elasticsearch/files/curl.config.template +++ b/salt/elasticsearch/files/curl.config.template @@ -1 +1 @@ -user = "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user') }}:{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass') }}" +user = "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', 'NO_USER_SET') }}:{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', 'NO_PW_SET') }}" diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 3604f3cf6..c913383b0 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -21,10 +21,9 @@ {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} include: - - elasticsearch.auth - - kibana.secrets - salt.minion - - kratos + - kibana.secrets + - manager.sync_es_users - manager.elasticsearch socore_own_saltstack: 
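Review bot: In salt/elasticsearch/files/curl.config.template the new fallbacks `NO_USER_SET` and `NO_PW_SET` still render a well-formed `user =` line when the pillar has no so_elastic_user entry, so every curl call that reads this config sends the placeholder pair instead of failing at render time. The symptom then shows up as authentication failures on the Elasticsearch side, which are easy to misread as a wrong password or as login guessing. I would document the sentinels at the top of the template, for example `{# NO_USER_SET / NO_PW_SET mean the elasticsearch:auth pillar was not populated when this file was rendered #}`, and have callers treat those values as "not configured". The state that writes this file is outside the diff, so its mode is not visible here; because the file holds a cleartext password, it should be readable only by the account that runs those curl calls.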
@@ -111,21 +110,6 @@ strelka_yara_update: - hour: '7' - minute: '1' -# Must run before elasticsearch docker container is started! -syncesusers: - cmd.run: - - name: so-user sync - - env: - - SKIP_STATE_APPLY: 'true' - - creates: - - /opt/so/saltstack/local/salt/elasticsearch/files/users - - /opt/so/saltstack/local/salt/elasticsearch/files/users_roles - - /opt/so/conf/soc/soc_users_roles - - show_changes: False - - require: - - docker_container: so-kratos - - http: wait_for_kratos - {% else %} {{sls}}_state_not_allowed: diff --git a/salt/manager/sync_es_users.sls b/salt/manager/sync_es_users.sls new file mode 100644 index 000000000..4546fc52f --- /dev/null +++ b/salt/manager/sync_es_users.sls @@ -0,0 +1,31 @@ +include: + - elasticsearch.auth + - kratos + +so-user.lock: + file.missing: + - name: /var/tmp/so-user.lock + +# Must run before elasticsearch docker container is started! +sync_es_users: + cmd.run: + - name: so-user sync + - env: + - SKIP_STATE_APPLY: 'true' + - creates: + - /opt/so/saltstack/local/salt/elasticsearch/files/users + - /opt/so/saltstack/local/salt/elasticsearch/files/users_roles + - /opt/so/conf/soc/soc_users_roles + - show_changes: False + - require: + - docker_container: so-kratos + - http: wait_for_kratos + - file: so-user.lock # require so-user.lock file to be missing + +# we dont want this added too early in setup, so we add the onlyif to verify 'startup_states: highstate' +# is in the minion config. That line is added before the final highstate during setup +sosyncusers: + cron.present: + - user: root + - name: 'PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin /usr/sbin/so-user sync &>> /opt/so/log/soc/sync.log' + - onlyif: "grep 'startup_states: highstate' /etc/salt/minion" diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 856f929bd..bfb6ea4d9 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls 
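Review bot: The `so-user.lock` state in salt/manager/sync_es_users.sls tests for a lock at `/var/tmp/so-user.lock`, which is a world-writable directory, and `sync_es_users` requires that test. A stale lock, or a file of that name left by any local account, therefore fails the requisite and the sync is not run. The test is also only point-in-time: nothing visible here stops a cron-started `so-user sync` from taking the lock between `file.missing` and the `cmd.run`, so presumably so-user does its own locking. If the lock path is set by so-user (not shown in this diff), I would move it to a root-only directory there and here together; until then a comment on the state helps, e.g. `# lock lives in world-writable /var/tmp: a stale or foreign file here blocks sync_es_users`. Separately, the cron command uses `&>>`, a bash redirection, so it depends on cron's shell being bash.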
@@ -5,6 +5,9 @@ {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} +include: + - manager.sync_es_users + socdir: file.directory: - name: /opt/so/conf/soc @@ -84,14 +87,8 @@ soccustomroles: socusersroles: file.exists: - name: /opt/so/conf/soc/soc_users_roles - -# we dont want this added too early in setup, so we add the onlyif to verify 'startup_states: highstate' -# is in the minion config. That line is added before the final highstate during setup -sosyncusers: - cron.present: - - user: root - - name: 'PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin /usr/sbin/so-user sync &>> /opt/so/log/soc/sync.log' - - onlyif: "grep 'startup_states: highstate' /etc/salt/minion" + - require: + - sls: manager.sync_es_users so-soc: docker_container.running:
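Review bot: In the second hunk of salt/soc/init.sls, `socusersroles` now requires `sls: manager.sync_es_users`, which ties it to every state in that file, including the `sosyncusers` cron entry, rather than to the sync command alone. If the intent is "the roles file must exist after the sync has run", the narrower requisite `- cmd: sync_es_users` says that directly. Either way, a failed `so-user.lock` check would propagate through `sync_es_users` to `socusersroles`, so a highstate that overlaps a cron-driven `so-user sync` may report this state as failed. Whether `so-soc` in turn requires `socusersroles` is outside the hunk. If the whole-file dependency is deliberate, a comment above the `require` such as `# wait for the lock check and the sync, not only the file` would record that.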