From b8a10f2e8680792ca4c56eb2f650df0699d51eee Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 28 May 2021 14:49:43 -0400 Subject: [PATCH 1/4] Support multiple elastic system users --- salt/common/tools/sbin/so-common | 3 +- salt/common/tools/sbin/so-user | 51 ++++++++++++++++++++++++++++---- 2 files changed, 47 insertions(+), 7 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index b48f84b90..a89f93eea 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -252,6 +252,7 @@ lookup_salt_value() { key=$1 group=$2 kind=$3 + output=${4:-newline_values_only} if [ -z "$kind" ]; then kind=pillar @@ -261,7 +262,7 @@ lookup_salt_value() { group=${group}: fi - salt-call --no-color ${kind}.get ${group}${key} --out=newline_values_only + salt-call --no-color ${kind}.get ${group}${key} --out=${output} } lookup_pillar() { diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 1ff637d23..d8d8fe34a 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user 
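Review bot: In lookup_salt_value's second hunk the new `--out=${output}` is passed to salt-call unquoted and unvalidated, so a fourth argument containing whitespace would split into extra salt-call arguments; write it `--out="${output}"`, and ideally quote `${kind}.get` and `${group}${key}` on the same line while touching it. The new optional parameter also deserves a line in the function's header comment, e.g. `# $4 - salt-call --out format (default newline_values_only); the so-user caller passes "json" and reads the result under .local`. The first hunk changes the parameter block only; lookup_salt_value begins before it and its closing brace is in the second hunk.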
@@ -136,17 +136,56 @@ function createElasticTmpFile() { echo "$tmpFile" } +function syncElasticSystemUser() { + json=$1 + userid=$2 + usersFile=$3 + + user=$(echo "$json" | jq -r ".local.users.$userid.user") + pass=$(echo "$json" | jq -r ".local.users.$userid.pass") + + [[ -z "$user" || -z "$pass" ]] && fail "Elastic auth credentials for system user '$userid' are missing" + hash=$(hashPassword "$pass") + + echo "${user}:${hash}" >> "$usersFile" +} + +function syncElasticSystemRole() { + json=$1 + userid=$2 + role=$3 + rolesFile=$4 + + user=$(echo "$json" | jq -r ".local.users.$userid.user") + + [[ -z "$user" ]] && fail "Elastic auth credentials for system user '$userid' are missing" + + echo "${role}:${user}" >> "$rolesFile" +} + function syncElastic() { usersFileTmp=$(createElasticTmpFile "${elasticUsersFile}") rolesFileTmp=$(createElasticTmpFile "${elasticRolesFile}") - sysUser=$(lookup_pillar "auth:user" "elasticsearch") - sysPass=$(lookup_pillar "auth:pass" "elasticsearch") - [[ -z "$sysUser" || -z "$sysPass" ]] && fail "Elastic auth credentials for system user are missing" - sysHash=$(hashPassword "$sysPass") + authPillarJson=$(lookup_salt_value "auth" "elasticsearch" "pillar" "json") + + syncElasticSystemUser "$authPillarJson" "so_elastic_user" "$usersFileTmp" + syncElasticSystemRole "$authPillarJson" "so_elastic_user" "superuser" "$rolesFileTmp" + + syncElasticSystemUser "$authPillarJson" "so_kibana_user" "$usersFileTmp" + syncElasticSystemRole "$authPillarJson" "so_kibana_user" "kibana_system" "$rolesFileTmp" + + syncElasticSystemUser "$authPillarJson" "so_logstash_user" "$usersFileTmp" + syncElasticSystemRole "$authPillarJson" "so_logstash_user" "logstash_system" "$rolesFileTmp" + + syncElasticSystemUser "$authPillarJson" "so_beats_user" "$usersFileTmp" + syncElasticSystemRole "$authPillarJson" "so_beats_user" "beats_system" "$rolesFileTmp" + + syncElasticSystemUser "$authPillarJson" "so_monitor_user" "$usersFileTmp" + syncElasticSystemRole 
"$authPillarJson" "so_monitor_user" "remote_monitoring_collector" "$rolesFileTmp" + syncElasticSystemRole "$authPillarJson" "so_monitor_user" "remote_monitoring_agent" "$rolesFileTmp" # Generate the new users file - echo "${sysUser}:${sysHash}" >> "$usersFileTmp" echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \ "from identity_credential_identifiers ici, identity_credentials ic " \ "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \ @@ -159,7 +198,7 @@ function syncElastic() { [[ $? != 0 ]] && fail "Unable to create users file: $elasticUsersFile" # Generate the new users_roles file - echo "superuser:${sysUser}" >> "$rolesFileTmp" + echo "select 'superuser:' || ici.identifier " \ "from identity_credential_identifiers ici, identity_credentials ic " \ "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \ From 47b56e78b38377bb0284abbf983a1b999ada8afe Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 28 May 2021 20:07:51 -0400 Subject: [PATCH 2/4] Fix missing endif --- salt/common/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 33c1f28df..88b5c790b 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -8,7 +8,7 @@ {% if grains.role in ES_INCLUDED_NODES %} include: - elasticsearch.auth -{% %} +{% endif %} # Remove variables.txt from /tmp - This is temp rmvariablesfile: From a42a406f532fc26cc58ab0c38c24f25f22eb8275 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Sat, 29 May 2021 07:52:08 -0400 Subject: [PATCH 3/4] Remove extra users file mounts; disable elastic anon access when auth enabled --- salt/elasticsearch/files/elasticsearch.yml | 2 ++ salt/elasticsearch/init.sls | 2 -- salt/kibana/etc/kibana.yml | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) 
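Review bot: In syncElasticSystemUser and syncElasticSystemRole, `jq -r` prints the literal string `null` when `.local.users.$userid` or its `.user`/`.pass` key is absent, so the `[[ -z "$user" || -z "$pass" ]]` guard never fires for a missing pillar entry and a `null:<hash>` line (or `role:null`) is appended to the Elastic file realm instead of the script failing. Make jq yield an empty string for missing keys: `user=$(jq -r ".local.users.$userid.user // empty" <<<"$json")` and the same `// empty` for `pass` and for the lookup in syncElasticSystemRole. `userid` is spliced into the jq filter unquoted; the callers in syncElastic pass fixed identifiers, so this is fine as long as no caller-supplied value reaches it — a one-line comment stating that assumption would help. syncElastic's body continues past the end of this hunk, and the second hunk only drops the old `superuser:${sysUser}` line that the new role sync replaces.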
diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index fed45bf79..de6b99000 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml @@ -30,11 +30,13 @@ xpack.security.http.ssl.client_authentication: none xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt +{% if not salt['pillar.get']('elasticsearch:auth:enabled', False) %} xpack.security.authc: anonymous: username: anonymous_user roles: superuser authz_exception: true +{% endif %} node.name: {{ grains.host }} script.max_compilations_rate: 1000/1m {%- if TRUECLUSTER is sameas true %} diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index fb2927e99..b75833952 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -234,8 +234,6 @@ so-elasticsearch: - binds: - /opt/so/conf/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro - /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro - - /opt/so/conf/elasticsearch/users:/usr/share/elasticsearch/config/users:ro - - /opt/so/conf/elasticsearch/users_roles:/usr/share/elasticsearch/config/users_roles:ro - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro diff --git a/salt/kibana/etc/kibana.yml b/salt/kibana/etc/kibana.yml index 856f87909..501d93c8a 100644 --- a/salt/kibana/etc/kibana.yml +++ b/salt/kibana/etc/kibana.yml 
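Review bot: The new `{% if not salt['pillar.get']('elasticsearch:auth:enabled', False) %}` guard fails open: when the `elasticsearch:auth:enabled` pillar key is absent, the default `False` keeps rendering the anonymous superuser block in elasticsearch.yml, and the identical condition in the kibana.yml hunk keeps the anonymous provider. That looks intentional for deployments that never enable auth, but the consequence should be stated next to the guard, e.g. `# Anonymous superuser access is rendered only when elasticsearch:auth:enabled is unset or false; must stay identical to the guard in kibana.yml`. The two conditions must agree or Kibana will offer an anonymous provider that Elasticsearch rejects (or vice versa), so consider keeping a single documented pillar default that both templates reference rather than two hand-copied `if` lines. The kibana.yml hunk also ends with `{% endif %}` and `\ No newline at end of file`; adding the trailing newline avoids the next append to that file landing on the same line.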
@@ -14,7 +14,9 @@ elasticsearch.requestTimeout: 90000 logging.dest: /var/log/kibana/kibana.log telemetry.enabled: false security.showInsecureClusterWarning: false +{% if not salt['pillar.get']('elasticsearch:auth:enabled', False) %} xpack.security.authc.providers: anonymous.anonymous1: order: 0 credentials: "elasticsearch_anonymous_user" +{% endif %} \ No newline at end of file From ed8c85df2ba86a18166d21d1803d95db23a076f0 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 1 Jun 2021 10:26:33 -0400 Subject: [PATCH 4/4] Only sync web users if teh sqlite db exists --- salt/common/tools/sbin/so-user | 48 ++++++++++++++++++---------------- 1 file changed, 26 insertions(+), 22 deletions(-) diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index d8d8fe34a..cc3a0756c 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user 
@@ -185,29 +185,33 @@ function syncElastic() { syncElasticSystemRole "$authPillarJson" "so_monitor_user" "remote_monitoring_collector" "$rolesFileTmp" syncElasticSystemRole "$authPillarJson" "so_monitor_user" "remote_monitoring_agent" "$rolesFileTmp" - # Generate the new users file - echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \ - "from identity_credential_identifiers ici, identity_credentials ic " \ - "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \ - "order by ici.identifier;" | \ - sqlite3 "$databasePath" | \ - jq -r '.user + ":" + .data.hashed_password' \ - >> "$usersFileTmp" - [[ $? != 0 ]] && fail "Unable to read credential hashes from database" - mv -f "$usersFileTmp" "$elasticUsersFile" - [[ $? != 0 ]] && fail "Unable to create users file: $elasticUsersFile" + if [[ -f "$databasePath" ]]; then + # Generate the new users file + echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \ + "from identity_credential_identifiers ici, identity_credentials ic " \ + "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \ + "order by ici.identifier;" | \ + sqlite3 "$databasePath" | \ + jq -r '.user + ":" + .data.hashed_password' \ + >> "$usersFileTmp" + [[ $? != 0 ]] && fail "Unable to read credential hashes from database" + mv -f "$usersFileTmp" "$elasticUsersFile" + [[ $? != 0 ]] && fail "Unable to create users file: $elasticUsersFile" - # Generate the new users_roles file - - echo "select 'superuser:' || ici.identifier " \ - "from identity_credential_identifiers ici, identity_credentials ic " \ - "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \ - "order by ici.identifier;" | \ - sqlite3 "$databasePath" \ - >> "$rolesFileTmp" - [[ $? != 0 ]] && fail "Unable to read credential IDs from database" - mv -f "$rolesFileTmp" "$elasticRolesFile" - [[ $? 
!= 0 ]] && fail "Unable to create users file: $elasticRolesFile" + # Generate the new users_roles file + + echo "select 'superuser:' || ici.identifier " \ + "from identity_credential_identifiers ici, identity_credentials ic " \ + "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \ + "order by ici.identifier;" | \ + sqlite3 "$databasePath" \ + >> "$rolesFileTmp" + [[ $? != 0 ]] && fail "Unable to read credential IDs from database" + mv -f "$rolesFileTmp" "$elasticRolesFile" + [[ $? != 0 ]] && fail "Unable to create users file: $elasticRolesFile" + else + info "Database file does not exist yet, skipping users export" + fi } function syncAll() {
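Review bot: The two `mv -f "$usersFileTmp" "$elasticUsersFile"` and `mv -f "$rolesFileTmp" "$elasticRolesFile"` steps are now inside the new `if [[ -f "$databasePath" ]]`, so when the database does not exist yet the system users and roles written by the preceding syncElasticSystemUser/syncElasticSystemRole calls are never published, and the temp files — which hold password hashes — are left behind unless something outside this hunk removes them. Move the `mv -f` lines and their checks after the `fi` so the system credentials are installed regardless of the web database; only the sqlite export should be conditional. Separately, `[[ $? != 0 ]]` after the `sqlite3 | jq` pipeline reflects only the last stage unless `pipefail` is set somewhere outside this view, so a sqlite3 failure would pass silently. syncElastic begins before this hunk; its closing brace is inside it.
```shell
  if [[ -f "$databasePath" ]]; then
    # … unchanged: append web user hashes to "$usersFileTmp" and superuser rows to "$rolesFileTmp" …
  else
    info "Database file does not exist yet, skipping users export"
  fi

  # Publish both files even when the web database is absent so the system users are still installed
  mv -f "$usersFileTmp" "$elasticUsersFile"
  [[ $? != 0 ]] && fail "Unable to create users file: $elasticUsersFile"
  mv -f "$rolesFileTmp" "$elasticRolesFile"
  [[ $? != 0 ]] && fail "Unable to create users file: $elasticRolesFile"
}
```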