fix merge conflict

salt/common/tools/sbin/so-common

@@ -252,6 +252,7 @@ lookup_salt_value() {
 	key=$1
 	group=$2
 	kind=$3
+	output=${4:-newline_values_only}
 
 	if [ -z "$kind" ]; then
 		kind=pillar
@@ -261,7 +262,7 @@ lookup_salt_value() {
 		group=${group}:
 	fi
 
-	salt-call --no-color  ${kind}.get ${group}${key} --out=newline_values_only
+	salt-call --no-color  ${kind}.get ${group}${key} --out=${output}
 }
 
 lookup_pillar() {

salt/common/tools/sbin/so-user

@@ -136,17 +136,57 @@ function createElasticTmpFile() {
   echo "$tmpFile"
 }
 
+function syncElasticSystemUser() {
+  json=$1
+  userid=$2
+  usersFile=$3
+
+  user=$(echo "$json" | jq -r ".local.users.$userid.user")
+  pass=$(echo "$json" | jq -r ".local.users.$userid.pass")
+  
+  [[ -z "$user" || -z "$pass" ]] && fail "Elastic auth credentials for system user '$userid' are missing"
+  hash=$(hashPassword "$pass")
+
+  echo "${user}:${hash}" >> "$usersFile"
+}
+
+function syncElasticSystemRole() {
+  json=$1
+  userid=$2
+  role=$3
+  rolesFile=$4
+
+  user=$(echo "$json" | jq -r ".local.users.$userid.user")
+  
+  [[ -z "$user" ]] && fail "Elastic auth credentials for system user '$userid' are missing"
+
+  echo "${role}:${user}" >> "$rolesFile"
+}
+
 function syncElastic() {
   usersFileTmp=$(createElasticTmpFile "${elasticUsersFile}")
   rolesFileTmp=$(createElasticTmpFile "${elasticRolesFile}")
 
-  sysUser=$(lookup_pillar "auth:user" "elasticsearch")
+  authPillarJson=$(lookup_salt_value "auth" "elasticsearch" "pillar" "json")
-  sysPass=$(lookup_pillar "auth:pass" "elasticsearch")
-  [[ -z "$sysUser" || -z "$sysPass" ]] && fail "Elastic auth credentials for system user are missing"
-  sysHash=$(hashPassword "$sysPass")
 
+  syncElasticSystemUser "$authPillarJson" "so_elastic_user"  "$usersFileTmp"
+  syncElasticSystemRole "$authPillarJson" "so_elastic_user"  "superuser" "$rolesFileTmp"
+
+  syncElasticSystemUser "$authPillarJson" "so_kibana_user"   "$usersFileTmp"
+  syncElasticSystemRole "$authPillarJson" "so_kibana_user"   "kibana_system" "$rolesFileTmp"
+
+  syncElasticSystemUser "$authPillarJson" "so_logstash_user" "$usersFileTmp"
+  syncElasticSystemRole "$authPillarJson" "so_logstash_user" "logstash_system" "$rolesFileTmp"
+
+  syncElasticSystemUser "$authPillarJson" "so_beats_user"    "$usersFileTmp"
+  syncElasticSystemRole "$authPillarJson" "so_beats_user"    "beats_system" "$rolesFileTmp"
+
+  syncElasticSystemUser "$authPillarJson" "so_monitor_user"  "$usersFileTmp"
+  syncElasticSystemRole "$authPillarJson" "so_monitor_user"  "remote_monitoring_collector" "$rolesFileTmp"
+  syncElasticSystemRole "$authPillarJson" "so_monitor_user"  "remote_monitoring_agent" "$rolesFileTmp"
+
+  if [[ -f "$databasePath" ]]; then
     # Generate the new users file
-  echo "${sysUser}:${sysHash}" >> "$usersFileTmp"
     echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \
       "from identity_credential_identifiers ici, identity_credentials ic " \
       "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \
@@ -159,7 +199,7 @@ function syncElastic() {
     [[ $? != 0 ]] && fail "Unable to create users file: $elasticUsersFile"
 
     # Generate the new users_roles file
-  echo "superuser:${sysUser}" >> "$rolesFileTmp"
+    
     echo "select 'superuser:' || ici.identifier " \
       "from identity_credential_identifiers ici, identity_credentials ic " \
       "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \
@@ -169,6 +209,9 @@ function syncElastic() {
     [[ $? != 0 ]] && fail "Unable to read credential IDs from database"
     mv -f "$rolesFileTmp" "$elasticRolesFile"
     [[ $? != 0 ]] && fail "Unable to create users file: $elasticRolesFile"
+  else
+    info "Database file does not exist yet, skipping users export"
+  fi
 }
 
 function syncAll() {

salt/elasticsearch/files/elasticsearch.yml

@@ -30,11 +30,13 @@ xpack.security.http.ssl.client_authentication: none
 xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key
 xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt
 xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt
+{% if not salt['pillar.get']('elasticsearch:auth:enabled', False) %}
 xpack.security.authc:
   anonymous:
     username: anonymous_user
     roles: superuser
     authz_exception: true
+{% endif %}
 node.name: {{ grains.host }}
 script.max_compilations_rate: 1000/1m
 {%- if TRUECLUSTER is sameas true %}

salt/elasticsearch/init.sls

@@ -214,8 +214,6 @@ so-elasticsearch:
     - binds:
       - /opt/so/conf/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
       - /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
-      - /opt/so/conf/elasticsearch/users:/usr/share/elasticsearch/config/users:ro
-      - /opt/so/conf/elasticsearch/users_roles:/usr/share/elasticsearch/config/users_roles:ro
       - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw
       - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw
       - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro

salt/kibana/etc/kibana.yml

@@ -14,7 +14,9 @@ elasticsearch.requestTimeout: 90000
 logging.dest: /var/log/kibana/kibana.log
 telemetry.enabled: false
 security.showInsecureClusterWarning: false
+{% if not salt['pillar.get']('elasticsearch:auth:enabled', False) %}
 xpack.security.authc.providers:
   anonymous.anonymous1:
     order: 0
     credentials: "elasticsearch_anonymous_user" 
+{% endif %}