From e2d5102a0e70f8f209b46e385031978fc9328390 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 24 May 2021 10:13:29 -0400 Subject: [PATCH 01/17] changes for script to auth to elastic --- salt/common/init.sls | 9 ++++++++ salt/common/tools/sbin/so-elastic-clear | 6 ++--- .../tools/sbin/so-elasticsearch-indices-list | 2 +- .../tools/sbin/so-elasticsearch-indices-rw | 4 ++-- .../sbin/so-elasticsearch-pipeline-stats | 4 ++-- .../tools/sbin/so-elasticsearch-pipeline-view | 4 ++-- .../sbin/so-elasticsearch-pipelines-list | 4 ++-- .../tools/sbin/so-elasticsearch-shards-list | 2 +- .../sbin/so-elasticsearch-template-remove | 2 +- .../tools/sbin/so-elasticsearch-template-view | 4 ++-- .../sbin/so-elasticsearch-templates-list | 4 ++-- salt/common/tools/sbin/so-index-list | 2 +- salt/common/tools/sbin/soup | 4 ++-- salt/firewall/portgroups.yaml | 3 +++ salt/utility/bin/crossthestreams | 6 ++--- salt/utility/bin/eval | 4 ++-- salt/utility/init.sls | 23 +++++++++++++++---- 17 files changed, 57 insertions(+), 30 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 33a8b9984..948adee99 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -2,6 +2,8 @@ {% if sls in allowed_states %} {% set role = grains.id.split('_') | last %} +{% set ELASTICUSER = salt['pillar.get']('elasticsearch:auth:user', '' ) %} +{% set ELASTICPASS = salt['pillar.get']('elasticsearch:auth:pass', '' ) %} # Remove variables.txt from /tmp - This is temp rmvariablesfile: @@ -178,6 +180,13 @@ utilsyncscripts: - file_mode: 755 - template: jinja - source: salt://common/tools/sbin + - defaults: + ELASTICCURL: "curl" +{% if salt['pillar.get']('elasticsearch:auth_enabled', False) %} + - context: + ELASTICCURL: "curl --user {{ELASTICUSER}}:{{ELASTICPASS}}" +{% endif %} + {% if role in ['eval', 'standalone', 'sensor', 'heavynode'] %} # Add sensor cleanup diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear index 4c7271272..56b5c3d2c 100755 
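Review bot: The `context` value `curl --user {{ELASTICUSER}}:{{ELASTICPASS}}` in `utilsyncscripts` writes the Elasticsearch password in clear text into every script rendered from `salt://common/tools/sbin`, and those files are installed with `file_mode: 755`, so any local account can read it. The same string also puts the credentials on curl's command line, where they are visible in the process list while a request runs. Keep the secret in a root-only curl config file and render `ELASTICCURL: "curl -K <path-to-curl-config>"` instead. The same pattern returns later in the series for the curator (`mode: 755`), pipelines (`mode: 754`) and Kibana (`mode: 755`) script states. The `utilsyncscripts` state begins above this hunk.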
--- a/salt/common/tools/sbin/so-elastic-clear +++ b/salt/common/tools/sbin/so-elastic-clear @@ -50,7 +50,7 @@ done if [ $SKIP -ne 1 ]; then # List indices echo - curl -k -L https://{{ NODEIP }}:9200/_cat/indices?v + {{ ELASTICCURL }} -k -L https://{{ NODEIP }}:9200/_cat/indices?v echo # Inform user we are about to delete all data echo @@ -89,10 +89,10 @@ fi # Delete data echo "Deleting data..." -INDXS=$(curl -s -XGET -k -L https://{{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }') +INDXS=$({{ ELASTICCURL }} -s -XGET -k -L https://{{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }') for INDX in ${INDXS} do - curl -XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1 + {{ ELASTICCURL }} -XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1 done #Start Logstash/Filebeat diff --git a/salt/common/tools/sbin/so-elasticsearch-indices-list b/salt/common/tools/sbin/so-elasticsearch-indices-list index c9df67a25..b5cd1b359 100755 --- a/salt/common/tools/sbin/so-elasticsearch-indices-list +++ b/salt/common/tools/sbin/so-elasticsearch-indices-list @@ -18,4 +18,4 @@ . /usr/sbin/so-common -curl -s -k -L https://{{ NODEIP }}:9200/_cat/indices?pretty +{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_cat/indices?pretty diff --git a/salt/common/tools/sbin/so-elasticsearch-indices-rw b/salt/common/tools/sbin/so-elasticsearch-indices-rw index 6b123bd0d..f5296f2b8 100755 --- a/salt/common/tools/sbin/so-elasticsearch-indices-rw +++ b/salt/common/tools/sbin/so-elasticsearch-indices-rw 
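Review bot: Every call changed in `so-elastic-clear` keeps `-k`, so once `{{ ELASTICCURL }}` carries `--user`, the basic-auth header is sent to whatever answers on `{{ NODEIP }}:9200` without certificate validation. With credentials in the request the scripts should verify the server, e.g. `{{ ELASTICCURL }} --cacert <path-to-ca.crt> -s -L https://{{ NODEIP }}:9200/_cat/indices?v`. This applies to both hunks of this file and to the other `so-elasticsearch-*` scripts changed by this patch, which all combine `{{ ELASTICCURL }}` with `-k`.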
@@ -21,5 +21,5 @@ THEHIVEESPORT=9400 echo "Removing read only attributes for indices..." echo -curl -s -k -XPUT -H "Content-Type: application/json" -L https://$IP:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute. Please ensure Elasticsearch is running.";fi; -curl -XPUT -H "Content-Type: application/json" -L http://$IP:9400/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute. Please ensure Elasticsearch is running.";fi; +{{ ELASTICCURL }} -s -k -XPUT -H "Content-Type: application/json" -L https://$IP:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute. Please ensure Elasticsearch is running.";fi; +{{ ELASTICCURL }} -XPUT -H "Content-Type: application/json" -L http://$IP:9400/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute. Please ensure Elasticsearch is running.";fi; diff --git a/salt/common/tools/sbin/so-elasticsearch-pipeline-stats b/salt/common/tools/sbin/so-elasticsearch-pipeline-stats index 146196917..2f9edb6c1 100755 --- a/salt/common/tools/sbin/so-elasticsearch-pipeline-stats +++ b/salt/common/tools/sbin/so-elasticsearch-pipeline-stats 
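Review bot: The second changed line sends its request to `http://$IP:9400`, the port the hunk header names `THEHIVEESPORT`, so with auth enabled the Elasticsearch user and password travel over plain HTTP to what appears to be a separate service. Unless that instance really uses the same credentials, leave this call on plain curl: `curl -XPUT -H "Content-Type: application/json" -L http://$IP:9400/_all/_settings ...`. If it does need authentication, move the endpoint to HTTPS before adding `{{ ELASTICCURL }}`.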
@@ -19,7 +19,7 @@ . /usr/sbin/so-common if [ "$1" == "" ]; then - curl -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines" + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines" else - curl -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\"" + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\"" fi diff --git a/salt/common/tools/sbin/so-elasticsearch-pipeline-view b/salt/common/tools/sbin/so-elasticsearch-pipeline-view index 04901e122..9f799c07f 100755 --- a/salt/common/tools/sbin/so-elasticsearch-pipeline-view +++ b/salt/common/tools/sbin/so-elasticsearch-pipeline-view @@ -19,7 +19,7 @@ . /usr/sbin/so-common if [ "$1" == "" ]; then - curl -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq . + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq . else - curl -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq . + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq . fi diff --git a/salt/common/tools/sbin/so-elasticsearch-pipelines-list b/salt/common/tools/sbin/so-elasticsearch-pipelines-list index 565f90071..f6ef516ef 100755 --- a/salt/common/tools/sbin/so-elasticsearch-pipelines-list +++ b/salt/common/tools/sbin/so-elasticsearch-pipelines-list @@ -17,7 +17,7 @@ {%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} . /usr/sbin/so-common if [ "$1" == "" ]; then - curl -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys' + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys' else - curl -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq fi 
diff --git a/salt/common/tools/sbin/so-elasticsearch-shards-list b/salt/common/tools/sbin/so-elasticsearch-shards-list index 9d28ed95b..a240f993f 100755 --- a/salt/common/tools/sbin/so-elasticsearch-shards-list +++ b/salt/common/tools/sbin/so-elasticsearch-shards-list @@ -18,4 +18,4 @@ . /usr/sbin/so-common -curl -s -k -L https://{{ NODEIP }}:9200/_cat/shards?pretty +{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_cat/shards?pretty diff --git a/salt/common/tools/sbin/so-elasticsearch-template-remove b/salt/common/tools/sbin/so-elasticsearch-template-remove index f7c3e6812..fe19a9d03 100755 --- a/salt/common/tools/sbin/so-elasticsearch-template-remove +++ b/salt/common/tools/sbin/so-elasticsearch-template-remove @@ -18,4 +18,4 @@ . /usr/sbin/so-common -curl -s -k -L -XDELETE https://{{ NODEIP }}:9200/_template/$1 +{{ ELASTICCURL }} -s -k -L -XDELETE https://{{ NODEIP }}:9200/_template/$1 diff --git a/salt/common/tools/sbin/so-elasticsearch-template-view b/salt/common/tools/sbin/so-elasticsearch-template-view index c9f3ec199..1083cb762 100755 --- a/salt/common/tools/sbin/so-elasticsearch-template-view +++ b/salt/common/tools/sbin/so-elasticsearch-template-view @@ -19,7 +19,7 @@ . /usr/sbin/so-common if [ "$1" == "" ]; then - curl -s -k -L https://{{ NODEIP }}:9200/_template/* | jq . + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/* | jq . else - curl -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq . + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq . fi diff --git a/salt/common/tools/sbin/so-elasticsearch-templates-list b/salt/common/tools/sbin/so-elasticsearch-templates-list index 494ca5770..6a7c4d039 100755 --- a/salt/common/tools/sbin/so-elasticsearch-templates-list +++ b/salt/common/tools/sbin/so-elasticsearch-templates-list 
@@ -17,7 +17,7 @@ {%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} . /usr/sbin/so-common if [ "$1" == "" ]; then - curl -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys' + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys' else - curl -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq fi diff --git a/salt/common/tools/sbin/so-index-list b/salt/common/tools/sbin/so-index-list index cf9232150..e24599f0e 100755 --- a/salt/common/tools/sbin/so-index-list +++ b/salt/common/tools/sbin/so-index-list @@ -15,4 +15,4 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -curl -X GET -k -L "https://localhost:9200/_cat/indices?v&s=index" +{{ ELASTICCURL }} -X GET -k -L "https://localhost:9200/_cat/indices?v&s=index" diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 620737c16..14e2148d0 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -326,7 +326,7 @@ rc1_to_rc2() { local NAME=$(echo $p | awk '{print $1}') local IP=$(echo $p | awk '{print $2}') echo "Removing the old cross cluster config for $NAME" - curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_cluster/settings -d '{"persistent":{"cluster":{"remote":{"'$NAME'":{"skip_unavailable":null,"seeds":null}}}}}' + {{ ELASTICCURL }} -XPUT -H 'Content-Type: application/json' http://localhost:9200/_cluster/settings -d '{"persistent":{"cluster":{"remote":{"'$NAME'":{"skip_unavailable":null,"seeds":null}}}}}' done Date: Mon, 24 May 2021 15:14:05 -0400 Subject: [PATCH 02/17] use elastic map file --- salt/common/init.sls | 9 ++------- .../tools/sbin/so-elasticsearch-templates-load | 4 ++-- .../files/bin/so-curator-closed-delete-delete | 6 +++--- salt/curator/init.sls | 5 ++++- salt/elasticsearch/auth.map.jinja | 7 +++++++ .../files/so-elasticsearch-pipelines | 6 +++--- salt/utility/init.sls | 15 +++------------ 7 files changed, 24 insertions(+), 28 deletions(-) create mode 100644 salt/elasticsearch/auth.map.jinja diff --git a/salt/common/init.sls b/salt/common/init.sls index 948adee99..389b0b8a3 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -2,8 +2,7 @@ {% if sls in allowed_states %} {% set role = grains.id.split('_') | last %} -{% set ELASTICUSER = salt['pillar.get']('elasticsearch:auth:user', '' ) %} -{% set ELASTICPASS = salt['pillar.get']('elasticsearch:auth:pass', '' ) %} +{% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %} # Remove variables.txt from /tmp - This is temp rmvariablesfile: @@ -181,11 +180,7 @@ utilsyncscripts: - template: jinja - source: salt://common/tools/sbin - defaults: - ELASTICCURL: "curl" -{% if salt['pillar.get']('elasticsearch:auth_enabled', False) %} - - context: - ELASTICCURL: "curl --user {{ELASTICUSER}}:{{ELASTICPASS}}" -{% endif %} + ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} {% if role in ['eval', 'standalone', 'sensor', 'heavynode'] %} 
diff --git a/salt/common/tools/sbin/so-elasticsearch-templates-load b/salt/common/tools/sbin/so-elasticsearch-templates-load index 42a836854..30ab66b48 100755 --- a/salt/common/tools/sbin/so-elasticsearch-templates-load +++ b/salt/common/tools/sbin/so-elasticsearch-templates-load @@ -30,7 +30,7 @@ echo -n "Waiting for ElasticSearch..." COUNT=0 ELASTICSEARCH_CONNECTED="no" while [[ "$COUNT" -le 240 ]]; do - curl -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" + {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" if [ $? -eq 0 ]; then ELASTICSEARCH_CONNECTED="yes" echo "connected!" @@ -51,7 +51,7 @@ cd ${ELASTICSEARCH_TEMPLATES} echo "Loading templates..." -for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; curl -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done +for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; {{ ELASTICCURL }} -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done echo cd - >/dev/null diff --git a/salt/curator/files/bin/so-curator-closed-delete-delete b/salt/curator/files/bin/so-curator-closed-delete-delete index 9cc94833c..7dd7b82e7 100755 --- a/salt/curator/files/bin/so-curator-closed-delete-delete +++ b/salt/curator/files/bin/so-curator-closed-delete-delete 
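Review bot: The template-loading loop in the second hunk now passes two credential sources, `{{ ELASTICCURL }}` and the older `${ELASTICSEARCH_AUTH}`, while the readiness probe in the first hunk and the `so-elasticsearch-pipelines` script in the same patch use only `{{ ELASTICCURL }}`. Drop the old variable so there is one source of truth: `{{ ELASTICCURL }} -k -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE ...`. The loop also discards stderr with `2>/dev/null` and never inspects the response, so a rejected login after auth is enabled would go unnoticed; the `RESPONSE`/`RETURN_CODE` check in the pipelines script is a pattern to copy.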
@@ -34,7 +34,7 @@ overlimit() { closedindices() { - INDICES=$(curl -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed 2> /dev/null) + INDICES=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed 2> /dev/null) [ $? -eq 1 ] && return false echo ${INDICES} | grep -q -E "(logstash-|so-)" } @@ -49,10 +49,10 @@ while overlimit && closedindices; do # First, get the list of closed indices using _cat/indices?h=index\&expand_wildcards=closed. # Then, sort by date by telling sort to use hyphen as delimiter and then sort on the third field. # Finally, select the first entry in that sorted list. - OLDEST_INDEX=$(curl -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1) + OLDEST_INDEX=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1) # Now that we've determined OLDEST_INDEX, ask Elasticsearch to delete it. - curl -XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX} + {{ ELASTICCURL }} -XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX} # Finally, write a log entry that says we deleted it. echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT ({{LOG_SIZE_LIMIT}} GB) - Index ${OLDEST_INDEX} deleted ..." >> ${LOG} diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 245b700d0..966b0b857 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls 
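Review bot: The three curl calls in `closedindices` and the delete loop run without `--fail`, so an HTTP 401 or 403 after auth is enabled still exits 0 and the error body is handled as if it were index output. The existing `[ $? -eq 1 ]` test only matches one specific curl exit code. Add `--fail` and test for any non-zero status, e.g. `INDICES=$({{ ELASTICCURL }} -s -k --fail https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed 2> /dev/null)` followed by `[ $? -ne 0 ] && return 1`, and skip the `-XDELETE` when `OLDEST_INDEX` is empty. Both the function and the loop extend outside these hunks.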
@@ -5,6 +5,7 @@ {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} {% if grains['role'] in ['so-eval', 'so-node', 'so-managersearch', 'so-heavynode', 'so-standalone'] %} + {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %} # Curator # Create the group curatorgroup: @@ -66,6 +67,8 @@ curcloseddeldel: - group: 939 - mode: 755 - template: jinja + - defaults: + ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} curclose: file.managed: @@ -147,4 +150,4 @@ append_so-curator_so-status.conf: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/elasticsearch/auth.map.jinja b/salt/elasticsearch/auth.map.jinja new file mode 100644 index 000000000..af13729ef --- /dev/null +++ b/salt/elasticsearch/auth.map.jinja @@ -0,0 +1,7 @@ +{% set ELASTICAUTH = salt['pillar.filter_by']({ + True: { + 'user': salt['pillar.get']('elasticsearch:auth:user'), + 'pass': salt['pillar.get']('elasticsearch:auth:pass'), + 'elasticcurl':'curl --user {{ELASTICAUTH.user}}:{{ELASTICAUTH.pass}}'}, + False: {'elasticcurl': 'curl'}, +}, pillar='elasticsearch:auth:enabled') %} diff --git a/salt/elasticsearch/files/so-elasticsearch-pipelines b/salt/elasticsearch/files/so-elasticsearch-pipelines index fca50b7d4..5d103963e 100755 --- a/salt/elasticsearch/files/so-elasticsearch-pipelines +++ b/salt/elasticsearch/files/so-elasticsearch-pipelines @@ -27,7 +27,7 @@ echo -n "Waiting for ElasticSearch..." COUNT=0 ELASTICSEARCH_CONNECTED="no" while [[ "$COUNT" -le 240 ]]; do - curl ${ELASTICSEARCH_AUTH} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" + {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" if [ $? -eq 0 ]; then ELASTICSEARCH_CONNECTED="yes" echo "connected!" 
@@ -47,9 +47,9 @@ fi cd ${ELASTICSEARCH_INGEST_PIPELINES} echo "Loading pipelines..." -for i in *; do echo $i; RESPONSE=$(curl ${ELASTICSEARCH_AUTH} -k -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done +for i in *; do echo $i; RESPONSE=$({{ ELASTICCURL }} -k -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done echo cd - >/dev/null -exit $RETURN_CODE \ No newline at end of file +exit $RETURN_CODE diff --git a/salt/utility/init.sls b/salt/utility/init.sls index 5558139de..0b4f0f2c3 100644 --- a/salt/utility/init.sls +++ b/salt/utility/init.sls @@ -1,8 +1,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - {% set ELASTICUSER = salt['pillar.get']('elasticsearch:auth:user', '' ) %} - {% set ELASTICPASS = salt['pillar.get']('elasticsearch:auth:pass', '' ) %} + {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %} # This state is for checking things {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] %} @@ -15,11 +14,7 @@ crossclusterson: - source: salt://utility/bin/crossthestreams - template: jinja - defaults: - ELASTICCURL: "curl" - {% if salt['pillar.get']('elasticsearch:auth_enabled', False) %} - - context: - ELASTICCURL: "curl --user {{ELASTICUSER}}:{{ELASTICPASS}}" - {% endif %} + ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} {% endif %} {% if grains['role'] in ['so-eval', 'so-import'] %} 
@@ -31,11 +26,7 @@ fixsearch: - source: salt://utility/bin/eval - template: jinja - defaults: - ELASTICCURL: "curl" - {% if salt['pillar.get']('elasticsearch:auth_enabled', False) %} - - context: - ELASTICCURL: "curl --user {{ELASTICUSER}}:{{ELASTICPASS}}" - {% endif %} + ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} {% endif %} {% else %} From ba3a51387caeb293c2fbbc134931a18e70b885d8 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 24 May 2021 15:31:46 -0400 Subject: [PATCH 03/17] set default to False --- salt/elasticsearch/auth.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/auth.map.jinja b/salt/elasticsearch/auth.map.jinja index af13729ef..f216ef3c2 100644 --- a/salt/elasticsearch/auth.map.jinja +++ b/salt/elasticsearch/auth.map.jinja @@ -4,4 +4,4 @@ 'pass': salt['pillar.get']('elasticsearch:auth:pass'), 'elasticcurl':'curl --user {{ELASTICAUTH.user}}:{{ELASTICAUTH.pass}}'}, False: {'elasticcurl': 'curl'}, -}, pillar='elasticsearch:auth:enabled') %} +}, pillar='elasticsearch:auth:enabled', default=False) %} From 87609ba5d1afab1179e6e15105f4ade629d8d34a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 24 May 2021 15:44:01 -0400 Subject: [PATCH 04/17] fix elasticcurl if auth is enabled --- salt/elasticsearch/auth.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/auth.map.jinja b/salt/elasticsearch/auth.map.jinja index f216ef3c2..147b0157b 100644 --- a/salt/elasticsearch/auth.map.jinja +++ b/salt/elasticsearch/auth.map.jinja @@ -2,6 +2,6 @@ True: { 'user': salt['pillar.get']('elasticsearch:auth:user'), 'pass': salt['pillar.get']('elasticsearch:auth:pass'), - 'elasticcurl':'curl --user {{ELASTICAUTH.user}}:{{ELASTICAUTH.pass}}'}, + 'elasticcurl':'curl --user ' ~ salt['pillar.get']('elasticsearch:auth:user') ~ ':' ~ salt['pillar.get']('elasticsearch:auth:pass') }, False: {'elasticcurl': 'curl'}, }, pillar='elasticsearch:auth:enabled', default=False) %} 
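Review bot: The `elasticcurl` value in the `True` branch concatenates the pillar user and password into one string that the states render as an unquoted YAML scalar (`ELASTICCURL: {{ ELASTICAUTH.elasticcurl }}`) and the scripts then expand unquoted in the shell, so a space, quote, `$`, `;` or `#` in the password changes either the YAML value or the rendered command. Nothing visible in this series restricts the password alphabet. Keeping the secret out of the command string avoids both problems: `'elasticcurl': 'curl -K <path-to-root-only-curl-config>'`. That also removes the credentials from the process arguments and from the rendered script files.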
From 2deb703272761598aba2557f05c132244c4989c3 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 24 May 2021 16:30:55 -0400 Subject: [PATCH 05/17] map users_roles and users conf into docker container --- salt/elasticsearch/init.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index df297986a..7e0e700e9 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -35,6 +35,7 @@ {% endif %} {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} +{% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %} vm.max_map_count: sysctl.present: @@ -213,6 +214,10 @@ so-elasticsearch: - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro - /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro + {% if salt['pillar.get']('elasticsearch:auth:enabled', False) %} + - /opt/so/conf/elasticsearch/users_roles:/usr/share/elasticsearch/config/users_roles:ro + - /opt/so/conf/elasticsearch/users:/usr/share/elasticsearch/config/users:ro + {% endif %} - watch: - file: cacertz - file: esyml From bd301880ade0360deef8cf9362a9a598533a63aa Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 24 May 2021 16:32:30 -0400 Subject: [PATCH 06/17] define the default --- salt/elasticsearch/init.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 7e0e700e9..0a3ea0719 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -237,6 +237,8 @@ so-elasticsearch-pipelines-file: - group: 939 - mode: 754 - template: jinja + - defaults: + ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} so-elasticsearch-pipelines: cmd.run: From 5a1e8d9fe96d2d553490d41a882f0e6b4949873e Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Tue, 25 May 2021 08:50:55 -0400 Subject: [PATCH 07/17] update kibana scripts for elastic auth --- salt/common/tools/sbin/so-common | 3 ++- salt/common/tools/sbin/so-kibana-space-defaults | 8 ++++---- salt/kibana/bin/so-kibana-config-load | 6 +++--- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 22c7543ea..21948e67d 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -486,12 +486,13 @@ wait_for_web_response() { url=$1 expected=$2 maxAttempts=${3:-300} + curlcmd=${4:-curl} logfile=/root/wait_for_web_response.log attempt=0 while [[ $attempt -lt $maxAttempts ]]; do attempt=$((attempt+1)) echo "Waiting for value '$expected' at '$url' ($attempt/$maxAttempts)" - result=$(curl -ks -L $url) + result=$($curlcmd -ks -L $url) exitcode=$? echo "--------------------------------------------------" >> $logfile diff --git a/salt/common/tools/sbin/so-kibana-space-defaults b/salt/common/tools/sbin/so-kibana-space-defaults index edf356d45..48225e2f4 100755 --- a/salt/common/tools/sbin/so-kibana-space-defaults +++ b/salt/common/tools/sbin/so-kibana-space-defaults 
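Review bot: `curlcmd=${4:-curl}` takes a whole command line as one string and `$($curlcmd -ks -L $url)` relies on unquoted word splitting to turn it back into arguments, so a password containing whitespace or glob characters is split or expanded, and the credentials are repeated in the argument list on every retry. Passing a curl config path instead keeps the secret out of the variable: `curlcfg=${4:-}` and `result=$(curl ${curlcfg:+-K "$curlcfg"} -ks -L "$url")`. If the lines after this hunk write the command or `$result` to `/root/wait_for_web_response.log`, confirm that the credentials cannot end up there. `wait_for_web_response` continues past the end of the hunk.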
@@ -1,13 +1,13 @@ . /usr/sbin/so-common -wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" +wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}" ## This hackery will be removed if using Elastic Auth ## # Let's snag a cookie from Kibana -THECOOKIE=$(curl -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') +THECOOKIE=$({{ ELASTICCURL }} -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') # Disable certain Features from showing up in the Kibana UI echo echo "Setting up default Space:" -curl -b "sid=$THECOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet"]} ' >> /opt/so/log/kibana/misc.log -echo \ No newline at end of file +{{ ELASTICCURL }} -b "sid=$THECOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet"]} ' >> /opt/so/log/kibana/misc.log +echo diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index f07377018..d0e6f1edb 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load 
@@ -16,11 +16,11 @@ cp /opt/so/conf/kibana/saved_objects.ndjson.template /opt/so/conf/kibana/saved_o # SOCtopus and Manager sed -i "s/PLACEHOLDER/{{ MANAGER }}/g" /opt/so/conf/kibana/saved_objects.ndjson -wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" +wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}"" ## This hackery will be removed if using Elastic Auth ## # Let's snag a cookie from Kibana -THECOOKIE=$(curl -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') +THECOOKIE=$({{ ELASTICCURL }} -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') # Load saved objects -curl -b "sid=$THECOOKIE" -L -X POST "localhost:5601/api/saved_objects/_import?overwrite=true" -H "kbn-xsrf: true" --form file=@/opt/so/conf/kibana/saved_objects.ndjson >> /opt/so/log/kibana/misc.log \ No newline at end of file +{{ ELASTICCURL }} -b "sid=$THECOOKIE" -L -X POST "localhost:5601/api/saved_objects/_import?overwrite=true" -H "kbn-xsrf: true" --form file=@/opt/so/conf/kibana/saved_objects.ndjson >> /opt/so/log/kibana/misc.log From 8d9d5a267ac7c3f34bd0e482f5a107c06161cc64 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 25 May 2021 11:52:58 -0400 Subject: [PATCH 08/17] generate elasticsearch.auth pillar if it doesnt exist --- pillar/top.sls | 5 ++++- salt/elasticsearch/auth.sls | 9 +++++++++ salt/elasticsearch/files/curl.config | 1 + salt/elasticsearch/init.sls | 8 ++++++++ 4 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 salt/elasticsearch/auth.sls create mode 100644 salt/elasticsearch/files/curl.config diff --git a/pillar/top.sls b/pillar/top.sls index a795e03c1..80e02902e 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -46,6 +46,9 @@ base: - logstash.manager - logstash.search - elasticsearch.search +{% if salt['file.exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} + - elasticsearch.auth +{% endif %} - data.* - zeeklogs - secrets 
@@ -89,4 +92,4 @@ base: - secrets - elasticsearch.eval - global - - minions.{{ grains.id }} \ No newline at end of file + - minions.{{ grains.id }} diff --git a/salt/elasticsearch/auth.sls b/salt/elasticsearch/auth.sls new file mode 100644 index 000000000..a51abca1c --- /dev/null +++ b/salt/elasticsearch/auth.sls @@ -0,0 +1,9 @@ +elastic_auth_pillar: + file.managed: + - name: /opt/so/saltstack/local/pillar/elasticsearch/auth.sls + - contents: | + elasticsearch: + auth: + enabled: False + user: so_elastic + pass: {{ salt['random.get_str'](20) }} diff --git a/salt/elasticsearch/files/curl.config b/salt/elasticsearch/files/curl.config new file mode 100644 index 000000000..e4633df6c --- /dev/null +++ b/salt/elasticsearch/files/curl.config @@ -0,0 +1 @@ +user = "salt['pillar.get']('elasticsearch:auth:user'):salt['pillar.get']('elasticsearch:auth:pass')" diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 0a3ea0719..f0eee6d44 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -256,6 +256,14 @@ so-elasticsearch-templates: - template: jinja {% endif %} +elastic_curl_config: + file.managed: + - name: /opt/so/conf/elasticsearch/curl.config + - mode: 600 + # since we are generating a random password, and we don't want that to happen everytime + # a highstate runs, we only manage the file if it doesn't exist + - unless: ls /opt/so/conf/elasticsearch/curl.config + {% endif %} {# if grains['role'] != 'so-helix' #} {% else %} From 6da0b57ce1960858da182cc49c4a4d4eaa6ca706 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 25 May 2021 11:55:22 -0400 Subject: [PATCH 09/17] fix file.file_exists --- pillar/top.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pillar/top.sls b/pillar/top.sls index 80e02902e..8bd67c174 100644 --- a/pillar/top.sls +++ b/pillar/top.sls 
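Review bot: `elastic_auth_pillar` in the new `auth.sls` writes the generated password with no `mode`, `user` or `group`, so the pillar file gets whatever default permissions apply on the host, and `pass: {{ salt['random.get_str'](20) }}` is emitted as an unquoted YAML scalar. If the generated string can contain punctuation, a leading `#` or `{`, or a `: ` sequence, would truncate or break the value when the pillar is loaded. Add `- mode: 600` plus an explicit owner to the state and quote the value, `pass: "{{ salt['random.get_str'](20) }}"`, ideally restricting the generator to an alphanumeric alphabet so the same string is safe in YAML and in the shell commands built from it.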
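Review bot: The new `curl.config` is not usable as written: its `salt['pillar.get'](...)` calls are not wrapped in `{{ }}`, and the `elastic_curl_config` state added in the `init.sls` hunk has neither `source` nor `template: jinja`, so as far as this hunk shows the target file is created without this content. The file line should read `user = "{{ salt['pillar.get']('elasticsearch:auth:user') }}:{{ salt['pillar.get']('elasticsearch:auth:pass') }}"`, and the state needs `- source: salt://elasticsearch/files/curl.config` and `- template: jinja`. No script in the visible patches passes the file to curl with `-K`, so the password is still carried in `ELASTICCURL`. The comment about generating a random password is attached to this state although no password is generated here.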
@@ -46,7 +46,7 @@ base: - logstash.manager - logstash.search - elasticsearch.search -{% if salt['file.exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} +{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} - elasticsearch.auth {% endif %} - data.* From 58ec31d6c7c3cb9cacd76e907aaf59736814cabc Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 25 May 2021 12:02:41 -0400 Subject: [PATCH 10/17] pass ELASTICAUTH to script --- salt/kibana/init.sls | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 75b96b72a..61498cfeb 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -4,6 +4,7 @@ {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} +{% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %} # Add ES Group kibanasearchgroup: @@ -63,6 +64,8 @@ kibanabin: - source: salt://kibana/bin/so-kibana-config-load - mode: 755 - template: jinja + - defaults: + ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} # Start the kibana docker so-kibana: @@ -113,4 +116,4 @@ so-kibana-config-load: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} From 35cc7b27e9f66716621ae9c33a0a9045acba934c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 25 May 2021 13:12:30 -0400 Subject: [PATCH 11/17] remove extra quote --- salt/kibana/bin/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index d0e6f1edb..58535a886 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load 
@@ -16,7 +16,7 @@ cp /opt/so/conf/kibana/saved_objects.ndjson.template /opt/so/conf/kibana/saved_o # SOCtopus and Manager sed -i "s/PLACEHOLDER/{{ MANAGER }}/g" /opt/so/conf/kibana/saved_objects.ndjson -wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}"" +wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}" ## This hackery will be removed if using Elastic Auth ## # Let's snag a cookie from Kibana From 747dc77c92032d0a569e80706d65d3731ef49b77 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 25 May 2021 13:23:26 -0400 Subject: [PATCH 12/17] comment out the hackery --- salt/kibana/bin/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 58535a886..8f80b5c3d 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load @@ -16,7 +16,7 @@ cp /opt/so/conf/kibana/saved_objects.ndjson.template /opt/so/conf/kibana/saved_o # SOCtopus and Manager sed -i "s/PLACEHOLDER/{{ MANAGER }}/g" /opt/so/conf/kibana/saved_objects.ndjson -wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}" +#wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}" ## This hackery will be removed if using Elastic Auth ## # Let's snag a cookie from Kibana From e261c197f3aacc639ca4583e343a1a6daafc6dab Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 25 May 2021 13:46:18 -0400 Subject: [PATCH 13/17] add elasticsearch.auth state to statnalone node --- salt/elasticsearch/auth.sls | 3 +++ salt/elasticsearch/init.sls | 3 --- salt/top.sls | 1 + 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/salt/elasticsearch/auth.sls b/salt/elasticsearch/auth.sls index a51abca1c..e8ab1e378 100644 --- a/salt/elasticsearch/auth.sls +++ b/salt/elasticsearch/auth.sls 
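Review bot: Commenting out `wait_for_web_response` lets the cookie request and the saved-objects import that follow in this script run whether or not Kibana is answering yet, and neither of those curl calls (visible in the earlier patch to this file) checks its result, so a failed import only shows up in `/opt/so/log/kibana/misc.log`. If the wait was failing because of the new fourth argument, fix the call rather than disabling it, or add `--fail` and a retry to the import. At minimum, replace the dead line with a comment that says why the wait is skipped, e.g. `# wait disabled: <reason>; import below may run before Kibana is ready`. The script continues past the end of the hunk.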
@@ -7,3 +7,6 @@ elastic_auth_pillar: enabled: False user: so_elastic pass: {{ salt['random.get_str'](20) }} + # since we are generating a random password, and we don't want that to happen everytime + # a highstate runs, we only manage the file if it doesn't exist + - unless: ls /opt/so/saltstack/local/pillar/elasticsearch/auth.sls diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index f0eee6d44..7005a66c5 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -260,9 +260,6 @@ elastic_curl_config: file.managed: - name: /opt/so/conf/elasticsearch/curl.config - mode: 600 - # since we are generating a random password, and we don't want that to happen everytime - # a highstate runs, we only manage the file if it doesn't exist - - unless: ls /opt/so/conf/elasticsearch/curl.config {% endif %} {# if grains['role'] != 'so-helix' #} diff --git a/salt/top.sls b/salt/top.sls index 8a12aaa26..f3f2958ae 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -238,6 +238,7 @@ base: {%- endif %} {%- if ELASTICSEARCH %} - elasticsearch + - elasticsearch.auth {%- endif %} {%- if LOGSTASH %} - logstash From c3b2e1e8b22d65d05f5a0e87a615ef28af1530c8 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 25 May 2021 16:16:57 -0400 Subject: [PATCH 14/17] dont show changes --- salt/elasticsearch/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 7005a66c5..65a3d2bca 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -260,6 +260,7 @@ elastic_curl_config: file.managed: - name: /opt/so/conf/elasticsearch/curl.config - mode: 600 + - show_changes: False {% endif %} {# if grains['role'] != 'so-helix' #} From 4d991d3773f655ae510f7075f33bc3eee03dca7e Mon Sep 17 00:00:00 2001 
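Review bot: The `unless: ls …/auth.sls` guard shells out on every highstate only to test that a file exists; if `elastic_auth_pillar` is a `file.managed` state (its head is outside this hunk), `- replace: False` says "create once, never overwrite" without a subprocess. The value above it, `pass: {{ salt['random.get_str'](20) }}`, is written unquoted, so whether the file always parses depends on the generator's character set, which is not visible here. `pass: {{ salt['random.get_str'](20) | yaml_dquote }}` would make that independent of the characters drawn. No `mode` is visible for this file either, and it stores the Elasticsearch password, so confirm that the part of the state outside the hunk keeps it unreadable to other local users.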
From: m0duspwnens Date: Wed, 26 May 2021 14:52:10 -0400 Subject: [PATCH 15/17] propogate users and users_roles --- salt/elasticsearch/init.sls | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 65a3d2bca..017c135d2 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -37,6 +37,8 @@ {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %} +{% set ES_INCLUDED_NODES = ['so-standalone'] %} + vm.max_map_count: sysctl.present: - value: 262144 @@ -170,6 +172,35 @@ eslogdir: - group: 939 - makedirs: True +{% if grains.role in ES_INCLUDED_NODES %} +# Must run before elasticsearch docker container is started! +syncesusers: + cmd.run: + - name: so-user sync + - creates: + - /opt/so/saltstack/local/salt/elasticsearch/files/users + - /opt/so/saltstack/local/salt/elasticsearch/files/users_roles +{% endif %} + +auth_users: + file.managed: + - name: /opt/so/conf/elasticsearch/users + - source: salt://elasticsearch/files/users + - require: +{% if grains.role in ES_INCLUDED_NODES %} + - cmd: syncesusers +{% endif %} + +auth_users_roles: + file.managed: + - name: /opt/so/conf/elasticsearch/users_roles + - source: salt://elasticsearch/files/users_roles +{% if grains.role in ES_INCLUDED_NODES %} + - require: + - cmd: syncesusers +{% endif %} + + so-elasticsearch: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }} From 7263e35a89273af973aefeb5cf91d87aa28da042 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 26 May 2021 14:52:59 -0400 Subject: [PATCH 16/17] happy little comment --- salt/elasticsearch/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 017c135d2..84de1fd0b 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls 
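Review bot: In `auth_users` the `- require:` key sits outside the `{% if grains.role in ES_INCLUDED_NODES %}` guard, so on every other role it renders with no value, while `auth_users_roles` directly below guards the whole requisite. Move `- require:` inside the `{% if %}` so the two states match and no empty requisite is emitted. Both managed files look like Elasticsearch file-realm data (user names with password hashes, and role mappings), yet neither state sets `mode`, `user` or `group`, so they get default permissions. I would give them an explicit owner matching the account the container runs as and a mode that is not world-readable, plus `- show_changes: False` as `elastic_curl_config` already has, so hashes do not end up in highstate output.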
@@ -37,6 +37,7 @@ {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %} +# used in this state to control who can run the so-users script {% set ES_INCLUDED_NODES = ['so-standalone'] %} vm.max_map_count: From dc8520df42c9b31ff6fc46f0329b45649def9342 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 26 May 2021 18:04:30 -0400 Subject: [PATCH 17/17] user curl.config for curl and elasticscripts --- salt/elasticsearch/auth.map.jinja | 2 +- salt/elasticsearch/init.sls | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/auth.map.jinja b/salt/elasticsearch/auth.map.jinja index 147b0157b..c6f099025 100644 --- a/salt/elasticsearch/auth.map.jinja +++ b/salt/elasticsearch/auth.map.jinja @@ -2,6 +2,6 @@ True: { 'user': salt['pillar.get']('elasticsearch:auth:user'), 'pass': salt['pillar.get']('elasticsearch:auth:pass'), - 'elasticcurl':'curl --user ' ~ salt['pillar.get']('elasticsearch:auth:user') ~ ':' ~ salt['pillar.get']('elasticsearch:auth:pass') }, + 'elasticcurl':'curl -K /opt/so/conf/elasticsearch/curl.config' }, False: {'elasticcurl': 'curl'}, }, pillar='elasticsearch:auth:enabled', default=False) %} diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 84de1fd0b..9c0372684 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -292,6 +292,7 @@ elastic_curl_config: file.managed: - name: /opt/so/conf/elasticsearch/curl.config - mode: 600 + - contents: user = "{{ salt['pillar.get']('elasticsearch:auth:user') }}:{{ salt['pillar.get']('elasticsearch:auth:pass') }}" - show_changes: False {% endif %} {# if grains['role'] != 'so-helix' #}
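Review bot: The new comment names a `so-users` script, but the command this list gates in `syncesusers` is `so-user sync`, and "who can run" reads like an access control when the list only selects node roles. I would word it as `# node roles on which this state runs "so-user sync" to generate the users and users_roles files`.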
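Review bot: The new `contents` line in `elastic_curl_config` puts the pillar user and password into a double-quoted curl config value through an unquoted YAML scalar, with no escaping at either layer. Inside a quoted curl config value a `"` ends the string and `\` starts an escape, so a password containing either would yield a curl.config that sends the wrong secret or fails to parse, and some characters could also break the YAML render. The generated password comes from `random.get_str(20)`, whose character set is not visible here, and the pillar can also be edited by hand. I would build the line in a Jinja variable with `\` and `"` backslash-escaped and emit it as `- contents: {{ curl_user_line | yaml_dquote }}` (variable name constructed for this note). `elastic_curl_config` begins outside this hunk, so the condition guarding it is not visible.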