diff --git a/pillar/top.sls b/pillar/top.sls index 8bd67c174..ff4cb5787 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -22,6 +22,9 @@ base: '*_manager or *_managersearch': - match: compound - data.* +{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} + - elasticsearch.auth +{% endif %} - secrets - global - minions.{{ grains.id }} @@ -38,6 +41,9 @@ base: - secrets - healthcheck.eval - elasticsearch.eval +{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} + - elasticsearch.auth +{% endif %} - global - minions.{{ grains.id }} @@ -91,5 +97,8 @@ base: - zeeklogs - secrets - elasticsearch.eval +{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} + - elasticsearch.auth +{% endif %} - global - minions.{{ grains.id }} diff --git a/salt/common/init.sls b/salt/common/init.sls index 33c1f28df..09a0db934 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -3,12 +3,6 @@ {% set role = grains.id.split('_') | last %} {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %} -{% set ES_INCLUDED_NODES = ['so-standalone'] %} - -{% if grains.role in ES_INCLUDED_NODES %} -include: - - elasticsearch.auth -{% %} # Remove variables.txt from /tmp - This is temp rmvariablesfile: @@ -174,6 +168,13 @@ alwaysupdated: Etc/UTC: timezone.system +elastic_curl_config: + file.managed: + - name: /opt/so/conf/elasticsearch/curl.config + - source: salt://elasticsearch/curl.config + - mode: 600 + - show_changes: False + # Sync some Utilities utilsyncscripts: file.recurse: @@ -185,10 +186,6 @@ utilsyncscripts: - source: salt://common/tools/sbin - defaults: ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} -{% if grains.role in ES_INCLUDED_NODES %} - - require: - - file: elastic_auth_pillar -{% endif %} {% if role in ['eval', 'standalone', 'sensor', 'heavynode'] %} # Add sensor cleanup 
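Review bot: The `salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls')` guard is pasted verbatim into all three hunks of pillar/top.sls, so a path change has to be repeated three times. Evaluate it once near the top of the file, `{% set ES_AUTH_PILLAR = salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}`, and write `{% if ES_AUTH_PILLAR %}` at each include site. The manager hunk reads `elasticsearch:auth:users:so_elastic_user:pass` from this pillar, so it carries a credential; the first hunk's target is `*_manager or *_managersearch`, but the targets of the second and third hunks fall outside the visible hunk text, so please confirm that each of those minion groups actually needs the credential rather than receiving it because the include was added next to every `elasticsearch.eval` entry.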
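Review bot: The so_elastic_user credential is no longer scoped by pillar targeting once `elastic_curl_config` in salt/common/init.sls fetches it from `salt://elasticsearch/curl.config`: the salt/manager/init.sls hunk renders that file from pillar into `/opt/so/saltstack/local/salt/elasticsearch/curl.config`, presumably part of file_roots, and as far as I know the salt fileserver serves any file under file_roots to any accepted minion, whereas the `contents:` form removed from salt/elasticsearch/init.sls rendered the secret from pillar on the consuming minion only. Consider keeping the secret in pillar here as well, `- contents: user = "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user') }}:{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass') }}"`, and distributing only non-secret material via `salt://`. Separately, `common` is applied to every role and nothing in this hunk creates `/opt/so/conf/elasticsearch/`; unless another state guarantees that directory on non-Elasticsearch nodes, add `- makedirs: True` so `file.managed` does not fail there.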
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index fb2927e99..4d5ce4921 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -37,8 +37,6 @@ {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %} -# used in this state to control who can run the so-users script -{% set ES_INCLUDED_NODES = ['so-standalone'] %} vm.max_map_count: sysctl.present: @@ -173,33 +171,15 @@ eslogdir: - group: 939 - makedirs: True -{% if grains.role in ES_INCLUDED_NODES %} -# Must run before elasticsearch docker container is started! -syncesusers: - cmd.run: - - name: so-user sync - - creates: - - /opt/so/saltstack/local/salt/elasticsearch/files/users - - /opt/so/saltstack/local/salt/elasticsearch/files/users_roles -{% endif %} - auth_users: file.managed: - name: /opt/so/conf/elasticsearch/users - source: salt://elasticsearch/files/users - - require: -{% if grains.role in ES_INCLUDED_NODES %} - - cmd: syncesusers -{% endif %} auth_users_roles: file.managed: - name: /opt/so/conf/elasticsearch/users_roles - source: salt://elasticsearch/files/users_roles -{% if grains.role in ES_INCLUDED_NODES %} - - require: - - cmd: syncesusers -{% endif %} so-elasticsearch: docker_container.running: @@ -289,13 +269,6 @@ so-elasticsearch-templates: - template: jinja {% endif %} -elastic_curl_config: - file.managed: - - name: /opt/so/conf/elasticsearch/curl.config - - mode: 600 - - contents: user = "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user') }}:{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass') }}" - - show_changes: False - {% endif %} {# if grains['role'] != 'so-helix' #} {% else %} diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 91be3136f..7ef489496 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls 
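Review bot: With the `- require: - cmd: syncesusers` edges removed, `auth_users` and `auth_users_roles` in salt/elasticsearch/init.sls have no requisite tying them to whatever produces `salt://elasticsearch/files/users` and `files/users_roles`; the producer, `syncesusers` in the salt/manager/init.sls hunk, still carries the comment `# Must run before elasticsearch docker container is started!`, but nothing in either hunk enforces that order any more. On a standalone node where both states apply, the order now rests on `manager` being listed before `elasticsearch` in salt/top.sls, which can be broken silently by an unrelated edit. Either add a requisite that survives the split (for example `- require_in:` from `syncesusers` to `file: auth_users` and `file: auth_users_roles`, which works if both states are in the same highstate) or replace the comment with one that states the dependency on top-file ordering explicitly. I cannot tell from the diff whether `so-user sync` tolerates running after the container is already up.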
@@ -105,6 +105,22 @@ strelka_yara_update: - name: '/usr/sbin/so-yara-update >> /nsm/strelka/log/yara-update.log 2>&1' - hour: '7' - minute: '1' + +elastic_curl_config_distributed: + file.managed: + - name: /opt/so/saltstack/local/salt/elasticsearch/curl.config + - mode: 600 + - contents: user = "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user') }}:{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass') }}" + - show_changes: False + +# Must run before elasticsearch docker container is started! +syncesusers: + cmd.run: + - name: so-user sync + - creates: + - /opt/so/saltstack/local/salt/elasticsearch/files/users + - /opt/so/saltstack/local/salt/elasticsearch/files/users_roles + {% else %} {{sls}}_state_not_allowed: diff --git a/salt/top.sls b/salt/top.sls index f3f2958ae..a063c4279 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -238,7 +238,6 @@ base: {%- endif %} {%- if ELASTICSEARCH %} - elasticsearch - - elasticsearch.auth {%- endif %} {%- if LOGSTASH %} - logstash @@ -261,7 +260,7 @@ base: - filebeat {%- endif %} {%- if CURATOR %} - - curator + - curator0 {%- endif %} {%- if ELASTALERT %} - elastalert diff --git a/setup/so-setup b/setup/so-setup index 4c364ded6..6d2f6ac27 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -752,6 +752,7 @@ echo "1" > /root/accept_changes set_progress_str 60 "$(print_salt_state_apply 'manager')" salt-call state.apply -l info manager >> $setup_log 2>&1 + bash /opt/so/saltstack/default/salt/common/tools/sbin/so-elastic-auth fi set_progress_str 61 "$(print_salt_state_apply 'firewall')"
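Review bot: The second salt/top.sls hunk changes `- curator` to `- curator0` inside `{%- if CURATOR %}`, and no `curator0` state appears anywhere in this diff, so unless one exists elsewhere in the tree every node with `CURATOR` set will fail highstate with no matching sls for `curator0`. This is unrelated to the Elasticsearch auth change the rest of the commit makes and reads like a stray keystroke; revert it to `- curator`, or, if disabling curator was intended, express that in the `CURATOR` condition so the intent is visible.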
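Review bot: The new `bash /opt/so/saltstack/default/salt/common/tools/sbin/so-elastic-auth` line in setup/so-setup neither redirects its output to `$setup_log` nor checks its exit status, unlike the adjacent `salt-call state.apply -l info manager >> $setup_log 2>&1`. If the script fails, setup continues to the `firewall` state as though the Elasticsearch credentials had been created, and any diagnostic it prints goes to the console instead of the log the rest of setup uses. Make it consistent with its neighbours, `bash /opt/so/saltstack/default/salt/common/tools/sbin/so-elastic-auth >> $setup_log 2>&1`, and handle a non-zero exit the way other setup steps do; so-elastic-auth itself is not in the diff, so I cannot tell whether it surfaces errors on its own.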