mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-05-06 03:17:53 +02:00
Mike Reeves
614f32c5e0
The old flow had two writers for each per-minion Telegraf password
(so-minion wrote the minion pillar; postgres.auth regenerated any
missing aggregate entries). They drifted on first-boot and there was
no trigger to create DB roles when a new minion joined.
Split responsibilities:
- pillar/postgres/auth.sls (manager-scoped) keeps only the so_postgres
admin cred.
- pillar/telegraf/creds.sls (grid-wide) holds a {minion_id: {user,
pass}} map, shadowed per-install by the local-pillar copy.
- salt/manager/tools/sbin/so-telegraf-cred is the single writer:
flock, atomic YAML write, PyYAML safe_dump so passwords never
round-trip through so-yaml.py's type coercion. Idempotent add, quiet
remove.
- so-minion's add/remove hooks now shell out to so-telegraf-cred
instead of editing pillar files directly.
- postgres.telegraf_users iterates the new pillar key and CREATE/ALTERs
roles from it; telegraf.conf reads its own entry via grains.id.
- orch.deploy_newnode runs postgres.telegraf_users on the manager and
refreshes the new minion's pillar before the new node highstates,
so the DB role is in place the first time telegraf tries to connect.
- soup's post_to_3.1.0 backfills the creds pillar from accepted salt
keys (idempotent) and runs postgres.telegraf_users once to reconcile
the DB.
38 lines
1.4 KiB
Plaintext
38 lines
1.4 KiB
Plaintext
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
|
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
|
# https://securityonion.net/license; you may not use this file except in compliance with the
|
|
# Elastic License 2.0.
|
|
|
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
|
{% if sls in allowed_states %}
|
|
|
|
{% set DIGITS = "1234567890" %}
|
|
{% set LOWERCASE = "qwertyuiopasdfghjklzxcvbnm" %}
|
|
{% set UPPERCASE = "QWERTYUIOPASDFGHJKLZXCVBNM" %}
|
|
{% set SYMBOLS = "~!@#^&*()-_=+[]|;:,.<>?" %}
|
|
{% set CHARS = DIGITS~LOWERCASE~UPPERCASE~SYMBOLS %}
|
|
{% set so_postgres_user_pass = salt['pillar.get']('postgres:auth:users:so_postgres_user:pass', salt['random.get_str'](72, chars=CHARS)) %}
|
|
|
|
# Admin cred only. Per-minion Telegraf creds live in telegraf/creds.sls,
|
|
# managed by /usr/sbin/so-telegraf-cred (called from so-minion).
|
|
postgres_auth_pillar:
|
|
file.managed:
|
|
- name: /opt/so/saltstack/local/pillar/postgres/auth.sls
|
|
- mode: 640
|
|
- reload_pillar: True
|
|
- contents: |
|
|
postgres:
|
|
auth:
|
|
users:
|
|
so_postgres_user:
|
|
user: so_postgres
|
|
pass: "{{ so_postgres_user_pass }}"
|
|
- show_changes: False
|
|
{% else %}
|
|
|
|
{{sls}}_state_not_allowed:
|
|
test.fail_without_changes:
|
|
- name: {{sls}}_state_not_allowed
|
|
|
|
{% endif %}
|