mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-05-07 11:58:21 +02:00
Mike Reeves
614f32c5e0
The old flow had two writers for each per-minion Telegraf password
(so-minion wrote the minion pillar; postgres.auth regenerated any
missing aggregate entries). They drifted on first-boot and there was
no trigger to create DB roles when a new minion joined.
Split responsibilities:
- pillar/postgres/auth.sls (manager-scoped) keeps only the so_postgres
admin cred.
- pillar/telegraf/creds.sls (grid-wide) holds a {minion_id: {user,
pass}} map, shadowed per-install by the local-pillar copy.
- salt/manager/tools/sbin/so-telegraf-cred is the single writer:
flock, atomic YAML write, PyYAML safe_dump so passwords never
round-trip through so-yaml.py's type coercion. Idempotent add, quiet
remove.
- so-minion's add/remove hooks now shell out to so-telegraf-cred
instead of editing pillar files directly.
- postgres.telegraf_users iterates the new pillar key and CREATE/ALTERs
roles from it; telegraf.conf reads its own entry via grains.id.
- orch.deploy_newnode runs postgres.telegraf_users on the manager and
refreshes the new minion's pillar before the new node highstates,
so the DB role is in place the first time telegraf tries to connect.
- soup's post_to_3.1.0 backfills the creds pillar from accepted salt
keys (idempotent) and runs postgres.telegraf_users once to reconcile
the DB.
58 lines
1.7 KiB
Plaintext
58 lines
1.7 KiB
Plaintext
{% set MANAGER = salt['pillar.get']('setup:manager') %}
|
|
{% set NEWNODE = salt['pillar.get']('setup:newnode') %}
|
|
|
|
# tell the minion to populate the mine with data from mine_functions which is populated during setup
|
|
# this only needs to happen on non managers since they handle this during setup
|
|
# and they need to wait for ca creation to update the mine
|
|
{{NEWNODE}}_update_mine:
|
|
salt.function:
|
|
- name: mine.update
|
|
- tgt: {{ NEWNODE }}
|
|
- retry:
|
|
attempts: 36
|
|
interval: 5
|
|
|
|
# we need to prepare the manager for a new searchnode or heavynode
|
|
{% if NEWNODE.split('_')|last in ['searchnode', 'heavynode'] %}
|
|
manager_run_es_soc:
|
|
salt.state:
|
|
- tgt: {{ MANAGER }}
|
|
- sls:
|
|
- elasticsearch
|
|
- soc
|
|
- queue: True
|
|
- require:
|
|
- salt: {{NEWNODE}}_update_mine
|
|
{% endif %}
|
|
|
|
# so-minion has already added the new minion's entry to telegraf/creds.sls
|
|
# via so-telegraf-cred before this orch fires. Reconcile the Postgres role
|
|
# on the manager so the new minion can authenticate on its first highstate,
|
|
# then refresh the minion's pillar so its telegraf.conf renders with the
|
|
# freshly-written cred.
|
|
manager_create_postgres_telegraf_role:
|
|
salt.state:
|
|
- tgt: {{ MANAGER }}
|
|
- sls:
|
|
- postgres.telegraf_users
|
|
- queue: True
|
|
- require:
|
|
- salt: {{NEWNODE}}_update_mine
|
|
|
|
{{NEWNODE}}_refresh_pillar:
|
|
salt.function:
|
|
- name: saltutil.refresh_pillar
|
|
- tgt: {{ NEWNODE }}
|
|
- kwarg:
|
|
wait: True
|
|
- require:
|
|
- salt: manager_create_postgres_telegraf_role
|
|
|
|
{{NEWNODE}}_run_highstate:
|
|
salt.state:
|
|
- tgt: {{ NEWNODE }}
|
|
- highstate: True
|
|
- queue: True
|
|
- require:
|
|
- salt: {{NEWNODE}}_refresh_pillar
|