Shield

README.md

@@ -9,6 +9,7 @@ This is an [Ansible](http://www.ansibleworks.com/) playbook for [Elasticsearch](
 - Support for installing custom JARs in the Elasticsearch classpath (e.g. custom Lucene Similarity JAR)
 - Support for installing the [Sematext SPM](http://www.sematext.com/spm/) monitor
 - Support for installing the [Marvel](http://www.elasticsearch.org/guide/en/marvel/current/) plugin
+- Support for installing the [Shield](http://www.elasticsearch.org/guide/en/marvel/current/) plugin
 
 ## Installing
 
@@ -65,7 +66,7 @@ spm_client_token=<your SPM token here>
 ```
 
 ### Edit your vars/my-vars.yml
-See `vars/sample.yml` and `vars/vagrant.yml` for example variable files. These are the files where you specify Elasticsearch settings and apply certain features such as plugins, custom JARs or monitoring. The best way to enable configurations is to look at `templates/elasticsearch.yml.j2` and see which variables you want to defile in your `vars/my-vars.yml`. See below for configurations regarding EC2, plugins and custom JARs.
+See `vars/sample.yml` and `vars/vagrant.yml` for example variable files. These are the files where you specify Elasticsearch settings and apply certain features such as plugins, custom JARs or monitoring. The best way to enable configurations is to look at `templates/elasticsearch.yml.j2` and see which variables you want to define in your `vars/my-vars.yml`. See below for configurations regarding EC2, plugins and custom JARs.
 
 ### Edit your my-playbook-main.yml
 Example `my-playbook-main.yml`:
@@ -186,6 +187,37 @@ The following variables provide configuration for the plugin. More options may b
 - elasticsearch_plugin_marvel_agent_interval
 - elasticsearch_plugin_marvel_agent_exporter_es_index_timeformat
 
+
+### Configuring Shield
+The following variables need to be defined in your playbook or inventory:
+
+- elasticsearch_plugin_shield_enabled
+
+The following variables provide configuration for the plugin. More options may be available in the future (see [https://www.elastic.co/guide/en/shield/current/reference.html](https://www.elastic.co/guide/en/shield/current/reference.html)):
+- elasticsearch_plugin_shield_ssl_keystore_path
+- elasticsearch_plugin_shield_ssl_keystore_password
+- elasticsearch_plugin_shield_ssl_keystore_key_password
+- elasticsearch_plugin_shield_ssl_hostname_verification
+- elasticsearch_plugin_shield_transport_ssl
+- elasticsearch_plugin_shield_http_ssl
+- elasticsearch_plugin_shield_audit_enabled
+- elasticsearch_plugin_shield_realms
+- elasticsearch_plugin_shield_realms_esusers
+  + order: 0
+  + enabled: "false"
+
+- elasticsearch_plugin_shield_realms_active_directory
+  + order: 1
+  + domain_name: example.com
+  + unmapped_groups_as_roles: "true"
+  + url: ldap://ad.microsoft.com
+  + enabled: "true"
+
+- elasticsearch_esusers
+  + - {username:demouser, password: mypass, role: myrole}
+
+ - elasticsearch_shield_files: path to folder with Shield configuration files which will be copied into /etc/elasticsearch/shield
+
 ## Disable Java installation
 
 If you prefer to skip the built-in installation of the Oracle JRE, use the `elasticsearch_install_java` flag:
@@ -247,3 +279,5 @@ MIT
 # Author Information
 
 George Stathis - gstathis [at] traackr.com
+Mats Olsen molsen [at] comperiosearch.com
+Christoffer Vig cvig [at] comperiosearch.com

Vagrantfile

@@ -1,12 +1,16 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :
-
+$script = <<SCRIPT
+cd /vagrant
+ansible-playbook -i vagrant-inventory.ini vagrant-main.yml -vv
+SCRIPT
 # Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
 VAGRANTFILE_API_VERSION = "2"
 
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   # Every Vagrant virtual environment requires a box to build off of.
   config.vm.box = "ubuntu/trusty64"
+  config.ssh.shell = "bash -c 'BASH_ENV=/etc/profile exec bash'"
   config.vm.provider "virtualbox" do |v|
     v.memory = 2048
     v.cpus = 2
@@ -22,13 +26,15 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   # the path on the guest to mount the folder. And the optional third
   # argument is a set of non-required options.
   # config.vm.synced_folder "../data", "/vagrant_data"
-  config.vm.synced_folder '.', '/vagrant'
+  config.vm.synced_folder '.', '/vagrant', mount_options: ["dmode=777,fmode=666"]
 
-  config.vm.provision :ansible do |ansible|
-    ansible.inventory_path = "vagrant-inventory.ini"
-    ansible.playbook = "vagrant-main.yml"
-    ansible.extra_vars = { user: "vagrant" }
-    ansible.limit = 'all'
-    # ansible.verbose = 'vvvv'
-  end
-end
+  config.vm.provision :shell,
+    :keep_color => true,
+    :path => "setup.sh"
+
+
+  config.vm.provision :shell,
+   :keep_color => true,
+   :inline =>  $script
+
+end

defaults/main.yml

@@ -7,7 +7,7 @@ elasticsearch_download_url: https://download.elasticsearch.org/elasticsearch/ela
 elasticsearch_version: 1.7.3
 elasticsearch_apt_repos:
   - 'ppa:webupd8team/java'
-elasticsearch_apt_java_package: oracle-java7-installer
+elasticsearch_apt_java_package: oracle-java8-installer
 elasticsearch_apt_dependencies:
   - htop
   - ntp
@@ -29,3 +29,6 @@ elasticsearch_service_state: started
 # Non-Elasticsearch Defaults
 apt_cache_valid_time: 300 # seconds between "apt-get update" calls.
 elasticsearch_install_java: "true"
+#uncomment to enable shield
+#elasticsearch_plugin_shield_enabled: "true"
+

setup.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+export PYTHONUNBUFFERED=1
+export ANSIBLE_FORCE_COLOR=1
+
+if [ $(dpkg-query -W -f='${Status}' ansible 2>/dev/null | grep -c "ok installed") -eq 0 ];
+then
+    echo "Add APT repositories"
+    export DEBIAN_FRONTEND=noninteractive
+    apt-get install -qq software-properties-common &> /dev/null || exit 1
+    apt-add-repository ppa:ansible/ansible &> /dev/null || exit 1
+
+    apt-get update -qq
+
+    echo "Installing Ansible"
+    apt-get install -qq ansible &> /dev/null || exit 1
+    echo "Ansible installed"
+fi
+

tasks/esusers.yml

@@ -0,0 +1,12 @@
+- name: Delete user from esuser realm if it exists
+  action: >
+    shell bin/shield/esusers userdel {{ item.username }}
+    chdir={{ elasticsearch_home_dir }}
+  ignore_errors: yes
+  with_items: elasticsearch_esusers
+- name: Add user to esuser realm
+  action: >
+    shell bin/shield/esusers useradd "{{ item.username }}" -p "{{ item.password }}" -r "{{ item.role }}"
+    chdir={{ elasticsearch_home_dir }}
+  ignore_errors: no
+  with_items: elasticsearch_esusers

tasks/main.yml

@@ -27,5 +27,9 @@
 - include: marvel.yml
   when: (elasticsearch_plugin_marvel_version is defined)
 
+# Setup Shield
+- include: shield.yml
+  when: (elasticsearch_shield_enabled is defined and elasticsearch_shield_enabled == "true")
+
 # Always run post-run tasks
 - include: post-run.yml

tasks/shield.yml

@@ -0,0 +1,9 @@
+- name: shield | esusers
+  include: esusers.yml
+  when: (elasticsearch_esusers is defined)
+
+- name: shield | config files
+  copy: src={{elasticsearch_shield_files}} dest=/etc/elasticsearch/shield/
+  tags: shield_config_files
+  when: (elasticsearch_shield_files is defined)
+  notify: Restart Elasticsearch

templates/elasticsearch.yml.j2

@@ -220,6 +220,7 @@ path.logs: {{ elasticsearch_log_dir }}
 path.plugins: {{ elasticsearch_plugin_dir }}
 {% endif %}
 
+
 #################################### Plugin ###################################
 
 # If a plugin listed here is not installed for current node, the node will not start.
@@ -664,7 +665,11 @@ http.cors.enabled: {{ elasticsearch_http_cors_enabled }}
 {% endif %}
 
 {% if elasticsearch_http_cors_allow_origin is defined %}
-http.cors.allow-origin: {{ elasticsearch_http_cors_allow_origin}}
+http.cors.allow-origin: {{ elasticsearch_http_cors_allow_origin }}
+{% endif %}
+
+{% if elasticsearch_http_cors_allow_credentials is defined%}
+http.cors.allow-credentials: {{ elasticsearch_http_cors_allow_credentials }}
 {% endif %}
 
 {% if elasticsearch_script_groovy_sandbox_enabled is defined %}
@@ -678,3 +683,66 @@ script.groovy.sandbox.enabled: {{ elasticsearch_script_groovy_sandbox_enabled }}
 cluster.routing.allocation.awareness.attributes: zone
 node.zone: {{ facter_ec2_placement_availability_zone }}
 {% endif %}
+
+
+
+{% if elasticsearch_plugin_shield_enabled is defined %}
+{% if elasticsearch_plugin_shield_enabled == "false"  %}
+
+shield.enabled: false
+
+{% else %}
+################################### Shield Settings #####################################
+
+{% if elasticsearch_plugin_shield_ssl_keystore_path is defined %}
+shield.ssl.keystore.path: {{ elasticsearch_plugin_shield_ssl_keystore_path }}
+{% endif %}
+
+{% if elasticsearch_plugin_shield_ssl_keystore_password is defined %}
+shield.ssl.keystore.password: {{ elasticsearch_plugin_shield_ssl_keystore_password }}
+{% endif %}
+
+{% if elasticsearch_plugin_shield_ssl_keystore_key_password is defined %}
+shield.ssl.keystore.key_password: {{ elasticsearch_plugin_shield_ssl_keystore_key_password }}
+{% endif %}
+
+{% if elasticsearch_plugin_shield_ssl_hostname_verification is defined %}
+shield.ssl.hostname_verification: {{ elasticsearch_plugin_shield_ssl_hostname_verification }}
+{% endif %}
+
+{% if elasticsearch_plugin_shield_transport_ssl is defined %}
+shield.transport.ssl: {{ elasticsearch_plugin_shield_transport_ssl }}
+{% endif %}
+
+{% if elasticsearch_plugin_shield_http_ssl is defined %}
+shield.http.ssl: {{ elasticsearch_plugin_shield_http_ssl }}
+{% endif %}
+
+{% if elasticsearch_plugin_shield_audit_enabled is defined %}
+shield.audit.enabled: {{elasticsearch_plugin_shield_audit_enabled}}
+{% endif %}
+
+{% if elasticsearch_plugin_shield_realms is defined %}
+shield.authc.realms:
+{% if elasticsearch_plugin_shield_realms_esusers is defined %}
+  esusers:
+    type: esusers
+    order: {{ elasticsearch_plugin_shield_realms_esusers.order }}
+    enabled: {{ elasticsearch_plugin_shield_realms_esusers.enabled }}
+{% endif %}
+
+{% if elasticsearch_plugin_shield_realms_active_directory is defined %}
+  active_directory:
+    type: active_directory
+    order: {{ elasticsearch_plugin_shield_realms_active_directory.order }}
+    enabled: {{ elasticsearch_plugin_shield_realms_active_directory.enabled }}
+    domain_name: {{ elasticsearch_plugin_shield_realms_active_directory.domain_name }}
+    unmapped_groups_as_roles: {{ elasticsearch_plugin_shield_realms_active_directory.unmapped_groups_as_roles }}
+    url: {{ elasticsearch_plugin_shield_realms_active_directory.url }}
+    #cache.ttl: 1m
+{% endif %}
+{% endif %}
+{% endif %}
+
+
+{% endif %}

vagrant-inventory.ini

@@ -6,7 +6,7 @@
 # Local Environment #
 #####################
 [vagrant]
-192.168.111.10 ansible_ssh_user=vagrant ansible_ssh_pass=vagrant
+192.168.111.10 ansible_ssh_user=vagrant ansible_ssh_pass=vagrant ansible_connection=local
 
 [vagrant:vars]
 # spm_client_token=<enter your token>

vars/vagrant.yml

@@ -6,7 +6,7 @@ elasticsearch_apt_java_package: oracle-java8-installer
 elasticsearch_java_home: /usr/lib/jvm/java-8-oracle
 elasticsearch_heap_size: 1g
 elasticsearch_max_open_files: 65535
-elasticsearch_timezone: "America/New_York"
+elasticsearch_timezone:  "America/New_York"
 elasticsearch_node_max_local_storage_nodes: 1
 elasticsearch_index_mapper_dynamic: "true"
 elasticsearch_memory_bootstrap_mlockall: "true"
@@ -16,8 +16,9 @@ elasticsearch_plugins:
   - { name: 'com.github.richardwilly98.elasticsearch/elasticsearch-river-mongodb/2.0.9', reinstall: false }
   - { name: 'facet-script', url: 'http://dl.bintray.com/content/imotov/elasticsearch-plugins/elasticsearch-facet-script-1.1.2.zip', reinstall: false }
   - { name: 'http-basic', url: 'https://github.com/Asquera/elasticsearch-http-basic/releases/download/v1.5.1/elasticsearch-http-basic-1.5.1.jar', download_only: true, reinstall: false }
+
 elasticsearch_thread_pools:
   - "threadpool.bulk.type: fixed"
   - "threadpool.bulk.size: 50"
   - "threadpool.bulk.queue_size: 1000"
-elasticsearch_service_startonboot: yes
+elasticsearch_service_startonboot: yes