From 51b4c314732e2cb7433bd19eba3822c064ed7d7a Mon Sep 17 00:00:00 2001 From: Riccardo Bonuccelli Date: Mon, 5 May 2025 15:35:03 +0200 Subject: [PATCH 1/3] remove searchguard tool Signed-off-by: Riccardo Bonuccelli --- inventory.ini | 18 +++ roles/linux/opensearch/defaults/main.yml | 1 + roles/linux/opensearch/tasks/certificate.yml | 123 ++++++++++++++++++ roles/linux/opensearch/tasks/main.yml | 14 +- roles/linux/opensearch/tasks/security.yml | 53 +------- .../opensearch/templates/security_conf.yml | 14 ++ .../linux/opensearch/templates/tlsconfig.yml | 47 ------- vars_file.yml | 94 +++++++++++++ 8 files changed, 263 insertions(+), 101 deletions(-) create mode 100644 inventory.ini create mode 100644 roles/linux/opensearch/tasks/certificate.yml delete mode 100644 roles/linux/opensearch/templates/tlsconfig.yml create mode 100644 vars_file.yml diff --git a/inventory.ini b/inventory.ini new file mode 100644 index 0000000..9fd2888 --- /dev/null +++ b/inventory.ini @@ -0,0 +1,18 @@ +worker-node2 ansible_host=10.20.1.187 ansible_user=root ip=10.20.1.187 roles=data,master +remote-node ansible_host=10.20.1.17 ansible_user=root ip=10.20.1.17 roles=data,master +control-node ansible_host=10.20.1.15 ansible_user=root ip=10.20.1.15 roles=data,master + +# List all the nodes in the os cluster +[os-cluster] +worker-node2 +remote-node +control-node + +# List all the Master eligible nodes under this group +[master] +worker-node2 +remote-node +control-node + +[dashboards] +worker-node2 diff --git a/roles/linux/opensearch/defaults/main.yml b/roles/linux/opensearch/defaults/main.yml index 9681cd3..de7559c 100644 --- a/roles/linux/opensearch/defaults/main.yml +++ b/roles/linux/opensearch/defaults/main.yml @@ -23,3 +23,4 @@ systemctl_path: /etc/systemd/system # Auth type: 'internal' or 'oidc' (OpenID). Default: internal auth_type: internal +opensearch_nodecerts_path: /tmp/opensearch-nodecerts 
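Review bot: Every host entry logs in as `ansible_user=root`, and the rewritten inventory in PATCH 3/3 keeps the same pattern for all six hosts. Prefer a dedicated unprivileged SSH user with `ansible_become=true` so root SSH login can stay disabled on the nodes; the security.yml hunk in this same patch shows tasks opting out with `become: false`, so privilege escalation is evidently already in use by the role. Since this is a committed sample inventory, the real-looking 10.20.1.x addresses are also worth replacing with documentation-range or clearly fake addresses, which PATCH 3/3 partly does by moving to 10.0.1.x.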
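Review bot: `opensearch_nodecerts_path` is added here but nothing in the series reads it: certificate.yml (this patch) hard-codes `/tmp/opensearch-nodecerts/config/...` in every `path`, `privatekey_path`, `csr_path`, `ownca_path` and `ownca_privatekey_path`, and the new directory task in security.yml does the same, so the default is dead and the location cannot actually be overridden. Either use it, e.g. `path: "{{ opensearch_nodecerts_path }}/config/root-ca.key"` and likewise in the other tasks, or drop the variable. Being able to point this directory somewhere other than the shared `/tmp` on the controller matters because it holds the root CA and admin private keys.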
diff --git a/roles/linux/opensearch/tasks/certificate.yml b/roles/linux/opensearch/tasks/certificate.yml new file mode 100644 index 0000000..f38dc9b --- /dev/null +++ b/roles/linux/opensearch/tasks/certificate.yml 
@@ -0,0 +1,123 @@ +--- + - name: Security Plugin configuration | Generate root CA private key (4096 bits, RSA) + community.crypto.openssl_privatekey: + path: /tmp/opensearch-nodecerts/config/root-ca.key + format: pkcs8 + cipher: auto + delegate_to: localhost + run_once: true + + - name: Security Plugin configuration | Create certificate signing request (CSR) for CA certificate + community.crypto.openssl_csr_pipe: + privatekey_path: /tmp/opensearch-nodecerts/config/root-ca.key + common_name: "opensearch_root_ca.{{ domain_name }}" + use_common_name_for_san: false + basic_constraints: + - 'CA:TRUE' + basic_constraints_critical: true + key_usage: + - keyCertSign + key_usage_critical: true + register: ca_csr + delegate_to: localhost + + - name: Security Plugin configuration | Create self-signed CA certificate from CSR + community.crypto.x509_certificate: + path: /tmp/opensearch-nodecerts/config/root-ca.pem + csr_content: "{{ ca_csr.csr }}" + privatekey_path: /tmp/opensearch-nodecerts/config/root-ca.key + provider: selfsigned + delegate_to: localhost + + - name: Security Plugin configuration | Create Node private key (4096 bits, RSA) + community.crypto.openssl_privatekey: + path: "/tmp/opensearch-nodecerts/config/{{ item }}.key" + format: pkcs8 + cipher: auto + loop: "{{ groups['os-cluster'] }}" + delegate_to: localhost + run_once: true + + - name: Security Plugin configuration | Create HTTP Node private key (4096 bits, RSA) + community.crypto.openssl_privatekey: + path: "/tmp/opensearch-nodecerts/config/{{ item }}_http.key" + format: pkcs8 + cipher: auto + loop: "{{ groups['os-cluster'] }}" + delegate_to: localhost + run_once: true + + - name: Security Plugin configuration | Create Admin private key (4096 bits, RSA) + community.crypto.openssl_privatekey: + path: /tmp/opensearch-nodecerts/config/admin.key + format: pkcs8 + cipher: auto + delegate_to: localhost + run_once: true + #openssl pkcs8 -in /etc/opensearch/cert/admin.key.pem -topk8 -out 
/etc/opensearch/cert/new_admin.key.pem -v1 PBE-SHA1-3DES + + - name: Security Plugin configuration | Create Node certificate signing request (CSR) + community.crypto.openssl_csr: + path: "/tmp/opensearch-nodecerts/config/{{ item }}.csr" + privatekey_path: "/tmp/opensearch-nodecerts/config/{{ item }}.key" + common_name: "{{ item }}.{{ domain_name }}" + organization_name: "{{ domain_name }}" + organizational_unit_name: "Os" + subject_alt_name: "DNS:{{ item }}" + loop: "{{ groups['os-cluster'] }}" + delegate_to: localhost + run_once: true + + - name: Security Plugin configuration | Create Node HTTP certificate signing request (CSR) + community.crypto.openssl_csr: + path: "/tmp/opensearch-nodecerts/config/{{ item }}_http.csr" + privatekey_path: "/tmp/opensearch-nodecerts/config/{{ item }}_http.key" + common_name: "{{ item }}.{{ domain_name }}" + organization_name: "{{ domain_name }}" + organizational_unit_name: "Os" + subject_alt_name: "DNS:{{ item }}" + loop: "{{ groups['os-cluster'] }}" + delegate_to: localhost + run_once: true + + - name: Security Plugin configuration | Create Admin signing request (CSR) + community.crypto.openssl_csr: + path: /tmp/opensearch-nodecerts/config/admin.csr + privatekey_path: /tmp/opensearch-nodecerts/config/admin.key + common_name: "admin.{{ domain_name }}" + organization_name: "{{ domain_name }}" + organizational_unit_name: "Os" + delegate_to: localhost + run_once: true + + - name: Security Plugin configuration | Create self-signed Node certificate from CSR + community.crypto.x509_certificate: + path: "/tmp/opensearch-nodecerts/config/{{ item }}.pem" + csr_path: "/tmp/opensearch-nodecerts/config/{{ item }}.csr" + ownca_path: "/tmp/opensearch-nodecerts/config/root-ca.pem" + ownca_privatekey_path: "/tmp/opensearch-nodecerts/config/root-ca.key" + provider: ownca + loop: "{{ groups['os-cluster'] }}" + delegate_to: localhost + run_once: true + + - name: Security Plugin configuration | Create self-signed HTTP Node certificate from CSR + 
community.crypto.x509_certificate: + path: "/tmp/opensearch-nodecerts/config/{{ item }}_http.pem" + csr_path: "/tmp/opensearch-nodecerts/config/{{ item }}_http.csr" + ownca_path: "/tmp/opensearch-nodecerts/config/root-ca.pem" + ownca_privatekey_path: "/tmp/opensearch-nodecerts/config/root-ca.key" + provider: ownca + loop: "{{ groups['os-cluster'] }}" + delegate_to: localhost + run_once: true + + - name: Security Plugin configuration | Create self-signed Admin certificate from CSR + community.crypto.x509_certificate: + path: "/tmp/opensearch-nodecerts/config/admin.pem" + csr_path: "/tmp/opensearch-nodecerts/config/admin.csr" + ownca_path: "/tmp/opensearch-nodecerts/config/root-ca.pem" + ownca_privatekey_path: "/tmp/opensearch-nodecerts/config/root-ca.key" + provider: ownca + delegate_to: localhost + run_once: true \ No newline at end of file diff --git a/roles/linux/opensearch/tasks/main.yml b/roles/linux/opensearch/tasks/main.yml index 01f18d1..e2145aa 100644 --- a/roles/linux/opensearch/tasks/main.yml +++ b/roles/linux/opensearch/tasks/main.yml @@ -5,13 +5,13 @@ name: "{{ inventory_hostname }}" # Disabling for Amazon Linux 2, Ubuntu and Debian as selinux is disabled by default. -- name: Disable the selinux - ansible.posix.selinux: - state: disabled - when: - - ansible_distribution != "Ubuntu" - - ansible_distribution != "Amazon" - - ansible_distribution != "Debian" +#- name: Disable the selinux +# ansible.posix.selinux: +# state: disabled +# when: +# - ansible_distribution != "Ubuntu" +# - ansible_distribution != "Amazon" +# - ansible_distribution != "Debian" - name: Populate the nodes to /etc/hosts ansible.builtin.import_tasks: etchosts.yml diff --git a/roles/linux/opensearch/tasks/security.yml b/roles/linux/opensearch/tasks/security.yml index 765dc1d..4d85907 100644 --- a/roles/linux/opensearch/tasks/security.yml +++ b/roles/linux/opensearch/tasks/security.yml 
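Review bot: The node and HTTP CSR tasks put only the short hostname in the SAN (`subject_alt_name: "DNS:{{ item }}"`), while the tlsconfig.yml template removed by this patch carried both `{{ item }}.{{ domain_name }}` and `hostvars[item]['ip']`; anything that verifies the HTTP certificate against the FQDN or IP will now fail, so widen it in both CSR tasks to `subject_alt_name: "DNS:{{ item }},DNS:{{ item }}.{{ domain_name }},IP:{{ hostvars[item]['ip'] }}"`. `cert_valid_days` no longer feeds anything: none of the x509_certificate tasks set `selfsigned_not_after` or `ownca_not_after`, so validity falls back to the module defaults rather than the variable that vars_file.yml in this same patch still documents. Every private key task sets `cipher: auto` without a `passphrase`; depending on the community.crypto version that combination is either rejected or silently produces an unencrypted key, and if a passphrase were added the security_conf.yml template would also need the matching `pemkey_password` settings, so for unencrypted node keys simply dropping `cipher` is the consistent choice. The `#openssl pkcs8 ...` comment after the admin key task refers to `/etc/opensearch/cert/...` paths that nothing in this role creates and should be removed.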
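Review bot: Commenting out the SELinux task leaves dead code beneath a header comment (`# Disabling for Amazon Linux 2, Ubuntu and Debian as selinux is disabled by default.`) that now describes a task which never runs. Not disabling SELinux is the safer default, so either delete the block outright or keep the task and gate it on a role variable in addition to the existing distribution conditions, e.g. `when: os_disable_selinux | default(false)` (variable name constructed), so the behaviour is an explicit choice rather than a comment toggle. The enclosing task list continues outside the hunk.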
@@ -20,45 +20,17 @@ register: configuration become: false -- name: Security Plugin configuration | Download certificates generation tool - local_action: - module: get_url - url: https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/1.5/search-guard-tlstool-1.5.tar.gz - dest: /tmp/opensearch-nodecerts/search-guard-tlstool.tar.gz - run_once: true - when: configuration.changed - become: false - -- name: Security Plugin configuration | Extract the certificates generation tool - local_action: command chdir=/tmp/opensearch-nodecerts tar -xvf search-guard-tlstool.tar.gz - run_once: true - when: configuration.changed - become: false - -- name: Security Plugin configuration | Make the executable file +- name: Security Plugin configuration | Create local temporary directory for certificates generation local_action: module: file - dest: /tmp/opensearch-nodecerts/tools/sgtlstool.sh - mode: a+x - run_once: true - when: configuration.changed - become: false - -- name: Security Plugin configuration | Prepare the certificates generation template file - local_action: - module: template - src: tlsconfig.yml - dest: /tmp/opensearch-nodecerts/config/tlsconfig.yml + path: /tmp/opensearch-nodecerts/config + state: directory run_once: true - when: configuration.changed + register: configuration become: false -- name: Security Plugin configuration | Generate the node & admin certificates in local - local_action: - module: command /tmp/opensearch-nodecerts/tools/sgtlstool.sh -c /tmp/opensearch-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opensearch-nodecerts/config/ - run_once: true - when: configuration.changed - become: false +- name: Create CRT + ansible.builtin.import_tasks: certificate.yml - name: Security Plugin configuration | IaC enabled - Check certificate when: iac_enable 
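Review bot: The new directory task re-uses `register: configuration`, overwriting the result registered by the task directly above it (its `register: configuration` is visible as hunk context), so every later `when: configuration.changed or iac_enable` now keys off whether `/tmp/opensearch-nodecerts/config` was just created rather than the parent directory that the vars_file.yml documentation in this patch describes; drop the `register` here or name it distinctly, e.g. `register: nodecerts_config_dir` (name constructed). The imported task's name `Create CRT` breaks the `Security Plugin configuration | ...` naming used by every sibling task; `- name: Security Plugin configuration | Generate CA, node and admin certificates` would keep the pattern. The import also runs unconditionally where the removed tool invocation was guarded by `when: configuration.changed`, which only works because the community.crypto modules are idempotent; a one-line comment saying so would stop the guard being re-added out of habit.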
@@ -137,15 +109,6 @@ marker: "## {mark} OpenSearch Security common configuration ##" when: configuration.changed or iac_enable -- name: Security Plugin configuration | Copy the security configuration file 2 to cluster - ansible.builtin.blockinfile: - block: "{{ lookup('file', '/tmp/opensearch-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" - dest: "{{ os_conf_dir }}/opensearch.yml" - backup: true - insertafter: EOF - marker: "## {mark} opensearch Security Node & Admin certificates configuration ##" - when: configuration.changed or iac_enable - - name: Security Plugin configuration | Create security plugin configuration folder ansible.builtin.file: dest: "{{ os_sec_plugin_conf_path }}" @@ -166,10 +129,6 @@ force: true when: auth_type == 'oidc' or copy_custom_security_configs -- name: Security Plugin configuration | Prepare the opensearch security configuration file - ansible.builtin.command: sed -i 's/searchguard/plugins.security/g' {{ os_conf_dir }}/opensearch.yml - when: configuration.changed or iac_enable - - name: Security Plugin configuration | Set the file ownerships ansible.builtin.file: dest: "{{ os_home }}" diff --git a/roles/linux/opensearch/templates/security_conf.yml b/roles/linux/opensearch/templates/security_conf.yml index e890b43..5e12ed1 100644 --- a/roles/linux/opensearch/templates/security_conf.yml +++ b/roles/linux/opensearch/templates/security_conf.yml 
@@ -4,3 +4,17 @@ plugins.security.audit.type: internal_opensearch plugins.security.enable_snapshot_restore_privilege: true plugins.security.check_snapshot_restore_write_privileges: true plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] + +plugins.security.ssl.transport.pemcert_filepath: "{{ inventory_hostname }}.pem" +plugins.security.ssl.transport.pemkey_filepath: "{{ inventory_hostname }}.key" +plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem +plugins.security.ssl.transport.enforce_hostname_verification: false +plugins.security.ssl.transport.resolve_hostname: false +plugins.security.ssl.http.enabled: true +plugins.security.ssl.http.pemcert_filepath: "{{ inventory_hostname }}_http.pem" +plugins.security.ssl.http.pemkey_filepath: "{{ inventory_hostname }}_http.key" +plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem +plugins.security.nodes_dn: +- CN=*.{{ domain_name }},OU=Os,O={{ domain_name }} +plugins.security.authcz.admin_dn: +- CN=admin.{{ domain_name }},OU=Os,O={{ domain_name }} \ No newline at end of file diff --git a/roles/linux/opensearch/templates/tlsconfig.yml b/roles/linux/opensearch/templates/tlsconfig.yml deleted file mode 100644 index 5b7408f..0000000 --- a/roles/linux/opensearch/templates/tlsconfig.yml +++ /dev/null 
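Review bot: The wildcard under `plugins.security.nodes_dn` (`CN=*.{{ domain_name }},OU=Os,O={{ domain_name }}`) also matches the admin certificate that certificate.yml issues, whose subject is `CN=admin.{{ domain_name }},OU=Os,O={{ domain_name }}` — the very DN listed under `admin_dn` — so the admin certificate is accepted as an inter-node certificate as well, which collapses the separation between the two roles. Enumerate the node DNs from the inventory instead of using the wildcard (or give the admin CSR a distinct OU), as in the fence below. `enforce_hostname_verification: false` is a weakening that is only needed because the node CSRs carry just the short hostname in their SAN; with FQDN and IP SANs the default could stay in place. If the node keys end up encrypted (the key tasks set `cipher: auto`), `plugins.security.ssl.transport.pemkey_password` and `plugins.security.ssl.http.pemkey_password` would also have to be set here.

```yaml
plugins.security.nodes_dn:
{% for item in groups['os-cluster'] %}
- CN={{ item }}.{{ domain_name }},OU=Os,O={{ domain_name }}
{% endfor %}
# … unchanged: admin_dn …
```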
@@ -1,47 +0,0 @@ -ca: - root: - dn: CN=root.ca.{{ domain_name }},OU=CA,O={{ domain_name }}\, Inc.,DC={{ domain_name }} - keysize: 2048 - validityDays: {{ cert_valid_days }} - pkPassword: none - file: root-ca.pem - -### Default values and global settings -defaults: - validityDays: {{ cert_valid_days }} - pkPassword: none - # Set this to true in order to generate config and certificates for - # the HTTP interface of nodes - httpsEnabled: true - reuseTransportCertificatesForHttp: false - verifyHostnames: false - resolveHostnames: false - - -### -### Nodes -### -# -# Specify the nodes of your ES cluster here -# -nodes: -{% for item in groups['os-cluster'] %} - - name: {{ item }} - dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} - dns: {{ item }}.{{ domain_name }} - ip: {{ hostvars[item]['ip'] }} -{% endfor %} - -### -### Clients -### -# -# Specify the clients that shall access your ES cluster with certificate authentication here -# -# At least one client must be an admin user (i.e., a super-user). Admin users can -# be specified with the attribute admin: true -# -clients: - - name: admin - dn: CN=admin.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} - admin: true diff --git a/vars_file.yml b/vars_file.yml new file mode 100644 index 0000000..2192165 --- /dev/null +++ b/vars_file.yml 
@@ -0,0 +1,94 @@ +## Common opensearch configuration parameters ## + +os_cluster_name: development-cluster + +# opensearch download +os_download_url: https://artifacts.opensearch.org/releases/bundle/opensearch + +# opensearch version +# 2.x Latest Version +os_version: "2.19.1" + +# opensearch dashboards version +# 2.x Latest Version +os_dashboards_version: "2.19.1" + +# Configure hostnames for opensearch nodes +# It is required to configure SSL +# Example es1.example.com, es2.example.com +domain_name: seacom.com + +# Java memory heap values(GB) for opensearch +# You can change it based on server specs +xms_value: 2 +xmx_value: 2 + +# Cluster type whether its single-node or multi-node +cluster_type: multi-node + +# opensearch user info +os_user: opensearch + +os_dashboards_user: opensearch-dashboards + +# Number of days that certificates are valid +cert_valid_days: 730 + +# Auth type: 'internal' or 'oidc' (OpenID). Default: internal +auth_type: internal + +# OIDC settings +oidc: + description: "Authenticate via IdP" + # OpenID server URI + connect_url: https://oidc.example.com/auth/realms//.well-known/openid-configuration + # The JWT token field that contains the user name + subject_key: preferred_username + # the JWT token field that contains a list of user roles + roles_key: roles + # Scopes + scopes: "openid profile email" + # The address of Dashboards to redirect the user to after successful authentication + dashboards_url: http(s)://.example.com + # IdP client ID + client_id: opensearch + # IdP client secret + client_secret: "00000000-0000-0000-0000-000000000000" + +# Overwrite demo configurations with your own +copy_custom_security_configs: false + +# To override demo configurations, you can use your own configuration files. +# Place them in the "files" directory. 
Specify the path to the files +custom_security_plugin_configs: + - files/tenants.yml + - files/roles.yml + - files/roles_mapping.yml + - files/internal_users.yml + +# By default, if the /tmp/opensearch-nodecerts directory with certificates +# exists on the server from which the playbook is launched, it is assumed +# that the configuration has not changed and some settings are not copied +# to the target servers. +# +# Conversely, if the /tmp/opensearch-nodecerts directory does not exist on +# the server from which the playbook is launched, then new certificates and +# settings are generated and they are copied to the target servers. +# +# If you use this repository not only for the initial deployment of the +# cluster, but also for its automatic configuration via CI/CD, then new +# certificates will be generated every time the pipeline is launched, +# overwriting existing ones, which is not always necessary if the cluster is +# already in production. +# +# When iac_enable enabling, and all the cluster servers have all the necessary +# certificates, they will not be copied again. If at least on one server (for +# example, when adding a new server to the cluster) if there is not at least one +# certificate from the list, then all certificates on all cluster servers will +# be updated +# +# Also, if the option is enabled, the settings files will be updated with each +# execution (previously, the settings were updated only if the +# /tmp/opensearch-nodecerts directory was missing on the server from which the +# playbook was launched and new certificates were generated) +iac_enable: false From a32df4cb10bf8cb8cce1273ecdd1787ed7771420 Mon Sep 17 00:00:00 2001 From: Zelin Hao Date: Tue, 29 Apr 2025 18:36:58 -0700 Subject: [PATCH 2/3] Increment version to 2.19.2 (#181) Signed-off-by: Zelin Hao Signed-off-by: Riccardo Bonuccelli --- inventories/opensearch/group_vars/all/all.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
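Review bot: This file carries a credential-shaped placeholder (`client_secret: "00000000-0000-0000-0000-000000000000"`) and a site-specific `domain_name: seacom.com`, and PATCH 3/3 of this series deletes the whole file again, so its only lasting effect is a copy in git history. Squash the add and the delete before merging so no vars file with secret-shaped values enters history; if it is meant to stay as an example, use an obviously fake domain and have `oidc.client_secret` read from Ansible Vault or an environment lookup rather than a literal. The `connect_url` value also has an empty realm segment (`/auth/realms//.well-known/openid-configuration`), which will not resolve as written.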
diff --git a/inventories/opensearch/group_vars/all/all.yml b/inventories/opensearch/group_vars/all/all.yml index 8a2607d..c0fe879 100644 --- a/inventories/opensearch/group_vars/all/all.yml +++ b/inventories/opensearch/group_vars/all/all.yml @@ -7,11 +7,11 @@ os_download_url: https://artifacts.opensearch.org/releases/bundle/opensearch # opensearch version # 2.x Latest Version -os_version: "2.19.1" +os_version: "2.19.2" # opensearch dashboards version # 2.x Latest Version -os_dashboards_version: "2.19.1" +os_dashboards_version: "2.19.2" # Configure hostnames for opensearch nodes # It is required to configure SSL From 357eb98ecfda2765e0374139739c66b466021533 Mon Sep 17 00:00:00 2001 From: Riccardo Bonuccelli Date: Mon, 5 May 2025 17:44:58 +0200 Subject: [PATCH 3/3] remove searchguard tool Signed-off-by: Riccardo Bonuccelli --- inventory.ini | 26 ++++++++------ vars_file.yml | 94 --------------------------------------------------- 2 files changed, 16 insertions(+), 104 deletions(-) delete mode 100644 vars_file.yml diff --git a/inventory.ini b/inventory.ini index 9fd2888..7b56ff2 100644 --- a/inventory.ini +++ b/inventory.ini 
@@ -1,18 +1,24 @@ -worker-node2 ansible_host=10.20.1.187 ansible_user=root ip=10.20.1.187 roles=data,master -remote-node ansible_host=10.20.1.17 ansible_user=root ip=10.20.1.17 roles=data,master -control-node ansible_host=10.20.1.15 ansible_user=root ip=10.20.1.15 roles=data,master +os1 ansible_host=10.0.1.1 ansible_user=root ip=10.0.1.1 roles=data,master +os2 ansible_host=10.0.1.2 ansible_user=root ip=10.0.1.2 roles=data,master +os3 ansible_host=10.0.1.3 ansible_user=root ip=10.0.1.3 roles=data,master +os4 ansible_host=10.0.1.4 ansible_user=root ip=10.0.1.4 roles=data,ingest +os5 ansible_host=10.0.1.5 ansible_user=root ip=10.0.1.5 roles=data,ingest + +dashboards1 ansible_host=10.0.1.6 ansible_user=root ip=10.0.1.6 # List all the nodes in the os cluster [os-cluster] -worker-node2 -remote-node -control-node +os1 +os2 +os3 +os4 +os5 # List all the Master eligible nodes under this group [master] -worker-node2 -remote-node -control-node +os1 +os2 +os3 [dashboards] -worker-node2 +dashboards1 \ No newline at end of file diff --git a/vars_file.yml b/vars_file.yml deleted file mode 100644 index 2192165..0000000 --- a/vars_file.yml +++ /dev/null 
@@ -1,94 +0,0 @@ -## Common opensearch configuration parameters ## - -os_cluster_name: development-cluster - -# opensearch download -os_download_url: https://artifacts.opensearch.org/releases/bundle/opensearch - -# opensearch version -# 2.x Latest Version -os_version: "2.19.1" - -# opensearch dashboards version -# 2.x Latest Version -os_dashboards_version: "2.19.1" - -# Configure hostnames for opensearch nodes -# It is required to configure SSL -# Example es1.example.com, es2.example.com -domain_name: seacom.com - -# Java memory heap values(GB) for opensearch -# You can change it based on server specs -xms_value: 2 -xmx_value: 2 - -# Cluster type whether its single-node or multi-node -cluster_type: multi-node - -# opensearch user info -os_user: opensearch - -os_dashboards_user: opensearch-dashboards - -# Number of days that certificates are valid -cert_valid_days: 730 - -# Auth type: 'internal' or 'oidc' (OpenID). Default: internal -auth_type: internal - -# OIDC settings -oidc: - description: "Authenticate via IdP" - # OpenID server URI - connect_url: https://oidc.example.com/auth/realms//.well-known/openid-configuration - # The JWT token field that contains the user name - subject_key: preferred_username - # the JWT token field that contains a list of user roles - roles_key: roles - # Scopes - scopes: "openid profile email" - # The address of Dashboards to redirect the user to after successful authentication - dashboards_url: http(s)://.example.com - # IdP client ID - client_id: opensearch - # IdP client secret - client_secret: "00000000-0000-0000-0000-000000000000" - -# Overwrite demo configurations with your own -copy_custom_security_configs: false - -# To override demo configurations, you can use your own configuration files. -# Place them in the "files" directory. 
Specify the path to the files -custom_security_plugin_configs: - - files/tenants.yml - - files/roles.yml - - files/roles_mapping.yml - - files/internal_users.yml - -# By default, if the /tmp/opensearch-nodecerts directory with certificates -# exists on the server from which the playbook is launched, it is assumed -# that the configuration has not changed and some settings are not copied -# to the target servers. -# -# Conversely, if the /tmp/opensearch-nodecerts directory does not exist on -# the server from which the playbook is launched, then new certificates and -# settings are generated and they are copied to the target servers. -# -# If you use this repository not only for the initial deployment of the -# cluster, but also for its automatic configuration via CI/CD, then new -# certificates will be generated every time the pipeline is launched, -# overwriting existing ones, which is not always necessary if the cluster is -# already in production. -# -# When iac_enable enabling, and all the cluster servers have all the necessary -# certificates, they will not be copied again. If at least on one server (for -# example, when adding a new server to the cluster) if there is not at least one -# certificate from the list, then all certificates on all cluster servers will -# be updated -# -# Also, if the option is enabled, the settings files will be updated with each -# execution (previously, the settings were updated only if the -# /tmp/opensearch-nodecerts directory was missing on the server from which the -# playbook was launched and new certificates were generated) -iac_enable: false