Make logstash_writer user password hashing idempotent (#249)

widhalmt · afeefghannam89 · web-flow · commit c3eab1573603 · 2023-09-04T18:14:11.000+02:00
Using randomly created hashes for our hash algorithm will break idempotency. Besides, it will lead to the `logstash_writer` user template being recreated with every run. I'm not sure if changing the contents every time can't have any more side effects we can circumvent by just using a fixed hash. fixes #247 fixes #251 fixes #244 --------- Co-authored-by: Afeef Ghannam <afeef.ghannam@netways.de> Co-authored-by: Afeef Ghannam <39904920+afeefghannam89@users.noreply.github.com>
diff --git a/.github/workflows/test_full_stack.yml b/.github/workflows/test_full_stack.yml
@@ -31,7 +31,7 @@ jobs:
 
     strategy:
       fail-fast: false
-      max-parallel: 4
+      max-parallel: 2
       matrix:
         distro:
           - rockylinux8
diff --git a/.github/workflows/test_roles_pr.yml b/.github/workflows/test_roles_pr.yml
@@ -47,11 +47,11 @@ jobs:
 
     strategy:
       fail-fast: false
-      max-parallel: 4
+      max-parallel: 2
       matrix:
         distro:
-          - ubuntu2204
           - rockylinux8
+          - ubuntu2204
         scenario:
           - elasticstack_default
         release:
diff --git a/README.md b/README.md
@@ -69,6 +69,8 @@ Make sure all hosts that should be configured are part of your playbook. (See be
 
 You will want to have reliable DNS resolution or enter all hosts of the stack into your systems hosts files.
 
+The variable `elasticstack_no_log` can be set to `false` if you want to see the output of all tasks. It defaults to `true` because some tasks could reveal passwords in production.
+
 ### Versioning
 
 *elasticstack_version*: Version number of tools to install. Only set if you don't want the latest. (default: none).
diff --git a/docs/role-logstash.md b/docs/role-logstash.md
@@ -67,6 +67,9 @@ Aside from `logstash.yml` we can manage Logstashs pipelines.
 * *logstash_security*: Enable X-Security (No default set, but will be activated when in full stack mode)
 * *logstash_user*: Name of the user to connect to Elasticsearch (Default: `logstash_writer`)
 * *logstash_password_hash*: Generate and use a hash from your `logstash_password` (default: `true`)
+* *logstash_password_hash_algorithm*: Password hashing algorithms. Value must be same as `xpack.security.authc.password_hashing.algorithm` (default: `bcrypt`)
+* *logstash_password_salt_length*: base64 encoded Salt character lenght. This value must be integer and must be compatible to the selected password hashing algorithms (default: `22`)
+**logstash_password_hash_salt_seed*: A seed to generate random but idempotent salt on the elasticstack ca host. The salt will be used to create idempotent logstash hashed user password (default: `SeedChangeMe`)
 * *logstash_password*: Password of Elasticsearch user. It must be at least 6 characters long (default: `password`)
 * *logstash_user_indices*: Indices the user has access to (default: `'"ecs-logstash*", "logstash*", "logs*"'`)
 * *logstash_reset_writer_role*: Reset user and role with every run: (default: `true`)
diff --git a/molecule/beats_default/converge.yml b/molecule/beats_default/converge.yml
@@ -12,6 +12,7 @@
     elasticsearch_jna_workaround: true
     elasticsearch_disable_systemcallfilterchecks: true
     elasticstack_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}"
+    elasticstack_no_log: false
   tasks:
     - name: Include Elastics repos role
       ansible.builtin.include_role:
diff --git a/molecule/beats_peculiar/converge.yml b/molecule/beats_peculiar/converge.yml
@@ -21,6 +21,7 @@
     elasticsearch_jna_workaround: true
     elasticsearch_disable_systemcallfilterchecks: true
     elasticstack_full_stack: false
+    elasticstack_no_log: false
     beats_filebeat_mysql_slowlog_input: true
     beats_auditbeat: true
     beats_auditbeat_output: logstash
diff --git a/molecule/elasticsearch_cluster-oss/converge.yml b/molecule/elasticsearch_cluster-oss/converge.yml
@@ -11,6 +11,7 @@
     elasticsearch_disable_systemcallfilterchecks: true
     elasticstack_release: 7
     elasticsearch_heap: "1"
+    elasticstack_no_log: false
   tasks:
     - name: Include Elastics repos role
       ansible.builtin.include_role:
diff --git a/molecule/elasticsearch_no-security/converge.yml b/molecule/elasticsearch_no-security/converge.yml
@@ -12,6 +12,7 @@
     elasticsearch_disable_systemcallfilterchecks: true
     elasticsearch_heap: "1"
     elasticstack_release: 7
+    elasticstack_no_log: false
   tasks:
     - name: Include Elastics repos role
       ansible.builtin.include_role:
diff --git a/molecule/elasticsearch_roles_calculation/converge.yml b/molecule/elasticsearch_roles_calculation/converge.yml
@@ -14,6 +14,7 @@
       - data
     elasticsearch_heap: 1
     elasticsearch_check_calculation: true
+    elasticstack_no_log: false
   tasks:
     - name: Include Elastics repos role
       ansible.builtin.include_role:
diff --git a/molecule/elasticstack_default/converge.yml b/molecule/elasticstack_default/converge.yml
@@ -13,10 +13,10 @@
     elasticsearch_jna_workaround: true
     elasticsearch_disable_systemcallfilterchecks: true
     elasticstack_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}"
-    elasticsearch_heap: "2"
+    elasticsearch_heap: "1"
     elasticstack_full_stack: true
+    elasticstack_no_log: false
     logstash_pipeline_unsafe_shutdown: true
-    logstash_password_hash: false
     beats_filebeat_syslog_udp: true
     beats_filebeat_syslog_tcp: true
     beats_filebeat_modules:
diff --git a/molecule/kibana_default/converge.yml b/molecule/kibana_default/converge.yml
@@ -8,6 +8,7 @@
   vars:
     elasticstack_full_stack: false
     elasticstack_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}"
+    elasticstack_no_log: false
   collections:
     - netways.elasticstack
   tasks:
diff --git a/molecule/logstash_full_stack-oss/converge.yml b/molecule/logstash_full_stack-oss/converge.yml
@@ -23,6 +23,7 @@
     beats_filebeat_syslog_tcp: true
     logstash_beats_tls: false
     elasticstack_release: 7
+    elasticstack_no_log: false
   tasks:
     - name: "Include Elastics repos role"
       ansible.builtin.include_role:
diff --git a/molecule/logstash_pipelines/converge.yml b/molecule/logstash_pipelines/converge.yml
@@ -32,6 +32,7 @@
     logstash_pipeline_unsafe_shutdown: true
     elasticstack_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}"
     elasticstack_full_stack: false
+    elasticstack_no_log: false
   tasks:
     - name: "Include Elastics repos role"
       ansible.builtin.include_role:
diff --git a/molecule/logstash_specific_version/converge.yml b/molecule/logstash_specific_version/converge.yml
@@ -15,6 +15,7 @@
     logstash_pipeline_unsafe_shutdown: true
     elasticstack_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}"
     elasticstack_full_stack: false
+    elasticstack_no_log: false
   tasks:
 
     - name: Set Filebeat version for 7.x
diff --git a/molecule/repos_default/converge.yml b/molecule/repos_default/converge.yml
@@ -7,6 +7,7 @@
     elasticstack_rpm_workaround: true
     elasticstack_full_stack: false
     elasticstack_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}"
+    elasticstack_no_log: false
   tasks:
     - name: Include Elastic Repos
       ansible.builtin.include_role:
diff --git a/molecule/repos_oss/converge.yml b/molecule/repos_oss/converge.yml
@@ -9,6 +9,7 @@
     elasticstack_variant: oss
     elasticstack_rpm_workaround: true
     elasticstack_release: 7
+    elasticstack_no_log: false
   tasks:
     - name: "Include Elastic Repos"
       ansible.builtin.include_role:
diff --git a/requirements-test.txt b/requirements-test.txt
@@ -3,3 +3,4 @@ ansible-lint
 molecule
 molecule-plugins[docker]
 pytest
+passlib
diff --git a/roles/beats/defaults/main.yml b/roles/beats/defaults/main.yml
@@ -68,6 +68,7 @@ elasticstack_ca_dir: /opt/es-ca
 elasticstack_ca_pass: PleaseChangeMe
 elasticstack_initial_passwords: /usr/share/elasticsearch/initial_passwords
 elasticstack_elasticsearch_http_port: 9200
+elasticstack_no_log: true
 beats_cert_validity_period: 1095
 beats_cert_expiration_buffer: "+30d"
 beats_cert_will_expire_soon: false
diff --git a/roles/beats/tasks/beats-security.yml b/roles/beats/tasks/beats-security.yml
@@ -235,5 +235,5 @@
     awk {' print $4 '}
   register: beats_writer_password
   changed_when: false
-  no_log: true
+  no_log: "{{ elasticstack_no_log }}"
   delegate_to: "{{ elasticstack_ca }}"
diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml
@@ -54,3 +54,4 @@ elasticstack_release: 8
 elasticstack_full_stack: true
 elasticstack_variant: elastic
 elasticstack_elasticsearch_http_port: 9200
+elasticstack_no_log: true
diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml
@@ -240,7 +240,7 @@
     add -x 'bootstrap.password'
   when: "'bootstrap.password' not in elasticsearch_keystore.stdout_lines"
   changed_when: true
-  no_log: true
+  no_log: "{{ elasticstack_no_log }}"
   notify:
     - Restart Elasticsearch
   ignore_errors: "{{ ansible_check_mode }}"
@@ -255,7 +255,7 @@
     - elasticsearch_http_security
   register: elasticsearch_http_ssl_keystore_secure_password
   ignore_errors: "{{ ansible_check_mode }}"
-  no_log: true
+  no_log: "{{ elasticstack_no_log }}"
   changed_when: false
 
 - name: Set xpack.security.http.ssl.keystore.secure_password # noqa: risky-shell-pipe
@@ -265,7 +265,7 @@
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     add -f -x 'xpack.security.http.ssl.keystore.secure_password'
   changed_when: true
-  no_log: true
+  no_log: "{{ elasticstack_no_log }}"
   when:
     - elasticsearch_http_ssl_keystore_secure_password.stdout is undefined or elasticsearch_tls_key_passphrase != elasticsearch_http_ssl_keystore_secure_password.stdout
     - elasticsearch_http_security
@@ -278,7 +278,7 @@
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     remove 'xpack.security.http.ssl.keystore.secure_password'
   changed_when: true
-  no_log: true
+  no_log: "{{ elasticstack_no_log }}"
   when:
     - "'xpack.security.http.ssl.keystore.secure_password' in elasticsearch_keystore.stdout_lines"
     - not elasticsearch_http_security
@@ -295,7 +295,7 @@
     - elasticsearch_http_security
   register: elasticsearch_http_ssl_truststore_secure_password
   ignore_errors: "{{ ansible_check_mode }}"
-  no_log: true
+  no_log: "{{ elasticstack_no_log }}"
   changed_when: false
 
 - name: Set xpack.security.http.ssl.truststore.secure_password # noqa: risky-shell-pipe
@@ -305,7 +305,7 @@
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     add -f -x 'xpack.security.http.ssl.truststore.secure_password'
   changed_when: true
-  no_log: true
+  no_log: "{{ elasticstack_no_log }}"
   when:
     - elasticsearch_http_ssl_truststore_secure_password.stdout is undefined or elasticsearch_tls_key_passphrase != elasticsearch_http_ssl_truststore_secure_password.stdout
     - elasticsearch_http_security
@@ -318,7 +318,7 @@
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     remove 'xpack.security.http.ssl.truststore.secure_password'
   changed_when: true
-  no_log: true
+  no_log: "{{ elasticstack_no_log }}"
   when:
     - "'xpack.security.http.ssl.truststore.secure_password' in elasticsearch_keystore.stdout_lines"
     - not elasticsearch_http_security
@@ -335,7 +335,7 @@
     - elasticsearch_security
   register: elasticsearch_transport_ssl_keystore_secure_password
   ignore_errors: "{{ ansible_check_mode }}"
-  no_log: true
+  no_log: "{{ elasticstack_no_log }}"
   changed_when: false
 
 - name: Set xpack.security.transport.ssl.keystore.secure_password # noqa: risky-shell-pipe
@@ -345,7 +345,7 @@
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     add -f -x 'xpack.security.transport.ssl.keystore.secure_password'
   changed_when: true
-  no_log: true
+  no_log: "{{ elasticstack_no_log }}"
   when:
     - elasticsearch_transport_ssl_keystore_secure_password.stdout is undefined or elasticsearch_tls_key_passphrase != elasticsearch_transport_ssl_keystore_secure_password.stdout
     - elasticsearch_security
@@ -358,7 +358,7 @@
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     remove 'xpack.security.transport.ssl.keystore.secure_password'
   changed_when: true
-  no_log: true
+  no_log: "{{ elasticstack_no_log }}"
   when:
     - "'xpack.security.transport.ssl.keystore.secure_password' in elasticsearch_keystore.stdout_lines"
     - not elasticsearch_security
@@ -375,7 +375,7 @@
     - elasticsearch_security
   register: elasticsearch_transport_ssl_truststore_secure_password
   ignore_errors: "{{ ansible_check_mode }}"
-  no_log: true
+  no_log: "{{ elasticstack_no_log }}"
   changed_when: false
 
 - name: Set xpack.security.transport.ssl.truststore.secure_password # noqa: risky-shell-pipe
@@ -385,7 +385,7 @@
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     add -f -x 'xpack.security.transport.ssl.truststore.secure_password'
   changed_when: true
-  no_log: true
+  no_log: "{{ elasticstack_no_log }}"
   when:
     - elasticsearch_transport_ssl_truststore_secure_password.stdout is undefined or elasticsearch_tls_key_passphrase != elasticsearch_transport_ssl_truststore_secure_password.stdout
     - elasticsearch_security
@@ -398,7 +398,7 @@
     /usr/share/elasticsearch/bin/elasticsearch-keystore
     remove 'xpack.security.transport.ssl.truststore.secure_password'
   changed_when: true
-  no_log: true
+  no_log: "{{ elasticstack_no_log }}"
   when:
     - "'xpack.security.transport.ssl.truststore.secure_password' in elasticsearch_keystore.stdout_lines"
     - not elasticsearch_security
@@ -422,7 +422,7 @@
         --silent
       args:
         creates: "{{ elasticstack_ca_dir }}/elastic-stack-ca.p12"
-      no_log: true
+      no_log: "{{ elasticstack_no_log }}"
 
     - name: Create node certificates on elasticstack_ca host
       ansible.builtin.command: >
@@ -436,7 +436,7 @@
         --pass {{ elasticsearch_tls_key_passphrase }}
         --out {{ elasticstack_ca_dir }}/{{ hostvars[item].ansible_hostname }}.p12
       loop: "{{ groups['elasticsearch'] }}"
-      no_log: true
+      no_log: "{{ elasticstack_no_log }}"
       args:
         creates: "{{ elasticstack_ca_dir }}/{{ hostvars[item].ansible_hostname }}.p12"
 
@@ -447,7 +447,7 @@
         -password pass:{{ elasticsearch_tls_key_passphrase }}
       args:
         creates: "{{ elasticstack_ca_dir }}/ca.crt"
-      no_log: true
+      no_log: "{{ elasticstack_no_log }}"
 
 - name: Fetch ca certificate from ca host to Ansible controller
   ansible.builtin.fetch:
@@ -524,7 +524,6 @@
 - name: Wait for all instances to start
   ansible.builtin.include_tasks: wait_for_instance.yml
   loop: "{{ groups['elasticsearch'] }}"
-  tags: notest
 
 - name: Force all notified handlers to run at this point, not waiting for normal sync points
   ansible.builtin.meta: flush_handlers
@@ -537,7 +536,6 @@
   ansible.builtin.include_tasks: wait_for_instance.yml
   loop: "{{ groups['elasticsearch'] }}"
   tags:
-    - notest
     - certificates
     - renew_ca
     - renew_es_cert
@@ -553,6 +551,15 @@
     elasticsearch_http_protocol: "https"
   when: elasticsearch_http_security
 
+# Free up some space to let elsticsearch allocate replica in GitHub Action
+- name: Remove cache # noqa: risky-shell-pipe
+  ansible.builtin.shell: >
+    if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
+    rm -rf /var/cache/*
+  failed_when: false
+  changed_when: false
+  when: ansible_virtualization_type == "container"
+
 - name: Check for cluster status with bootstrap password # noqa: risky-shell-pipe
   ansible.builtin.shell: >
     if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
@@ -562,7 +569,7 @@
     cut -d\" -f4
   register: elasticsearch_cluster_status_bootstrap
   changed_when: false
-  no_log: true
+  no_log: "{{ elasticstack_no_log }}"
   when:
     - not elasticsearch_passwords_file.stat.exists | bool
     - groups['elasticsearch'] | length > 1
@@ -577,7 +584,7 @@
     awk {' print $4 '}
   register: elasticstack_password
   changed_when: false
-  no_log: true
+  no_log: "{{ elasticstack_no_log }}"
   delegate_to: "{{ elasticstack_ca }}"
   when: elasticsearch_passwords_file.stat.exists | bool
 
@@ -590,7 +597,7 @@
     cut -d\" -f4
   register: elasticsearch_cluster_status
   changed_when: false
-  no_log: true
+  no_log: "{{ elasticstack_no_log }}"
   when:
     - elasticsearch_passwords_file.stat.exists | bool
     - groups['elasticsearch'] | length > 1
@@ -616,7 +623,7 @@
     /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto -b >
     {{ elasticstack_initial_passwords }}
   when: inventory_hostname == elasticstack_ca
-  no_log: true
+  no_log: "{{ elasticstack_no_log }}"
   args:
     creates: "{{ elasticstack_initial_passwords }}"
 
diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml
diff --git a/roles/kibana/defaults/main.yml b/roles/kibana/defaults/main.yml
diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml
diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml
diff --git a/roles/logstash/defaults/main.yml b/roles/logstash/defaults/main.yml
diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
diff --git a/roles/logstash/templates/logstash.yml.j2 b/roles/logstash/templates/logstash.yml.j2
diff --git a/roles/logstash/templates/logstash_writer_user.j2 b/roles/logstash/templates/logstash_writer_user.j2
diff --git a/roles/repos/defaults/main.yml b/roles/repos/defaults/main.yml
