From ac47ada043857a50fdc426610ce265250cd33e36 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Mon, 9 May 2022 20:02:48 +0200
Subject: [PATCH] Disable the security plugin by default.
---
README.md | 48 +++++++++++++++++++++++++++++++++++++
defaults/main.yml | 17 +++++++++++++
tasks/main.yml | 18 ++++++++++++++
templates/opensearch.yml.j2 | 6 ++++-
4 files changed, 88 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index ed7efa8..b3edfdc 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,54 @@ Role Variables The most important variables are listed below: ``` yaml +opensearch_install: true +opensearch_enabled: true +opensearch_major_version: 1 +opensearch_minor_version: 3 +opensearch_patch_version: 2 +opensearch_version: '{{ opensearch_major_version }}.{{ opensearch_minor_version }}.{{ opensearch_patch_version }}' +opensearch_versioned: 'opensearch-{{ opensearch_version }}' +opensearch_filename: '{{ opensearch_versioned }}-linux-x64.tar.gz' +opensearch_download_url: 'https://artifacts.opensearch.org/releases/bundle/opensearch/{{ opensearch_version }}/{{ opensearch_filename }}' +opensearch_cli_tools_file: 'opensearch-cli-1.1.0-linux-x64.zip' +opensearch_cli_tools_url: 'https://artifacts.opensearch.org/opensearch-clients/opensearch-cli/{{ opensearch_cli_tools_file }}' +opensearch_user: opensearch +opensearch_base_install_dir: /opt/opensearch +opensearch_config_dir: '{{ opensearch_base_install_dir }}/config' +opensearch_bin_dir: '{{ opensearch_base_install_dir }}/bin' +opensearch_cluster_name: 'Opensearch Cluster' +opensearch_http_port: 9200 +opensearch_transport_min_port: 9300 +opensearch_transport_max_port: 9400 +opensearch_data_dirs: + - /var/lib/opensearch +opensearch_log_dir: /var/log/opensearch +opensearch_bind_ip: 0.0.0.0 +opensearch_single_node: true +opensearch_discovery_host_list: '["127.0.0.1", "[::1]"]' +opensearch_define_majority_of_nodes: true +opensearch_majority_of_nodes: 1 +opensearch_bootstrap_known_masters: + - '{{ ansible_fqdn }}' +opensearch_real_cluster: false +opensearch_recover_after_nodes: 3 +opensearch_max_local_storage_nodes: 1 +opensearch_destructive_requires_name: true +opensearch_define_heap_size: false +opensearch_heap_size: 2g +opensearch_additional_java_opts: '-server -Djava.awt.headless=true -Dfile.encoding=UTF-8' +opensearch_java_io_tmpdir: '/var/tmp' +opensearch_additional_conf: + - {name: 'search.max_buckets', value: '65535'} +opensearch_max_open_files: 65535 +opensearch_max_processes: 8192 
+opensearch_cluster_routing_allocation_disk_threshold_enabled: 'true' +opensearch_cluster_routing_allocation_disk_watermark_low: '85%' +opensearch_cluster_routing_allocation_disk_watermark_high: '90%' +# Compatibility with kernels <= 3.5. Set to False if you are using a newer kernel +opensearch_disable_bootstrap_syscall_filter: true +opensearch_security_enabled: false + ``` Dependencies diff --git a/defaults/main.yml b/defaults/main.yml index 856e905..0764e9a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -13,6 +13,8 @@ opensearch_cli_tools_url: 'https://artifacts.opensearch.org/opensearch-clients/o opensearch_user: opensearch opensearch_base_install_dir: /opt/opensearch opensearch_config_dir: '{{ opensearch_base_install_dir }}/config' +opensearch_plugins_dir: '{{ opensearch_base_install_dir }}/plugins' +opensearch_disabled_plugins_dir: '{{ opensearch_base_install_dir }}/disabled-plugins' opensearch_bin_dir: '{{ opensearch_base_install_dir }}/bin' opensearch_cluster_name: 'Opensearch Cluster' @@ -47,6 +49,21 @@ opensearch_cluster_routing_allocation_disk_watermark_low: '85%' opensearch_cluster_routing_allocation_disk_watermark_high: '90%' # Compatibility with kernels <= 3.5. Set to False if you are using a newer kernel opensearch_disable_bootstrap_syscall_filter: true +opensearch_security_enabled: false +opensearch_default_plugins: + - opensearch-alerting + - opensearch-anomaly-detection + - opensearch-asynchronous-search + - opensearch-cross-cluster-replication + - opensearch-index-management + - opensearch-job-scheduler + - opensearch-knn + - opensearch-ml + - opensearch-observability + - opensearch-performance-analyzer + - opensearch-reports-scheduler + - opensearch-security + - opensearch-sql # Only name and value are mandatory. The others have defaults # systemctl_custom_options: diff --git a/tasks/main.yml b/tasks/main.yml index 46e0c1f..722fc57 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
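Review bot: `opensearch_security_enabled: false` in the second `defaults/main.yml` hunk makes the role's default deployment run without the security plugin, that is, without authentication, authorization or TLS on the REST port. The README hunk of this patch lists `opensearch_bind_ip: 0.0.0.0` and `opensearch_http_port: 9200` among the role variables, so unless those defaults differ in `defaults/main.yml` (not visible in this hunk) the API would be reachable unauthenticated on every interface. Either keep the default at `true` and let users opt out, or pair the opt-out with a loopback bind and a comment such as `# Disables authentication and TLS; set to false only behind a trusted network boundary`. `opensearch_default_plugins` is not referenced by any task visible in this patch, so a comment should say what consumes it.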
@@ -64,6 +64,24 @@ tags: ['opensearch'] +- name: Opensearch plugins + block: + - name: Create the opensearch 'disabled_plugins' directory + file: + dest: '{{ opensearch_disabled_plugins_dir }}' + state: directory + owner: root + group: root + mode: 0755 + + - name: Manage the security plugin + command: mv {{ opensearch_plugins_dir }}/opensearch-security {{ opensearch_disabled_plugins_dir }}/opensearch-security + args: + creates: '{{ opensearch_disabled_plugins_dir }}/opensearch-security' + when: not opensearch_security_enabled + + tags: ['opensearch', 'opensearch_plugins'] + - name: Opensearch configuration block: - name: Install the opensearch JVM options diff --git a/templates/opensearch.yml.j2 b/templates/opensearch.yml.j2 index a55f0aa..c7a5e0b 100644 --- a/templates/opensearch.yml.j2 +++ b/templates/opensearch.yml.j2 @@ -20,21 +20,25 @@ cluster.name: {{ opensearch_cluster_name }} # Use a descriptive name for the node: # node.name: {{ ansible_fqdn }} - +# +{% if not opensearch_single_node %} cluster.initial_master_nodes: {% for n in opensearch_bootstrap_known_masters %} - {{ n }} {% endfor %} + # # Add custom attributes to the node: # # node.rack: r1 +{% endif %} # # ----------------------------------- Paths ------------------------------------ # # Path to directory where to store the data (separate multiple locations by comma): # path.data: {% for data_dir in opensearch_data_dirs %}{{ data_dir }}{% if not loop.last %},{% endif %}{% endfor %} + # # Path to log files: #
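Review bot: The `Manage the security plugin` task is one-way: it moves `opensearch-security` out of the plugins directory when `opensearch_security_enabled` is false, and nothing in this block moves it back when the variable is later set to true, so a host that ran the role once stays without authentication and TLS. A mirrored task guarded by `when: opensearch_security_enabled` would make the switch reversible (below). Because `creates` tests only the destination, a fresh copy of the plugin that an upgrade unpacks into the plugins directory would presumably be left in place and the move skipped. No `notify` is visible on the task, so a running node would keep its current state until restarted; handlers may exist outside the hunk. `mode: 0755` is better written as `mode: '0755'`.

```yaml
    # … unchanged: create the disabled-plugins directory, move the plugin out when disabled …
    - name: Restore the security plugin
      command: mv {{ opensearch_disabled_plugins_dir }}/opensearch-security {{ opensearch_plugins_dir }}/opensearch-security
      args:
        creates: '{{ opensearch_plugins_dir }}/opensearch-security'
        removes: '{{ opensearch_disabled_plugins_dir }}/opensearch-security'
      when: opensearch_security_enabled
```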
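Review bot: In `templates/opensearch.yml.j2`, `{% endif %}` is placed after the `# node.rack: r1` comment rather than directly after `{% endfor %}`, so the `Add custom attributes to the node` comment block is dropped from the rendered file whenever `opensearch_single_node` is true, although it has nothing to do with master bootstrap. Moving `{% endif %}` to the line after `{% endfor %}` keeps the conditional limited to `cluster.initial_master_nodes`. The rest of the template lies outside the hunk, so whether single-node discovery is configured elsewhere cannot be checked here.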