From 78164ea4fef71a8a973d2338f6002395dd74e2e7 Mon Sep 17 00:00:00 2001
From: Temur Maisuradze <temur@grena.ge>
Date: Thu, 19 Nov 2020 17:56:17 +0400
Subject: [PATCH] disable tenant and admin permitions for ODFE's users

---
 group_vars/all/main.yml                  |  5 +++
 roles/odfekibana/tasks/main.yml          | 49 ++++++++++++++++--------
 roles/odfekibana/templates/kibana.yml.j2 |  4 +-
 roles/odfekibana/templates/role.json.j2  | 15 ++++++++
 4 files changed, 55 insertions(+), 18 deletions(-)
 create mode 100644 roles/odfekibana/templates/role.json.j2

diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index bda2eaa..d8f242a 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -89,6 +89,11 @@ soctools_users:
     CN: "Bozidar Proevski"
     password: "Pass001"
 
+# Minimum one user is required
+ODFE_ADMIN_USERS:
+  - arne.oslebo
+  - bozidar.proevski
+
 odfees_img: "{{repo}}/odfees:{{version}}{{suffix}}"
 odfekibana_img: "{{repo}}/odfekibana:{{version}}{{suffix}}"
 # GENERATE 32-bit secure value
diff --git a/roles/odfekibana/tasks/main.yml b/roles/odfekibana/tasks/main.yml
index c085414..49924ee 100644
--- a/roles/odfekibana/tasks/main.yml
+++ b/roles/odfekibana/tasks/main.yml
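Review bot: Every name in `ODFE_ADMIN_USERS` is rendered into the `users` array of the `all_access` role mapping that the odfekibana role posts, so each entry becomes a full ODFE administrator, yet the only comment on the list says "Minimum one user is required". Say what the list does so the blast radius is obvious to whoever edits it: `# Users mapped to the ODFE all_access (cluster admin) role mapping; entries must be existing ODFE usernames. Minimum one user is required.` The minimum is also not enforced anywhere visible in this patch; an `assert` with `that: ODFE_ADMIN_USERS | length > 0` at the top of the role would fail fast instead of silently rendering a mapping that contains only `admin`. The upper-case name breaks the `snake_case` convention of the surrounding variables (`soctools_users`, `odfees_img`); `odfe_admin_users` would be consistent if the template reference is updated at the same time.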
@@ -123,22 +123,22 @@
   tags:
     - start
 
-- name: Copy tenant.json to container
-  remote_user: kibana
-  copy:
-    src: "files/tenant.json"
-    dest: /tmp/tenant.json
-  tags:
-    - start
-
-- name: change tenant to global
-  shell: 'curl -X "POST" "https://{{dslproxy}}:5601/api/v1/multitenancy/tenant" \
-    -b /tmp/cookie.txt -c /tmp/cookie.txt \
-    -k --user admin:{{ odfees_adminpass }} \
-    -H "kbn-xsrf: reporting" -H "Content-Type: application/json" \
-    -d @/tmp/tenant.json'
-  tags:
-    - start
+#- name: Copy tenant.json to container
+#  remote_user: kibana
+#  copy:
+#    src: "files/tenant.json"
+#    dest: /tmp/tenant.json
+#  tags:
+#    - start
+#
+#- name: change tenant to global
+#  shell: 'curl -X "POST" "https://{{dslproxy}}:5601/api/v1/multitenancy/tenant" \
+#    -b /tmp/cookie.txt -c /tmp/cookie.txt \
+#    -k --user admin:{{ odfees_adminpass }} \
+#    -H "kbn-xsrf: reporting" -H "Content-Type: application/json" \
+#    -d @/tmp/tenant.json'
+#  tags:
+#    - start
 
 - name: Copy kibana_graphs.ndjson to container
   remote_user: kibana
@@ -157,6 +157,23 @@
   tags:
     - start
 
+- name: Copy role modification json to container
+  remote_user: kibana
+  template:
+    src: "role.json.j2"
+    dest: /tmp/role.json
+  tags:
+    - start
+
+- name: Grant admin permissions to users
+  shell: 'curl -X "POST" "https://{{dslproxy}}:5601/api/v1/configuration/rolesmapping/all_access" \
+    -b /tmp/cookie.txt -c /tmp/cookie.txt \
+    -k --user admin:{{ odfees_adminpass }} \
+    -H "kbn-xsrf: reporting" -H "Content-Type: application/json" \
+    -d @/tmp/role.json'
+  tags:
+    - start
+
 #- name: cleanup temporary files for kibana_graph import
 #  shell: '/bin/rm -rf /tmp/cookie.txt /tmp/kibana_graphs.ndjson /tmp/tenant.json'
 #  ignore_errors: true
diff --git a/roles/odfekibana/templates/kibana.yml.j2 b/roles/odfekibana/templates/kibana.yml.j2
index 0d67007..55210f5 100644
--- a/roles/odfekibana/templates/kibana.yml.j2
+++ b/roles/odfekibana/templates/kibana.yml.j2
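Review bot: The two tenant tasks are commented out rather than removed, which leaves sixteen lines of dead code in the play (and presumably an unused `files/tenant.json`) that git history would preserve anyway; deleting them keeps the role readable, and the still-commented cleanup task further down already lists files this role no longer creates. If the intent is to keep them for a possible re-enable, a one-line comment stating why is more useful than the frozen body: `# Tenant tasks removed: multitenancy is disabled in templates/kibana.yml.j2, so the tenant API is not used.`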
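Review bot: The "Grant admin permissions to users" task cannot detect a rejected request: curl exits 0 on an HTTP 400/401/403 from the Kibana security API, so a wrong `odfees_adminpass` or a malformed `/tmp/role.json` leaves the `all_access` mapping untouched while the play reports success; adding `--fail -sS` (`shell: 'curl --fail -sS -X "POST" ...`) makes the task fail on any 4xx/5xx, and the `uri` module with `status_code` and `body_format: json` would do the same without the temp file. The admin password is interpolated into the command line, so it is visible in `ps` on the host and in Ansible's task output unless `no_log: true` is set on the task. `-k` disables certificate verification for a request that carries those admin credentials, as the now-commented tenant task also did; a comment naming the trust assumption (`# -k: dslproxy presents a self-signed cert; verify once a CA is provisioned`) would keep that from being silently inherited. The posted body appears to be the complete `all_access` mapping (`backend_roles`, empty `hosts`, `users`), so any user mapped by hand is likely dropped on every run, and the commented cleanup task does not remove `/tmp/role.json`.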
@@ -29,8 +29,8 @@ elasticsearch.username: kibanaserver
 elasticsearch.password: kibanaserver
 elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
 
-opendistro_security.multitenancy.enabled: true
-opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
+opendistro_security.multitenancy.enabled: false
+#opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
 opendistro_security.readonly_mode.roles: ["kibana_read_only"]
 
 #new in 7.6
diff --git a/roles/odfekibana/templates/role.json.j2 b/roles/odfekibana/templates/role.json.j2
new file mode 100644
index 0000000..9d67a52
--- /dev/null
+++ b/roles/odfekibana/templates/role.json.j2
@@ -0,0 +1,15 @@
+{
+  "backend_roles":[
+    "admin"
+  ],
+  "hosts":[
+
+  ],
+  "users":[
+{% for user in ODFE_ADMIN_USERS %}
+    "{{ user }}",
+{% endfor %}
+    "admin"
+  ],
+  "description":"Maps admin to all_access"
+}
--
GitLab
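Review bot: Setting `opendistro_security.multitenancy.enabled: false` removes per-tenant separation of saved objects, so, as far as the security plugin's tenancy model goes, every Kibana user effectively shares one global set of dashboards and index patterns and `kibana_read_only` is the only visibility control left in this section; nothing on the new side records that this is deliberate. A comment on that line would, e.g. `# Multitenancy off on purpose: all users share the global tenant (no private saved objects); the all_access mapping in role.json.j2 is the only admin boundary.` The `tenants.preferred` line should be deleted rather than commented out, since it is ignored while multitenancy is disabled and a stale value invites someone to flip the flag back without the matching tasks. `securitytenant` in the unchanged `elasticsearch.requestHeadersWhitelist` line is likewise no longer needed, though dropping it is optional.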
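Review bot: `"{{ user }}",` writes each username into a JSON string literal without escaping, so an entry containing `"` or `\` produces invalid JSON or an extra array element, and the loop plus hard-coded trailing `"admin"` is fragile to edit. Rendering the whole list with the JSON filter is shorter and always valid: replace the six-line `"users":[ ... ]` block with `"users": {{ (ODFE_ADMIN_USERS + ["admin"]) | unique | to_json }},`, which also handles an empty `ODFE_ADMIN_USERS` and a list that already contains `admin`. The template has no header comment; `{# Body for POST /api/v1/configuration/rolesmapping/all_access: sent as the full mapping document, so every admin must be listed here #}` tells the next editor this is not a partial update.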