added "soctools-user-mgmt" user

A special user account with Admin privileges in some services by which the user management GUI can manage user accounts

added "soctools-user-mgmt" user
a1a32672 · Václav Bartoš · 77148774 · a1a32672 · a1a32672 · a1a32672
Commit a1a32672 authored 3 years ago by Václav Bartoš
--- a/group_vars/all/users.yml
+++ b/group_vars/all/users.yml
@@ -26,3 +26,8 @@ THEHIVE_KIBANA_USER:
  surname: "User"
  roles: '["read", "write"]'

+# Special account for user management GUI, configured as admin user in some of the tools
+USER_MGMT_ADMIN_USER:
+  username: "soctools-user-mgmt"
+  DN: "CN=soctools-user-mgmt"
+  CN: "soctools-user-mgmt"
\ No newline at end of file
--- a/roles/ca/tasks/main.yml
+++ b/roles/ca/tasks/main.yml
@@ -113,6 +113,7 @@
 - name: Check for existing user certificates
  command: roles/ca/files/easyrsa/easyrsa show-cert {{item.CN | regex_escape()}}
  with_items:
+    - "{{USER_MGMT_ADMIN_USER}}"
    - "{{soctools_users}}"
  environment:
    EASYRSA_BATCH: 1
@@ -123,6 +124,7 @@
 - name: Generate user certificates
  command: roles/ca/files/easyrsa/easyrsa build-client-full {{item.CN | regex_escape()}} nopass
  with_items:
+    - "{{USER_MGMT_ADMIN_USER}}"
    - "{{soctools_users}}"
  environment:
    EASYRSA_BATCH: 1
@@ -138,6 +140,7 @@
    responses:
      Enter Export Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}}')}}"
  with_items:
+    - "{{USER_MGMT_ADMIN_USER}}"
    - "{{soctools_users}}"
  environment:
    EASYRSA_BATCH: 1
@@ -150,3 +153,18 @@
  with_items:
    - "{{soctools_users}}"

+#- name: Convert certificate of soctools-user-mgmt user to PEM format (cert)
+#  expect:
+#    command: openssl pkcs12 -in "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.p12" -out "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.crt.pem" -clcerts -nokeys
+#    responses:
+#      Enter Import Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}}')}}"
+#  with_items:
+#    - "{{USER_MGMT_ADMIN_USER}}"
+
+#- name: Convert certificate of soctools-user-mgmt user to PEM format (key)
+#  expect:
+#    command: openssl pkcs12 -in "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.p12" -out "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.key.pem" -nocerts -nodes
+#    responses:
+#      Enter Import Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}}')}}"
+#  with_items:
+#    - "{{USER_MGMT_ADMIN_USER}}"
--- a/roles/keycloak/templates/initkeycloakrealm.sh.j2
+++ b/roles/keycloak/templates/initkeycloakrealm.sh.j2
@@ -16,6 +16,7 @@ kcadm.sh update realms/{{openid_realm}} -b '{"browserFlow": "X.509 Browser"}'
 kcadm.sh create realms/{{openid_realm}}/authentication/executions/${BROWSERFORM}/config -b '{"config":{"x509-cert-auth.mapping-source-selection":"Subject'\''s Common Name","x509-cert-auth.canonical-dn-enabled":"true","x509-cert-auth.serialnumber-hex-enabled":false,"x509-cert-auth.regular-expression":"(.*?)(?:$)","x509-cert-auth.mapper-selection":"Custom Attribute Mapper","x509-cert-auth.mapper-selection.user-attribute-name":"CN","x509-cert-auth.timestamp-validation-enabled":"true","x509-cert-auth.crl-checking-enabled":"","x509-cert-auth.crldp-checking-enabled":false,"x509-cert-auth.crl-relative-path":"crl.pem","x509-cert-auth.ocsp-checking-enabled":"","x509-cert-auth.confirmation-page-disallowed":""},"alias":"x509-form-config"}'
 kcadm.sh create realms/{{openid_realm}}/groups -b '{"name":"GN43WP8T31"}'

+kcadm.sh create realms/{{openid_realm}}/users -b '{"enabled":true,"attributes":{"DN": ["{{USER_MGMT_ADMIN_USER.DN}}"],"CN": ["{{USER_MGMT_ADMIN_USER.CN}}"]},"username":"{{USER_MGMT_ADMIN_USER.username}}","groups": ["/GN43WP8T31"] }'
 {% for user in soctools_users %}
 kcadm.sh create realms/{{openid_realm}}/users -b '{"enabled":true,"attributes":{"DN": ["{{user.DN}}"],"CN": ["{{user.CN}}"]},"username":"{{user.username}}","emailVerified":"","email":"{{user.email}}","firstName":"{{user.firstname}}","lastName":"{{user.lastname}}","groups": ["/GN43WP8T31"] }'
 kcadm.sh set-password -r {{openid_realm}} --username {{user.username}} --new-password {{lookup('password', '{{playbook_dir}}/secrets/passwords/'+user.CN)}}

--- a/roles/nifi/templates/users.xml.j2
+++ b/roles/nifi/templates/users.xml.j2
@@ -7,8 +7,9 @@
 	{% endfor %}
      </group>
      <group identifier="c78caf19-016f-1000-0000-000000000002" name="Administrators">
+	    <user identifier="c78caf19-016f-1000-0002-000000000001"/>
 	{% for user in soctools_users %}
-	<user identifier="c78caf19-016f-1000-0002-{{'%012d'|format(loop.index) }}"/>
+	<user identifier="c78caf19-016f-1000-0002-{{'%012d'|format(loop.index+1) }}"/>
 	{% endfor %}
      </group>
    </groups>
@@ -16,8 +17,9 @@
 	{% for nifi in groups['nificontainers'] %}
        <user identifier="c78caf19-016f-1000-0001-{{'%012d'|format(loop.index) }}" identity="CN={{ nifi }}"/>
        {% endfor %}
+        <user identifier="c78caf19-016f-1000-0002-000000000001" identity="{{ USER_MGMT_ADMIN_USER.username }}"/>
 	{% for user in soctools_users %}
-        <user identifier="c78caf19-016f-1000-0002-{{'%012d'|format(loop.index) }}" identity="{{ user.username }}"/>
+        <user identifier="c78caf19-016f-1000-0002-{{'%012d'|format(loop.index+1) }}" identity="{{ user.username }}"/>
        {% endfor %}        
    </users>
 </tenants>