diff --git a/group_vars/all/users.yml b/group_vars/all/users.yml index b0f97bc3be48bbe8330b5e9e05a5683901dfb555..d4108e11b723c7bf5e75435888aed3d03525a23a 100644 --- a/group_vars/all/users.yml +++ b/group_vars/all/users.yml @@ -26,3 +26,8 @@ THEHIVE_KIBANA_USER: surname: "User" roles: '["read", "write"]' +# Special account for user management GUI, configured as admin user in some of the tools +USER_MGMT_ADMIN_USER: + username: "soctools-user-mgmt" + DN: "CN=soctools-user-mgmt" + CN: "soctools-user-mgmt" \ No newline at end of file diff --git a/roles/ca/tasks/main.yml b/roles/ca/tasks/main.yml index e851761376265268c0ea7af70ae65d47d789a43f..693108e48ac0dc8826c9ac68e37fa5af4315071e 100644 --- a/roles/ca/tasks/main.yml +++ b/roles/ca/tasks/main.yml @@ -113,6 +113,7 @@ - name: Check for existing user certificates command: roles/ca/files/easyrsa/easyrsa show-cert {{item.CN | regex_escape()}} with_items: + - "{{USER_MGMT_ADMIN_USER}}" - "{{soctools_users}}" environment: EASYRSA_BATCH: 1 @@ -123,6 +124,7 @@ - name: Generate user certificates command: roles/ca/files/easyrsa/easyrsa build-client-full {{item.CN | regex_escape()}} nopass with_items: + - "{{USER_MGMT_ADMIN_USER}}" - "{{soctools_users}}" environment: EASYRSA_BATCH: 1 @@ -138,6 +140,7 @@ responses: Enter Export Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}}')}}" with_items: + - "{{USER_MGMT_ADMIN_USER}}" - "{{soctools_users}}" environment: EASYRSA_BATCH: 1 
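Review bot: The comment `# Special account for user management GUI, configured as admin user in some of the tools` does not say which tools, yet this same commit makes the identity a member of NiFi's Administrators group and a Keycloak realm user, so anyone rotating or removing the account needs that list. I would replace it with `# Service identity for the user-management GUI. Its client certificate (issued by roles/ca) is its only credential; it is a NiFi Administrator (roles/nifi users.xml) and a realm user in Keycloak (roles/keycloak). Keep DN and CN in sync.` The new block also leaves the file without a trailing newline (`\ No newline at end of file`), which is worth fixing while here.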
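Review bot: In all three `with_items` lists the new entry `"{{USER_MGMT_ADMIN_USER}}"` is a single mapping while `"{{soctools_users}}"` is a list, so iterating over the admin account plus each user relies on with_items' one-level flattening; `loop: "{{ [USER_MGMT_ADMIN_USER] + soctools_users }}"` states that intent explicitly and does not break if `soctools_users` is ever nested. Note also that `build-client-full ... nopass` now issues an unencrypted private key for an identity that this commit places in NiFi's Administrators group; the soctools users are handled the same way, so this is not a regression, but a comment on the task stating that `secrets/CA/private` holds the unencrypted admin key and must be protected accordingly would help whoever operates the control node. Each of these tasks starts before the visible hunk lines.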
@@ -150,3 +153,18 @@ with_items: - "{{soctools_users}}" +#- name: Convert certificate of soctools-user-mgmt user to PEM format (cert) +# expect: +# command: openssl pkcs12 -in "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.p12" -out "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.crt.pem" -clcerts -nokeys +# responses: +# Enter Import Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}}')}}" +# with_items: +# - "{{USER_MGMT_ADMIN_USER}}" + +#- name: Convert certificate of soctools-user-mgmt user to PEM format (key) +# expect: +# command: openssl pkcs12 -in "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.p12" -out "{{playbook_dir}}/secrets/CA/private/{{item.CN}}.key.pem" -nocerts -nodes +# responses: +# Enter Import Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}}')}}" +# with_items: +# - "{{USER_MGMT_ADMIN_USER}}" diff --git a/roles/keycloak/templates/initkeycloakrealm.sh.j2 b/roles/keycloak/templates/initkeycloakrealm.sh.j2 index 1444717fc84aed57192ea89f8d047096d66c5ee6..f114c354ddcf6d65a834c21c6cd6d9ce3977f809 100644 --- a/roles/keycloak/templates/initkeycloakrealm.sh.j2 +++ b/roles/keycloak/templates/initkeycloakrealm.sh.j2 
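Review bot: The two fully commented-out tasks at the end of the file are dead code with no explanation of why they are disabled or what is meant to consume the PEM files; either drop them or add a one-line comment above them stating the reason, e.g. `# Disabled: PEM export of the soctools-user-mgmt key is not needed until <consumer> is wired up`. If they are ever re-enabled, note that the key task uses `openssl pkcs12 ... -nocerts -nodes`, which writes the admin account's private key unencrypted to `secrets/CA/private/<CN>.key.pem`; that should be a conscious decision documented next to the task rather than a side effect of uncommenting it.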
@@ -16,6 +16,7 @@
 kcadm.sh update realms/{{openid_realm}} -b '{"browserFlow": "X.509 Browser"}'
 kcadm.sh create realms/{{openid_realm}}/authentication/executions/${BROWSERFORM}/config -b '{"config":{"x509-cert-auth.mapping-source-selection":"Subject'\''s Common Name","x509-cert-auth.canonical-dn-enabled":"true","x509-cert-auth.serialnumber-hex-enabled":false,"x509-cert-auth.regular-expression":"(.*?)(?:$)","x509-cert-auth.mapper-selection":"Custom Attribute Mapper","x509-cert-auth.mapper-selection.user-attribute-name":"CN","x509-cert-auth.timestamp-validation-enabled":"true","x509-cert-auth.crl-checking-enabled":"","x509-cert-auth.crldp-checking-enabled":false,"x509-cert-auth.crl-relative-path":"crl.pem","x509-cert-auth.ocsp-checking-enabled":"","x509-cert-auth.confirmation-page-disallowed":""},"alias":"x509-form-config"}'
 kcadm.sh create realms/{{openid_realm}}/groups -b '{"name":"GN43WP8T31"}'
+kcadm.sh create realms/{{openid_realm}}/users -b '{"enabled":true,"attributes":{"DN": ["{{USER_MGMT_ADMIN_USER.DN}}"],"CN": ["{{USER_MGMT_ADMIN_USER.CN}}"]},"username":"{{USER_MGMT_ADMIN_USER.username}}","groups": ["/GN43WP8T31"] }'
 {% for user in soctools_users %}
 kcadm.sh create realms/{{openid_realm}}/users -b '{"enabled":true,"attributes":{"DN": ["{{user.DN}}"],"CN": ["{{user.CN}}"]},"username":"{{user.username}}","emailVerified":"","email":"{{user.email}}","firstName":"{{user.firstname}}","lastName":"{{user.lastname}}","groups": ["/GN43WP8T31"] }'
 kcadm.sh set-password -r {{openid_realm}} --username {{user.username}} --new-password {{lookup('password', '{{playbook_dir}}/secrets/passwords/'+user.CN)}}
diff --git a/roles/nifi/templates/users.xml.j2 b/roles/nifi/templates/users.xml.j2
index a57969859498c5610ab26a83ae05e53ca093d264..242113d25e46b076ac61a3b75357d8b45f7e2f18 100644
--- a/roles/nifi/templates/users.xml.j2
+++ b/roles/nifi/templates/users.xml.j2
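Review bot: The new `kcadm.sh create realms/.../users` line for the management account is the only user creation in this script not followed by a `set-password`, so this is a certificate-only account whose login is decided solely by the X.509 browser flow matching the certificate's Common Name against the `CN` attribute (the mapper configuration on the preceding context line); that deserves a comment, e.g. `# soctools-user-mgmt has no password on purpose: it authenticates only via its client certificate (CN attribute matched by the X.509 browser flow)`. The same configuration line shows `x509-cert-auth.crl-checking-enabled` and `x509-cert-auth.ocsp-checking-enabled` set to empty, so as far as I can see from this hunk a compromised management certificate cannot be revoked without rotating the CA; that is pre-existing, but it matters more now that a privileged identity depends on it. Like the other lines, the JSON body is assembled by interpolating `USER_MGMT_ADMIN_USER.DN`/`.CN`/`.username` into a single-quoted shell string, so those variables must never contain a quote.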
@@ -7,8 +7,9 @@
 {% endfor %}
 </group>
 <group identifier="c78caf19-016f-1000-0000-000000000002" name="Administrators">
+ <user identifier="c78caf19-016f-1000-0002-000000000001"/>
 {% for user in soctools_users %}
- <user identifier="c78caf19-016f-1000-0002-{{'%012d'|format(loop.index) }}"/>
+ <user identifier="c78caf19-016f-1000-0002-{{'%012d'|format(loop.index+1) }}"/>
 {% endfor %}
 </group>
 </groups>
@@ -16,8 +17,9 @@
 {% for nifi in groups['nificontainers'] %}
 <user identifier="c78caf19-016f-1000-0001-{{'%012d'|format(loop.index) }}" identity="CN={{ nifi }}"/>
 {% endfor %}
+ <user identifier="c78caf19-016f-1000-0002-000000000001" identity="{{ USER_MGMT_ADMIN_USER.username }}"/>
 {% for user in soctools_users %}
- <user identifier="c78caf19-016f-1000-0002-{{'%012d'|format(loop.index) }}" identity="{{ user.username }}"/>
+ <user identifier="c78caf19-016f-1000-0002-{{'%012d'|format(loop.index+1) }}" identity="{{ user.username }}"/>
 {% endfor %}
 </users>
 </tenants>
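Review bot: Shifting the existing soctools users from `loop.index` to `loop.index+1` in both hunks means that on an already-provisioned instance every `c78caf19-016f-1000-0002-…` identifier now names a different person (user N's former identifier becomes user N-1's), so any NiFi policy created outside these templates that references those identifiers is silently reassigned. Giving the management account its own fixed identifier outside the user range avoids the renumbering: `<user identifier="c78caf19-016f-1000-0003-000000000001" identity="{{ USER_MGMT_ADMIN_USER.username }}"/>` in the users list, the same identifier in the Administrators group, and `loop.index` left unchanged for `soctools_users`. If authorizations.xml is generated from the same index scheme it needs the matching identifier; I cannot see that template from this diff.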