From d578219afb074e5abca383bb684202db26525de0 Mon Sep 17 00:00:00 2001
From: Temur Maisuradze <temur@grena.ge>
Date: Tue, 15 Feb 2022 14:39:48 +0400
Subject: [PATCH] integrate cortex users

---
 roles/cortex/tasks/configure.yml | 81 +++++++++++++++++++
 roles/cortex/tasks/main.yml | 3 +
 roles/cortex/templates/admin.json | 1 +
 roles/cortex/templates/application.conf.j2 | 8 +-
 .../cortex/templates/cortex_organization.json | 1 +
 5 files changed, 90 insertions(+), 4 deletions(-)
 create mode 100644 roles/cortex/tasks/configure.yml
 create mode 100644 roles/cortex/templates/admin.json
 create mode 100644 roles/cortex/templates/cortex_organization.json

diff --git a/roles/cortex/tasks/configure.yml b/roles/cortex/tasks/configure.yml
new file mode 100644
index 0000000..cbcb0e9
--- /dev/null
+++ b/roles/cortex/tasks/configure.yml
@@ -0,0 +1,81 @@
+---
+
+- name: migrate(create) cortex database
+ remote_user: root
+ shell: "curl -X POST http://127.0.0.1:9001/api/maintenance/migrate -H 'Content-Type: application/json'"
+ run_once: True
+
+- name: copy json file for admin user creation in cortex container
+ remote_user: root
+ template:
+ src: admin.json
+ dest: /tmp/admin.json
+
+- name: Create Admin(superadmin) user in cortex
+ shell: "curl -X POST http://127.0.0.1:9001/api/user -H 'Content-Type: application/json' -d @/tmp/admin.json"
+ run_once: True
+
+- name: enable basic auth
+ remote_user: root
+ lineinfile:
+ dest: "/etc/cortex/application.conf"
+ insertafter: 'auth {'
+ line: " method.basic = true"
+
+- name: Restart Cortex
+ remote_user: root
+ command: "supervisorctl restart cortex"
+
+- name: Wait for Cortex
+ remote_user: root
+ wait_for:
+ host: "{{groups['cortex'][0]}}"
+ port: 9001
+ state: started
+ delay: 5
+
+- name: generate api key for admin user
+ remote_user: root
+ shell: "curl -XPOST -u 'admin:{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_adminpass')}}' 'http://127.0.0.1:9001/api/user/admin/key/renew'"
+ run_once: True
+ register: cortexadminuserkey
+ args:
+ warn: false
+ run_once: True
+
+- set_fact:
+ cortexadminuserapikey={{ cortexadminuserkey.stdout }}
+
+- name: copy cortex API key to local file
+ local_action: copy content="{{cortexadminuserapikey}}" dest=secrets/tokens/cortex_secret_key
+
+- name: copy json file for organization creation in cortex
+ remote_user: root
+ template:
+ src: cortex_organization.json
+ dest: /tmp/cortex_organization.json
+
+- name: create organization in cortex
+ remote_user: root
+ shell: "curl -XPOST -H 'Authorization: Bearer {{cortexadminuserapikey}}' -H 'Content-Type: application/json' 'http://127.0.0.1:9001/api/organization' -d @/tmp/cortex_organization.json"
+ run_once: True
+
+- name: disable basic auth
+ remote_user: root
+ lineinfile:
+ dest: "/etc/cortex/application.conf"
+ regexp: 'method.basic = true'
+ state: absent
+
+- name: Restart Cortex
+ remote_user: root
+ command: "supervisorctl restart cortex"
+
+- name: Wait for Cortex
+ remote_user: root
+ wait_for:
+ host: "{{groups['cortex'][0]}}"
+ port: 9001
+ state: started
+ delay: 5
+
diff --git a/roles/cortex/tasks/main.yml b/roles/cortex/tasks/main.yml
index a494e3f..0b9f142 100644
--- a/roles/cortex/tasks/main.yml
+++ b/roles/cortex/tasks/main.yml
@@ -8,6 +8,9 @@
 - start
 - start-cortex
 - init
+- include: configure.yml
+ tags:
+ - init
 - include: stop.yml
 tags:
 - stop
diff --git a/roles/cortex/templates/admin.json b/roles/cortex/templates/admin.json
new file mode 100644
index 0000000..4eb4b06
--- /dev/null
+++ b/roles/cortex/templates/admin.json
@@ -0,0 +1 @@
+{"login":"admin","name":"Admin","password":"{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_adminpass')}}","roles":["superadmin"],"organization":"cortex"}
diff --git a/roles/cortex/templates/application.conf.j2 b/roles/cortex/templates/application.conf.j2
index db6f91c..acfe902 100644
--- a/roles/cortex/templates/application.conf.j2
+++ b/roles/cortex/templates/application.conf.j2
@@ -127,7 +127,7 @@ auth {
 # scope = "profile"
 userIdField = "email"
- scope = ["openid email profile offline_access User.Read"]
+ scope = ["openid email profile"]
 }
 ws.ssl.trustManager {
@@ -143,10 +143,10 @@ auth {
 # Single-Sign On
 sso {
- autocreate = false
- autoupdate = false
+ autocreate = true
+ autoupdate = true
 autologin = true
- defaultRoles = ["read"]
+ defaultRoles = ["read", "analyze"]
 defaultOrganization = "{{domain}}"
 mapper = simple
diff --git a/roles/cortex/templates/cortex_organization.json b/roles/cortex/templates/cortex_organization.json
new file mode 100644
index 0000000..f1c58ff
--- /dev/null
+++ b/roles/cortex/templates/cortex_organization.json
@@ -0,0 +1 @@
+{"name": "{{domain}}", "description": "{{domain}}", "status": "Active"}
--
GitLab
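Review bot: The superadmin password and the generated API key are exposed by the "generate api key for admin user", "Create Admin(superadmin) user" and "copy cortex API key" tasks: the password is handed to curl on the command line (visible in the process list on the host and echoed in Ansible's task output, since none of these tasks set `no_log: true`), the key is `register`ed and `set_fact`ed in the clear, and `/tmp/admin.json` is rendered with the default mode, never removed, and holds the same plaintext password. Replacing `shell: curl` with the `uri` module keeps the credential in module arguments, gives a real HTTP status check (curl without `--fail` exits 0 on a 4xx/5xx, so a failed migrate or user-create is accepted silently under `run_once`), and removes the need for the temp file; add `no_log: true` to every task that touches the password or key and `mode: '0600'` to the controller-side copy at `secrets/tokens/cortex_secret_key`. Two smaller issues in the same hunk: the "generate api key" task declares `run_once: True` twice (a duplicate mapping key, which Ansible only warns about), and the nested `'{{playbook_dir}}/secrets/...'` moustache inside the lookup argument is deprecated nested templating — write `lookup('password', playbook_dir ~ '/secrets/passwords/cortex_adminpass')`. Also `wait_for` probes `groups['cortex'][0]` while every curl targets `127.0.0.1`, so on a multi-host group the wait does not necessarily cover the host being configured; the `status_code` values below are an assumption about what Cortex returns and should be checked against a real run.
```yaml
# … unchanged: migrate, enable basic auth, restart and wait tasks …

- name: Create Admin(superadmin) user in cortex
  uri:
    url: http://127.0.0.1:9001/api/user
    method: POST
    body: "{{ lookup('template', 'admin.json') }}"
    body_format: json
    status_code: [200, 201]
  run_once: true
  no_log: true  # body carries the superadmin password

- name: generate api key for admin user
  remote_user: root
  uri:
    url: http://127.0.0.1:9001/api/user/admin/key/renew
    method: POST
    url_username: admin
    url_password: "{{ lookup('password', playbook_dir ~ '/secrets/passwords/cortex_adminpass') }}"
    force_basic_auth: true
    return_content: true
  register: cortexadminuserkey
  run_once: true
  no_log: true

- set_fact:
    cortexadminuserapikey: "{{ cortexadminuserkey.content }}"
  no_log: true

- name: copy cortex API key to local file
  copy:
    content: "{{ cortexadminuserapikey }}"
    dest: secrets/tokens/cortex_secret_key
    mode: '0600'
  delegate_to: localhost
  no_log: true

# … unchanged: organization creation, disable basic auth, restart and wait tasks …
```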
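Review bot: The password is interpolated into the JSON body without escaping, and the same unescaped interpolation is used for `{{domain}}` in `cortex_organization.json` further down; a value containing `"` or `\` yields invalid JSON that curl posts as-is (the password lookup's default charset happens to avoid those characters, but `domain` is operator-supplied). Use `| to_json` for each substituted value — it emits the surrounding quotes, so the literal ones go — e.g. `"password":{{ lookup('password', playbook_dir ~ '/secrets/passwords/cortex_adminpass') | to_json }}` and `"name": {{ domain | to_json }}`. The nested `'{{playbook_dir}}/…'` moustache inside the lookup argument is deprecated nested templating; `playbook_dir ~ '/secrets/…'` is the plain Jinja form. Because this template is rendered to `/tmp/admin.json` on the target, the plaintext superadmin password lands on disk with the umask-derived default mode; if the file must exist at all, give the `template` task `mode: '0600'` and remove it once the POST has run.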
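Review bot: `sso.autocreate = true` together with `autoupdate = true` and `defaultRoles = ["read", "analyze"]` means every identity the SSO provider authenticates gets a Cortex account created on first login with analyze rights in the `{{domain}}` organization, and its profile is rewritten from the IdP on every login; nothing in the template restricts which IdP users qualify. That may be intended, but it makes the IdP's whole user population Cortex analysts, and as far as I know the `analyze` role is what permits running analyzers (and so sending observables to whatever external services they are configured with). Worth a comment above the block recording the decision, e.g. `# autocreate/autoupdate: every user accepted by the IdP is provisioned with read+analyze in {{domain}}; membership must be restricted on the IdP side`, and consider keeping `defaultRoles = ["read"]` and granting analyze explicitly. The scope change in the previous hunk (dropping `offline_access User.Read`) is independent; with `autoupdate = true`, confirm that `openid email profile` still supplies the claims the `simple` mapper reads, since a missing claim would now be re-applied on each login.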