Improve Security practices #75

Open
4 tasks
arm4b opened this issue Jan 9, 2017 · 2 comments

Comments

@arm4b
Member

arm4b commented Jan 9, 2017

From the:

At the moment we don't even configure any username/passwords for external services like Mongo, RabbitMQ with st2 Ansible installation. Additionally, we're not sure whether those services are listening on 127.0.0.1 or are open to public net.

All of that needs better control and improvement.

  • Ensure we can configure host for dependent services
  • Services should run on 127.0.0.1 (PostgreSQL, Mongo, RabbitMQ) by default
  • Configure/Set username/password for PostgreSQL, Mongo, RabbitMQ
  • If not explicitly set, passwords for PostgreSQL, Mongo, RabbitMQ should be generated randomly and placed in st2.conf
@cognifloyd
Member

Here's a gist of some tasks that should run idempotently (or at least I think they're idempotent):

  • Turn on authorization in mongo, add admin user, and add st2 user
  • Add rabbitmq management plugin, remove guest user and add a rabbitmq user for stackstorm

There's also a set of group_vars for my stackstorm group in my inventory.

https://gist.github.com/cognifloyd/c03cafc62f26a3ea0cfe1a5ed5c4238d

@cognifloyd
Member

#162 for mongo and #164 for rabbitmq

cognifloyd added a commit to cognifloyd/ansible-st2 that referenced this issue Sep 21, 2018
Adds auth to mongo when the mongodb_auth_enable flag is true.
Any additional users should be passed in via mongodb_users.
There are several other default variables as well (like mongodb_host,
mongodb_port) that can be overridden in the play or inventory that uses
this role.

This does not attempt to generate any passwords. It only adds users if
explicitly requested, but allows external tasks/roles to import the
mongodb_auth.yml tasks to add users as required after mongo is installed.

This uses lineinfile to edit mongod.conf with regexes to catch as many
edge cases in yaml formatting (spaces, quotes) as possible.
Also, this uses a bit of python to validate that the yaml file was
modified in such a way that it is still valid yaml, and the entries
introduced in the file are present as expected.

This uses the mongo shell to see if authorization is required before
adding the admin user. This should handle cases such as the localhost
exception in a new install or upgrades where auth is not enabled or
upgrades where auth is enabled.

As explained in comments, we only update mongo user passwords on_create
because that is the only way to maintain idempotency.

This should be idempotent.

Part of StackStorm#75.
cognifloyd added a commit to cognifloyd/ansible-st2 that referenced this issue Sep 21, 2018
cognifloyd added a commit to cognifloyd/ansible-st2 that referenced this issue Sep 21, 2018
Adds auth to mongo when the mongodb_auth_enable flag is true.
Any additional users should be passed in via mongodb_users.
There are several other default variables as well (like mongodb_host,
mongodb_port) that can be overridden in the play or inventory that uses
this role.

This does not attempt to generate any passwords. It only adds users if
explicitly requested, but allows external tasks/roles to import the
mongodb_auth.yml tasks to add users as required after mongo is installed.

This uses lineinfile to edit mongod.conf with regexes to catch as many
edge cases in yaml formatting (spaces, quotes) as possible.
Also, this uses a bit of python to validate that the yaml file was
modified in such a way that it is still valid yaml, and the entries
introduced in the file are present as expected.

This uses the mongo shell to see if authorization is required before
adding the admin user. This should handle cases such as the localhost
exception in a new install or upgrades where auth is not enabled or
upgrades where auth is enabled.

This installs pip using system packages if `pip` is not present. `pip`
is needed to install pymongo which is used to manage mongo users through
the mongodb_user ansible module.

As explained in comments, we only update mongo user passwords on_create
because that is the only way to maintain idempotency.

This should be idempotent.

Part of StackStorm#75.
cognifloyd added a commit to cognifloyd/ansible-st2 that referenced this issue Sep 22, 2018
cognifloyd added a commit to cognifloyd/ansible-st2 that referenced this issue Sep 22, 2018
cognifloyd added a commit to cognifloyd/ansible-st2 that referenced this issue Sep 22, 2018
cognifloyd added a commit to cognifloyd/ansible-st2 that referenced this issue Sep 22, 2018
cognifloyd added a commit to theatro/ansible-st2 that referenced this issue Nov 10, 2018
cognifloyd added a commit to theatro/ansible-st2 that referenced this issue Jan 29, 2020
cognifloyd added a commit to theatro/ansible-st2 that referenced this issue Jan 29, 2020
Adds auth to mongo when the mongodb_auth_enable flag is true.
Any additional users should be passed in via mongodb_users.
There are several other default variables as well (like mongodb_host,
mongodb_port) that can be overridden in the play or inventory that uses
this role.

This only adds users if explicitly requested. External tasks/roles can
also import the mongodb_auth.yml tasks to add users as required after
mongo is installed.

This uses lineinfile to edit mongod.conf with regexs to catch as many
edge cases in yaml formatting (spaces, quotes) as possible.
Also, this uses a bit of python to validate that the yaml file was
modified in such a way that it is still valid yaml, and the entries
introduced in the file are present as expected.

This uses the mongo shell to see if authorization is required before
adding any users. Before adding users, including admin, we need to know
if authentication is already enabled in the running instance of mongodb
to (a) have an idempotent playbook, and (b) to cleanly handle edge cases
where people are configuring a mongo instance that already has auth
configured or partially configured.

For a truly idempotent playbook, the playbook needs to be able to run
both before authentication is enabled and after it is enabled. The check
validates the state of mongo auth including: Is auth enabled? Are users
configured? Even after mongo is restarted with auth enabled, the check
task will still return rc=0 until users are added due to the localhost
exception[1].

As explained in code comments, we only update mongo user passwords
on_create (vs always) because of a mongodb restriction that prevents the
ansible module from idempotently/sanely setting the password. The role
allows overriding that by setting mongodb_force_update_password.

Part of StackStorm#75.

[1] https://docs.mongodb.com/manual/core/security-users/#localhost-exception