Merge "Add authentication for Kibana"
This commit is contained in:
commit
7e7949ff00
@ -74,6 +74,12 @@ firewall { '101 kibana':
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall { '101 proxy-kibana':
|
||||
port => hiera('lma::elasticsearch::apache_port'),
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall { '999 drop all other requests':
|
||||
proto => 'all',
|
||||
chain => 'INPUT',
|
||||
|
@ -15,7 +15,7 @@
|
||||
notice('fuel-plugin-elasticsearch-kibana: haproxy.pp')
|
||||
|
||||
$es_port = hiera('lma::elasticsearch::rest_port')
|
||||
$kibana_backend_port = hiera('lma::elasticsearch::kibana_port')
|
||||
$kibana_backend_port = hiera('lma::elasticsearch::apache_port')
|
||||
$kibana_frontend_port = hiera('lma::elasticsearch::kibana_frontend_port')
|
||||
$vip = hiera('lma::elasticsearch::vip')
|
||||
|
||||
|
@ -66,7 +66,7 @@ if is_integer($elasticsearch_kibana['recover_after_nodes']) and $elasticsearch_k
|
||||
$instance_name = 'es-01'
|
||||
$logs_dir = "/var/log/elasticsearch/${instance_name}"
|
||||
|
||||
$tls_enabled = $elasticsearch_kibana['tls_enabled']
|
||||
$tls_enabled = $elasticsearch_kibana['tls_enabled'] or false
|
||||
if $tls_enabled {
|
||||
$kibana_hostname = $elasticsearch_kibana['kibana_hostname']
|
||||
$cert_base_dir = '/etc/haproxy'
|
||||
@ -102,6 +102,7 @@ lma::elasticsearch::vip: <%= @vip %>
|
||||
lma::elasticsearch::es_haproxy_service: elasticsearch-rest
|
||||
lma::elasticsearch::listen_address: <%= @listen_address%>
|
||||
lma::elasticsearch::kibana_frontend_port: 80
|
||||
lma::elasticsearch::apache_port: 80
|
||||
lma::elasticsearch::kibana_port: 5601
|
||||
lma::elasticsearch::kibana_index: .kibana
|
||||
lma::elasticsearch::rest_port: 9200
|
||||
@ -121,12 +122,13 @@ lma::elasticsearch::jvm_size: <%= @elasticsearch_kibana["jvm_heap_size"] %>
|
||||
lma::elasticsearch::instance_name: <%= @instance_name %>
|
||||
lma::elasticsearch::node_name: "<%= @fqdn %>_es-01"
|
||||
lma::elasticsearch::cluster_name: lma
|
||||
|
||||
lma::kibana::tls::enabled: <%= @tls_enabled %>
|
||||
<% if @tls_enabled -%>
|
||||
lma::kibana::tls::hostname: <%= @kibana_hostname %>
|
||||
lma::kibana::tls::cert_file_path: <%= @cert_file_path %>
|
||||
<% end -%>
|
||||
lma::kibana::username: <%= @elasticsearch_kibana["kibana_username"] %>
|
||||
lma::kibana::password: <%= @elasticsearch_kibana["kibana_password"] %>
|
||||
')
|
||||
|
||||
file { $hiera_file:
|
||||
|
@ -21,3 +21,13 @@ class { 'lma_logging_analytics::kibana':
|
||||
es_port => hiera('lma::elasticsearch::rest_port'),
|
||||
version => '4.5.1',
|
||||
}
|
||||
|
||||
class { 'lma_logging_analytics::kibana_authentication':
|
||||
listen_address => hiera('lma::elasticsearch::listen_address'),
|
||||
listen_port => hiera('lma::elasticsearch::apache_port'),
|
||||
kibana_address => hiera('lma::elasticsearch::listen_address'),
|
||||
kibana_port => hiera('lma::elasticsearch::kibana_port'),
|
||||
username => hiera('lma::kibana::username'),
|
||||
password => hiera('lma::kibana::password'),
|
||||
require => Class[lma_logging_analytics::kibana],
|
||||
}
|
||||
|
@ -9,5 +9,11 @@ fixtures:
|
||||
concat:
|
||||
repo: "git://github.com/puppetlabs/puppetlabs-concat"
|
||||
ref: "1.2.4"
|
||||
apache:
|
||||
repo: "git://github.com/puppetlabs/puppetlabs-apache"
|
||||
ref: "1.5.0"
|
||||
htpasswd:
|
||||
repo: "git://github.com/leinaddm/puppet-htpasswd"
|
||||
ref: "0.0.3"
|
||||
symlinks:
|
||||
lma_logging_analytics: "#{source_dir}"
|
||||
|
@ -0,0 +1,62 @@
|
||||
# Copyright 2016 Mirantis, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# Class lma_logging_analytics::kibana_authentication
|
||||
|
||||
class lma_logging_analytics::kibana_authentication (
|
||||
$listen_address,
|
||||
$listen_port,
|
||||
$kibana_port,
|
||||
$kibana_address,
|
||||
$username,
|
||||
$password,
|
||||
) {
|
||||
|
||||
include lma_logging_analytics::params
|
||||
|
||||
$apache_modules = ['proxy', 'proxy_http', 'rewrite',
|
||||
'authn_file', 'auth_basic', 'authz_user']
|
||||
|
||||
## Configure apache
|
||||
class { 'apache':
|
||||
# be good citizen by not erasing other configurations
|
||||
purge_configs => false,
|
||||
default_confd_files => false,
|
||||
default_vhost => false,
|
||||
mpm_module => false,
|
||||
default_mods => $apache_modules,
|
||||
}
|
||||
|
||||
apache::listen { "${listen_address}:${listen_port}": }
|
||||
|
||||
$htpasswd_file = $lma_logging_analytics::params::apache_htpasswd_file
|
||||
htpasswd { $username:
|
||||
cryptpasswd => ht_md5($password, 'salt'),
|
||||
target => $htpasswd_file,
|
||||
require => Class['apache'],
|
||||
}
|
||||
|
||||
file { $htpasswd_file:
|
||||
ensure => present,
|
||||
mode => '0440',
|
||||
owner => $::apache::user,
|
||||
group => $::apache::group,
|
||||
require => Class[Apache],
|
||||
}
|
||||
|
||||
apache::custom_config { 'kibana-proxy':
|
||||
content => template('lma_logging_analytics/apache_kibana_proxy.conf.erb'),
|
||||
require => [Class['apache'], File[$htpasswd_file]],
|
||||
}
|
||||
}
|
@ -20,6 +20,7 @@ class lma_logging_analytics::params {
|
||||
|
||||
$kibana_dir = '/opt/kibana'
|
||||
$kibana_config = "${kibana_dir}/config.js"
|
||||
$apache_htpasswd_file = '/etc/apache2/kibana.htpasswd'
|
||||
$kibana_dashboard_prefix = 'Logging, Monitoring and Alerting - '
|
||||
$kibana_default_route = join(['/dashboard/elasticsearch/', $kibana_dashboard_prefix, 'Logs'], '')
|
||||
$kibana_replicas = 0
|
||||
|
@ -21,6 +21,9 @@
|
||||
"dependencies": [
|
||||
{"name": "puppetlabs/stdlib", "version_requirement": "4.x"},
|
||||
{"name": "jfryman/nginx", "version_requirement": ">= 0.2.2"},
|
||||
{"name": "elasticsearch/elasticsearch", "version_requirement": ">= 0.10.x"}
|
||||
{"name": "elasticsearch/elasticsearch", "version_requirement": ">= 0.10.x"},
|
||||
{"name": "puppetlabs/concat", "version_requirement": "1.2.3"},
|
||||
{"name": "puppetlabs/apache", "version_requirement": "1.5.0"},
|
||||
{"name": "leinaddm/htpasswd", "version_requirement": ">= 0.0.3"}
|
||||
]
|
||||
}
|
||||
|
@ -0,0 +1,37 @@
|
||||
# Copyright 2016 Mirantis, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
require 'spec_helper'
|
||||
|
||||
describe 'lma_logging_analytics::kibana_authentication' do
|
||||
let(:facts) do
|
||||
{:kernel => 'Linux', :operatingsystem => 'Ubuntu',
|
||||
:operatingsystemrelease => '12.4', :osfamily => 'Debian',
|
||||
:concat_basedir => '/foo' }
|
||||
end
|
||||
|
||||
let(:params) do
|
||||
{:listen_address => '127.0.0.1', :listen_port => 80,
|
||||
:kibana_address => '127.0.0.1', :kibana_port => 5106,
|
||||
:username => 'foouser', :password => 'foopass'
|
||||
}
|
||||
end
|
||||
|
||||
it {
|
||||
should contain_class('apache')
|
||||
should contain_apache__custom_config('kibana-proxy')
|
||||
should contain_htpasswd('foouser')
|
||||
should contain_file('/etc/apache2/kibana.htpasswd')
|
||||
}
|
||||
end
|
||||
|
@ -0,0 +1,30 @@
|
||||
# ************************************
|
||||
# Vhost template in module lma_logging_analytics
|
||||
# Managed by Puppet
|
||||
# ************************************
|
||||
|
||||
<VirtualHost <%= @listen_address %>:<%= @listen_port %>>
|
||||
ServerName kibana
|
||||
DocumentRoot "/opt/kibana"
|
||||
|
||||
ProxyRequests Off
|
||||
|
||||
<Proxy *>
|
||||
Order Allow,Deny
|
||||
Allow From All
|
||||
AuthName "Kibana Access"
|
||||
AuthType Basic
|
||||
AuthUserFile <%= @htpasswd_file %>
|
||||
require valid-user
|
||||
</Proxy>
|
||||
|
||||
ProxyPass / http://<%= @kibana_address %>:<%= @kibana_port %>
|
||||
ProxyPassReverse / http://<%= @kibana_address %>:<%= @kibana_port %>
|
||||
RewriteEngine on
|
||||
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
|
||||
RewriteRule .* http://<%= @kibana_address %>:<%= @kibana_port %>%{REQUEST_URI} [P,QSA]
|
||||
|
||||
ErrorLog "/var/log/apache2/kibana_error.log"
|
||||
ServerSignature Off
|
||||
CustomLog "/var/log/apache2/kibana_access.log" combined
|
||||
</VirtualHost>
|
@ -26,12 +26,32 @@ attributes:
|
||||
value: '1'
|
||||
label: 'JVM heap size'
|
||||
description: 'in GB (between 1 and 32). The amount of memory reserved for the JVM.'
|
||||
weight: 18
|
||||
weight: 16
|
||||
type: "text"
|
||||
regex:
|
||||
source: '^([1-9]|[12][0-9]|3[0-2])$'
|
||||
error: 'Enter a value between 1 and 32'
|
||||
|
||||
kibana_username:
|
||||
value: 'lma'
|
||||
label: 'User name'
|
||||
description: 'The username to access Kibana.'
|
||||
weight: 17
|
||||
type: "text"
|
||||
regex:
|
||||
source: '\S'
|
||||
error: "You must provide a username."
|
||||
|
||||
kibana_password:
|
||||
value: ''
|
||||
label: 'User password'
|
||||
description: 'The password to access Kibana.'
|
||||
weight: 18
|
||||
type: "password"
|
||||
regex:
|
||||
source: '^[\S]{4,}$'
|
||||
error: "You must provide a password with at least 4 characters"
|
||||
|
||||
advanced_settings:
|
||||
label: "Advanced settings"
|
||||
value: false
|
||||
|
@ -10,6 +10,8 @@ ELASTICSEARCH_TARBALL_URL="https://forgeapi.puppetlabs.com/v3/files/elasticsearc
|
||||
# Dependency for Elasticsearch 0.10.x
|
||||
DATACAT_TARBALL_URL="https://forgeapi.puppetlabs.com/v3/files/richardc-datacat-0.6.2.tar.gz"
|
||||
FIREWALL_TARBALL_URL="https://forgeapi.puppetlabs.com/v3/files/puppetlabs-firewall-1.7.2.tar.gz"
|
||||
APACHE_TARBALL_URL="https://forgeapi.puppetlabs.com/v3/files/puppetlabs-apache-1.4.0.tar.gz"
|
||||
HTPASSWD_TARBALL_URL="https://forgeapi.puppetlabs.com/v3/files/leinaddm-htpasswd-0.0.3.tar.gz"
|
||||
|
||||
TZ_VERSION="2016d-0ubuntu0.14.04_all"
|
||||
|
||||
@ -37,6 +39,8 @@ download_puppet_module "stdlib" "$STDLIB_TARBALL_URL"
|
||||
download_puppet_module "elasticsearch" "$ELASTICSEARCH_TARBALL_URL"
|
||||
download_puppet_module "firewall" "$FIREWALL_TARBALL_URL"
|
||||
download_puppet_module "datacat" "$DATACAT_TARBALL_URL"
|
||||
download_puppet_module "apache" "${APACHE_TARBALL_URL}"
|
||||
download_puppet_module "htpasswd" "${HTPASSWD_TARBALL_URL}"
|
||||
|
||||
|
||||
# Update tzdata-java package to remove strict dependency on tzdata (see LP bug #1560436)
|
||||
|
Loading…
Reference in New Issue
Block a user