
Updated deploy-elastic script – version 9

Last update to version 8 is listed here


The original post for the deploy-elastic.sh script is here

Changes:

  • Starting with 7.12.x, node.roles are set: es01 & es02 are tagged as data_content & data_hot and es03 is tagged as data_frozen. This lets users play with the frozen tier, configure searchable snapshots, partially mounted indices, restored indices, and more (make sure to run the script with the snapshot option so that minio is stood up).
  • LDAP mode was added. It is meant for testing various role_mappings and basic LDAP authentication configurations and settings, and it works with any version of elasticsearch.
    • user1/user1 was added with the admin group access
    • user2/user2 was added with the user group access
    • admin group is role_mapped to superuser
    • user group is role_mapped to the *_admin roles
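With es03 carrying data_frozen and minio stood up by the snapshot option, the missing piece for playing with the frozen tier is getting an index onto it. The following is an added example, not code from deploy-elastic.sh: it builds an ILM policy whose frozen phase mounts the index as a partially mounted searchable snapshot, and shows the manual partial mount of an existing snapshot. The repository name `minio`, the policy, index and snapshot names, and the ages are assumptions; the CA path is the ca.crt the script copies out (/Users/jlim/elasticstack in the run above, $HOME/elasticstack here).

```shell
#!/bin/sh
# Added example, not part of deploy-elastic.sh. With es03 carrying data_frozen and a
# snapshot repository registered (the script's snapshot option stands up minio; the
# repository name "minio" below is an assumption), an index reaches the frozen tier
# either through an ILM policy or through a manual partial mount of a snapshot.
# Policy name, index and snapshot names and the ages are placeholders.
set -eu

ES_URL="${ES_URL:-https://localhost:9200}"
CA_CERT="${CA_CERT:-$HOME/elasticstack/ca.crt}"   # ca.crt the script copies out
ES_PASS="${ES_PASS:-changeme}"                    # elastic password printed by the script

# ilm_policy_body REPO FROZEN_AGE DELETE_AGE -> ILM policy JSON. In the frozen
# phase the searchable_snapshot action mounts the index partially (shared cache),
# so only the frozen node es03 holds it and the data itself stays in the repository.
ilm_policy_body() {
  printf '{"policy":{"phases":{"hot":{"actions":{"rollover":{"max_age":"1d","max_primary_shard_size":"50gb"}}},"frozen":{"min_age":"%s","actions":{"searchable_snapshot":{"snapshot_repository":"%s"}}},"delete":{"min_age":"%s","actions":{"delete":{}}}}}}' \
    "$2" "$1" "$3"
}

# mount_body INDEX -> body for POST /_snapshot/REPO/SNAP/_mount?storage=shared_cache,
# which is the manual way to get a partially mounted index onto the frozen tier
mount_body() {
  printf '{"index":"%s","renamed_index":"partial-%s"}' "$1" "$1"
}

es_api() {  # METHOD PATH BODY -> call the API as elastic over TLS, verifying the script's CA
  curl -sS --cacert "$CA_CERT" -u "elastic:${ES_PASS}" -H 'Content-Type: application/json' \
       -X "$1" "${ES_URL}$2" -d "$3"
}

main() {
  es_api PUT /_ilm/policy/frozen-demo "$(ilm_policy_body minio 2d 30d)"
  es_api POST '/_snapshot/minio/snap-1/_mount?storage=shared_cache&wait_for_completion=true' "$(mount_body logs-demo)"
  # the mounted shards should be allocated to the frozen node only
  curl -sS --cacert "$CA_CERT" -u "elastic:${ES_PASS}" "${ES_URL}/_cat/shards/partial-logs-demo?v&h=index,shard,prirep,node"
}
if [ "${APPLY_TIERING:-0}" = 1 ]; then main; fi
```

Run it with `APPLY_TIERING=1 ES_PASS=<password from the script> ./frozen-tier.sh` against a deployment started with the snapshot option; the final `_cat/shards` call should list es03 as the node holding every shard of the partially mounted index.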
$ ./deploy-elastic.sh ldap 8.2.2
[DEBUG] Deployment does not exist.  Starting deployment first
********** Deploying elasticsearch & kibana 8.2.2 **********
[DEBUG] docker.elastic.co/elasticsearch/elasticsearch:8.2.2 docker image already exists.. moving forward..
[DEBUG] docker.elastic.co/kibana/kibana:8.2.2 docker image already exists.. moving forward..
[DEBUG] Setting  password for elastic as IwFCBHg2YqQb8zx8O5YTXVUkY
[DEBUG] elasticsearch.yml created
[DEBUG] kibana.yml created
[DEBUG] .env created
[DEBUG] stack-compose.yml created
[DEBUG] Starting our deployment
Creating network "es_default" with the default driver
Creating volume "es_certs" with local driver
Creating volume "es_data01" with local driver
Creating volume "es_data02" with local driver
Creating volume "es_data03" with local driver
Creating volume "es_kibanadata" with local driver
Creating es_setup_1 ... done
Creating es01       ... done
Creating es02       ... done
Creating es03       ... done
Creating kibana     ... done
[DEBUG] Copied ca.crt to /Users/jlim/elasticstack
[DEBUG] Generated encryption keys for kibana
[DEBUG] Restarted kibana to pick encryption keys
[DEBUG] Complete! - stack deployed. 8.2.2 elastic password: IwFCBHg2YqQb8zx8O5YTXVUkY
********** Deploying OpenLDAP server and configure the stack with LDAP **********
[DEBUG] elastic user's password found IwFCBHg2YqQb8zx8O5YTXVUkY
[DEBUG] elasticsearch health is GREEN moving forward.
[DEBUG] osixia/openldap docker image already exists.. moving forward..
[DEBUG] Generating ldap.ldif
[DEBUG] Starting OpenLDAP
[DEBUG] OpenLDAP container deployed
[DEBUG] Importing ldap.ldif
[DEBUG] Updating elasticsearch.yml
[DEBUG] Creating role_mappings
[DEBUG] Adding xpack.security.authc.realms.ldap.ldap1.secure_bind_password to keystore and restarting instances
[DEBUG] elasticsearch is unhealthy. Checking again in 2 seconds... if this doesnt finish in ~ 30 seconds something is wrong ctrl-c please.
[DEBUG] elasticsearch is unhealthy. Checking again in 2 seconds... if this doesnt finish in ~ 30 seconds something is wrong ctrl-c please.
[DEBUG] elasticsearch is unhealthy. Checking again in 2 seconds... if this doesnt finish in ~ 30 seconds something is wrong ctrl-c please.
[DEBUG] elasticsearch is unhealthy. Checking again in 2 seconds... if this doesnt finish in ~ 30 seconds something is wrong ctrl-c please.
[DEBUG] elasticsearch is unhealthy. Checking again in 2 seconds... if this doesnt finish in ~ 30 seconds something is wrong ctrl-c please.
[DEBUG] elasticsearch is unhealthy. Checking again in 2 seconds... if this doesnt finish in ~ 30 seconds something is wrong ctrl-c please.
[DEBUG] elasticsearch is unhealthy. Checking again in 2 seconds... if this doesnt finish in ~ 30 seconds something is wrong ctrl-c please.
[DEBUG] elasticsearch health is GREEN moving forward.
[DEBUG] LDAP configured
[DEBUG] user1/user1 is configured for ldap group admin and has superuser role
[DEBUG] user2/user2 is configured for ldap group users and has *_admin roles

$ curl -k -u user1:user1 https://localhost:9200/_security/_authenticate\?pretty
{
  "username" : "user1",
  "roles" : [
    "superuser"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "ldap_dn" : "cn=user1,dc=example,dc=org",
    "ldap_groups" : [
      "cn=admins,ou=groups,dc=example,dc=org"
    ]
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "ldap1",
    "type" : "ldap"
  },
  "lookup_realm" : {
    "name" : "ldap1",
    "type" : "ldap"
  },
  "authentication_type" : "realm"
}

$ curl -k -u user2:user2 https://localhost:9200/_security/_authenticate\?pretty
{
  "username" : "user2",
  "roles" : [
    "watcher_admin",
    "viewer",
    "beats_admin",
    "kibana_admin",
    "machine_learning_admin",
    "transform_admin",
    "logstash_admin",
    "rollup_admin",
    "ingest_admin"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "ldap_dn" : "cn=user2,dc=example,dc=org",
    "ldap_groups" : [
      "cn=users,ou=groups,dc=example,dc=org"
    ]
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "ldap1",
    "type" : "ldap"
  },
  "lookup_realm" : {
    "name" : "ldap1",
    "type" : "ldap"
  },
  "authentication_type" : "realm"
}
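The two `_authenticate` responses above are the result of role mappings keyed on the LDAP group DN. Below is an added example, not the script's own code, of creating such mappings through the role-mapping API and checking what a user actually received. The mapping names are placeholders; the realm name `ldap1` and the group DNs are taken from the output above, and the list of *_admin roles is the set user2 received. The mapping rule also requires the `ldap1` realm, so a group with the same name in another realm does not inherit the roles.

```shell
#!/bin/sh
# Added example (not from deploy-elastic.sh): create the group->role mappings
# behind the _authenticate output above and check what a user actually got.
# Mapping names are placeholders; the realm name ldap1 and the group DNs come
# from the output above; the *_admin list is the set user2 received.
set -eu

ES_URL="${ES_URL:-https://localhost:9200}"
CA_CERT="${CA_CERT:-$HOME/elasticstack/ca.crt}"   # ca.crt the script copies out
ES_PASS="${ES_PASS:-changeme}"                    # elastic password printed by the script

ADMIN_GROUP='cn=admins,ou=groups,dc=example,dc=org'
USERS_GROUP='cn=users,ou=groups,dc=example,dc=org'
USER_ROLES='watcher_admin beats_admin kibana_admin machine_learning_admin transform_admin logstash_admin rollup_admin ingest_admin'

# role_mapping_body GROUP_DN ROLE... -> JSON for PUT /_security/role_mapping/<name>.
# The "all" rule pins the mapping to realm ldap1 as well as the group DN, so a
# group of the same name in another realm does not pick up these roles.
role_mapping_body() {
  local group_dn roles r
  group_dn="$1"; shift
  roles=""
  for r in "$@"; do roles="${roles:+$roles,}\"$r\""; done
  printf '{"enabled":true,"roles":[%s],"rules":{"all":[{"field":{"realm.name":"ldap1"}},{"field":{"groups":"%s"}}]}}' \
    "$roles" "$group_dn"
}

# has_role AUTH_JSON ROLE -> succeeds when the _authenticate response lists ROLE
has_role() {
  printf '%s' "$1" | tr -d ' \n' | grep -q "\"roles\":\[[^]]*\"$2\""
}

es_api() {  # METHOD PATH BODY -> call the API as elastic over TLS, verifying the script's CA
  curl -sS --cacert "$CA_CERT" -u "elastic:${ES_PASS}" -H 'Content-Type: application/json' \
       -X "$1" "${ES_URL}$2" -d "$3"
}

authenticate() {  # USER PASS -> _authenticate response for that user
  curl -sS --cacert "$CA_CERT" -u "$1:$2" "${ES_URL}/_security/_authenticate"
}

main() {
  es_api PUT /_security/role_mapping/ldap-admins "$(role_mapping_body "$ADMIN_GROUP" superuser)"
  # word-splitting USER_ROLES into separate arguments is intended here
  es_api PUT /_security/role_mapping/ldap-users "$(role_mapping_body "$USERS_GROUP" $USER_ROLES)"
  echo
  auth="$(authenticate user1 user1)"
  if has_role "$auth" superuser; then echo "user1 -> superuser: ok"; else echo "user1 missing superuser"; exit 1; fi
  auth="$(authenticate user2 user2)"
  if has_role "$auth" superuser; then echo "user2 unexpectedly has superuser"; exit 1; fi
  if has_role "$auth" kibana_admin; then echo "user2 -> kibana_admin: ok"; else echo "user2 missing kibana_admin"; exit 1; fi
}
if [ "${APPLY_MAPPINGS:-0}" = 1 ]; then main; fi
```

Run it with `APPLY_MAPPINGS=1 ES_PASS=<password from the script> ./ldap-mappings.sh`. The negative check on user2 is the one worth keeping around: a mapping that accidentally matches the wider group is how a plain LDAP user ends up with superuser, and `_authenticate` is the quickest place to see it.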

jlim0930
