Merge "Add authentication for Kibana"

2016-06-24 16:09:34 +00:00 · 2016-06-24 16:09:34 +00:00 · 7e7949ff00
parent 9ed1ae1a93 469db9e35d
commit 7e7949ff00
12 changed files with 186 additions and 5 deletions
--- a/deployment_scripts/puppet/manifests/firewall.pp
+++ b/deployment_scripts/puppet/manifests/firewall.pp
@ -74,6 +74,12 @@ firewall { '101 kibana':
  action => 'accept',
 }

+firewall { '101 proxy-kibana':
+  port   => hiera('lma::elasticsearch::apache_port'),
+  proto  => 'tcp',
+  action => 'accept',
+}
+
 firewall { '999 drop all other requests':
  proto  => 'all',
  chain  => 'INPUT',
--- a/deployment_scripts/puppet/manifests/haproxy.pp
+++ b/deployment_scripts/puppet/manifests/haproxy.pp
@ -15,7 +15,7 @@
 notice('fuel-plugin-elasticsearch-kibana: haproxy.pp')

 $es_port = hiera('lma::elasticsearch::rest_port')
-$kibana_backend_port = hiera('lma::elasticsearch::kibana_port')
+$kibana_backend_port = hiera('lma::elasticsearch::apache_port')
 $kibana_frontend_port = hiera('lma::elasticsearch::kibana_frontend_port')
 $vip = hiera('lma::elasticsearch::vip')

--- a/deployment_scripts/puppet/manifests/hiera_override.pp
+++ b/deployment_scripts/puppet/manifests/hiera_override.pp
@ -66,7 +66,7 @@ if is_integer($elasticsearch_kibana['recover_after_nodes']) and $elasticsearch_k
 $instance_name = 'es-01'
 $logs_dir = "/var/log/elasticsearch/${instance_name}"

-$tls_enabled = $elasticsearch_kibana['tls_enabled']
+$tls_enabled = $elasticsearch_kibana['tls_enabled'] or false
 if $tls_enabled {
  $kibana_hostname = $elasticsearch_kibana['kibana_hostname']
  $cert_base_dir = '/etc/haproxy'
@ -102,6 +102,7 @@ lma::elasticsearch::vip: <%= @vip %>
 lma::elasticsearch::es_haproxy_service: elasticsearch-rest
 lma::elasticsearch::listen_address: <%= @listen_address%>
 lma::elasticsearch::kibana_frontend_port: 80
+lma::elasticsearch::apache_port: 80
 lma::elasticsearch::kibana_port: 5601
 lma::elasticsearch::kibana_index: .kibana
 lma::elasticsearch::rest_port: 9200
@ -121,12 +122,13 @@ lma::elasticsearch::jvm_size: <%= @elasticsearch_kibana["jvm_heap_size"] %>
 lma::elasticsearch::instance_name: <%= @instance_name %>
 lma::elasticsearch::node_name: "<%= @fqdn %>_es-01"
 lma::elasticsearch::cluster_name: lma
-
 lma::kibana::tls::enabled: <%= @tls_enabled %>
 <% if @tls_enabled -%>
 lma::kibana::tls::hostname: <%= @kibana_hostname %>
 lma::kibana::tls::cert_file_path: <%= @cert_file_path %>
 <% end -%>
+lma::kibana::username: <%= @elasticsearch_kibana["kibana_username"] %>
+lma::kibana::password: <%= @elasticsearch_kibana["kibana_password"] %>
 ')

 file { $hiera_file:
--- a/deployment_scripts/puppet/manifests/kibana.pp
+++ b/deployment_scripts/puppet/manifests/kibana.pp
@ -21,3 +21,13 @@ class { 'lma_logging_analytics::kibana':
  es_port        => hiera('lma::elasticsearch::rest_port'),
  version        => '4.5.1',
 }
+
+class { 'lma_logging_analytics::kibana_authentication':
+  listen_address => hiera('lma::elasticsearch::listen_address'),
+  listen_port    => hiera('lma::elasticsearch::apache_port'),
+  kibana_address => hiera('lma::elasticsearch::listen_address'),
+  kibana_port    => hiera('lma::elasticsearch::kibana_port'),
+  username       => hiera('lma::kibana::username'),
+  password       => hiera('lma::kibana::password'),
+  require        => Class[lma_logging_analytics::kibana],
+}
--- a/deployment_scripts/puppet/modules/lma_logging_analytics/.fixtures.yml
+++ b/deployment_scripts/puppet/modules/lma_logging_analytics/.fixtures.yml
@ -9,5 +9,11 @@ fixtures:
    concat:
      repo: "git://github.com/puppetlabs/puppetlabs-concat"
      ref: "1.2.4"
+    apache:
+      repo: "git://github.com/puppetlabs/puppetlabs-apache"
+      ref: "1.5.0"
+    htpasswd:
+      repo: "git://github.com/leinaddm/puppet-htpasswd"
+      ref: "0.0.3"
  symlinks:
    lma_logging_analytics: "#{source_dir}"
--- a/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/kibana_authentication.pp
+++ b/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/kibana_authentication.pp
@ -0,0 +1,62 @@
+#    Copyright 2016 Mirantis, Inc.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+# Class lma_logging_analytics::kibana_authentication
+
+class lma_logging_analytics::kibana_authentication (
+  $listen_address,
+  $listen_port,
+  $kibana_port,
+  $kibana_address,
+  $username,
+  $password,
+) {
+
+  include lma_logging_analytics::params
+
+  $apache_modules = ['proxy', 'proxy_http', 'rewrite',
+                    'authn_file', 'auth_basic', 'authz_user']
+
+  ## Configure apache
+  class { 'apache':
+    # be good citizen by not erasing other configurations
+    purge_configs       => false,
+    default_confd_files => false,
+    default_vhost       => false,
+    mpm_module          => false,
+    default_mods        => $apache_modules,
+  }
+
+  apache::listen { "${listen_address}:${listen_port}": }
+
+  $htpasswd_file = $lma_logging_analytics::params::apache_htpasswd_file
+  htpasswd { $username:
+    cryptpasswd => ht_md5($password, 'salt'),
+    target      => $htpasswd_file,
+    require     => Class['apache'],
+  }
+
+  file { $htpasswd_file:
+    ensure  => present,
+    mode    => '0440',
+    owner   => $::apache::user,
+    group   => $::apache::group,
+    require => Class[Apache],
+  }
+
+  apache::custom_config { 'kibana-proxy':
+    content => template('lma_logging_analytics/apache_kibana_proxy.conf.erb'),
+    require => [Class['apache'], File[$htpasswd_file]],
+  }
+}
--- a/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/params.pp
+++ b/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/params.pp
@ -20,6 +20,7 @@ class lma_logging_analytics::params {

  $kibana_dir              = '/opt/kibana'
  $kibana_config           = "${kibana_dir}/config.js"
+  $apache_htpasswd_file    = '/etc/apache2/kibana.htpasswd'
  $kibana_dashboard_prefix = 'Logging, Monitoring and Alerting - '
  $kibana_default_route    = join(['/dashboard/elasticsearch/', $kibana_dashboard_prefix, 'Logs'], '')
  $kibana_replicas         = 0
--- a/deployment_scripts/puppet/modules/lma_logging_analytics/metadata.json
+++ b/deployment_scripts/puppet/modules/lma_logging_analytics/metadata.json
@ -21,6 +21,9 @@
    "dependencies": [
        {"name": "puppetlabs/stdlib", "version_requirement": "4.x"},
        {"name": "jfryman/nginx", "version_requirement": ">= 0.2.2"},
-        {"name": "elasticsearch/elasticsearch", "version_requirement": ">= 0.10.x"}
+        {"name": "elasticsearch/elasticsearch", "version_requirement": ">= 0.10.x"},
+        {"name": "puppetlabs/concat", "version_requirement": "1.2.3"},
+        {"name": "puppetlabs/apache", "version_requirement": "1.5.0"},
+        {"name": "leinaddm/htpasswd", "version_requirement": ">= 0.0.3"}
    ]
 }
--- a/deployment_scripts/puppet/modules/lma_logging_analytics/spec/classes/lma_logging_analytics_kibana_authentication_spec.rb
+++ b/deployment_scripts/puppet/modules/lma_logging_analytics/spec/classes/lma_logging_analytics_kibana_authentication_spec.rb
@ -0,0 +1,37 @@
+#    Copyright 2016 Mirantis, Inc.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+require 'spec_helper'
+
+describe 'lma_logging_analytics::kibana_authentication' do
+    let(:facts) do
+        {:kernel => 'Linux', :operatingsystem => 'Ubuntu',
+         :operatingsystemrelease => '12.4', :osfamily => 'Debian',
+         :concat_basedir => '/foo' }
+    end
+
+    let(:params) do
+        {:listen_address => '127.0.0.1', :listen_port => 80,
+         :kibana_address  => '127.0.0.1', :kibana_port => 5106,
+         :username => 'foouser', :password => 'foopass'
+        }
+    end
+
+    it {
+      should contain_class('apache')
+      should contain_apache__custom_config('kibana-proxy')
+      should contain_htpasswd('foouser')
+      should contain_file('/etc/apache2/kibana.htpasswd')
+    }
+end
+
--- a/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy.conf.erb
+++ b/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy.conf.erb
@ -0,0 +1,30 @@
+# ************************************
+# Vhost template in module lma_logging_analytics
+# Managed by Puppet
+# ************************************
+
+<VirtualHost <%= @listen_address %>:<%= @listen_port %>>
+  ServerName kibana
+  DocumentRoot "/opt/kibana"
+
+  ProxyRequests Off
+
+  <Proxy *>
+    Order Allow,Deny
+    Allow From All
+    AuthName "Kibana Access"
+    AuthType Basic
+    AuthUserFile <%= @htpasswd_file %>
+    require valid-user
+  </Proxy>
+
+  ProxyPass / http://<%= @kibana_address %>:<%= @kibana_port %>
+  ProxyPassReverse / http://<%= @kibana_address %>:<%= @kibana_port %>
+  RewriteEngine on
+  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
+  RewriteRule .* http://<%= @kibana_address %>:<%= @kibana_port %>%{REQUEST_URI} [P,QSA]
+
+  ErrorLog "/var/log/apache2/kibana_error.log"
+  ServerSignature Off
+  CustomLog "/var/log/apache2/kibana_access.log" combined
+</VirtualHost>
--- a/environment_config.yaml
+++ b/environment_config.yaml
@ -26,12 +26,32 @@ attributes:
    value: '1'
    label: 'JVM heap size'
    description: 'in GB (between 1 and 32). The amount of memory reserved for the JVM.'
-    weight: 18
+    weight: 16
    type: "text"
    regex:
      source: '^([1-9]|[12][0-9]|3[0-2])$'
      error: 'Enter a value between 1 and 32'

+  kibana_username:
+    value: 'lma'
+    label: 'User name'
+    description: 'The username to access Kibana.'
+    weight: 17
+    type: "text"
+    regex:
+      source: '\S'
+      error: "You must provide a username."
+
+  kibana_password:
+    value: ''
+    label: 'User password'
+    description: 'The password to access Kibana.'
+    weight: 18
+    type: "password"
+    regex:
+      source: '^[\S]{4,}$'
+      error: "You must provide a password with at least 4 characters"
+
  advanced_settings:
    label: "Advanced settings"
    value: false
--- a/4
+++ b/4
@ -10,6 +10,8 @@ ELASTICSEARCH_TARBALL_URL="https://forgeapi.puppetlabs.com/v3/files/elasticsearc
 # Dependency for Elasticsearch 0.10.x
 DATACAT_TARBALL_URL="https://forgeapi.puppetlabs.com/v3/files/richardc-datacat-0.6.2.tar.gz"
 FIREWALL_TARBALL_URL="https://forgeapi.puppetlabs.com/v3/files/puppetlabs-firewall-1.7.2.tar.gz"
+APACHE_TARBALL_URL="https://forgeapi.puppetlabs.com/v3/files/puppetlabs-apache-1.4.0.tar.gz"
+HTPASSWD_TARBALL_URL="https://forgeapi.puppetlabs.com/v3/files/leinaddm-htpasswd-0.0.3.tar.gz"

 TZ_VERSION="2016d-0ubuntu0.14.04_all"

@ -37,6 +39,8 @@ download_puppet_module "stdlib" "$STDLIB_TARBALL_URL"
 download_puppet_module "elasticsearch" "$ELASTICSEARCH_TARBALL_URL"
 download_puppet_module "firewall" "$FIREWALL_TARBALL_URL"
 download_puppet_module "datacat" "$DATACAT_TARBALL_URL"
+download_puppet_module "apache" "${APACHE_TARBALL_URL}"
+download_puppet_module "htpasswd" "${HTPASSWD_TARBALL_URL}"


 # Update tzdata-java package to remove strict dependency on tzdata (see LP bug #1560436)