Implement new method for setting admin password

This commit introduces a new set of parameters and classes that are used instead of the previous implementation of the "manage_password" parameter to set the initial admin password through the documented user-seed.conf method. The old method still exists but now logs a message indicating that it is no longer the preferred method. This is being done to align the module with Splunk's documentation, prevent Puppet from causing a correctional change on each run, and make it possible to reset the admin password from the Splunk console when desired. The new seed method was implemented in a class separate from Class[splunk::{enterprise,forwarder}::config] to enable it to be easily used external from Puppet, specifically with a Bolt Plan in mind so people can reset the seeded admin password easily without the need to temporarily change infrastructure data sets. The old direct management method was migrated to the same method just for consistency. Fixes voxpupuli#226
nick-markowski · Jul 17, 2019 · 0557019 · 0557019
1 parent ef70a6f
commit 0557019
Show file tree

Hide file tree

Showing 13 changed files with 2,128 additions and 507 deletions.
diff --git a/README.md b/README.md
diff --git a/REFERENCE.md b/REFERENCE.md
diff --git a/manifests/enterprise.pp b/manifests/enterprise.pp
@@ -141,13 +141,27 @@
 # @param manage_password
 #   If set to true, Manage the contents of splunk.secret and passwd.
 #
+# @param seed_password
+#   If set to true, Manage the contents of splunk.secret and user-seed.conf.
+#
+# @param reset_seed_password
+#   If set to true, deletes `password_config_file` to trigger Splunk's password
+#   import process on restart of the Splunk services.
+#
 # @param password_config_file
 #   Which file to put the password in i.e. in linux it would be
 #   `/opt/splunk/etc/passwd`.
 #
+# @param seed_config_file
+#   Which file to place the admin password hash in so its imported by Splunk on
+#   restart.
+#
 # @param password_content
 #   The hashed password username/details for the user.
 #
+# @param password_hash
+#   The hashed password for the admin user.
+#
 # @param secret_file
 #   Which file we should put the secret in.
 #
@@ -194,8 +208,12 @@
   Boolean $purge_uiprefs                     = false,
   Boolean $purge_web                         = false,
   Boolean $manage_password                   = $splunk::params::manage_password,
+  Boolean $seed_password                     = $splunk::params::seed_password,
+  Boolean $reset_seeded_password             = $splunk::params::reset_seeded_password,
   Stdlib::Absolutepath $password_config_file = $splunk::params::enterprise_password_config_file,
+  Stdlib::Absolutepath $seed_config_file     = $splunk::params::enterprise_seed_config_file,
   String[1] $password_content                = $splunk::params::password_content,
+  String[1] $password_hash                   = $splunk::params::password_hash,
   Stdlib::Absolutepath $secret_file          = $splunk::params::enterprise_secret_file,
   String[1] $secret                          = $splunk::params::secret,
 ) inherits splunk {
@@ -209,6 +227,18 @@
     fail('This module does not currently support continuously upgrading Splunk Enterprise on Windows. Please do not set "package_ensure" to "latest" on Windows.')
   }
 
+  if $manage_password and $seed_password {
+    fail('The setting "manage_password" and "seed_password" are in conflict with one another; they are two ways of accomplishing the same goal, "seed_password" is preferred according to Splunk documentation. If you need to reset the admin user password after initially installation then set "reset_seeded_password" temporarily.')
+  }
+
+  if $manage_password {
+    info("The setting \"manage_password\" will manage the contents of ${password_config_file} which Splunk changes on restart, this results in Puppet initiating a corrective change event on every run and will trigger a resart of all Splunk services")
+  }
+
+  if $reset_seeded_password {
+    info("The setting \"reset_seeded_password\" will delete ${password_config_file} on each run of Puppet and generate a corrective change event, the file must be absent for Splunk's admin password seeding process to be triggered so this setting should only be used temporarily as it'll also cause a resart of the Splunk service")
+  }
+
   contain 'splunk::enterprise::install'
   contain 'splunk::enterprise::config'
   contain 'splunk::enterprise::service'

diff --git a/manifests/enterprise/config.pp b/manifests/enterprise/config.pp
@@ -4,19 +4,28 @@
 #
 class splunk::enterprise::config() {
 
-  if $splunk::enterprise::manage_password {
-    file { $splunk::enterprise::password_config_file:
-      ensure  => file,
-      owner   => $splunk::enterprise::splunk_user,
-      group   => $splunk::enterprise::splunk_user,
-      content => $splunk::enterprise::password_content,
+  if $splunk::enterprise::seed_password {
+    class { 'splunk::enterprise::password::seed':
+      reset_seeded_password => $splunk::enterprise::reset_seeded_password,
+      password_config_file  => $splunk::enterprise::password_config_file,
+      seed_config_file      => $splunk::enterprise::seed_config_file,
+      password_hash         => $splunk::enterprise::password_hash,
+      secret_file           => $splunk::enterprise::secret_file,
+      secret                => $splunk::enterprise::secret,
+      splunk_user           => $splunk::enterprise::splunk_user,
+      mode                  => 'agent',
     }
+  }
 
-    file { $splunk::enterprise::secret_file:
-      ensure  => file,
-      owner   => $splunk::enterprise::splunk_user,
-      group   => $splunk::enterprise::splunk_user,
-      content => $splunk::enterprise::secret,
+  if $splunk::enterprise::manage_password {
+    class { 'splunk::enterprise::password::manage':
+      manage_password      => $splunk::enterprise::manage_password,
+      password_config_file => $splunk::enterprise::password_config_file,
+      password_content     => $splunk::enterprise::password_content,
+      secret_file          => $splunk::enterprise::secret_file,
+      secret               => $splunk::enterprise::secret,
+      splunk_user          => $splunk::enterprise::splunk_user,
+      mode                 => 'agent',
     }
   }
 

diff --git a/manifests/enterprise/password/manage.pp b/manifests/enterprise/password/manage.pp
@@ -0,0 +1,70 @@
+# @summary
+#   Implements the direct management of the Splunk Enterprise admin password
+#   so it can be used outside of regular management of the whole stack to
+#   facilitate admin password resets through Bolt Plans.
+#
+#   Note: Entirely done to make this implementation consistent with the method
+#   used to manage admin password seeding.
+#
+# @param manage_password
+#   If set to true, Manage the contents of splunk.secret and passwd.
+#
+# @param password_config_file
+#   Which file to put the password in i.e. in linux it would be
+#   `/opt/splunk/etc/passwd`.
+#
+# @param password_content
+#   The hashed password username/details for the user.
+# @param secret_file
+#   Which file we should put the secret in.
+#
+# @param secret
+#   The secret used to salt the splunk password.
+#
+# @params service
+#   Name of the Splunk Enterprise service that needs to be restarted after files
+#   are updated, not applicable when running in agent mode.
+#
+# @params mode
+#   The class is designed to work in two ways, as a helper that is called by
+#   Class[splunk::enterprise::config] or leveraged independently from with in a
+#   Bolt Plan. The value defaults to "bolt" implicitly assuming that anytime it
+#   is used outside of Class[splunk::enterprise::config], it is being used by
+#   Bolt
+#
+class splunk::enterprise::password::manage(
+  Boolean $manage_password                   = $splunk::params::manage_password,
+  Stdlib::Absolutepath $password_config_file = $splunk::params::forwarder_password_config_file,
+  String[1] $password_content                = $splunk::params::password_content,
+  Stdlib::Absolutepath $secret_file          = $splunk::params::forwarder_secret_file,
+  String[1] $secret                          = $splunk::params::secret,
+  String[1] $splunk_user                     = $splunk::params::splunk_user,
+  String[1] $service                         = $splunk::params::enterprise_service,
+  Enum['agent', 'bolt'] $mode                = 'bolt',
+) inherits splunk::params {
+
+  file { $secret_file:
+    ensure  => file,
+    owner   => $splunk_user,
+    group   => $splunk_user,
+    content => $secret,
+  }
+
+  file { $password_config_file:
+    ensure  => file,
+    owner   => $splunk_user,
+    group   => $splunk_user,
+    content => $password_content,
+    require => File[$secret_file],
+  }
+
+  if $mode == 'bolt' {
+    service { $service:
+      ensure     => running,
+      enable     => true,
+      hasstatus  => true,
+      hasrestart => true,
+      subscribe  => File[$password_config_file],
+    }
+  }
+}
diff --git a/manifests/enterprise/password/seed.pp b/manifests/enterprise/password/seed.pp
@@ -0,0 +1,83 @@
+# @summary
+#   Implements the seeding and reseeding of the Splunk Enterprise admin password
+#   so it can be used outside of regular management of the whole stack to
+#   facilitate admin password resets through Bolt Plans
+#
+# @param seed_password
+#   If set to true, Manage the contents of splunk.secret and user-seed.conf.
+#
+# @param reset_seed_password
+#   If set to true, deletes `password_config_file` to trigger Splunk's password
+#   import process on restart of the Splunk services.
+#
+# @param password_config_file
+#   Which file to put the password in i.e. in linux it would be
+#   `/opt/splunk/etc/passwd`.
+#
+# @param seed_config_file
+#   Which file to place the admin password hash in so its imported by Splunk on
+#   restart.
+#
+# @param password_hash
+#   The hashed password for the admin user.
+#
+# @param secret_file
+#   Which file we should put the secret in.
+#
+# @param secret
+#   The secret used to salt the splunk password.
+#
+# @params service
+#   Name of the Splunk Enterprise service that needs to be restarted after files
+#   are updated, not applicable when running in agent mode.
+#
+# @params mode
+#   The class is designed to work in two ways, as a helper that is called by
+#   Class[splunk::enterprise::config] or leveraged independently from with in a
+#   Bolt Plan. The value defaults to "bolt" implicitly assuming that anytime it
+#   is used outside of Class[splunk::enterprise::config], it is being used by
+#   Bolt
+#
+class splunk::enterprise::password::seed(
+  Boolean $reset_seeded_password             = $splunk::params::reset_seeded_password,
+  Stdlib::Absolutepath $password_config_file = $splunk::params::enterprise_password_config_file,
+  Stdlib::Absolutepath $seed_config_file     = $splunk::params::enterprise_seed_config_file,
+  String[1] $password_hash                   = $splunk::params::password_hash,
+  Stdlib::Absolutepath $secret_file          = $splunk::params::enterprise_secret_file,
+  String[1] $secret                          = $splunk::params::secret,
+  String[1] $splunk_user                     = $splunk::params::splunk_user,
+  String[1] $service                         = $splunk::params::enterprise_service,
+  Enum['agent', 'bolt'] $mode                = 'bolt',
+) inherits splunk::params {
+
+  file { $secret_file:
+    ensure  => file,
+    owner   => $splunk_user,
+    group   => $splunk_user,
+    content => $secret,
+  }
+
+  if $reset_seeded_password or $facts['splunk_version'].empty {
+    file { $password_config_file:
+      ensure => absent,
+      before => File[$seed_config_file],
+    }
+    file { $seed_config_file:
+      ensure  => file,
+      owner   => $splunk_user,
+      group   => $splunk_user,
+      content => epp('splunk/user-seed.conf.epp', { 'hash' => $password_hash}),
+      require => File[$secret_file],
+    }
+
+    if $mode == 'bolt' {
+      service { $service:
+        ensure     => running,
+        enable     => true,
+        hasstatus  => true,
+        hasrestart => true,
+        subscribe  => File[$seed_config_file],
+      }
+    }
+  }
+}
diff --git a/manifests/forwarder.pp b/manifests/forwarder.pp
@@ -117,13 +117,27 @@
 # @param manage_password
 #   If set to true, Manage the contents of splunk.secret and passwd.
 #
+# @param seed_password
+#   If set to true, Manage the contents of splunk.secret and user-seed.conf.
+#
+# @param reset_seed_password
+#   If set to true, deletes `password_config_file` to trigger Splunk's password
+#   import process on restart of the Splunk services.
+#
 # @param password_config_file
 #   Which file to put the password in i.e. in linux it would be
 #   `/opt/splunkforwarder/etc/passwd`.
 #
+# @param seed_config_file
+#   Which file to place the admin password hash in so its imported by Splunk on
+#   restart.
+#
 # @param password_content
 #   The hashed password username/details for the user.
 #
+# @param password_hash
+#   The hashed password for the admin user.
+#
 # @param secret_file
 #   Which file we should put the secret in.
 #
@@ -164,8 +178,12 @@
   Hash $forwarder_output                     = $splunk::params::forwarder_output,
   Hash $forwarder_input                      = $splunk::params::forwarder_input,
   Boolean $manage_password                   = $splunk::params::manage_password,
+  Boolean $seed_password                     = $splunk::params::seed_password,
+  Boolean $reset_seeded_password             = $splunk::params::reset_seeded_password,
   Stdlib::Absolutepath $password_config_file = $splunk::params::forwarder_password_config_file,
+  Stdlib::Absolutepath $seed_config_file     = $splunk::params::forwarder_seed_config_file,
   String[1] $password_content                = $splunk::params::password_content,
+  String[1] $password_hash                   = $splunk::params::password_hash,
   Stdlib::Absolutepath $secret_file          = $splunk::params::forwarder_secret_file,
   String[1] $secret                          = $splunk::params::secret,
   Hash $addons                               = {},
@@ -180,6 +198,18 @@
     fail('This module does not currently support continuously upgrading the Splunk Universal Forwarder on Windows. Please do not set "package_ensure" to "latest" on Windows.')
   }
 
+  if $manage_password and $seed_password {
+    fail('The setting "manage_password" and "seed_password" are in conflict with one another; they are two ways of accomplishing the same goal, "seed_password" is preferred according to Splunk documentation. If you need to reset the admin user password after initially installation then set "reset_seeded_password" temporarily.')
+  }
+
+  if $manage_password {
+    info("The setting \"manage_password\" will manage the contents of ${password_config_file} which Splunk changes on restart, this results in Puppet initiating a corrective change event on every run and will trigger a resart of all Splunk services")
+  }
+
+  if $reset_seeded_password {
+    info("The setting \"reset_seeded_password\" will delete ${password_config_file} on each run of Puppet and generate a corrective change event, the file must be absent for Splunk's admin password seeding process to be triggered so this setting should only be used temporarily as it'll also cause a resart of the Splunk service")
+  }
+
   contain 'splunk::forwarder::install'
   contain 'splunk::forwarder::config'
   contain 'splunk::forwarder::service'

diff --git a/manifests/forwarder/config.pp b/manifests/forwarder/config.pp
@@ -5,19 +5,28 @@
 #
 class splunk::forwarder::config {
 
-  if $splunk::forwarder::manage_password {
-    file { $splunk::forwarder::password_config_file:
-      ensure  => file,
-      owner   => $splunk::forwarder::splunk_user,
-      group   => $splunk::forwarder::splunk_user,
-      content => $splunk::forwarder::password_content,
+  if $splunk::forwarder::seed_password {
+    class { 'splunk::forwarder::password::seed':
+      reset_seeded_password => $splunk::forwarder::reset_seeded_password,
+      password_config_file  => $splunk::forwarder::password_config_file,
+      seed_config_file      => $splunk::forwarder::seed_config_file,
+      password_hash         => $splunk::forwarder::password_hash,
+      secret_file           => $splunk::forwarder::secret_file,
+      secret                => $splunk::forwarder::secret,
+      splunk_user           => $splunk::forwarder::splunk_user,
+      mode                  => 'agent',
     }
+  }
 
-    file { $splunk::forwarder::secret_file:
-      ensure  => file,
-      owner   => $splunk::forwarder::splunk_user,
-      group   => $splunk::forwarder::splunk_user,
-      content => $splunk::forwarder::secret,
+  if $splunk::forwarder::manage_password {
+    class { 'splunk::forwarder::password::manage':
+      manage_password      => $splunk::forwarder::manage_password,
+      password_config_file => $splunk::forwarder::password_config_file,
+      password_content     => $splunk::forwarder::password_content,
+      secret_file          => $splunk::forwarder::secret_file,
+      secret               => $splunk::forwarder::secret,
+      splunk_user          => $splunk::forwarder::splunk_user,
+      mode                 => 'agent',
     }
   }