Merge pull request voxpupuli#242 from ody/admin_passwd_setting

Setup admin account through user-seed.conf
nick-markowski · Jul 18, 2019 · e9500e7 · e9500e7
2 parents ef70a6f + 0557019
commit e9500e7
Show file tree

Hide file tree

Showing 13 changed files with 2,128 additions and 507 deletions.
diff --git a/README.md b/README.md
diff --git a/REFERENCE.md b/REFERENCE.md
diff --git a/manifests/enterprise.pp b/manifests/enterprise.pp
@@ -141,13 +141,27 @@
 # @param manage_password
 #   If set to true, Manage the contents of splunk.secret and passwd.
 #
+# @param seed_password
+#   If set to true, Manage the contents of splunk.secret and user-seed.conf.
+#
+# @param reset_seed_password
+#   If set to true, deletes `password_config_file` to trigger Splunk's password
+#   import process on restart of the Splunk services.
+#
 # @param password_config_file
 #   Which file to put the password in i.e. in linux it would be
 #   `/opt/splunk/etc/passwd`.
 #
+# @param seed_config_file
+#   Which file to place the admin password hash in so its imported by Splunk on
+#   restart.
+#
 # @param password_content
 #   The hashed password username/details for the user.
 #
+# @param password_hash
+#   The hashed password for the admin user.
+#
 # @param secret_file
 #   Which file we should put the secret in.
 #
@@ -194,8 +208,12 @@
   Boolean $purge_uiprefs                     = false,
   Boolean $purge_web                         = false,
   Boolean $manage_password                   = $splunk::params::manage_password,
+  Boolean $seed_password                     = $splunk::params::seed_password,
+  Boolean $reset_seeded_password             = $splunk::params::reset_seeded_password,
   Stdlib::Absolutepath $password_config_file = $splunk::params::enterprise_password_config_file,
+  Stdlib::Absolutepath $seed_config_file     = $splunk::params::enterprise_seed_config_file,
   String[1] $password_content                = $splunk::params::password_content,
+  String[1] $password_hash                   = $splunk::params::password_hash,
   Stdlib::Absolutepath $secret_file          = $splunk::params::enterprise_secret_file,
   String[1] $secret                          = $splunk::params::secret,
 ) inherits splunk {
@@ -209,6 +227,18 @@
     fail('This module does not currently support continuously upgrading Splunk Enterprise on Windows. Please do not set "package_ensure" to "latest" on Windows.')
   }
 
+  if $manage_password and $seed_password {
+    fail('The setting "manage_password" and "seed_password" are in conflict with one another; they are two ways of accomplishing the same goal, "seed_password" is preferred according to Splunk documentation. If you need to reset the admin user password after initially installation then set "reset_seeded_password" temporarily.')
+  }
+
+  if $manage_password {
+    info("The setting \"manage_password\" will manage the contents of ${password_config_file} which Splunk changes on restart, this results in Puppet initiating a corrective change event on every run and will trigger a resart of all Splunk services")
+  }
+
+  if $reset_seeded_password {
+    info("The setting \"reset_seeded_password\" will delete ${password_config_file} on each run of Puppet and generate a corrective change event, the file must be absent for Splunk's admin password seeding process to be triggered so this setting should only be used temporarily as it'll also cause a resart of the Splunk service")
+  }
+
   contain 'splunk::enterprise::install'
   contain 'splunk::enterprise::config'
   contain 'splunk::enterprise::service'

diff --git a/manifests/enterprise/config.pp b/manifests/enterprise/config.pp
@@ -4,19 +4,28 @@
 #
 class splunk::enterprise::config() {
 
-  if $splunk::enterprise::manage_password {
-    file { $splunk::enterprise::password_config_file:
-      ensure  => file,
-      owner   => $splunk::enterprise::splunk_user,
-      group   => $splunk::enterprise::splunk_user,
-      content => $splunk::enterprise::password_content,
+  if $splunk::enterprise::seed_password {
+    class { 'splunk::enterprise::password::seed':
+      reset_seeded_password => $splunk::enterprise::reset_seeded_password,
+      password_config_file  => $splunk::enterprise::password_config_file,
+      seed_config_file      => $splunk::enterprise::seed_config_file,
+      password_hash         => $splunk::enterprise::password_hash,
+      secret_file           => $splunk::enterprise::secret_file,
+      secret                => $splunk::enterprise::secret,
+      splunk_user           => $splunk::enterprise::splunk_user,
+      mode                  => 'agent',
     }
+  }
 
-    file { $splunk::enterprise::secret_file:
-      ensure  => file,
-      owner   => $splunk::enterprise::splunk_user,
-      group   => $splunk::enterprise::splunk_user,
-      content => $splunk::enterprise::secret,
+  if $splunk::enterprise::manage_password {
+    class { 'splunk::enterprise::password::manage':
+      manage_password      => $splunk::enterprise::manage_password,
+      password_config_file => $splunk::enterprise::password_config_file,
+      password_content     => $splunk::enterprise::password_content,
+      secret_file          => $splunk::enterprise::secret_file,
+      secret               => $splunk::enterprise::secret,
+      splunk_user          => $splunk::enterprise::splunk_user,
+      mode                 => 'agent',
     }
   }
 

diff --git a/manifests/enterprise/password/manage.pp b/manifests/enterprise/password/manage.pp
@@ -0,0 +1,70 @@
+# @summary
+#   Implements the direct management of the Splunk Enterprise admin password
+#   so it can be used outside of regular management of the whole stack to
+#   facilitate admin password resets through Bolt Plans.
+#
+#   Note: Entirely done to make this implementation consistent with the method
+#   used to manage admin password seeding.
+#
+# @param manage_password
+#   If set to true, Manage the contents of splunk.secret and passwd.
+#
+# @param password_config_file
+#   Which file to put the password in i.e. in linux it would be
+#   `/opt/splunk/etc/passwd`.
+#
+# @param password_content
+#   The hashed password username/details for the user.
+# @param secret_file
+#   Which file we should put the secret in.
+#
+# @param secret
+#   The secret used to salt the splunk password.
+#
+# @params service
+#   Name of the Splunk Enterprise service that needs to be restarted after files
+#   are updated, not applicable when running in agent mode.
+#
+# @params mode
+#   The class is designed to work in two ways, as a helper that is called by
+#   Class[splunk::enterprise::config] or leveraged independently from with in a
+#   Bolt Plan. The value defaults to "bolt" implicitly assuming that anytime it
+#   is used outside of Class[splunk::enterprise::config], it is being used by
+#   Bolt
+#
+class splunk::enterprise::password::manage(
+  Boolean $manage_password                   = $splunk::params::manage_password,
+  Stdlib::Absolutepath $password_config_file = $splunk::params::forwarder_password_config_file,
+  String[1] $password_content                = $splunk::params::password_content,
+  Stdlib::Absolutepath $secret_file          = $splunk::params::forwarder_secret_file,
+  String[1] $secret                          = $splunk::params::secret,
+  String[1] $splunk_user                     = $splunk::params::splunk_user,
+  String[1] $service                         = $splunk::params::enterprise_service,
+  Enum['agent', 'bolt'] $mode                = 'bolt',
+) inherits splunk::params {
+
+  file { $secret_file:
+    ensure  => file,
+    owner   => $splunk_user,
+    group   => $splunk_user,
+    content => $secret,
+  }
+
+  file { $password_config_file:
+    ensure  => file,
+    owner   => $splunk_user,
+    group   => $splunk_user,
+    content => $password_content,
+    require => File[$secret_file],
+  }
+
+  if $mode == 'bolt' {
+    service { $service:
+      ensure     => running,
+      enable     => true,
+      hasstatus  => true,
+      hasrestart => true,
+      subscribe  => File[$password_config_file],
+    }
+  }
+}
diff --git a/manifests/enterprise/password/seed.pp b/manifests/enterprise/password/seed.pp
@@ -0,0 +1,83 @@
+# @summary
+#   Implements the seeding and reseeding of the Splunk Enterprise admin password
+#   so it can be used outside of regular management of the whole stack to
+#   facilitate admin password resets through Bolt Plans
+#
+# @param seed_password
+#   If set to true, Manage the contents of splunk.secret and user-seed.conf.
+#
+# @param reset_seed_password
+#   If set to true, deletes `password_config_file` to trigger Splunk's password
+#   import process on restart of the Splunk services.
+#
+# @param password_config_file
+#   Which file to put the password in i.e. in linux it would be
+#   `/opt/splunk/etc/passwd`.
+#
+# @param seed_config_file
+#   Which file to place the admin password hash in so its imported by Splunk on
+#   restart.
+#
+# @param password_hash
+#   The hashed password for the admin user.
+#
+# @param secret_file
+#   Which file we should put the secret in.
+#
+# @param secret
+#   The secret used to salt the splunk password.
+#
+# @params service
+#   Name of the Splunk Enterprise service that needs to be restarted after files
+#   are updated, not applicable when running in agent mode.
+#
+# @params mode
+#   The class is designed to work in two ways, as a helper that is called by
+#   Class[splunk::enterprise::config] or leveraged independently from with in a
+#   Bolt Plan. The value defaults to "bolt" implicitly assuming that anytime it
+#   is used outside of Class[splunk::enterprise::config], it is being used by
+#   Bolt
+#
+class splunk::enterprise::password::seed(
+  Boolean $reset_seeded_password             = $splunk::params::reset_seeded_password,
+  Stdlib::Absolutepath $password_config_file = $splunk::params::enterprise_password_config_file,
+  Stdlib::Absolutepath $seed_config_file     = $splunk::params::enterprise_seed_config_file,
+  String[1] $password_hash                   = $splunk::params::password_hash,
+  Stdlib::Absolutepath $secret_file          = $splunk::params::enterprise_secret_file,
+  String[1] $secret                          = $splunk::params::secret,
+  String[1] $splunk_user                     = $splunk::params::splunk_user,
+  String[1] $service                         = $splunk::params::enterprise_service,
+  Enum['agent', 'bolt'] $mode                = 'bolt',
+) inherits splunk::params {
+
+  file { $secret_file:
+    ensure  => file,
+    owner   => $splunk_user,
+    group   => $splunk_user,
+    content => $secret,
+  }
+
+  if $reset_seeded_password or $facts['splunk_version'].empty {
+    file { $password_config_file:
+      ensure => absent,
+      before => File[$seed_config_file],
+    }
+    file { $seed_config_file:
+      ensure  => file,
+      owner   => $splunk_user,
+      group   => $splunk_user,
+      content => epp('splunk/user-seed.conf.epp', { 'hash' => $password_hash}),
+      require => File[$secret_file],
+    }
+
+    if $mode == 'bolt' {
+      service { $service:
+        ensure     => running,
+        enable     => true,
+        hasstatus  => true,
+        hasrestart => true,
+        subscribe  => File[$seed_config_file],
+      }
+    }
+  }
+}
diff --git a/manifests/forwarder.pp b/manifests/forwarder.pp
@@ -117,13 +117,27 @@
 # @param manage_password
 #   If set to true, Manage the contents of splunk.secret and passwd.
 #
+# @param seed_password
+#   If set to true, Manage the contents of splunk.secret and user-seed.conf.
+#
+# @param reset_seed_password
+#   If set to true, deletes `password_config_file` to trigger Splunk's password
+#   import process on restart of the Splunk services.
+#
 # @param password_config_file
 #   Which file to put the password in i.e. in linux it would be
 #   `/opt/splunkforwarder/etc/passwd`.
 #
+# @param seed_config_file
+#   Which file to place the admin password hash in so its imported by Splunk on
+#   restart.
+#
 # @param password_content
 #   The hashed password username/details for the user.
 #
+# @param password_hash
+#   The hashed password for the admin user.
+#
 # @param secret_file
 #   Which file we should put the secret in.
 #
@@ -164,8 +178,12 @@
   Hash $forwarder_output                     = $splunk::params::forwarder_output,
   Hash $forwarder_input                      = $splunk::params::forwarder_input,
   Boolean $manage_password                   = $splunk::params::manage_password,
+  Boolean $seed_password                     = $splunk::params::seed_password,
+  Boolean $reset_seeded_password             = $splunk::params::reset_seeded_password,
   Stdlib::Absolutepath $password_config_file = $splunk::params::forwarder_password_config_file,
+  Stdlib::Absolutepath $seed_config_file     = $splunk::params::forwarder_seed_config_file,
   String[1] $password_content                = $splunk::params::password_content,
+  String[1] $password_hash                   = $splunk::params::password_hash,
   Stdlib::Absolutepath $secret_file          = $splunk::params::forwarder_secret_file,
   String[1] $secret                          = $splunk::params::secret,
   Hash $addons                               = {},
@@ -180,6 +198,18 @@
     fail('This module does not currently support continuously upgrading the Splunk Universal Forwarder on Windows. Please do not set "package_ensure" to "latest" on Windows.')
   }
 
+  if $manage_password and $seed_password {
+    fail('The setting "manage_password" and "seed_password" are in conflict with one another; they are two ways of accomplishing the same goal, "seed_password" is preferred according to Splunk documentation. If you need to reset the admin user password after initially installation then set "reset_seeded_password" temporarily.')
+  }
+
+  if $manage_password {
+    info("The setting \"manage_password\" will manage the contents of ${password_config_file} which Splunk changes on restart, this results in Puppet initiating a corrective change event on every run and will trigger a resart of all Splunk services")
+  }
+
+  if $reset_seeded_password {
+    info("The setting \"reset_seeded_password\" will delete ${password_config_file} on each run of Puppet and generate a corrective change event, the file must be absent for Splunk's admin password seeding process to be triggered so this setting should only be used temporarily as it'll also cause a resart of the Splunk service")
+  }
+
   contain 'splunk::forwarder::install'
   contain 'splunk::forwarder::config'
   contain 'splunk::forwarder::service'

diff --git a/manifests/forwarder/config.pp b/manifests/forwarder/config.pp
@@ -5,19 +5,28 @@
 #
 class splunk::forwarder::config {
 
-  if $splunk::forwarder::manage_password {
-    file { $splunk::forwarder::password_config_file:
-      ensure  => file,
-      owner   => $splunk::forwarder::splunk_user,
-      group   => $splunk::forwarder::splunk_user,
-      content => $splunk::forwarder::password_content,
+  if $splunk::forwarder::seed_password {
+    class { 'splunk::forwarder::password::seed':
+      reset_seeded_password => $splunk::forwarder::reset_seeded_password,
+      password_config_file  => $splunk::forwarder::password_config_file,
+      seed_config_file      => $splunk::forwarder::seed_config_file,
+      password_hash         => $splunk::forwarder::password_hash,
+      secret_file           => $splunk::forwarder::secret_file,
+      secret                => $splunk::forwarder::secret,
+      splunk_user           => $splunk::forwarder::splunk_user,
+      mode                  => 'agent',
     }
+  }
 
-    file { $splunk::forwarder::secret_file:
-      ensure  => file,
-      owner   => $splunk::forwarder::splunk_user,
-      group   => $splunk::forwarder::splunk_user,
-      content => $splunk::forwarder::secret,
+  if $splunk::forwarder::manage_password {
+    class { 'splunk::forwarder::password::manage':
+      manage_password      => $splunk::forwarder::manage_password,
+      password_config_file => $splunk::forwarder::password_config_file,
+      password_content     => $splunk::forwarder::password_content,
+      secret_file          => $splunk::forwarder::secret_file,
+      secret               => $splunk::forwarder::secret,
+      splunk_user          => $splunk::forwarder::splunk_user,
+      mode                 => 'agent',
     }
   }