Update Ansible MongoDB role to add regular users

a358be84 · bow · 74a0ba8e · a358be84 · a358be84 · a358be84
Commit a358be84 authored Jan 24, 2016 by bow
--- a/deployment/ansible-role-mongodb/defaults/main.yml
+++ b/deployment/ansible-role-mongodb/defaults/main.yml
 ---
 ## User-specific options ##
 # Database root user
-mongodb_user_root_name: db-root
-mongodb_user_root_password: root
+mongodb_root_name: dbRoot
+mongodb_root_password: root

-mongodb_user_sentinel_name: sentinel-api
-mongodb_user_sentinel_password: api
+mongodb_user_admin_name: dbUserAdmin
+mongodb_user_admin_password: userAdmin

+mongodb_users: []

 ## System options ##
 # MongoDB package name (mongodb-org for vendor, mongodb for apt)

--- a/deployment/ansible-role-mongodb/tasks/config_auth.yml
+++ b/deployment/ansible-role-mongodb/tasks/config_auth.yml
 ---

 - name: ensure database root user exists
-  shell: "/usr/bin/mongo --quiet -u {{ mongodb_user_root_name }} -p {{ mongodb_user_root_password }} --eval \"db.system.users.find({user: '{{ mongodb_user_root_name }}'}).count()\" admin || true"
+  shell: "/usr/bin/mongo --quiet -u {{ mongodb_root_name }} -p {{ mongodb_root_password }} --eval \"db.system.users.find({user: '{{ mongodb_root_name }}'}).count()\" admin || true"
  register: root_user_exists
  changed_when: root_user_exists.stdout != "1" or root_user_exists.rc != 0

- name: ensure database sentinel user exists
-  shell: "/usr/bin/mongo --quiet -u {{ mongodb_user_root_name }} -p {{ mongodb_user_root_password }} --eval \"db.system.users.find({user: '{{ mongodb_user_sentinel_name }}'}).count()\" admin || true"
-  register: sentinel_user_exists
-  changed_when: sentinel_user_exists.stdout != "1" or sentinel_user_exists.rc != 0
+- name: ensure database user admin user exists
+  shell: "/usr/bin/mongo --quiet -u {{ mongodb_root_name }} -p {{ mongodb_root_password }} --eval \"db.system.users.find({user: '{{ mongodb_user_admin_name }}'}).count()\" admin || true"
+  register: admin_user_exists
+  changed_when: admin_user_exists.stdout != "1" or admin_user_exists.rc != 0

- name: disable auth on mongod.conf if users need to be added
+- name: ensure other users exist
+  shell: "/usr/bin/mongo --quiet -u {{ mongodb_root_name }} -p {{ mongodb_root_password }} --eval \"db.system.users.find({user: '{{ item.name }}'}).count()\" admin || true"
+  register: other_users_exist
+  changed_when: other_users_exist.stdout != "1" or other_users_exist.rc != 0
+  with_items:
+    - "{{ mongodb_users }}"
+  when: mongodb_users is defined and mongodb_users
+
+- name: disable auth on mongod.conf if root or admin need to be added
  template: src=mongod_noauth.conf.j2 dest=/etc/mongod.conf owner=root group=root mode=0644
-  when: root_user_exists|changed or sentinel_user_exists|changed
+  when: root_user_exists|changed or admin_user_exists|changed

 - name: restart mongodb if config changed
  service: name={{ mongodb_daemon_name }} state=restarted
-  when: root_user_exists|changed or sentinel_user_exists|changed
+  when: root_user_exists|changed or admin_user_exists|changed

- name: create database root user in admin if missing
+- name: create database root user if missing
  mongodb_user:
    database: admin
    name: "{{ item.name }}"
@@ -28,15 +36,15 @@
    state: present
  with_items:
    - {
-      name: "{{ mongodb_user_root_name }}",
-      password: "{{ mongodb_user_root_password }}",
-      roles: "root"
+      name: "{{ mongodb_root_name }}",
+      password: "{{ mongodb_root_password }}",
+      roles: root
      }
  when: root_user_exists|changed

- name: create database sentinel user in sentinel if missing
+- name: create database admin user if missing
  mongodb_user:
-    database: sentinel
+    database: admin
    name: "{{ item.name }}"
    password: "{{ item.password }}"
    roles: "{{ item.roles }}"
@@ -44,16 +52,31 @@
    state: present
  with_items:
    - {
-      name: "{{ mongodb_user_sentinel_name }}",
-      password: "{{ mongodb_user_sentinel_password }}",
-      roles: "readWrite"
+      name: "{{ mongodb_user_admin_name }}",
+      password: "{{ mongodb_user_admin_password }}",
+      roles: userAdminAnyDatabase
      }
-  when: sentinel_user_exists|changed
+  when: admin_user_exists|changed
+
+- name: create other users
+  mongodb_user:
+    database: "{{ item.database }}"
+    name: "{{ item.name }}"
+    password: "{{ item.password }}"
+    roles: "{{ item.roles }}"
+    login_user: "{{ mongodb_user_admin_name }}"
+    login_database: admin
+    login_password: "{{ mongodb_user_admin_password }}"
+    login_port: "{{ mongodb_conf_port }}"
+    state: present
+  with_items:
+    - "{{ mongodb_users }}"
+  when: other_users_exist|changed

 - name: restore mongod.conf if auth was disabled
  template: src=mongod.conf.j2 dest=/etc/mongod.conf owner=root group=root mode=0644
-  when: root_user_exists|changed or sentinel_user_exists|changed
+  when: root_user_exists|changed or admin_user_exists|changed

 - name: restart mongodb if config changed
  service: name={{ mongodb_daemon_name }} state=restarted
-  when: root_user_exists|changed or sentinel_user_exists|changed
+  when: root_user_exists|changed or admin_user_exists|changed
--- a/deployment/ansible-role-mongodb/tasks/config_db.yml
+++ b/deployment/ansible-role-mongodb/tasks/config_db.yml
@@ -5,7 +5,7 @@
  when: mongodb_js_script is defined

 - name: run database config script
-  shell: /usr/bin/mongo --quiet 127.0.0.1:27017/sentinel {{ mongodb_misc_dir }}/{{ mongodb_js_script }} -u {{ mongodb_user_root_name }} -p {{ mongodb_user_root_password }} --authenticationDatabase admin
+  shell: /usr/bin/mongo --quiet 127.0.0.1:27017/sentinel {{ mongodb_misc_dir }}/{{ mongodb_js_script }} -u {{ mongodb_root_name }} -p {{ mongodb_root_password }} --authenticationDatabase admin
  when: mongodb_js_script is defined
  register: js_script
  changed_when: js_script.stdout != ""