Commit a358be84 authored by bow's avatar bow

Update Ansible MongoDB role to add regular users

parent 74a0ba8e
---
## User-specific options ##
# Database root user
mongodb_user_root_name: db-root
mongodb_user_root_password: root
mongodb_root_name: dbRoot
mongodb_root_password: root
mongodb_user_sentinel_name: sentinel-api
mongodb_user_sentinel_password: api
mongodb_user_admin_name: dbUserAdmin
mongodb_user_admin_password: userAdmin
mongodb_users: []
## System options ##
# MongoDB package name (mongodb-org for vendor, mongodb for apt)
......
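Review bot: The defaults `mongodb_root_password: root` and `mongodb_user_admin_password: userAdmin` are working credentials that every deployment which forgets to override them will run with, and the task file passes them on the mongo command line, so they are not a harmless placeholder. Ship the role with no usable value and fail early when one is missing, e.g. `mongodb_root_password: ""` in defaults plus a task such as `- assert: { that: mongodb_root_password != "" }` at the top of the role, or keep the values out of the role entirely via Ansible Vault. Entries of the new `mongodb_users` list carry a plaintext `password` key as well (the create task reads `item.password`), so the same applies to whatever inventory populates it. Which of the `mongodb_user_root_*`/`mongodb_root_*` pairs is the removed side is not marked on this page; the task file only references `mongodb_root_name`, so the former appear to be the old names.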
---
- name: ensure database root user exists
shell: "/usr/bin/mongo --quiet -u {{ mongodb_user_root_name }} -p {{ mongodb_user_root_password }} --eval \"db.system.users.find({user: '{{ mongodb_user_root_name }}'}).count()\" admin || true"
shell: "/usr/bin/mongo --quiet -u {{ mongodb_root_name }} -p {{ mongodb_root_password }} --eval \"db.system.users.find({user: '{{ mongodb_root_name }}'}).count()\" admin || true"
register: root_user_exists
changed_when: root_user_exists.stdout != "1" or root_user_exists.rc != 0
- name: ensure database sentinel user exists
shell: "/usr/bin/mongo --quiet -u {{ mongodb_user_root_name }} -p {{ mongodb_user_root_password }} --eval \"db.system.users.find({user: '{{ mongodb_user_sentinel_name }}'}).count()\" admin || true"
register: sentinel_user_exists
changed_when: sentinel_user_exists.stdout != "1" or sentinel_user_exists.rc != 0
- name: ensure database user admin user exists
shell: "/usr/bin/mongo --quiet -u {{ mongodb_root_name }} -p {{ mongodb_root_password }} --eval \"db.system.users.find({user: '{{ mongodb_user_admin_name }}'}).count()\" admin || true"
register: admin_user_exists
changed_when: admin_user_exists.stdout != "1" or admin_user_exists.rc != 0
- name: disable auth on mongod.conf if users need to be added
- name: ensure other users exist
shell: "/usr/bin/mongo --quiet -u {{ mongodb_root_name }} -p {{ mongodb_root_password }} --eval \"db.system.users.find({user: '{{ item.name }}'}).count()\" admin || true"
register: other_users_exist
changed_when: other_users_exist.stdout != "1" or other_users_exist.rc != 0
with_items:
- "{{ mongodb_users }}"
when: mongodb_users is defined and mongodb_users
- name: disable auth on mongod.conf if root or admin need to be added
template: src=mongod_noauth.conf.j2 dest=/etc/mongod.conf owner=root group=root mode=0644
when: root_user_exists|changed or sentinel_user_exists|changed
when: root_user_exists|changed or admin_user_exists|changed
- name: restart mongodb if config changed
service: name={{ mongodb_daemon_name }} state=restarted
when: root_user_exists|changed or sentinel_user_exists|changed
when: root_user_exists|changed or admin_user_exists|changed
- name: create database root user in admin if missing
- name: create database root user if missing
mongodb_user:
database: admin
name: "{{ item.name }}"
......@@ -28,15 +36,15 @@
state: present
with_items:
- {
name: "{{ mongodb_user_root_name }}",
password: "{{ mongodb_user_root_password }}",
roles: "root"
name: "{{ mongodb_root_name }}",
password: "{{ mongodb_root_password }}",
roles: root
}
when: root_user_exists|changed
- name: create database sentinel user in sentinel if missing
- name: create database admin user if missing
mongodb_user:
database: sentinel
database: admin
name: "{{ item.name }}"
password: "{{ item.password }}"
roles: "{{ item.roles }}"
......@@ -44,16 +52,31 @@
state: present
with_items:
- {
name: "{{ mongodb_user_sentinel_name }}",
password: "{{ mongodb_user_sentinel_password }}",
roles: "readWrite"
name: "{{ mongodb_user_admin_name }}",
password: "{{ mongodb_user_admin_password }}",
roles: userAdminAnyDatabase
}
when: sentinel_user_exists|changed
when: admin_user_exists|changed
- name: create other users
mongodb_user:
database: "{{ item.database }}"
name: "{{ item.name }}"
password: "{{ item.password }}"
roles: "{{ item.roles }}"
login_user: "{{ mongodb_user_admin_name }}"
login_database: admin
login_password: "{{ mongodb_user_admin_password }}"
login_port: "{{ mongodb_conf_port }}"
state: present
with_items:
- "{{ mongodb_users }}"
when: other_users_exist|changed
- name: restore mongod.conf if auth was disabled
template: src=mongod.conf.j2 dest=/etc/mongod.conf owner=root group=root mode=0644
when: root_user_exists|changed or sentinel_user_exists|changed
when: root_user_exists|changed or admin_user_exists|changed
- name: restart mongodb if config changed
service: name={{ mongodb_daemon_name }} state=restarted
when: root_user_exists|changed or sentinel_user_exists|changed
when: root_user_exists|changed or admin_user_exists|changed
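Review bot: The `ensure … exists` shell tasks pass `-p {{ mongodb_root_password }}` on the mongo command line and none of them sets `no_log`, so the root password is visible in the process table while the command runs and in any verbose or callback-logged task output; the `create other users` loop also prints each `item`, password included, in its result. Add `no_log: true` to the three `ensure … exists` shell tasks, to `create database root user if missing`, `create database admin user if missing` and `create other users`, and to `run database config script` in the third file of this commit, which has the same command-line form. If the mongo client in use supports it, reading the password from stdin or a `--password`-less prompt would avoid the process-table exposure; that cannot be confirmed from this page. Between `disable auth on mongod.conf …` and `restore mongod.conf …` the daemon runs with auth off; whether `mongod_noauth.conf.j2` also limits `bindIp` to localhost is not visible here and is worth checking.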
......@@ -5,7 +5,7 @@
when: mongodb_js_script is defined
- name: run database config script
shell: /usr/bin/mongo --quiet 127.0.0.1:27017/sentinel {{ mongodb_misc_dir }}/{{ mongodb_js_script }} -u {{ mongodb_user_root_name }} -p {{ mongodb_user_root_password }} --authenticationDatabase admin
shell: /usr/bin/mongo --quiet 127.0.0.1:27017/sentinel {{ mongodb_misc_dir }}/{{ mongodb_js_script }} -u {{ mongodb_root_name }} -p {{ mongodb_root_password }} --authenticationDatabase admin
when: mongodb_js_script is defined
register: js_script
changed_when: js_script.stdout != ""
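Review bot: `run database config script` still hardcodes the target as `127.0.0.1:27017/sentinel` while the new `create other users` task in the same role reads the port from `mongodb_conf_port`, so a role configured for a non-default port will run user creation against one port and the config script against another. Use the same variable here: `shell: /usr/bin/mongo --quiet 127.0.0.1:{{ mongodb_conf_port }}/sentinel {{ mongodb_misc_dir }}/{{ mongodb_js_script }} -u {{ mongodb_root_name }} -p {{ mongodb_root_password }} --authenticationDatabase admin`. The task list this hunk belongs to starts and ends outside the hunk, and `when: mongodb_js_script is defined` on the first line appears to belong to the preceding task.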