From c50b17832729669f9d0890660f67231a2fcee3c2 Mon Sep 17 00:00:00 2001 From: gaima8 <7595658+gaima8@users.noreply.github.com> Date: Mon, 1 Nov 2021 18:36:47 +0000 Subject: [PATCH] Add, modify, and clear up role mappings --- README.md | 27 ++++++++++++ defaults/main.yml | 1 + tasks/main.yml | 5 +++ .../elasticsearch-security-role_mappings.yml | 43 +++++++++++++++++++ 4 files changed, 76 insertions(+) create mode 100644 tasks/xpack/security/elasticsearch-security-role_mappings.yml diff --git a/README.md b/README.md index ff23d371..9e0da1f8 100644 --- a/README.md +++ b/README.md @@ -391,6 +391,33 @@ es_roles: - create_index ``` +* ```es_role_mappings``` - Elasticsearch role mappings can be declared here as yml. Each key is a name of a role mapping, with yaml formatted JSON defining the role mapping as described [here](https://www.elastic.co/guide/en/x-pack/current/mapping-roles.html) e.g. + +```yaml +es_role_mappings: + groupname-editor: + enabled: true + roles: + - editor + rules: + field: + groups: "EditorGroup" + groupname-admin: + enabled: true + roles: + - editor + rules: + field: + groups: "AdminGroup" + realmname-viewer: + enabled: true + roles: + - viewer + rules: + field: + realm.name: realm1 +``` + * ```es_xpack_license``` - X-Pack license. The license is a json blob. Set the variable directly (possibly protected by Ansible vault) or from a file in the Ansible project on the control machine via a lookup: ```yaml diff --git a/defaults/main.yml b/defaults/main.yml index a0c3c41a..9a1771c9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -69,3 +69,4 @@ es_ssl_verification_mode: "certificate" es_validate_certs: "yes" es_delete_unmanaged_file: true es_delete_unmanaged_native: true +es_delete_unmanaged_role_mappings: true diff --git a/tasks/main.yml b/tasks/main.yml index c0ad7004..a4bac11a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
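Review bot: The README hunk documents `es_role_mappings` but says nothing about the companion default `es_delete_unmanaged_role_mappings: true` added in the defaults/main.yml hunk, so a reader of the new bullet has no way to know that every role mapping present in Elasticsearch but absent from `es_role_mappings` will be deleted on the next run. A bullet alongside the other `es_delete_unmanaged_*` variables, stating that when true (the default) role mappings not declared under `es_role_mappings` are removed and that setting it to `false` keeps them, would make that behaviour visible before someone runs the role against a cluster with mappings created elsewhere. In the example, `groupname-admin` matches `AdminGroup` yet grants the `editor` role; if that is a copy-paste slip, `- admin` (or whatever role is intended) reads less like a privilege mix-up in a security example.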
@@ -103,6 +103,11 @@ when: manage_native_realm | bool run_once: True +- name: include xpack/security/elasticsearch-security-role_mappings.yml + include: ./xpack/security/elasticsearch-security-role_mappings.yml + when: es_role_mappings is defined and es_role_mappings.keys() | list | length > 0 + run_once: True + #Templates done after restart - handled by flushing the handlers. e.g. suppose user removes security on a running node and doesn't specify es_api_basic_auth_username and es_api_basic_auth_password. The templates will subsequently not be removed if we don't wait for the node to restart. #We also do after the native realm to ensure any changes are applied here first and its denf up. - name: include elasticsearch-template.yml diff --git a/tasks/xpack/security/elasticsearch-security-role_mappings.yml b/tasks/xpack/security/elasticsearch-security-role_mappings.yml new file mode 100644 index 00000000..b18391ac --- /dev/null +++ b/tasks/xpack/security/elasticsearch-security-role_mappings.yml 
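Review bot: The `when:` guard on the new include skips the role-mapping task file whenever `es_role_mappings` is empty, so declaring `es_role_mappings: {}` cannot be used to clear all mappings even with `es_delete_unmanaged_role_mappings` enabled, which is at odds with how an "unmanaged" clean-up is normally expected to behave. The included task file already copes with an empty dict (`keys() | list` yields an empty list for both the delete and update loops), so `when: es_role_mappings is defined` would be sufficient. If skipping on an empty dict is deliberate, a comment on the task saying so would save the next reader the same question.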
@@ -0,0 +1,43 @@
+---
+#List current role mappings
+- name: List Role Mappings
+ uri:
+ url: "{{ es_api_uri }}/{{ es_security_api }}/role_mapping"
+ method: GET
+ user: "{{es_api_basic_auth_username}}"
+ password: "{{es_api_basic_auth_password}}"
+ force_basic_auth: yes
+ status_code: 200
+ validate_certs: "{{ es_validate_certs }}"
+ register: role_mapping_list_response
+ check_mode: no
+
+- name: set fact role_mappings_to_remove
+ set_fact: role_mappings_to_remove={{ role_mapping_list_response.json.keys() | difference ( es_role_mappings.keys() | list) }}
+
+#Delete all non required role mappings
+- name: Delete Role mappings
+ uri:
+ url: "{{ es_api_uri }}/{{ es_security_api }}/role_mapping/{{ item | urlencode }}"
+ method: DELETE
+ status_code: 200
+ user: "{{es_api_basic_auth_username}}"
+ password: "{{es_api_basic_auth_password}}"
+ force_basic_auth: yes
+ validate_certs: "{{ es_validate_certs }}"
+ when: es_delete_unmanaged_role_mappings
+ with_items: "{{ role_mappings_to_remove | default([]) }}"
+
+#Update other roles mappings
+- name: Update Role Mappings
+ uri:
+ url: "{{ es_api_uri }}/{{ es_security_api }}/role_mapping/{{ item | urlencode }}"
+ method: POST
+ body_format: json
+ body: "{{ es_role_mappings[item] | to_json}}"
+ status_code: 200
+ user: "{{es_api_basic_auth_username}}"
+ password: "{{es_api_basic_auth_password}}"
+ force_basic_auth: yes
+ validate_certs: "{{ es_validate_certs }}"
+ with_items: "{{ es_role_mappings.keys() | list | default([]) }}"
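Review bot: The `when: es_delete_unmanaged_role_mappings` on the Delete task evaluates the bare variable, so a string value such as `false` passed with `-e` (or from an inventory that quotes booleans) is non-empty and therefore truthy, and the deletion of every undeclared role mapping would proceed despite the operator having turned it off; the rest of this role guards the same pattern with `| bool` (see `when: manage_native_realm | bool` in tasks/main.yml), so `when: es_delete_unmanaged_role_mappings | bool` keeps the new task consistent and safe. Two smaller points of style: `set_fact` uses the `key=value` string form with an unquoted Jinja expression, where the native form `set_fact:` / `role_mappings_to_remove: "{{ role_mapping_list_response.json.keys() | difference(es_role_mappings.keys() | list) }}"` is what the rest of the module args already use, and `force_basic_auth: yes` / `check_mode: no` would be clearer as `true` / `false`. The `| default([])` on the Update task's `with_items` sits after `keys() | list` and so never applies; if `es_role_mappings` can be undefined here it needs to be `es_role_mappings | default({})` before `.keys()`, otherwise it can be dropped.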