setup authentication

Robert Kaussow 2018-07-07 18:53:03 +02:00
parent 00b713d9d7
commit 76f0635074
8 changed files with 148 additions and 9 deletions


@ -8,6 +8,10 @@ mongodb_system_group: mongod
mongodb_storage_dbpath: /var/lib/mongo mongodb_storage_dbpath: /var/lib/mongo
mongodb_storage_journal_enabled: True mongodb_storage_journal_enabled: True
mongodb_systemlog_destination: syslog mongodb_systemlog_destination: logfile
mongodb_systemlog_logappend: True mongodb_systemlog_logappend: True
mongodb_systemlog_path: /var/log/mongodb/mongod.log mongodb_systemlog_path: /var/log/mongodb/mongod.log
mongodb_rbac_enabled: True
mongodb_user_admin_name: mongoadm
mongodb_user_admin_password: secure
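Review bot: `mongodb_user_admin_password: secure` ships a known default password for the admin account, and `tasks/auth.yml` in this same commit creates that user unconditionally, so any deployment that forgets to override the variable ends up with a predictable admin credential. Leave the default empty and fail early in the auth tasks when it is unset, for example `- assert: { that: mongodb_user_admin_password | length > 0 }` before `Create admin user`, and document that the value is expected to come from a vault rather than this file. The rest of defaults/main.yml is outside the hunk, so I cannot see whether a comment already warns about this.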


@ -1,6 +1,6 @@
--- ---
- name: Restart mongod service - name: Restart service
systemd: service:
name: mongod name: mongod
state: restarted state: restarted
enabled: yes enabled: yes
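Review bot: The handler moves from the `systemd` module to `service`, while the `Make sure mongodb is running` task uncommented in `tasks/install.yml` in this same commit keeps `systemd:` (and its `daemon_reload: yes` is dropped), so the role now drives the same unit through two different modules. Pick one: if `service` is kept here for portability, switch the install.yml task to `service` as well, otherwise keep `systemd` in the handler so the restart and the start/enable logic agree. The `enabled: yes` spelling is the file's existing style; `true` is the canonical YAML boolean if the role is ever run through yamllint's `truthy` rule.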

42
tasks/auth.yml Normal file

@ -0,0 +1,42 @@
---
- block:
- name: Backup current config file
copy:
src: /etc/mongod.conf
dest: /etc/mongod.conf.bak
remote_src: True
- name: Deploy config file without auth
template:
src: etc/mongod_init.conf.j2
dest: /etc/mongod.conf
mode: 0644
- name: Restart service
service:
name: mongod
state: restarte
become: True
changed_when: False
- name: Create admin user
mongodb_user:
database: admin
name: "{{ mongodb_user_admin_name }}"
password: "{{ mongodb_user_admin_password }}"
roles: readWriteAnyDatabase
state: present
- block:
- name: Restore config file
copy:
src: /etc/mongod.conf.bak
dest: /etc/mongod.conf
remote_src: True
- name: Restart service
service:
name: mongod
state: restarte
changed_when: False
become: True
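Review bot: `state: restarte` in both `Restart service` tasks is not a valid choice for the `service` module, so the play fails at the first restart; and because the restore tasks live in a separate sibling `block` rather than an `always:` section, any failure after `Deploy config file without auth` (including the typo itself or a failed `Create admin user`) leaves the no-auth config in place on the host. Fix the typo to `state: restarted`, move the restore tasks into `always:` of the same block so the original config and a restart happen on every exit path, and add `no_log: true` to `Create admin user` so the admin password is not echoed in verbose or failed-task output. The admin account is also created with only `readWriteAnyDatabase`, which does not grant user administration — confirm that is intended for the role's single administrative user. The `/etc/mongod.conf.bak` copy is never removed afterwards, so a copy of the pre-auth config stays on disk.
```yaml
- name: Create admin user with a temporary no-auth config
  block:
    # … unchanged: Backup current config file, Deploy config file without auth …
    - name: Restart service
      service:
        name: mongod
        state: restarted
      changed_when: false
    - name: Create admin user
      mongodb_user:
        # … unchanged: database / name / password / roles / state …
      no_log: true
  always:
    # … unchanged: Restore config file …
    - name: Restart service
      service:
        name: mongod
        state: restarted
      changed_when: false
  become: true
```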

10
tasks/config.yml Normal file

@ -0,0 +1,10 @@
---
- name: Configure database
block:
- name: Deploy configuration file
template:
src: etc/mongod.conf.j2
dest: /etc/mongod.conf
mode: 0644
notify: __mongod_restart
become: True
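Review bot: `notify: __mongod_restart` names a handler that does not appear anywhere in this commit — `handlers/main.yml` renames its only visible handler to `Restart service` and no `listen: __mongod_restart` is shown — so unless it is defined outside these hunks Ansible will fail with a "handler not found" error the first time the template changes. Either notify `Restart service` directly or add `listen: __mongod_restart` to that handler. `mode: 0644` should also be quoted as `mode: "0644"` so the leading-zero octal is not subject to YAML 1.1/1.2 integer ambiguity and Ansible's permission warning.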


@ -44,11 +44,10 @@
state: directory state: directory
when: mongodb_systemlog_destination == 'logfile' when: mongodb_systemlog_destination == 'logfile'
# - name: Make sure mongodb is running - name: Make sure mongodb is running
# systemd: systemd:
# name: mongod name: mongod
# state: started state: started
# enabled: yes enabled: yes
# daemon_reload: yes
become: True become: True
become_user: root become_user: root


@ -1,2 +1,4 @@
--- ---
- include_tasks: install.yml - include_tasks: install.yml
- include_tasks: auth.yml
- include_tasks: config.yml
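Review bot: `- include_tasks: auth.yml` runs on every play regardless of `mongodb_rbac_enabled`, so each run re-deploys the no-auth config, restarts mongod twice and re-applies the admin user even when RBAC is disabled in the defaults. Gate it with `when: mongodb_rbac_enabled` so the interval in which mongod runs without authorization only occurs when the role actually needs to create the user. Ordering auth.yml before config.yml is right, since config.yml is what finally deploys the `security.authorization` setting.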


@ -0,0 +1,41 @@
## {{ ansible_managed }}
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# where to write logging data.
systemLog:
destination: {{ mongodb_systemlog_destination }}
logAppend: {{ mongodb_systemlog_logappend | lower }}
path: /var/log/mongodb/mongod.log
# Where and how to store data.
storage:
dbPath: {{ mongodb_storage_dbpath }}
journal:
enabled: {{ mongodb_storage_journal_enabled | lower }}
# engine:
# mmapv1:
# wiredTiger:
# how the process runs
processManagement:
fork: true # fork and run in background
pidFilePath: /var/run/mongodb/mongod.pid # location of pidfile
timeZoneInfo: /usr/share/zoneinfo
# network interfaces
net:
port: 27017
bindIp: 127.0.0.1 # Listen to local interface only, comment to listen on all interfaces.
security:
authorization: {{ 'enabled' if mongodb_rbac_enabled else 'disabled' }}
#operationProfiling:
#replication:
#sharding:
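Review bot: `destination: {{ mongodb_systemlog_destination }}` renders the role's own value `logfile` (the new default in defaults/main.yml and the value install.yml compares against), but mongod documents only `file` and `syslog` for `systemLog.destination`, and the temporary `mongod_init.conf.j2` in this commit uses `file`, so the final config is likely to be rejected at startup — map it, e.g. `destination: {{ 'file' if mongodb_systemlog_destination == 'logfile' else mongodb_systemlog_destination }}`, or rename the role value to `file` in defaults and install.yml. `path: /var/log/mongodb/mongod.log` is also hard-coded although the commit adds `mongodb_systemlog_path` with that default, so overriding the variable has no effect; use `path: {{ mongodb_systemlog_path }}` and emit that line only when the destination is the log file, since a `path` next to a `syslog` destination is contradictory.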


@ -0,0 +1,41 @@
## {{ ansible_managed }}
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
# Where and how to store data.
storage:
dbPath: /var/lib/mongo
journal:
enabled: true
# engine:
# mmapv1:
# wiredTiger:
# how the process runs
processManagement:
fork: true # fork and run in background
pidFilePath: /var/run/mongodb/mongod.pid # location of pidfile
timeZoneInfo: /usr/share/zoneinfo
# network interfaces
net:
port: 27017
bindIp: 127.0.0.1 # Listen to local interface only, comment to listen on all interfaces.
#security:
#operationProfiling:
#replication:
#sharding:
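Review bot: `dbPath: /var/lib/mongo` is hard-coded in this temporary no-auth config while the final `mongod.conf.j2` templates `mongodb_storage_dbpath`, so on a host that overrides the data directory the admin user created by `tasks/auth.yml` is written into the data files under `/var/lib/mongo` and does not exist in the database the restored config points at, leaving authentication unusable. Render it as `dbPath: {{ mongodb_storage_dbpath }}` (and `path: {{ mongodb_systemlog_path }}` for the log file) so both configs address the same data. Keeping `bindIp: 127.0.0.1` fixed in this file is the right choice: it confines the interval in which mongod runs without authorization to local clients.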