How to fill keystore via ansible script

Hi,

I am trying to add a key to kibana-keystore via (ansible) script. I have the same issue when running via bash directly or via the ansible script.

For elasticsearch-keystore this works awesome:

echo mypassword | ./elasticsearch-keystore add -f xpack.security.http.ssl.keystore.secure_password

I tried the following things for kibana-keystore:

bash-4.2$ echo kibana | /usr/share/kibana/bin/kibana-keystore -f -x add 'elasticsearch.username'
bash-4.2$ /usr/share/kibana/bin/kibana-keystore list

bash-4.2$ echo kibana | /usr/share/kibana/bin/kibana-keystore -f -x add elasticsearch.username
bash-4.2$ /usr/share/kibana/bin/kibana-keystore list

If I omit -x and -f it works from bash:

bash-4.2$ echo kibana | /usr/share/kibana/bin/kibana-keystore add elasticsearch.username
Enter value for elasticsearch.username: kibana
                                        bash-4.2$

But in ansible I get the following error:

fatal: [qdetjt]: FAILED! => {"changed": true, "cmd": "echo kibana1 | ./kibana-keystore add elasticsearch.password", "delta": "0:00:00.420190", "end": "2019-12-17 09:24:23.094345", "msg": "non-zero return code", "rc": 1, "start": "2019-12-17 09:24:22.674155", "stderr": "/usr/share/kibana/src/legacy/server/utils/prompt.js:87\n output.cursorTo(questionPrompt.length);\n ^\n\nTypeError: output.cursorTo is not a function\n at Socket.input.on.char (/usr/share/kibana/src/legacy/server/utils/prompt.js:87:20)\n at Socket.emit (events.js:194:15)\n at addChunk (_stream_readable.js:284:12)\n at readableAddChunk (_stream_readable.js:265:11)\n at Socket.Readable.push (_stream_readable.js:220:10)\n at Pipe.onStreamRead [as onread] (internal/stream_base_commons.js:94:17)", "stderr_lines": ["/usr/share/kibana/src/legacy/server/utils/prompt.js:87", " output.cursorTo(questionPrompt.length);", " ^", "", "TypeError: output.cursorTo is not a function", " at Socket.input.on.char (/usr/share/kibana/src/legacy/server/utils/prompt.js:87:20)", " at Socket.emit (events.js:194:15)", " at addChunk (_stream_readable.js:284:12)", " at readableAddChunk (_stream_readable.js:265:11)", " at Socket.Readable.push (_stream_readable.js:220:10)", " at Pipe.onStreamRead [as onread] (internal/stream_base_commons.js:94:17)"], "stdout": "Enter value for elasticsearch.password: ", "stdout_lines": ["Enter value for elasticsearch.password: "]}

Any idea how I can add an entry to kibana's keystore?

It's a pity that the keystore application behaves differently in logstash, kibana and elasticsearch!

Thanks, Andreas

I also tried to work around it with the expect module of ansible:

  - name: keystore - add elasticsearch.password
    expect:
      command: "./kibana-keystore add 'elasticsearch.password'"
      chdir: "/usr/share/kibana/bin"
      responses:
        '.*value.*': "{{ CRED_KIBANA_PW }}"
      timeout: 10

But I get this message from ansible:

fatal: [myhost]: FAILED! => {"changed": true, "cmd": "./kibana-keystore add 'elasticsearch.password'", "delta": "0:00:10.543556", "end": "2019-12-17 10:50:48.947242", "msg": "command exceeded timeout", "rc": null, "start": "2019-12-17 10:50:38.403686", "stdout": "\u001b[1G\u001b[0JEnter value for elasticsearch.password: \u001b[41Gkibana1\r\r\n\u001b[41G", "stdout_lines": ["\u001b[1G\u001b[0JEnter value for elasticsearch.password: \u001b[41Gkibana1", "", "\u001b[41G"]}

Any idea how to get the password into the keystore via ansible? Thanks a lot

The add-specific flags should go after the add command. However, I tried that and it also didn't work; it just spits out the help text. Seems to me there's a bug in the add command. Would you mind filing a ticket on the Kibana GitHub repo?

While creating the bug report I found this on GitHub:

With the given information there I was able to get it running:

- name: keystore tasks
  block:
    - name: create keystore if not existing yet
      shell:
        cmd: "./kibana-keystore create"
        chdir: "/usr/share/kibana/bin"
        creates: /var/lib/kibana/kibana.keystore

    - name: keystore - add elasticsearch.password
      shell:
        cmd: "/usr/share/kibana/bin/kibana-keystore add elasticsearch.password --stdin --force"
        stdin: "{{ CRED_KIBANA_PW }}"
    - name: keystore - add elasticsearch.username
      shell:
        cmd: "/usr/share/kibana/bin/kibana-keystore add elasticsearch.username --stdin --force"
        stdin: "{{ CRED_KIBANA_USER }}"
  become_user: kibana
  become: yes

I had to take the following 2 things into account:

  • The usage info of kibana-keystore is wrong -> using it as described in the linked GitHub request works from the shell.
  • Piping the password via echo to kibana-keystore does not work in ansible. But it works when calling kibana-keystore directly and setting stdin of the shell module to the needed value.
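
An added example, not part of the thread or of Kibana's documentation: the working tasks above with the secret kept out of Ansible's output, since the failure results earlier in the thread show the password in both `cmd` and `stdout`. It assumes the same paths and the `CRED_KIBANA_USER` / `CRED_KIBANA_PW` variables used in the thread, and that `kibana-keystore list` prints one key name per line.

```yaml
# Added example: hardened variant of the keystore tasks from this thread.
# Paths and variable names are the ones used in the thread.
- name: kibana keystore tasks (secrets kept out of task output)
  become: yes
  become_user: kibana
  block:
    - name: create keystore if it does not exist yet
      command:
        cmd: /usr/share/kibana/bin/kibana-keystore create
        creates: /var/lib/kibana/kibana.keystore

    - name: add credentials to the keystore via stdin
      # command (not shell): no shell parsing, and the secret is passed on
      # stdin instead of appearing in the command line.
      command:
        cmd: "/usr/share/kibana/bin/kibana-keystore add {{ item.key }} --stdin --force"
        stdin: "{{ item.value }}"
      loop:
        - { key: elasticsearch.username, value: "{{ CRED_KIBANA_USER }}" }
        - { key: elasticsearch.password, value: "{{ CRED_KIBANA_PW }}" }
      # Censor the task result (invocation arguments, stdout, stderr) in
      # console output and logs, including when the task fails.
      no_log: true

    - name: verify that both keys are present
      # Assumption: list prints key names only, never the stored values.
      command:
        cmd: /usr/share/kibana/bin/kibana-keystore list
      register: keystore_list
      changed_when: false
      failed_when: >-
        'elasticsearch.username' not in keystore_list.stdout_lines or
        'elasticsearch.password' not in keystore_list.stdout_lines
```

Because of `--force` the add task overwrites the entry and reports "changed" on every run; with `no_log: true` a failure shows only a censored result, so remove it temporarily on a test host when debugging.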
