fedelemantuano · fedelemantuano · May 11, 2021 · Jan 14, 2021 · Jan 14, 2021 · Mar 15, 2021
diff --git a/README_SSL.md b/README_SSL.md
@@ -48,13 +48,37 @@ server_ssl_key_passphrase: elastic
 Stores the Kibana username/password in he Kibana keystore instead of the kibana.conf file.
 
 `secure_settings: true`
+4. Implement OIDC kibana configuration as documented here
+   [Configuring Kibana](https://www.elastic.co/guide/en/elasticsearch/reference/7.10/oidc-kibana.html) and  
+   [Set up OpenID Connect with Azure, Google, or Okta](https://www.elastic.co/guide/en/cloud/7.10/ec-securing-clusters-oidc-op.html)
+   [Secure your clusters with OpenID Connect]( https://www.elastic.co/guide/en/cloud-heroku/7.10/ech-secure-clusters-oidc.html)
+
+This is controlled via `es_enable_oidc: true`
+And will add the following settings to `kibana.yml`
+```yaml
+xpack.security.authc.providers:
+  oidc.oidc1:
+    order: 0
+    realm: oidc1
+    description: "Log in with my OpenID Connect"
+  basic.basic1:
+    order: 1
+```   
+
+If you are using a Kibana instance of version 7.6 or earlier change the settings in your `kibana.yml` to:
+```yaml
+xpack.security.authc.providers: [oidc]
+xpack.security.authc.oidc.realm: "oidc1" 
+server.xsrf.whitelist: [/api/security/v1/oidc]
+```
+## Here is a sample Playbook with all the variables
 
 ```yaml
-  - name: Simple Example with SSL 
+  - name: Simple Kibana Playbook with SSL enabled 
     hosts: kibana-node
     roles:
     - role: fedelemantuano.kibana
-      es_version: 7.6.2
+      es_version: 7.11.2
       kibana_api_host: "{{ ansible_default_ipv4.address }}"
       #Secure communication with Elasticsearch
       es_enable_http_ssl: true
@@ -74,18 +98,24 @@ Stores the Kibana username/password in he Kibana keystore instead of the kibana.
       #server_ssl_key_passphrase: elastic
       #Store kibana settings in the keystore
       secure_settings: true
-      es_user: kibana
+      es_user: kibana_system
       es_pass: changeme
+      es_enable_oidc: false
       kibana_config:
           server.name: "{{ inventory_hostname }}"
           server.port: 5601
           server.host: "{{ ansible_default_ipv4.address }}"
           elasticsearch.hosts: "https://{{ ansible_default_ipv4.address }}:9200"
           xpack.security.audit.enabled: true
+          #Add this when deploying behing AWS ALB Target Group
+          #server.basePath: "/kibana"
+          #server.rewriteBasePath: true
 
 
 ```
 
+
+
 ### Debugging tips
 
 Check what is stored in the Kibana keystore. 
@@ -96,4 +126,25 @@ server.ssl.keystore.password
 elasticsearch.username
 elasticsearch.password
 [root@kibana-host]#
-``` 
+``` 
+
+### Removing Kibana 
+
+Use this playbook for removing kibana from RPM based system.
+```yaml
+- hosts:  kibana-node
+  tasks:
+    - yum:
+        name: kibana
+        state: absent
+      become: true
+    - file:
+        path: "{{item}}"
+        state: absent
+      loop:
+        - /etc/kibana
+        - /usr/share/kibana
+        - /var/lib/kibana
+      become: true
+
+```
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,13 +1,13 @@
 ---
 # Commons parameters for all ELK Stack
 es_major_version: "7.x"
-es_version: "7.6.1"
+es_version: "7.11.2"
 es_use_repository: true
 es_apt_key: "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
 es_apt_url: "deb https://artifacts.elastic.co/packages/{{ es_repo_name }}/apt stable main"
 es_apt_url_old: "deb http://packages.elastic.co/elasticsearch/{{ es_repo_name }}/debian stable main"
 #Elasticsearch username and password
-es_user: kibana
+es_user: kibana_system
 es_pass: elastic
 # Kibana parameters
 kibana_install_oss: false
@@ -62,3 +62,5 @@ server_ssl_key: ''
 server_ssl_key_passphrase: ''
 #Optionally use the keystore for saving the user/pass
 secure_settings: false
+#Enable OIDC integration
+es_enable_oidc: false
diff --git a/tasks/kibana-ssl.yml b/tasks/kibana-ssl.yml
@@ -78,46 +78,47 @@
 #Create KeyStore
 - name: Check that Kibana keystore exists
   stat:
-    path: "{{ kibana_data_dirs }}/kibana.keystore"
+    path: "{{ conf_dir }}/kibana.keystore"
   register: keystore_exists
+  become: yes
 
 - name: Create Kibana keystore
   become: yes
-  shell: "{{ kibana_home }}/bin/kibana-keystore create --allow-root"
+  shell: "{{ kibana_home }}/bin/kibana-keystore create"
   when:  not keystore_exists.stat.exists
   ignore_errors: yes
 #Set keystore or certificate passwords
 - name: Set Elasticsearch SSL Keystore Password
   become: yes
-  shell: echo "{{ es_ssl_keystore_password }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f elasticsearch.ssl.keystore.password  --allow-root
+  shell: echo "{{ es_ssl_keystore_password }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f elasticsearch.ssl.keystore.password
   when: es_ssl_keystore_password and copy_es_keystore.changed
   ignore_errors: yes
 
 - name: Set Elasticsearch SSL Key Passphrase
   become: yes
-  shell: echo "{{ es_ssl_key_passphrase }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f elasticsearch.ssl.keyPassphrase  --allow-root
+  shell: echo "{{ es_ssl_key_passphrase }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f elasticsearch.ssl.keyPassphrase
   when: es_ssl_key_passphrase and copy_es_certificates.changed
   ignore_errors: yes
 
 - name: Set Kibana Server SSL Keystore Password
   become: yes
-  shell: echo "{{ server_ssl_keystore_password }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f server.ssl.keystore.password  --allow-root
+  shell: echo "{{ server_ssl_keystore_password }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f server.ssl.keystore.password
   when: server_ssl_keystore_password and (copy_server_keystore.changed or (es_kibana_same_keystore_or_cert and copy_es_keystore.changed))
   ignore_errors: yes
 
 - name: Set Kibana Server SSL Key Passphrase
   become: yes
-  shell: echo "{{ server_ssl_key_passphrase }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f server.ssl.keyPassphrase  --allow-root
+  shell: echo "{{ server_ssl_key_passphrase }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f server.ssl.keyPassphrase
   when: server_ssl_key_passphrase and ( copy_server_certificates.changed or( es_kibana_same_keystore_or_cert and copy_es_certificates.changed))
   ignore_errors: yes
 #Add String settings to the Keystore
 - name: Add Es useraname to Kibana keystore
   become: yes
-  shell: echo "{{ es_user }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f elasticsearch.username  --allow-root
+  shell: echo "{{ es_user }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f elasticsearch.username
   when: secure_settings and es_user
   ignore_errors: yes
 - name: Add Es password to Kibana keystore
   become: yes
-  shell: echo "{{ es_pass }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f elasticsearch.password  --allow-root
+  shell: echo "{{ es_pass }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f elasticsearch.password
   when: secure_settings and es_pass
   ignore_errors: yes
diff --git a/templates/kibana.yml.j2 b/templates/kibana.yml.j2
@@ -75,6 +75,16 @@ elasticsearch.ssl.key: "{{ es_ssl_certificate_path }}/{{ es_ssl_key | basename }
 elasticsearch.ssl.verificationMode: "{{ es_ssl_verification_mode }}"
 {% endif %}
 
+#OIDC configuration
+{% if es_enable_oidc |bool == true %}
+xpack.security.authc.providers:
+  oidc.oidc1:
+    order: 0
+    realm: oidc1
+    description: "Log in with my OpenID Connect"
+  basic.basic1:
+    order: 1
+{% endif %}
 # Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
 # the elasticsearch.requestTimeout setting.
 #elasticsearch.pingTimeout: 1500