Merge pull request #4 from stone-payments/feat/security-ldap

carlos-gonzaga · web-flow · commit 4ffe1d508fa9 · 2021-05-17T22:25:36.000-03:00
Adjusted ldap configurations
diff --git a/README.md b/README.md
@@ -78,7 +78,9 @@ mongodb_processmanagement_fork: false # Fork server process
 # Disable or enable security. Possible values: 'disabled', 'enabled'
 mongodb_security_authorization: "disabled"
 mongodb_security_keyfile: /etc/mongodb-keyfile  # Specify path to keyfile with password for inter-process authentication
-mongodb_active_directory_role: ""               # Create role root to active directory integration
+mongodb_active_directory_role:                  # Create role root to active directory integration
+  - role_name: "CN=sysadmin,OU=grants,OU=Groups,OU=base,DC=mycompany,DC=com,DC=br"
+    role_permission: "root"
 
 ## storage Options
 mongodb_storage_dbpath: /data/mongodb # Directory for datafiles
@@ -149,16 +151,18 @@ mongodb_replication_oplogsize: 1024 # specifies a maximum size in megabytes for
 # Configure setParameter option.
 # Example :
 mongodb_set_parameters:
-  {
-    "enableLocalhostAuthBypass": "true",
-    "authenticationMechanisms": "SCRAM-SHA-1,MONGODB-CR",
-  }
+  enableLocalhostAuthBypass: "true"
+  authenticationMechanisms: "SCRAM-SHA-1,MONGODB-CR"
 
 ## Extend config with arbitrary values
 # Example :
 mongodb_config:
   replication:
-    - "enableMajorityReadConcern: false"
+    enableMajorityReadConcern: "false"
+  auditLog:
+    destination: "file"
+    format: "JSON"
+    path: "/var/log/mongodb/audit.json"
 
 # MMS Agent
 mongodb_mms_agent_pkg: https://cloud.mongodb.com/download/agent/monitoring/mongodb-mms-monitoring-agent_7.2.0.488-1_amd64.ubuntu1604.deb
diff --git a/tasks/auth_initialization.yml b/tasks/auth_initialization.yml
@@ -81,24 +81,27 @@
     - name: Check if Active Directory Role already exists
       command: >
         mongo --quiet {{ '--ssl --host ' + mongodb_net_ssl_host if mongodb_net_ssl_mode == 'requireSSL' else '' }} -u {{ mongodb_root_user_name }} \
-              -p {{ mongodb_root_user_password }} --port {{ mongodb_net_port }} --eval 'db.getSiblingDB("admin").getRole( "{{ mongodb_active_directory_role }}" )'
+              -p {{ mongodb_root_user_password }} --port {{ mongodb_net_port }} --eval 'db.getSiblingDB("admin").getRole( "{{ item.role_name }}" )'
       register: mongodb_role_ad_check
-      changed_when: false
+      changed_when: mongodb_role_ad_check.stdout == 'null'
       check_mode: no
       ignore_errors: true
       no_log: true
+      loop: "{{ mongodb_active_directory_role }}"
       when: mongodb_active_directory_role | length > 0
 
     - name: Create MongoDB Active Directory Role
       command: >
         mongo --quiet {{ '--ssl --host ' + mongodb_net_ssl_host if mongodb_net_ssl_mode == 'requireSSL' else '' }} -u {{ mongodb_root_user_name }} \
               -p {{ mongodb_root_user_password }} --port {{ mongodb_net_port }} \
-              --eval 'db.getSiblingDB("admin").createRole({ role:"{{ mongodb_active_directory_role }}",privileges:[], roles:["root"] })'    
+              --eval 'db.getSiblingDB("admin").createRole({ role:"{{ item.role_name }}",privileges:[], roles:["{{ item.role_permission }}"] })'    
       check_mode: no
+      ignore_errors: true
       no_log: true
+      loop: "{{ mongodb_active_directory_role }}"
       when:
         - mongodb_active_directory_role | length > 0 
-        - mongodb_role_ad_check.stdout == "null"
+        - mongodb_role_ad_check.changed
 
   always:
     - name: Move back mongod.conf
diff --git a/templates/mongod.conf.j2 b/templates/mongod.conf.j2
@@ -82,10 +82,27 @@ security:
   javascriptEnabled: {{ mongodb_security_javascript_enabled | to_nice_json }}
   {% if mongodb_config['security'] is defined and mongodb_config['security'] is iterable -%}
   {% for item in mongodb_config['security'] -%}
+  {% if item == 'ldap' -%}
+  ldap:
+    transportSecurity: "{{ mongodb_config['security']['ldap'].transportSecurity }}"
+    servers: "{{ mongodb_config['security']['ldap'].servers }}"
+    bind:
+      queryUser: "{{ mongodb_config['security']['ldap'].bind.queryUser }}"
+      queryPassword: "{{ mongodb_config['security']['ldap'].bind.queryPassword }}"
+    authz:
+      queryTemplate: "{{ mongodb_config['security']['ldap'].authz.queryTemplate }}"
+    userToDNMapping: 
+      {{ mongodb_config['security']['ldap'].userToDNMapping }}
+  {% else -%}
+  {% if mongodb_config['security'][item] is mapping -%}
   {{ item }}:
   {% for key, value in mongodb_config['security'][item].items() %}
   {{ key }}: {{ value | to_nice_json }}
   {% endfor -%}
+  {% else -%}
+  {{ item }}: {{ mongodb_config['security'][item] | to_nice_json }}
+  {% endif -%}
+  {% endif -%}
   {% endfor %}
   {% endif %}
 
