Merge pull request #354 from Icinga/feature/icingaweb2-users

Add ability to add more users to Icinga Web

changelogs/fragments/feature_add_icingaweb2_users.yml

@@ -0,0 +1,3 @@
+---
+minor_changes:
+  - Add the ability to create additional Icinga Web 2 users - Thanks @losten-git

doc/role-icingaweb2/role-icingaweb2.md

@@ -32,6 +32,21 @@ icingaweb2_db:
 * `icingaweb2_admin_<username|password>: string`
   * Set the username and password for the first admin user for Icinga Web 2.
 
+* `icingaweb2_admin_recreate: boolean`
+  * Recreate can be used to change the password of the admin. **Default: False**
+
+In addition to the Icinga Web 2 Admin, other users can be configured by defining `icingaweb2_users`.<br>
+The `recreate` parameter can be used to change passwords or to enable the user if he has been disabled. **Default: False**
+
+```yaml
+icingaweb2_users:
+  - username: 'foo'
+    password: 'bar'
+    recreate: true
+  - username: webadmin
+    [...]
+```
+
 ### Resources
 
 Besides the standard Icinga Web 2 database you may configure additional resources for IcingaDB or automated imports.

roles/icingaweb2/defaults/main.yml

@@ -41,3 +41,4 @@ icingaweb2_config:
   themes:
     default: Icinga
 icingaweb2_cli: icingacli
+icingaweb2_users: []

roles/icingaweb2/tasks/main.yml

@@ -40,8 +40,10 @@
   ansible.builtin.include_tasks: "manage_icingaweb_config.yml"
 
 - name: Manage Icinga Web 2 DB
-  ansible.builtin.include_tasks: "manage_icingaweb_{{ icingaweb2_db.type }}_db.yml"
-  when: icingaweb2_db is defined
+  ansible.builtin.include_tasks: "manage_icingaweb_db.yml"
+  when:
+    - icingaweb2_db is defined
+    - (icingaweb2_db_import_schema | default(false)) or (icingaweb2_users is defined) or (icingaweb2_admin_username is defined)
 
 - name: Manage module states
   ansible.builtin.file:

roles/icingaweb2/tasks/manage_icingaweb_db.yml

@@ -0,0 +1,27 @@
+---
+
+- name: Prepare database
+  ansible.builtin.include_tasks: "{{ icingaweb2_db.type | default('mysql') }}/prepare_db.yml"
+
+- name: Import database schema
+  ansible.builtin.include_tasks: "{{ icingaweb2_db.type | default('mysql') }}/import_db.yml"
+  when: icingaweb2_db_import_schema | default(false)
+
+- name: Add admin to users list
+  ansible.builtin.set_fact:
+    icingaweb2_users: "{{ icingaweb2_users + [_current_user]}}"
+  vars:
+    _current_user:
+      username: "{{ icingaweb2_admin_username }}"
+      password: "{{ icingaweb2_admin_password }}"
+      recreate: "{{ icingaweb2_admin_recreate | default(false) }}"
+  when:
+    - icingaweb2_admin_username is defined
+    - icingaweb2_admin_password is defined
+
+- name: Add Icinga web 2 users
+  ansible.builtin.include_tasks: "{{ icingaweb2_db.type | default('mysql') }}/users_db.yml"
+  loop: "{{ icingaweb2_users }}"
+  loop_control:
+    loop_var: _current_user
+  when: icingaweb2_users | length > 0

roles/icingaweb2/tasks/mysql/import_db.yml

@@ -0,0 +1,16 @@
+---
+
+- name: MySQL check for icingaweb db schema
+  ansible.builtin.shell: >
+    {{ _tmp_mysqlcmd }}
+    -Ns -e "select * from icingaweb_user"
+  failed_when: false
+  changed_when: false
+  check_mode: false
+  register: _icingaweb2_db_schema
+
+- name: MySQL import icingaweb db schema
+  ansible.builtin.shell: >
+    {{ _tmp_mysqlcmd }}
+    < /usr/share/icingaweb2/schema/mysql.schema.sql
+  when: _icingaweb2_db_schema.rc != 0

roles/icingaweb2/tasks/mysql/prepare_db.yml

@@ -0,0 +1,30 @@
+---
+
+- name: Check Database Credentials
+  ansible.builtin.assert:
+    that:
+      - icingaweb2_db['user'] is defined
+      - icingaweb2_db['password'] is defined
+    fail_msg: "No database credentials defined. Please set icingaweb2_db.<user|password> or a privileged user with icingaweb2_priv_db_<user|password>"
+  when: icingaweb2_priv_db_password is undefined and icingaweb2_priv_db_user is undefined
+
+- name: Set db user with admin privileges
+  ansible.builtin.set_fact:
+    _priv_db_user: "{{ icingaweb2_priv_db_user }}"
+    _priv_db_pass: "{{ icingaweb2_priv_db_password }}"
+  when: icingaweb2_priv_db_password is defined and icingaweb2_priv_db_user is defined
+
+- name: Build mysql command
+  ansible.builtin.set_fact:
+    _tmp_mysqlcmd: >-
+      mysql {% if icingaweb2_db['host'] | default('localhost') != 'localhost'  %} -h "{{ icingaweb2_db['host'] }}" {%- endif %}
+      {% if icingaweb2_db['port'] is defined %} -P "{{ icingaweb2_db['port'] }}" {%- endif %}
+      {% if icingaweb2_db['ssl_mode'] is defined %} --ssl-mode "{{ icingaweb2_db['ssl_mode'] }}" {%- endif %}
+      {% if icingaweb2_db['ssl_ca'] is defined %} --ssl-ca "{{ icingaweb2_db['ssl_ca'] }}" {%- endif %}
+      {% if icingaweb2_db['ssl_cert'] is defined %} --ssl-cert "{{ icingaweb2_db['ssl_cert'] }}" {%- endif %}
+      {% if icingaweb2_db['ssl_key'] is defined %} --ssl-key "{{ icingaweb2_db['ssl_key'] }}" {%- endif %}
+      {% if icingaweb2_db['ssl_cipher'] is defined %} --ssl-cipher "{{ icingaweb2_db['ssl_cipher'] }}" {%- endif %}
+      {% if icingaweb2_db['ssl_extra_options'] is defined %} {{ icingaweb2_db['ssl_extra_options'] }} {%- endif %}
+      -u "{{ icingaweb2_priv_db_user | default(icingaweb2_db['user']) }}"
+      -p"{{ icingaweb2_priv_db_password | default(icingaweb2_db['password']) }}"
+      "{{ icingaweb2_db['name'] }}"

roles/icingaweb2/tasks/mysql/users_db.yml

@@ -0,0 +1,18 @@
+---
+
+- name: MySQL check for icingaweb db schema
+  ansible.builtin.shell: >
+    {{ _tmp_mysqlcmd }}
+    -Ns -e "select name from icingaweb_user where name like '{{ _current_user.username }}'"
+  failed_when: false
+  changed_when: false
+  check_mode: false
+  register: _icingaweb2_db_user
+
+- name: Create user in Icinga Web (or reenable user / reset password)
+  run_once: true
+  ansible.builtin.shell: >-
+    echo "INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('{{ _current_user.username }}', 1,
+    '"`php -r 'echo password_hash("{{ _current_user.password }}", PASSWORD_DEFAULT);'`"')
+    ON DUPLICATE KEY UPDATE active = 1, password_hash = '"`php -r 'echo password_hash("{{ _current_user.password }}", PASSWORD_DEFAULT);'`"'" |  {{ _tmp_mysqlcmd }} -Ns
+  when: (_icingaweb2_db_user.stdout_lines | length <= 0) or (_current_user.recreate is true)

roles/icingaweb2/tasks/pgsql/import_db.yml

@@ -0,0 +1,17 @@
+---
+
+- name: PostgreSQL check for icingaweb db schema
+  ansible.builtin.shell: >
+    {{ _tmp_pgsqlcmd }}
+    -w -c "select * from icingaweb_user"
+  failed_when: false
+  changed_when: false
+  check_mode: false
+  register: _icingaweb2_db_schema
+
+- name: PostgreSQL import icingaweb db schema
+  ansible.builtin.shell: >
+    {{ _tmp_pgsqlcmd }}
+    -w -f /usr/share/icingaweb2/schema/pgsql.schema.sql
+  when:
+    - _icingaweb2_db_schema.rc != 0

roles/icingaweb2/tasks/pgsql/prepare_db.yml

@@ -0,0 +1,23 @@
+---
+
+- name: Check Database Credentials
+  ansible.builtin.assert:
+    that:
+      - icingaweb2_db['user'] is defined
+      - icingaweb2_db['password'] is defined
+    fail_msg: "No database credentials defined. Please set icingaweb2_db.<user|password> or a privileged user with icingaweb2_priv_db_<user|password>"
+  when: icingaweb2_priv_db_password is undefined and icingaweb2_priv_db_user is undefined
+
+- name: Build psql command
+  ansible.builtin.set_fact:
+    _tmp_pgsqlcmd: >-
+      PGPASSWORD="{{ icingaweb2_priv_db_password | default(icingaweb2_db['password']) }}"
+      psql
+      "host={{ icingaweb2_db['host'] }}
+      {% if icingaweb2_db['port'] is defined %} port={{ icingaweb2_db['port'] }} {%- endif %}
+      user={{ icingaweb2_priv_db_user | default(icingaweb2_db['user']) }}
+      dbname={{ icingaweb2_db['name'] }}
+      {% if icingaweb2_db['ssl_mode'] is defined %} sslmode={{ icingaweb2_db['ssl_mode'] | default('require') }} {%- endif %}
+      {% if icingaweb2_db['ssl_cert'] is defined %} sslcert={{ icingaweb2_db['ssl_cert']  }} {%- endif %}
+      {% if icingaweb2_db['ssl_key'] is defined %} sslkey={{ icingaweb2_db['ssl_key'] }} {%- endif %}
+      {% if icingaweb2_db['ssl_extra_options'] is defined %} {{ icingaweb2_db['ssl_extra_options'] }} {%- endif %}"

roles/icingaweb2/tasks/pgsql/users_db.yml

@@ -0,0 +1,20 @@
+---
+
+- name: PostgreSQL check for icingaweb admin user
+  ansible.builtin.shell: >
+    LANG=C
+    {{ _tmp_pgsqlcmd }}
+    -w -c "select name from icingaweb_user where name like '{{ _current_user.username }}'"
+  failed_when: false
+  changed_when: false
+  check_mode: false
+  register: _icingaweb2_db_user
+
+- name: Create user in Icinga Web (or reenable user / reset password)
+  run_once: true
+  ansible.builtin.shell: >-
+    echo "INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('{{ _current_user.username }}', 1,
+    '"`php -r 'echo password_hash("{{ _current_user.password }}", PASSWORD_DEFAULT);'`"')
+    ON CONFLICT (name) DO UPDATE
+    SET active = 1, password_hash = '"`php -r 'echo password_hash("{{ _current_user.password }}", PASSWORD_DEFAULT);'`"'" | {{ _tmp_pgsqlcmd }} -w
+  when: ("(0 rows)" in _icingaweb2_db_user.stdout_lines) or (_current_user.recreate is true)