Puppet Class: splunk::enterprise::password::seed

Inherits:
splunk::params
Defined in:
manifests/enterprise/password/seed.pp

Summary

Implements the seeding and reseeding of the Splunk Enterprise admin password so that it can be used outside of regular management of the whole stack, to facilitate admin password resets through Bolt plans.

Overview

Parameters:

  • seed_password

    If set to true, manages the contents of splunk.secret and user-seed.conf.

  • reset_seed_password

    If set to true, deletes `password_config_file` to trigger Splunk's password import process on restart of the Splunk services.

  • password_config_file (Stdlib::Absolutepath) (defaults to: $splunk::params::enterprise_password_config_file)

    Which file to put the password in, e.g. on Linux it would be `/opt/splunk/etc/passwd`.

  • seed_config_file (Stdlib::Absolutepath) (defaults to: $splunk::params::enterprise_seed_config_file)

    Which file to place the admin password hash in so it's imported by Splunk on restart.

  • password_hash (String[1]) (defaults to: $splunk::params::password_hash)

    The hashed password for the admin user.

  • secret_file (Stdlib::Absolutepath) (defaults to: $splunk::params::enterprise_secret_file)

    Which file we should put the secret in.

  • secret (String[1]) (defaults to: $splunk::params::secret)

    The secret used to salt the Splunk password.

  • reset_seeded_password (Boolean) (defaults to: $splunk::params::reset_seeded_password)
  • splunk_user (String[1]) (defaults to: $splunk::params::splunk_user)
  • service (String[1]) (defaults to: $splunk::params::enterprise_service)
  • mode (Enum['agent', 'bolt']) (defaults to: 'bolt')


# File 'manifests/enterprise/password/seed.pp', line 41

class splunk::enterprise::password::seed(
  Boolean $reset_seeded_password             = $splunk::params::reset_seeded_password,
  Stdlib::Absolutepath $password_config_file = $splunk::params::enterprise_password_config_file,
  Stdlib::Absolutepath $seed_config_file     = $splunk::params::enterprise_seed_config_file,
  String[1] $password_hash                   = $splunk::params::password_hash,
  Stdlib::Absolutepath $secret_file          = $splunk::params::enterprise_secret_file,
  String[1] $secret                          = $splunk::params::secret,
  String[1] $splunk_user                     = $splunk::params::splunk_user,
  String[1] $service                         = $splunk::params::enterprise_service,
  Enum['agent', 'bolt'] $mode                = 'bolt',
) inherits splunk::params {

  file { $secret_file:
    ensure  => file,
    owner   => $splunk_user,
    group   => $splunk_user,
    content => $secret,
  }

  if $reset_seeded_password or $facts['splunk_version'].empty {
    file { $password_config_file:
      ensure => absent,
      before => File[$seed_config_file],
    }
    file { $seed_config_file:
      ensure  => file,
      owner   => $splunk_user,
      group   => $splunk_user,
      content => epp('splunk/user-seed.conf.epp', { 'hash' => $password_hash}),
      require => File[$secret_file],
    }

    if $mode == 'bolt' {
      service { $service:
        ensure     => running,
        enable     => true,
        hasstatus  => true,
        hasrestart => true,
        subscribe  => File[$seed_config_file],
      }
    }
  }
}
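
An added usage example, not part of the module: a hypothetical `profile::splunk_admin_seed` wrapper that declares the class from agent runs and tightens the files it writes. The profile name, the Hiera source of the values and the `0600` mode are assumptions; the class parameters are the ones listed above.

```puppet
# Added example: hypothetical profile, not part of the splunk module.
class profile::splunk_admin_seed (
  # Assumption: both values come from Hiera (for example eyaml) with
  # lookup_options convert_to: 'Sensitive', so they arrive wrapped.
  Sensitive[String[1]] $password_hash,
  Sensitive[String[1]] $secret,
  Boolean              $reset = false,
) {
  # The seed class declares these parameters as String[1], so the values
  # have to be unwrapped at this boundary.
  class { 'splunk::enterprise::password::seed':
    reset_seeded_password => $reset,
    password_hash         => $password_hash.unwrap,
    secret                => $secret.unwrap,
    # In 'agent' mode the class declares no service resource, so the
    # restart that makes Splunk import the seed is handled elsewhere.
    mode                  => 'agent',
  }

  # The class sets owner and group on the files it writes but no mode, and
  # their content is a plain String. Resources are tagged with their class
  # name, so a collector can tighten every file the class manages.
  File <| tag == 'splunk::enterprise::password::seed' |> {
    mode      => '0600',  # assumption: Splunk runs as $splunk_user
    show_diff => false,   # keep secret and hash out of agent diffs
  }
}
```

Because the values are unwrapped before they reach the class, the secret and hash are stored in clear text in the compiled catalog, so cached catalogs and PuppetDB need the same protection as the Hiera data.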