Puppet Class: splunk::enterprise::password::seed

Inherits:
splunk::params
Defined in:
manifests/enterprise/password/seed.pp

Summary

Implements the seeding and reseeding of the Splunk Enterprise admin password so that it can be used outside of regular management of the whole stack, to facilitate admin password resets through Bolt Plans.

Overview

Parameters:

  • reset_seeded_password (Boolean) (defaults to: $splunk::params::reset_seeded_password)

    If set to true, deletes 'password_config_file' to trigger Splunk's password import process on restart of the Splunk services.

  • password_config_file (Stdlib::Absolutepath) (defaults to: $splunk::params::enterprise_password_config_file)

    Which file to put the password in, i.e. on Linux it would be '/opt/splunk/etc/passwd'.

  • seed_config_file (Stdlib::Absolutepath) (defaults to: $splunk::params::enterprise_seed_config_file)

    Which file to place the admin password hash in so that it is imported by Splunk on restart.

  • seed_user (String[1]) (defaults to: $splunk::params::seed_user)

    The local user (usually ‘admin’) imported by Splunk.

  • password_hash (String[1]) (defaults to: $splunk::params::password_hash)

    The hashed password for the admin user.

  • secret_file (Stdlib::Absolutepath) (defaults to: $splunk::params::enterprise_secret_file)

    Which file we should put the secret in.

  • secret (String[1]) (defaults to: $splunk::params::secret)

    The secret used to salt the Splunk password.

  • service (String[1]) (defaults to: $splunk::params::enterprise_service)

    Name of the Splunk Enterprise service that needs to be restarted after files are updated, not applicable when running in agent mode.

  • mode (Enum['agent', 'bolt']) (defaults to: 'bolt')

    The class is designed to work in two ways: as a helper that is called by Class, or leveraged independently from within a Bolt Plan. The value defaults to "bolt", implicitly assuming that any time it is used outside of Class, it is being used by Bolt.

  • splunk_user (String[1]) (defaults to: $splunk::params::splunk_user)


# File 'manifests/enterprise/password/seed.pp', line 41

class splunk::enterprise::password::seed (
  Boolean $reset_seeded_password             = $splunk::params::reset_seeded_password,
  Stdlib::Absolutepath $password_config_file = $splunk::params::enterprise_password_config_file,
  Stdlib::Absolutepath $seed_config_file     = $splunk::params::enterprise_seed_config_file,
  String[1] $seed_user                       = $splunk::params::seed_user,
  String[1] $password_hash                   = $splunk::params::password_hash,
  Stdlib::Absolutepath $secret_file          = $splunk::params::enterprise_secret_file,
  String[1] $secret                          = $splunk::params::secret,
  String[1] $splunk_user                     = $splunk::params::splunk_user,
  String[1] $service                         = $splunk::params::enterprise_service,
  Enum['agent', 'bolt'] $mode                = 'bolt',
) inherits splunk::params {
  file { $secret_file:
    ensure  => file,
    owner   => $splunk_user,
    group   => $splunk_user,
    content => $secret,
  }

  if $reset_seeded_password or $facts['splunk_version'].empty {
    file { $password_config_file:
      ensure => absent,
      before => File[$seed_config_file],
    }
    file { $seed_config_file:
      ensure  => file,
      owner   => $splunk_user,
      group   => $splunk_user,
      content => epp('splunk/user-seed.conf.epp', { 'user' => $seed_user, 'hash' => $password_hash }),
      require => File[$secret_file],
    }

    if $mode == 'bolt' {
      service { $service:
        ensure     => running,
        enable     => true,
        hasstatus  => true,
        hasrestart => true,
        subscribe  => File[$seed_config_file],
      }
    }
  }
}
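
The manifest above manages owner and group on `$secret_file` and `$seed_config_file` but leaves their mode unmanaged and passes `$secret` and `$password_hash` as plain strings. The following is an added example, not the module's own code, showing the same two file resources with an explicit owner-only mode, `Sensitive` content and diffs disabled. The class name `profile::splunk_seed_hardened`, the `'admin'` and `'splunk'` defaults and the `0600` mode are assumptions; it expects the splunk and stdlib modules to be installed.

```puppet
# Added example, not the module's code. The class name and the two defaults
# are hypothetical; the template and its 'user'/'hash' keys are the ones the
# manifest above passes to epp().
class profile::splunk_seed_hardened (
  Stdlib::Absolutepath $secret_file,
  Stdlib::Absolutepath $seed_config_file,
  Sensitive[String[1]] $secret,
  Sensitive[String[1]] $password_hash,
  String[1] $seed_user   = 'admin',   # assumed default
  String[1] $splunk_user = 'splunk',  # assumed default
) {
  file {
    # Attributes shared by both credential-bearing files.
    default:
      ensure    => file,
      owner     => $splunk_user,
      group     => $splunk_user,
      mode      => '0600',  # owner-only (assumed value); the original sets no mode
      show_diff => false,   # never print file content diffs during a run
    ;
    $secret_file:
      # A Sensitive value is redacted in Puppet's logs and reports.
      content => $secret,
    ;
    $seed_config_file:
      # Render with the unwrapped hash, then re-wrap the whole rendered file
      # so the hash does not leak through the template output.
      content => Sensitive(epp('splunk/user-seed.conf.epp', {
        'user' => $seed_user,
        'hash' => $password_hash.unwrap,
      })),
      require => File[$secret_file],
    ;
  }
}
```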