Adding new application:
In repo it-puppet-hostgroup-dashboard, in data/hostgroup/dashboard/elasticsearch.yaml add the new application to the list elasticsearch_index_apps:
<appname>: "<prefix>[-*_a-z0-9A-Z]*(,<prefix>[-*_a-z0-9A-Z]*)*"
for example:
fts3: "fts3-[-*_a-z0-9A-Z]*(,fts3-[-*_a-z0-9A-Z]*)*"
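A check to run on a new elasticsearch_index_apps entry before committing it, as an added example that is not part of the original page or the dashboard project's code. It assumes the pattern is applied anchored to the whole comma-separated index part of a request; the `fts` entry and the probe index names are hypothetical.

```python
import re

# Constructed sample of elasticsearch_index_apps. Only the fts3 entry is from the page.
APPS = {
    "fts3": "fts3-[-*_a-z0-9A-Z]*(,fts3-[-*_a-z0-9A-Z]*)*",
    # Hypothetical entry whose prefix has no trailing delimiter.
    "fts": "fts[-*_a-z0-9A-Z]*(,fts[-*_a-z0-9A-Z]*)*",
}


def allowed(app, index_expr, apps=APPS):
    """True if the whole index expression matches the app's pattern.

    Assumption: the pattern is matched against the full index part of the
    request, so every comma-separated element must carry the app prefix.
    """
    return re.fullmatch(apps[app], index_expr) is not None


def prefix_of(pattern):
    """Literal prefix of a pattern written in the page's template form."""
    return pattern.split("[", 1)[0]


def overlaps(apps=APPS):
    """Pairs (a, b) where app a's pattern also accepts an index of app b."""
    found = []
    for a, pat_a in apps.items():
        for b, pat_b in apps.items():
            probe = prefix_of(pat_b) + "probe"  # constructed index name under b's prefix
            if a != b and re.fullmatch(pat_a, probe):
                found.append((a, b))
    return sorted(found)


if __name__ == "__main__":
    for expr in ("fts3-jobs,fts3-state", "fts3-*", "fts3-jobs,atlas-jobs", "*"):
        print(f"{expr!r:28} allowed for fts3: {allowed('fts3', expr)}")
    for a, b in overlaps():
        print(f"pattern of {a!r} also matches indices of {b!r}")
```

A prefix that ends in a delimiter, as in the fts3 example, keeps one application's pattern from covering another application's indices.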
Adding basic http auth:
Add new user(s):
On aiadm:
Get passwd from tbag
cd /tmp/$USER
for dev:
tbag show dashboard_elasticsearch_password --hg dashboard/elasticsearch/search/development --file passwd
for production:
tbag show dashboard_elasticsearch_password --hg dashboard/elasticsearch --file passwd
Add user(s) to passwd
For each user:
Set passwd in tbag
for dev:
tbag set dashboard_elasticsearch_password --hg dashboard/elasticsearch/search/development --file passwd
for production:
tbag set dashboard_elasticsearch_password --hg dashboard/elasticsearch --file passwd
rm passwd
Send password(s) to application admin(s)
Add allowed groups to tbag secret
On aiadm:
Get groupfile from tbag
cd /tmp/$USER
for dev:
tbag show dashboard_elasticsearch_group --hg dashboard/elasticsearch/search/development --file groupfile
for production:
tbag show dashboard_elasticsearch_group --hg dashboard/elasticsearch --file groupfile
Edit groupfile
add the new groups
<ro_group>: <ro_usernames>
<rw_group>: <rw_usernames>
for example:
fts3: fts3
fts3_rw: fts3
Add the new users to the group "anyone", which has access to safe URLs such as plugin and node status.
anyone: ... <ro_usernames> <rw_usernames>
for example:
anyone: ... fts3
Set groupfile in tbag
for dev:
tbag set dashboard_elasticsearch_group --hg dashboard/elasticsearch/search/development --file groupfile
for production:
tbag set dashboard_elasticsearch_group --hg dashboard/elasticsearch --file groupfile
rm groupfile
Configure allowed groups in hiera
In repo it-puppet-hostgroup-dashboard, in data/hostgroup/dashboard/elasticsearch.yaml add the groups allowed to read and write:
elasticsearch_index_groups_rw:
  ...
  <appname>: "<group(s) allowed to write>"
  ...
elasticsearch_index_groups_ro:
  ...
  <appname>: "<group(s) allowed to read>"
  ...
for example:
elasticsearch_index_groups_rw:
  ...
  fts3: "fts3_rw"
  ...
elasticsearch_index_groups_ro:
  ...
  fts3: "fts3"
  ...
Adding CERN SSO access (e-group auth)
Configure allowed e-groups in hiera
In repo it-puppet-hostgroup-dashboard, in data/hostgroup/dashboard/elasticsearch.yaml add the groups allowed to read and write:
elasticsearch_index_egroups_rw:
  ...
  <appname>: "<e-group(s) allowed to write>"
  ...
elasticsearch_index_egroups_ro:
  ...
  <appname>: "<e-group(s) allowed to read>"
  ...
for example:
elasticsearch_index_egroups_rw:
  ...
  fts3: "dashb-es-fts3-rw dashb-es-admins"
  ...
elasticsearch_index_egroups_ro:
  ...
  fts3: "dashb-es-fts3 dashb-es-admins"
  ...
Configure e-groups
Create e-groups
https://e-groups.cern.ch/e-groups/EgroupsSearchOwner.do
Populate with users/e-groups that should have r/o and r/w access
Add the new e-groups to the e-group dashb-es-users to allow saving Kibana dashboards