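#!/usr/bin/env bash
#
# Creates the Elasticsearch security roles used by Siren Investigate and
# Siren Federate -- investigate_system, federate_system, investigate_user and
# investigate_admin -- through the PUT _security/role API.
#
# Every setting is prompted for on the terminal. The Elasticsearch password
# is handed to curl through a mode-0600 config file instead of on the command
# line, so it does not show up in process listings or shell traces.
#
# Requires bash 4+ and curl.
set -euo pipefail

#######################################
# Prompt for a value on the terminal and assign it to a variable, using a
# default when the answer is empty.
# Arguments: $1 - prompt text
#            $2 - default value
#            $3 - name of the variable to assign
#            $4 - "secret" to suppress terminal echo while typing (optional)
# Returns:   non-zero (and, under set -e, exits) when stdin hits EOF
#######################################
prompt_var() {
  local text=$1 default=$2 name=$3 mode=${4:-}
  local answer=
  if [[ "$mode" == secret ]]; then
    read -r -s -p "$text" answer
    echo  # read -s swallows the newline the user typed
  else
    read -r -p "$text" answer  # -r keeps backslashes literal
  fi
  printf -v "$name" '%s' "${answer:-$default}"
}

#######################################
# Escape backslash and double quote so a value can sit inside a double-quoted
# string literal (a JSON string, or a value in a curl config file).
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout, no trailing newline
#######################################
escape_dq() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  printf '%s' "$s"
}

#######################################
# PUT one role definition, read from stdin, to the _security/role API and
# print the server's reply.
# Globals:   ES_URL (read), CURL_FLAGS (read, array), CURL_CONFIG (read)
# Arguments: $1 - role name
# Returns:   curl's status on a transport error; 1 when the HTTP status is
#            not 2xx (curl alone only fails on transport errors, so without
#            this check set -e would never notice a rejected role)
#######################################
put_role() {
  local role=$1 reply status
  # -w appends the status code on a line of its own so the reply body stays
  # visible. A -w or -o in CURL_FLAGS would defeat this split.
  reply=$(curl ${CURL_FLAGS[@]+"${CURL_FLAGS[@]}"} --config "$CURL_CONFIG" \
    -X PUT -H "Content-Type: application/json" -d @- \
    -w '\n%{http_code}' "${ES_URL}/_security/role/${role}")
  status=${reply##*$'\n'}
  printf '%s' "${reply%$'\n'*}"
  if [[ "$status" != 2?? ]]; then
    printf 'creating role %s failed: HTTP %s\n' "$role" "$status" >&2
    return 1
  fi
}

main() {
  local sys_prefix data_prefix data_indices sys_names

  prompt_var "Elasticsearch username: [elastic]: " elastic ES_USERNAME
  # An empty answer falls back to the literal password "password"; an empty
  # password is never sent.
  prompt_var "Elasticsearch password: " password ES_PASSWORD secret
  # The default is plain http for a local cluster; anything remote should be
  # https (pass -k or --cacert via the curl flags prompt if needed).
  prompt_var "Elasticsearch URL [http://localhost:9200]: " http://localhost:9200 ES_URL
  prompt_var "Investigate system indices prefix [.siren]: " .siren INVESTIGATE_SYSTEM_PREFIX
  prompt_var "Prefix for data indices managed by Investigate [siren]: " siren INVESTIGATE_DATA_PREFIX
  prompt_var "Index pattern matching indices readable by Investigate users [data-*]:" "data-*" DATA_INDICES

  # Split on whitespace into an array so each flag is its own argv entry
  # (e.g. "-k --cacert ca.pem"); flags containing spaces are not supported.
  CURL_FLAGS=()
  read -r -p "curl flags: " -a CURL_FLAGS

  # mktemp creates the file with mode 0600; it is removed on any exit path.
  CURL_CONFIG=$(mktemp) || { printf 'mktemp failed\n' >&2; exit 1; }
  trap 'rm -f -- "$CURL_CONFIG"' EXIT
  # curl config values are double-quoted and honour \" and \\ escapes.
  printf 'user = "%s:%s"\n' "$(escape_dq "$ES_USERNAME")" \
    "$(escape_dq "$ES_PASSWORD")" > "$CURL_CONFIG"

  # The prompted values are embedded in JSON string literals below, so they
  # are escaped first; expanding them unquoted would also let a pattern such
  # as data-* glob against the current directory.
  sys_prefix=$(escape_dq "$INVESTIGATE_SYSTEM_PREFIX")
  data_prefix=$(escape_dq "$INVESTIGATE_DATA_PREFIX")
  data_indices=$(escape_dq "$DATA_INDICES")
  # JSON text "\\" decodes to one regex backslash, which escapes the prefix's
  # leading dot (assumes the prefix starts with ".", as the default does).
  sys_names="/\\\\${sys_prefix}.*/"

  echo "Creating investigate_system role..."

  # In the unquoted here-documents below, "\\\\" becomes the JSON text "\\".
  put_role investigate_system <<EOF
{
  "cluster": [
    "cluster:internal/federate/*",
    "cluster:admin/federate/*",
    "cluster:monitor/*",
    "manage_index_templates",
    "manage_ingest_pipelines",
    "delegate_pki",
    "manage_oidc",
    "manage_token"
  ],
  "indices": [
    {
      "names": [
        "${sys_names}",
        "/${data_prefix}-.*/",
        "/.*_revised/",
        "/watcher.*/",
        "/web-service-.*/"
      ],
      "privileges": [
        "all"
      ]
    }
  ]
}
EOF

  echo
  echo

  echo "Creating federate_system role..."

  put_role federate_system <<EOF
{
  "cluster": [
    "cluster:internal/federate/*",
    "cluster:admin/federate/*",
    "cluster:monitor/*",
    "manage_index_templates",
    "manage_ingest_pipelines"
  ],
  "indices": [
    {
      "names": [
        "/\\\\.siren-federate-.*/"
      ],
      "privileges": [
        "all"
      ]
    },
    {
      "names": [
        "/${data_prefix}-.*/"
      ],
      "privileges": [
        "all"
      ]
    }
  ]
}
EOF

  echo
  echo

  echo "Creating investigate_user role"

  put_role investigate_user <<EOF
{
  "cluster": [
    "cluster:internal/federate/*"
  ],
  "indices": [
    {
      "names": [
        "/${data_prefix}-import-.*/"
      ],
      "privileges": [
        "indices:data/read*",
        "indices:admin/aliases/get",
        "indices:admin/aliases/exists",
        "indices:admin/get",
        "indices:admin/exists",
        "indices:admin/mappings/fields/get*",
        "indices:admin/mappings/get*",
        "indices:admin/types/exists",
        "indices:admin/validate/query"
      ],
      "query": {
        "bool": {
          "should": [
            {
              "siren_dataspaces": {
                "field": "_siren.sic.namespace"
              }
            },
            {
              "bool": {
                "must_not": {
                  "exists": {
                    "field": "_siren.sic.namespace"
                  }
                }
              }
            }
          ]
        }
      }
    },
    {
      "names": [
        "${data_indices}"
      ],
      "privileges": [
        "indices:data/read*",
        "indices:admin/aliases/get",
        "indices:admin/aliases/exists",
        "indices:admin/get",
        "indices:admin/exists",
        "indices:admin/mappings/fields/get*",
        "indices:admin/mappings/get*",
        "indices:admin/mappings/federate/connector/get*",
        "indices:admin/mappings/federate/connector/fields/get*",
        "indices:admin/types/exists",
        "indices:admin/validate/query"
      ]
    }
  ]
}
EOF

  echo
  echo

  echo "Creating investigate_admin role"

  put_role investigate_admin <<EOF
{
  "cluster": [
    "cluster:internal/federate/*",
    "cluster:admin/federate/*",
    "cluster:monitor/*",
    "cluster:admin/xpack/security/*"
  ],
  "indices": [
    {
      "names": [
        "${data_indices}"
      ],
      "privileges": [
        "all"
      ]
    }
  ]
}
EOF

  echo
  echo
}

main "$@"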
