Add, modify, and clear up role mappings

Author: gaima8

README.md

@@ -391,6 +391,33 @@ es_roles:
             - create_index
 ```
 
+* ```es_role_mappings``` - Elasticsearch role mappings can be declared here as yml. Each key is a name of a role mapping, with yaml formatted JSON defining the role mapping as described [here](https://www.elastic.co/guide/en/x-pack/current/mapping-roles.html) e.g.
+
+```yaml
+es_role_mappings:
+  groupname-editor:
+    enabled: true
+    roles:
+      - editor
+    rules:
+      field:
+        groups: "EditorGroup"
+  groupname-admin:
+    enabled: true
+    roles:
+      - editor
+    rules:
+      field:
+        groups: "AdminGroup"
+  realmname-viewer:
+    enabled: true
+    roles:
+      - viewer
+    rules:
+      field:
+        realm.name: realm1
+```
+
 * ```es_xpack_license``` - X-Pack license. The license is a json blob. Set the variable directly (possibly protected by Ansible vault) or from a file in the Ansible project on the control machine via a lookup:
 
 ```yaml

defaults/main.yml

@@ -69,3 +69,4 @@ es_ssl_verification_mode: "certificate"
 es_validate_certs: "yes"
 es_delete_unmanaged_file: true
 es_delete_unmanaged_native: true
+es_delete_unmanaged_role_mappings: true

tasks/main.yml

@@ -103,6 +103,11 @@
   when: manage_native_realm | bool
   run_once: True
 
+- name: include xpack/security/elasticsearch-security-role_mappings.yml
+  include: ./xpack/security/elasticsearch-security-role_mappings.yml
+  when: es_role_mappings is defined and es_role_mappings.keys() | list | length > 0
+  run_once: True
+
 #Templates done after restart - handled by flushing the handlers. e.g. suppose user removes security on a running node and doesn't specify es_api_basic_auth_username and es_api_basic_auth_password.  The templates will subsequently not be removed if we don't wait for the node to restart.
 #We also do after the native realm to ensure any changes are applied here first and its denf up.
 - name: include elasticsearch-template.yml

tasks/xpack/security/elasticsearch-security-role_mappings.yml

@@ -0,0 +1,43 @@
+---
+#List current role mappings
+- name: List Role Mappings
+  uri:
+    url: "{{ es_api_uri }}/{{ es_security_api }}/role_mapping"
+    method: GET
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+    status_code: 200
+    validate_certs: "{{ es_validate_certs }}"
+  register: role_mapping_list_response
+  check_mode: no
+
+- name: set fact role_mappings_to_remove
+  set_fact: role_mappings_to_remove={{ role_mapping_list_response.json.keys() | difference ( es_role_mappings.keys() | list) }}
+
+#Delete all non required role mappings
+- name: Delete Role mappings
+  uri:
+    url: "{{ es_api_uri }}/{{ es_security_api }}/role_mapping/{{ item | urlencode }}"
+    method: DELETE
+    status_code: 200
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+    validate_certs: "{{ es_validate_certs }}"
+  when: es_delete_unmanaged_role_mappings
+  with_items: "{{ role_mappings_to_remove | default([]) }}"
+
+#Update other roles mappings
+- name: Update Role Mappings
+  uri:
+    url: "{{ es_api_uri }}/{{ es_security_api }}/role_mapping/{{ item | urlencode }}"
+    method: POST
+    body_format: json
+    body: "{{ es_role_mappings[item] | to_json}}"
+    status_code: 200
+    user: "{{es_api_basic_auth_username}}"
+    password: "{{es_api_basic_auth_password}}"
+    force_basic_auth: yes
+    validate_certs: "{{ es_validate_certs }}"
+  with_items: "{{ es_role_mappings.keys() | list | default([]) }}"