cloudera-labs · wmudge · Oct 1, 2025 · Sep 10, 2025 · Sep 30, 2025 · Sep 30, 2025
diff --git a/roles/efm/README.md b/roles/efm/README.md
@@ -0,0 +1,128 @@
+# Edge Flow Manager
+
+## Requirements
+
+- Network access from the target host to the URL specified in `efm_tarball_url`
+- When `efm_tls_enabled: true`, all TLS-related variables must be defined in your playbook
+- When `efm_ldap_enabled: true`, all LDAP-related variables must be defined in your playbookr
+
+This role streamlines the deployment and configuration of Cloudera Edge Flow Manager (EFM) on designeted host. It covers the full installation workflow, from fetching the EFM package to setting up the service and applying configuration templates.
+
+## What this role does
+
+- Validates required configuration variables based on enabled features (TLS, LDAP)
+- Retrieves the EFM tarball from a user-defined or default source
+- Installs EFM into a configurable directory
+- Sets up the required system user and group for EFM
+- Applies configuration using a Jinja2 template for `efm.properties`
+- Installs and manages the EFM systemd service unit
+- Adjusts permissions for all relevant files and directories
+- Supports authentication for protected download sources
+
+# Requirements
+
+- Network access from the target host to the URL specified in `efm_tarball_url`.
+
+## Variables
+
+| Name                            | Purpose                                                      | Default (see `defaults/main.yml`)           |
+|----------------------------------|--------------------------------------------------------------|---------------------------------------------|
+| `efm_tarball_url`                | Download link for the EFM tarball                            | (default provided in role)                  |
+| `efm_directory`                  | Installation directory for EFM                               | `/opt/cloudera/cem`                         |
+| `efm_properties_directory`       | Path to the EFM properties file                              | `/opt/cloudera/cem/efm/conf/efm.properties` |
+| `efm_service_directory`          | Location for the systemd service file                        | `/etc/systemd/system/efm.service`           |
+| `efm_user`                       | System user for EFM                                          | `efm`                                       |
+| `efm_group`                      | System group for EFM                                         | `efm`                                       |
+| `efm_repo_username` | Username for protected repositories (optional)               |                                             |
+| `efm_repo_password` | Password for protected repositories (optional)               |                                             |
+| `efm_tls_enabled` | Enable/disable TLS for EFM server | `false` |
+| `efm_ssl_client_auth` | SSL client authentication mode | `WANT` |
+| `efm_ssl_keystore_type` | Type of keystore (jks, pkcs12) | `jks` |
+| `efm_ssl_truststore_type` | Type of truststore (jks, pkcs12) | `jks` |
+| `efm_ssl_keystore_path` | Path to SSL keystore (must be defined when TLS enabled) |
+| `efm_ssl_keystore_password` | SSL keystore password (must be defined when TLS enabled) |
+| `efm_ssl_key_password` | SSL private key password (must be defined when TLS enabled) |
+| `efm_ssl_truststore_path` | Path to SSL truststore (must be defined when TLS enabled) |
+| `efm_ssl_truststore_password` | SSL truststore password (must be defined when TLS enabled) |
+| `efm_ldap_enabled` | Enable/disable LDAP authentication | `false` |
+| `efm_ldap_url` | LDAP server URL (must be defined when LDAP enabled) |
+| `efm_ldap_authentication_strategy` | LDAP authentication strategy (must be defined when LDAP enabled) |
+| `efm_ldap_user_auth_groups_manager` | Authentication groups manager (must be defined when LDAP enabled) |
+| `efm_ldap_auth_enabled` | Enable LDAP authentication (must be defined when LDAP enabled) |
+| `efm_ldap_auth_search_filter` | LDAP search filter for users (must be defined when LDAP enabled) |
+| `efm_ldap_user_search_base` | LDAP search base for users (must be defined when LDAP enabled) |
+| `efm_ldap_user_object_class` | LDAP object class for users (must be defined when LDAP enabled) |
+| `efm_ldap_tls_protocol` | TLS protocol for LDAP connections (must be defined when LDAP enabled) |
+| `efm_ldap_user_search_scope` | LDAP search scope (must be defined when LDAP enabled) |
+| `efm_ldap_user_identity_attribute` | LDAP identity attribute (must be defined when LDAP enabled) |
+| `efm_db_url` | Database connection URL | `jdbc:postgresql://localhost:5432/efm` |
+| `efm_db_driver_class` | Database driver class | `org.postgresql.Driver` |
+| `efm_db_username` | Database username | `efm` |
+| `efm_db_password` | Database password | `efmPassword` |
+
+## Example usage
+
+```yaml
+# Basic EFM installation
+- hosts: efm_nodes
+  become: true
+  tasks:
+    - name: Install EFM with basic configuration
+      ansible.builtin.import_role:
+        name: cloudera.exe.efm
+      vars:
+        efm_tarball_url: "https://archive.cloudera.com/p/CEM/redhat9/2.x/updates/2.2.0.0/tars/efm/efm-2.2.0.0-1-bin.tar.gz"
+        efm_repo_username: "repo_user"
+        efm_repo_password: "repo_pass"
+        efm_encryption_password: "MySecurePassword123"
+
+    - name: Install EFM with TLS and LDAP enabled
+      ansible.builtin.import_role:
+        name: cloudera.exe.efm
+      vars:
+        efm_encryption_password: "MySecurePassword123"
+        # TLS Configuration (ALL variables required when efm_tls_enabled: true)
+        efm_tls_enabled: true
+        efm_ssl_client_auth: "WANT"
+        efm_ssl_keystore_type: "jks"
+        efm_ssl_truststore_type: "jks"
+        efm_ssl_keystore_path: "/opt/cloudera/cem/certs/keystore.jks"
+        efm_ssl_keystore_password: "MyKeystorePass"
+        efm_ssl_key_password: "MyKeyPass"
+        efm_ssl_truststore_path: "/opt/cloudera/cem/certs/truststore.jks"
+        efm_ssl_truststore_password: "MyTruststorePass"
+        # LDAP Configuration (ALL variables required when efm_ldap_enabled: true)
+        efm_ldap_enabled: true
+        efm_ldap_url: "ldaps://your-ldap-server.example.com:636"
+        efm_ldap_authentication_strategy: "LDAPS"
+        efm_ldap_user_auth_groups_manager: "LDAP"
+        efm_ldap_auth_enabled: true
+        efm_ldap_auth_search_filter: "(uid={0})"
+        efm_ldap_user_search_base: "cn=users,cn=accounts,dc=example,dc=com"
+        efm_ldap_user_object_class: "person"
+        efm_ldap_tls_protocol: "TLSv1.2"
+        efm_ldap_user_search_scope: "ONE_LEVEL"
+        efm_ldap_user_identity_attribute: "uid"
+        # Database Configuration (if not using defaults)
+        efm_db_url: "jdbc:postgresql://db-server:5432/efm_prod"
+        efm_db_username: "efm_user"
+        efm_db_password: "SecureDbPassword"
+```
+
+## License
+
+```
+Copyright 2025 Cloudera, Inc.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     https://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+```
diff --git a/roles/efm/defaults/main.yml b/roles/efm/defaults/main.yml
@@ -0,0 +1,55 @@
+---
+# Copyright 2025 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+efm_tarball_url: "https://archive.cloudera.com/p/CEM/redhat9/2.x/updates/2.1.3.0/tars/efm/efm-2.1.3.0-2-bin.tar.gz"
+efm_properties_directory: "/opt/cloudera/cem/efm/conf/efm.properties"
+efm_service_directory: "/etc/systemd/system/efm.service"
+efm_directory: "/opt/cloudera/cem"
+efm_user: efm
+efm_group: efm
+efm_server_address: "0.0.0.0"
+efm_server_port: "10090"
+efm_encryption_password: "{{ undef(hint='Please define the EFM encryption password (efm_encryption_password)') }}"
+
+# TLS Configuration
+efm_tls_enabled: false
+# SSL/TLS settings (only used when efm_tls_enabled is true)
+# efm_ssl_client_auth: "WANT"
+# efm_ssl_keystore_type: "jks"
+# efm_ssl_truststore_type: "jks"
+# efm_ssl_keystore_path: /etc/pki/tls/private/keystore.jks
+# efm_ssl_truststore_path: /etc/pki/tls/private/truststore.jks
+# efm_ssl_keystore_password: keystore-passowrd
+# efm_ssl_key_password: keystore-passowrd
+# efm_ssl_truststore_password: keystore-passowrd
+
+# LDAP Authentication Configuration
+efm_ldap_enabled: false
+# efm_ldap_url: "{{ undef(hint='Please define the EFM LDAP URL (efm_ldap_url)')}}"
+# efm_ldap_authentication_strategy: "LDAPS"
+# efm_ldap_user_auth_groups_manager: "LDAP"
+# efm_ldap_auth_enabled: true
+# efm_ldap_auth_search_filter: "(uid={0})"
+# efm_ldap_user_search_base: "cn=users,cn=accounts,dc=cldr,dc=internal"
+# efm_ldap_user_object_class: "person"
+# efm_ldap_tls_protocol: "TLSv1.2"
+# efm_ldap_user_search_scope: "ONE_LEVEL"
+# efm_ldap_user_identity_attribute: "uid"
+
+# Database Configuration
+efm_db_url: "jdbc:postgresql://localhost:5432/efm"
+efm_db_driver_class: "org.postgresql.Driver"
+efm_db_username: "efm"
+efm_db_password: "efmPassword"
diff --git a/roles/efm/handlers/main.yml b/roles/efm/handlers/main.yml
@@ -0,0 +1,21 @@
+---
+# Copyright 2025 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Start efm service
+  ansible.builtin.systemd:
+    name: efm
+    daemon_reload: true
+    enabled: true
+    state: started
diff --git a/roles/efm/meta/argument_specs.yml b/roles/efm/meta/argument_specs.yml
@@ -0,0 +1,173 @@
+---
+# Copyright 2025 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+argument_specs:
+  main:
+    short_description: Install and configure Cloudera Edge Flow Manager (EFM)
+    description:
+      - Validates required configuration variables based on enabled features (TLS, LDAP).
+      - Downloads, installs, and configures Cloudera Edge Flow Manager (EFM) on the target host.
+      - Sets up the EFM properties, and manages the systemd service.
+    author: Cloudera Labs
+    version_added: "3.2.0"
+    options:
+      efm_tarball_url:
+        description: URL to the EFM tarball to download and install.
+        type: str
+        required: false
+        default: "https://archive.cloudera.com/p/CEM/redhat9/2.x/updates/2.1.3.0/tars/efm/efm-2.1.3.0-2-bin.tar.gz"
+      efm_directory:
+        description: Directory where EFM will be installed.
+        type: str
+        required: false
+        default: "/opt/cloudera/cem"
+      efm_properties_directory:
+        description: Path to the EFM properties file.
+        type: str
+        required: false
+        default: "/opt/cloudera/cem/efm/conf/efm.properties"
+      efm_service_directory:
+        description: Path to the EFM systemd service file.
+        type: str
+        required: false
+        default: "/etc/systemd/system/efm.service"
+      efm_user:
+        description: System user to own EFM files and run the service.
+        type: str
+        required: false
+        default: "efm"
+      efm_group:
+        description: System group to own EFM files.
+        type: str
+        required: false
+        default: "efm"
+      efm_server_address:
+        description: The address to which the EFM server will bind.
+        type: str
+        required: false
+        default: "0.0.0.0"
+      efm_server_port:
+        description: The port on which the EFM server will listen.
+        type: str
+        required: false
+        default: "10090"
+      efm_encryption_password:
+        description: Password used for EFM encryption. This must be provided by the user.
+        type: str
+        required: true
+      efm_repo_username:
+        description: Username for protected Cloudera repositories (if required).
+        type: str
+        required: false
+      efm_repo_password:
+        description: Password for protected Cloudera repositories (if required).
+        type: str
+        required: false
+      efm_tls_enabled:
+        description: Enable or disable TLS/SSL for EFM server.
+        type: bool
+        default: false
+      efm_ssl_client_auth:
+        description: SSL client authentication mode (NONE, WANT, NEED).
+        type: str
+        default: "WANT"
+      efm_ssl_keystore_type:
+        description: Type of keystore (jks, pkcs12).
+        type: str
+        default: "jks"
+      efm_ssl_truststore_type:
+        description: Type of truststore (jks, pkcs12).
+        type: str
+        default: "jks"
+      efm_ssl_keystore_path:
+        description: Path to the SSL keystore file. Must be defined in playbook when efm_tls_enabled is true.
+        type: str
+        required: false
+      efm_ssl_keystore_password:
+        description: Password for the SSL keystore. Must be defined in playbook when efm_tls_enabled is true.
+        type: str
+        required: false
+      efm_ssl_key_password:
+        description: Password for the SSL private key. Must be defined in playbook when efm_tls_enabled is true.
+        type: str
+        required: false
+      efm_ssl_truststore_path:
+        description: Path to the SSL truststore file. Must be defined in playbook when efm_tls_enabled is true.
+        type: str
+        required: false
+      efm_ssl_truststore_password:
+        description: Password for the SSL truststore. Must be defined in playbook when efm_tls_enabled is true.
+        type: str
+        required: false
+      efm_ldap_enabled:
+        description: Enable or disable LDAP authentication for EFM.
+        type: bool
+        default: false
+      efm_ldap_url:
+        description: LDAP server URL. Must be defined in playbook when efm_ldap_enabled is true.
+        type: str
+        required: false
+      efm_ldap_authentication_strategy:
+        description: LDAP authentication strategy. Must be defined in playbook when efm_ldap_enabled is true.
+        type: str
+        required: false
+      efm_ldap_user_auth_groups_manager:
+        description: Authentication groups manager type. Must be defined in playbook when efm_ldap_enabled is true.
+        type: str
+        required: false
+      efm_ldap_auth_enabled:
+        description: Enable LDAP authentication. Must be defined in playbook when efm_ldap_enabled is true.
+        type: bool
+        required: false
+      efm_ldap_auth_search_filter:
+        description: LDAP search filter for user authentication. Must be defined in playbook when efm_ldap_enabled is true.
+        type: str
+        required: false
+      efm_ldap_user_search_base:
+        description: LDAP search base for users. Must be defined in playbook when efm_ldap_enabled is true.
+        type: str
+        required: false
+      efm_ldap_user_object_class:
+        description: LDAP object class for users. Must be defined in playbook when efm_ldap_enabled is true.
+        type: str
+        required: false
+      efm_ldap_tls_protocol:
+        description: TLS protocol version for LDAP connections. Must be defined in playbook when efm_ldap_enabled is true.
+        type: str
+        required: false
+      efm_ldap_user_search_scope:
+        description: LDAP search scope for users. Must be defined in playbook when efm_ldap_enabled is true.
+        type: str
+        required: false
+      efm_ldap_user_identity_attribute:
+        description: LDAP attribute used for user identity. Must be defined in playbook when efm_ldap_enabled is true.
+        type: str
+        required: false
+      efm_db_url:
+        description: Database connection URL.
+        type: str
+        default: "jdbc:postgresql://localhost:5432/efm"
+      efm_db_driver_class:
+        description: Database driver class name.
+        type: str
+        default: "org.postgresql.Driver"
+      efm_db_username:
+        description: Database username.
+        type: str
+        default: "efm"
+      efm_db_password:
+        description: Database password.
+        type: str
+        default: "efmPassword"