From e3da2c2e3ef374d2c92a2bebce1bbe7477309a35 Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Mon, 20 Aug 2018 15:04:44 +1000
Subject: [PATCH] Add kerberos-client role

A role to setup a host as a kerberos client This is largely a port of the client ports of openstack-infra/puppet-kerberos. This is a generic role because it will be used from Zuul jobs (wheel-builds) and in the control-plane (servers mounting AFS)
Tested-By: https://review.openstack.org/589335
Needed-By: https://review.openstack.org/590636
Change-Id: I4b38ea7ec2325071a67068555ef47e15d559c18e
---
 roles/kerberos-client/README.rst | 20 +++
 roles/kerberos-client/defaults/main.yaml | 3 +
 .../tasks/install-packages/CentOS.yaml | 14 ++
 .../tasks/install-packages/default.yaml | 5 +
 roles/kerberos-client/tasks/main.yaml | 39 +++++
 .../templates/etc/krb5.conf.j2 | 146 ++++++++++++++++++
 roles/kerberos-client/vars/Debian.yaml | 3 +
 roles/kerberos-client/vars/RedHat.yaml | 3 +
 roles/kerberos-client/vars/default.yaml | 1 +
 9 files changed, 234 insertions(+)
 create mode 100644 roles/kerberos-client/README.rst
 create mode 100644 roles/kerberos-client/defaults/main.yaml
 create mode 100644 roles/kerberos-client/tasks/install-packages/CentOS.yaml
 create mode 100644 roles/kerberos-client/tasks/install-packages/default.yaml
 create mode 100644 roles/kerberos-client/tasks/main.yaml
 create mode 100644 roles/kerberos-client/templates/etc/krb5.conf.j2
 create mode 100644 roles/kerberos-client/vars/Debian.yaml
 create mode 100644 roles/kerberos-client/vars/RedHat.yaml
 create mode 100644 roles/kerberos-client/vars/default.yaml

diff --git a/roles/kerberos-client/README.rst b/roles/kerberos-client/README.rst
new file mode 100644
index 0000000000..c2a72a81e1
--- /dev/null
+++ b/roles/kerberos-client/README.rst
@@ -0,0 +1,20 @@
+An ansible role to configure a kerberos client
+
+**Role Variables**
+
+.. zuul:rolevar:: kerberos_realm
+
+ The realm for Kerberos authentication. You must set the realm.
+ e.g. ``MY.COMPANY.COM``. This will be the default realm.
+
+.. zuul:rolevar:: kerberos_admin_server
+ :default: {{ ansible_fqdn }}
+
+ The host where the administraion server is running. Typically this
+ is the master Kerberos server.
+
+.. zuul:rolevar:: kerberos_kdcs
+ :default: [ {{ ansible_fqdn }} ]
+
+ A list of key distribution center (KDC) hostnames for the realm.
+
diff --git a/roles/kerberos-client/defaults/main.yaml b/roles/kerberos-client/defaults/main.yaml
new file mode 100644
index 0000000000..524c5ca178
--- /dev/null
+++ b/roles/kerberos-client/defaults/main.yaml
@@ -0,0 +1,3 @@
+admin_server: '{{ ansible_fqdn }}'
+kdcs:
+ - '{{ ansible_fqdn }}'
diff --git a/roles/kerberos-client/tasks/install-packages/CentOS.yaml b/roles/kerberos-client/tasks/install-packages/CentOS.yaml
new file mode 100644
index 0000000000..ebd8bcacd9
--- /dev/null
+++ b/roles/kerberos-client/tasks/install-packages/CentOS.yaml
@@ -0,0 +1,14 @@
+- name: Ensure EPEL is pre-installed
+ package:
+ name:
+ - epel-release
+ state: present
+ become: yes
+
+- name: Install kerberos client packages
+ yum:
+ name: '{{ kerberos_client_packages }}'
+ enablerepo: epel
+ state: present
+ become: yes
+
diff --git a/roles/kerberos-client/tasks/install-packages/default.yaml b/roles/kerberos-client/tasks/install-packages/default.yaml
new file mode 100644
index 0000000000..e93dabdd79
--- /dev/null
+++ b/roles/kerberos-client/tasks/install-packages/default.yaml
@@ -0,0 +1,5 @@
+- name: Install kerberos client packages
+ package:
+ name: '{{ kerberos_client_packages }}'
+ state: present
+ become: yes
diff --git a/roles/kerberos-client/tasks/main.yaml b/roles/kerberos-client/tasks/main.yaml
new file mode 100644
index 0000000000..6100037f11
--- /dev/null
+++ b/roles/kerberos-client/tasks/main.yaml
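Review bot: The variable names in this defaults file do not match what the template consumes: `defaults/main.yaml` sets `admin_server` and `kdcs`, while `templates/etc/krb5.conf.j2` reads `kerberos_admin_server` and `kerberos_kdcs` (the names the README also documents), so a play that sets only `kerberos_realm` fails with an undefined-variable error when krb5.conf is rendered. Rename them to the prefixed names: `kerberos_admin_server: '{{ ansible_fqdn }}'` and `kerberos_kdcs:` with `  - '{{ ansible_fqdn }}'`. Note also that these defaults point a client at its own FQDN, which is only a working configuration when the host is itself the KDC; the README could state that deployments are expected to override both values.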
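Review bot: `become: yes` on both tasks here (and in `install-packages/default.yaml` and the template task of `tasks/main.yaml`) uses the YAML 1.1 truthy spelling; Ansible accepts it, but yamllint flags it and a YAML 1.2 parser reads it as a string, so prefer `become: true`. Separately, the `enablerepo: epel` on the yum task only works because the preceding task installs `epel-release`; a one-line comment such as `# kstart is only shipped in EPEL, hence yum with enablerepo` would keep that rationale next to the code rather than only in the NOTE in `tasks/main.yaml`.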
@@ -0,0 +1,39 @@
+- name: Get OS specific package names
+ include_vars: "{{ lookup('first_found', params) }}"
+ vars:
+ params:
+ files:
+ - "{{ ansible_distribution }}.{{ ansible_architecture }}.yaml"
+ - "{{ ansible_distribution }}.yaml"
+ - "{{ ansible_os_family }}.yaml"
+ - "default.yaml"
+ paths:
+ - vars
+
+- name: Check package names
+ fail:
+ msg: 'No kerberos client packages defined for this platform'
+ when: not kerberos_client_packages
+
+- name: Install configuration file
+ template:
+ dest: /etc/krb5.conf
+ owner: root
+ group: root
+ mode: 0644
+ src: etc/krb5.conf.j2
+ become: yes
+
+# NOTE(ianw): urgh, we have to install with yum directly to enable
+# epel on CentOS for kstart, which is a pretty hard dependency for
+# useful automation. If this ever changes, remove this and we can
+# just go back to generic package: installer.
+- name: Distro install kerberos client packages
+ include_tasks: "{{ lookup('first_found', params) }}"
+ vars:
+ params:
+ files:
+ - "{{ansible_distribution}}.yaml"
+ - "default.yaml"
+ paths:
+ - install-packages
\ No newline at end of file
diff --git a/roles/kerberos-client/templates/etc/krb5.conf.j2 b/roles/kerberos-client/templates/etc/krb5.conf.j2
new file mode 100644
index 0000000000..f364f0902b
--- /dev/null
+++ b/roles/kerberos-client/templates/etc/krb5.conf.j2
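Review bot: The guard `when: not kerberos_client_packages` on the "Check package names" task errors instead of failing cleanly on an unsupported platform, because no vars file sets that variable there (`vars/default.yaml` defines the singular `kerberos_client_package`) and negating an undefined variable raises an undefined-variable error rather than evaluating to true; use `when: kerberos_client_packages is not defined or not kerberos_client_packages` so the intended message is what the operator sees. `mode: 0644` on the template task relies on the YAML 1.1 octal parse to become the right integer; quoting it as `mode: '0644'` is the portable form. The configuration file is also written before the client packages are installed; if a distribution package ships its own `/etc/krb5.conf`, the first install may replace or prompt about the templated file, which is worth verifying or avoiding by moving the template task after the install include.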
@@ -0,0 +1,146 @@
+[libdefaults]
+ default_realm = {{ kerberos_realm }}
+
+# The following krb5.conf variables are only for MIT Kerberos.
+ krb4_config = /etc/krb.conf
+ krb4_realms = /etc/krb.realms
+ kdc_timesync = 1
+ ccache_type = 4
+ forwardable = true
+ proxiable = true
+
+# The following encryption type specification will be used by MIT Kerberos
+# if uncommented. In general, the defaults in the MIT Kerberos code are
+# correct and overriding these specifications only serves to disable new
+# encryption types as they are added, creating interoperability problems.
+#
+# Thie only time when you might need to uncomment these lines and change
+# the enctypes is if you have local software that will break on ticket
+# caches containing ticket encryption types it doesn't know about (such as
+# old versions of Sun Java).
+
+# default_tgs_enctypes = des3-hmac-sha1
+# default_tkt_enctypes = des3-hmac-sha1
+# permitted_enctypes = des3-hmac-sha1
+
+# The following libdefaults parameters are only for Heimdal Kerberos.
+ v4_instance_resolve = false
+ v4_name_convert = {
+ host = {
+ rcmd = host
+ ftp = ftp
+ }
+ plain = {
+ something = something-else
+ }
+ }
+ fcc-mit-ticketflags = true
+
+[realms]
+ ATHENA.MIT.EDU = {
+ kdc = kerberos.mit.edu:88
+ kdc = kerberos-1.mit.edu:88
+ kdc = kerberos-2.mit.edu:88
+ admin_server = kerberos.mit.edu
+ default_domain = mit.edu
+ }
+ MEDIA-LAB.MIT.EDU = {
+ kdc = kerberos.media.mit.edu
+ admin_server = kerberos.media.mit.edu
+ }
+ ZONE.MIT.EDU = {
+ kdc = casio.mit.edu
+ kdc = seiko.mit.edu
+ admin_server = casio.mit.edu
+ }
+ MOOF.MIT.EDU = {
+ kdc = three-headed-dogcow.mit.edu:88
+ kdc = three-headed-dogcow-1.mit.edu:88
+ admin_server = three-headed-dogcow.mit.edu
+ }
+ CSAIL.MIT.EDU = {
+ kdc = kerberos-1.csail.mit.edu
+ kdc = kerberos-2.csail.mit.edu
+ admin_server = kerberos.csail.mit.edu
+ default_domain = csail.mit.edu
+ krb524_server = krb524.csail.mit.edu
+ }
+ IHTFP.ORG = {
+ kdc = kerberos.ihtfp.org
+ admin_server = kerberos.ihtfp.org
+ }
+ GNU.ORG = {
+ kdc = kerberos.gnu.org
+ kdc = kerberos-2.gnu.org
+ kdc = kerberos-3.gnu.org
+ admin_server = kerberos.gnu.org
+ }
+ 1TS.ORG = {
+ kdc = kerberos.1ts.org
+ admin_server = kerberos.1ts.org
+ }
+ GRATUITOUS.ORG = {
+ kdc = kerberos.gratuitous.org
+ admin_server = kerberos.gratuitous.org
+ }
+ DOOMCOM.ORG = {
+ kdc = kerberos.doomcom.org
+ admin_server = kerberos.doomcom.org
+ }
+ ANDREW.CMU.EDU = {
+ kdc = kerberos.andrew.cmu.edu
+ kdc = kerberos2.andrew.cmu.edu
+ kdc = kerberos3.andrew.cmu.edu
+ admin_server = kerberos.andrew.cmu.edu
+ default_domain = andrew.cmu.edu
+ }
+ CS.CMU.EDU = {
+ kdc = kerberos.cs.cmu.edu
+ kdc = kerberos-2.srv.cs.cmu.edu
+ admin_server = kerberos.cs.cmu.edu
+ }
+ DEMENTIA.ORG = {
+ kdc = kerberos.dementix.org
+ kdc = kerberos2.dementix.org
+ admin_server = kerberos.dementix.org
+ }
+ stanford.edu = {
+ kdc = krb5auth1.stanford.edu
+ kdc = krb5auth2.stanford.edu
+ kdc = krb5auth3.stanford.edu
+ master_kdc = krb5auth1.stanford.edu
+ admin_server = krb5-admin.stanford.edu
+ default_domain = stanford.edu
+ }
+ UTORONTO.CA = {
+ kdc = kerberos1.utoronto.ca
+ kdc = kerberos2.utoronto.ca
+ kdc = kerberos3.utoronto.ca
+ admin_server = kerberos1.utoronto.ca
+ default_domain = utoronto.ca
+ }
+ {{ kerberos_realm }} = {
+ {% for kdc in kerberos_kdcs %}
+ kdc = {{ kdc }}
+ {% endfor %}
+ admin_server = {{ kerberos_admin_server }}
+ default_domain = {{ kerberos_realm|lower }}
+ }
+
+[domain_realm]
+ .mit.edu = ATHENA.MIT.EDU
+ mit.edu = ATHENA.MIT.EDU
+ .media.mit.edu = MEDIA-LAB.MIT.EDU
+ media.mit.edu = MEDIA-LAB.MIT.EDU
+ .csail.mit.edu = CSAIL.MIT.EDU
+ csail.mit.edu = CSAIL.MIT.EDU
+ .whoi.edu = ATHENA.MIT.EDU
+ whoi.edu = ATHENA.MIT.EDU
+ .stanford.edu = stanford.edu
+ .slac.stanford.edu = SLAC.STANFORD.EDU
+ .toronto.edu = UTORONTO.CA
+ .utoronto.ca = UTORONTO.CA
+
+[login]
+ krb4_convert = true
+ krb4_get_tickets = false
diff --git a/roles/kerberos-client/vars/Debian.yaml b/roles/kerberos-client/vars/Debian.yaml
new file mode 100644
index 0000000000..86f425e212
--- /dev/null
+++ b/roles/kerberos-client/vars/Debian.yaml
@@ -0,0 +1,3 @@
+kerberos_client_packages:
+ - krb5-user
+ - kstart
diff --git a/roles/kerberos-client/vars/RedHat.yaml b/roles/kerberos-client/vars/RedHat.yaml
new file mode 100644
index 0000000000..764bf347fb
--- /dev/null
+++ b/roles/kerberos-client/vars/RedHat.yaml
@@ -0,0 +1,3 @@
+kerberos_client_packages:
+ - krb5-workstation
+ - kstart
diff --git a/roles/kerberos-client/vars/default.yaml b/roles/kerberos-client/vars/default.yaml
new file mode 100644
index 0000000000..b9b9f3ac04
--- /dev/null
+++ b/roles/kerberos-client/vars/default.yaml
@@ -0,0 +1 @@
+kerberos_client_package: None
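Review bot: The `[realms]` and `[domain_realm]` sections carry a large inherited list of third-party realms and domain-to-realm mappings (`ATHENA.MIT.EDU`, `stanford.edu`, `UTORONTO.CA` and so on) that nothing in this role parameterises, so every Zuul worker and control-plane host configured by it will map hosts under those domains to KDCs the operators do not run; only the `{{ kerberos_realm }}` stanza is needed, and the rest of both sections should be dropped. `[libdefaults]` likewise sets `forwardable = true` and `proxiable = true` unconditionally; unless the AFS/kstart use case actually needs forwardable tickets, leaving these at the library defaults limits what a compromised service can obtain through credential delegation. The `krb4_*`, `v4_*` and `[login]` entries are Kerberos 4 compatibility settings that, as far as I can tell, current MIT and Heimdal builds no longer honour, and can go as well. A header comment such as `{# Rendered by the kerberos-client role; only kerberos_realm, kerberos_kdcs and kerberos_admin_server are consumed #}` would make the template's real surface clear to the next reader.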
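Review bot: `kerberos_client_package: None` misspells the variable that `tasks/main.yaml` tests (`kerberos_client_packages`, plural), and `None` is a plain YAML string rather than a null, so even with the name corrected the `not kerberos_client_packages` check would evaluate false and the install include would attempt to install a package literally named `None`. Declare the plural name with an empty list, `kerberos_client_packages: []`, so the fail task fires on unsupported platforms as intended.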