Add sssd puppet plugin to generate sssd config data

This commit added a sssd puppet plugin to generate hieradata that will be consumed by sssd puppet class to generate a minimum sample sssd.conf to bind to the local openldap. The plugin can be later extended to generate additional data for adding/deleting /modifying extra domains to sssd.conf. The commit also updated ldap puppet plugin to store ldapadmin user's password in keyring so it can be retrieved by sssd plugin. Test Plan for Debian: PASS: packages build, image build. PASS: SX system bootstrap, unlock successfully. PASS: ldapadmin user password stored in keyring. PASS: basic sample sssd.conf configuration data generated in secure_system.yaml. PASS: existing ldap functions don't break (ldap user login on console and by ssh, ldap user creation etc.) Test Plan for CentOS: PASS: pacages build, image build. PASS: SX system bootstrap, unlock successfully. PASS: existing ldap functions don't break (ldap user login on console and by ssh, ldap user creation etc.) Story: 2009834 Task: 45836 Signed-off-by: Andy Ning <andy.ning@windriver.com> Change-Id: Ifc8b73be38cce17188e7a68a927b2c093976f4ac
2022-07-20 14:41:28 -04:00 · 2022-07-20 14:41:28 -04:00 · ca5d34cd0e
parent fb7eb9664c
commit ca5d34cd0e
3 changed files with 73 additions and 1 deletions
--- a/sysinv/sysinv/sysinv/setup.cfg
+++ b/sysinv/sysinv/sysinv/setup.cfg
@ -69,6 +69,7 @@ systemconfig.puppet_plugins =
    039_helm = sysinv.puppet.helm:HelmPuppet
    040_rook = sysinv.puppet.rook:RookPuppet
    041_certalarm = sysinv.puppet.certalarm:CertAlarmPuppet
+    042_sssd = sysinv.puppet.sssd:SssdPuppet
    099_service_parameter = sysinv.puppet.service_parameter:ServiceParamPuppet

 systemconfig.armada.manifest_ops =
--- a/sysinv/sysinv/sysinv/sysinv/puppet/ldap.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/ldap.py
@ -1,8 +1,9 @@
 #
-# Copyright (c) 2017 Wind River Systems, Inc.
+# Copyright (c) 2017-2022 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
+import keyring

 from passlib.hash import ldap_salted_sha1 as hash

@ -19,6 +20,9 @@ class LdapPuppet(base.BasePuppet):
        password = self._generate_random_password()
        passhash = hash.encrypt(password)

+        # Store the ldapadmin password for client (such as sssd)
+        keyring.set_password('ldap', 'ldapadmin', password)
+
        return {
            'platform::ldap::params::admin_pw': password,
            'platform::ldap::params::admin_hashed_pw': passhash,
--- a/sysinv/sysinv/sysinv/sysinv/puppet/sssd.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/sssd.py
@ -0,0 +1,67 @@
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+from sysinv.puppet import base
+
+
+class SssdPuppet(base.BasePuppet):
+    """Class to encapsulate puppet operations for sssd configuration"""
+
+    SERVICE_NAME = 'ldap'
+    SERVICE_USER = 'ldapadmin'
+
+    def get_secure_system_config(self):
+        config = {}
+        domains = {}
+
+        domains.update({'local': self._get_local_domain()})
+
+        config.update(
+            {
+                'platform::sssd::params::domains': domains,
+            })
+
+        return config
+
+    def _get_local_domain(self):
+        binding_pass = self._get_keyring_password(self.SERVICE_NAME,
+                self.SERVICE_USER)
+
+        # sssd support the debug levels (from sssd.conf manual page):
+        # 0, 0x0010: Fatal failures. Anything that would prevent SSSD
+        #            from starting up or causes it to cease running.
+        # 1, 0x0020: Critical failures. An error that doesn't kill
+        #            SSSD, but one that indicates that at least one
+        #            major feature is not going to work properly.
+        # 2, 0x0040: Serious failures. An error announcing that a
+        #            particular request or operation has failed.
+        # 3, 0x0080: Minor failures. These are the errors that would
+        #            percolate down to cause the operation failure
+        #            of 2.
+        # 4, 0x0100: Configuration settings.
+        # 5, 0x0200: Function data.
+        # 6, 0x0400: Trace messages for operation functions.
+        # 7, 0x1000: Trace messages for internal control functions.
+        # 8, 0x2000: Contents of function-internal variables that may
+        #            be interesting.
+        # 9, 0x4000: Extremely low-level tracing information.
+        # 10, 0x10000: Even more low-level libldb tracing information.
+        #              Almost never really required.
+        #
+        # Example: 0x3ff0, debug log includes level 0 to 8 messages.
+
+        domain_settings = {
+            'id_provider': 'ldap',
+            'ldap_uri': 'ldaps://controller/',
+            'ldap_tls_cacert': '/etc/ssl/certs/ca-certificates.crt',
+            'ldap_search_base': 'dc=cgcs,dc=local',
+            'ldap_default_bind_dn': 'CN=ldapadmin,DC=cgcs,DC=local',
+            'ldap_default_authtok_type': 'password',
+            'ldap_default_authtok': binding_pass,
+            'debug_level': '0x3ff0',
+        }
+
+        return domain_settings