From 1a36ffd08eeaa4cf62192657d94eb789d9b82dca Mon Sep 17 00:00:00 2001
From: Paul Belanger <pabelanger@redhat.com>
Date: Mon, 28 Aug 2017 13:44:41 -0400
Subject: [PATCH] Add create / destory roles for AFS tokens

In openstack-infra we use AFS for a lot of things, so create 2 roles
to handle creating / destroying of the tokens.

Change-Id: I3dee184d0b87023e7e0808372cfeda94f8337b4f
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
---
 roles/create-afs-token/README.rst       | 17 +++++++++++++++++
 roles/create-afs-token/tasks/main.yaml  | 21 +++++++++++++++++++++
 roles/destroy-afs-token/README.rst      |  1 +
 roles/destroy-afs-token/tasks/main.yaml |  5 +++++
 4 files changed, 44 insertions(+)
 create mode 100644 roles/create-afs-token/README.rst
 create mode 100644 roles/create-afs-token/tasks/main.yaml
 create mode 100644 roles/destroy-afs-token/README.rst
 create mode 100644 roles/destroy-afs-token/tasks/main.yaml

diff --git a/roles/create-afs-token/README.rst b/roles/create-afs-token/README.rst
new file mode 100644
index 000000000..002bfcd2f
--- /dev/null
+++ b/roles/create-afs-token/README.rst
@@ -0,0 +1,17 @@
+Create kerberos / afs tokens
+
+**Role Variables**
+
+.. zuul:rolevar:: afs
+
+  Complex argument which contains the information about authentication
+  information. It is expected this argument comes from a `Secret`.
+
+  .. zuul:rolevar:: keytab
+
+    Base64 encoded contents of a keytab file. We'll base64 decode before writing
+    it to disk as a temporary file.
+
+  .. zuul:rolevar:: service_name
+
+    The service name to use for kinit command.
diff --git a/roles/create-afs-token/tasks/main.yaml b/roles/create-afs-token/tasks/main.yaml
new file mode 100644
index 000000000..3a66b94ff
--- /dev/null
+++ b/roles/create-afs-token/tasks/main.yaml
@@ -0,0 +1,21 @@
+- name: Create AFS keytab tempfile
+  tempfile:
+    state: file
+  register: afs_keytab_tmp
+
+- name: Create (base64 decode) AFS keytab from secret
+  copy:
+    content: "{{ afs.keytab | b64decode }}"
+    dest: "{{ afs_keytab_tmp.path }}"
+    mode: 0400
+
+- name: Obtain ticket for Kerberos
+  command: "kinit -k -t {{ afs_keytab_tmp.path}} {{ afs.service_name }}"
+
+- name: Delete AFS keytab tempfile
+  file:
+    path: "{{ afs_keytab_tmp.path }}"
+    state: absent
+
+- name: Obtain authentication token for AFS
+  command: aklog
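Review bot: The decoded keytab written to `afs_keytab_tmp.path` is only removed by the "Delete AFS keytab tempfile" task, which never runs if the preceding `kinit` (or the `copy`) fails, so a failed run leaves the plaintext keytab on the executor's disk; wrapping the copy/kinit tasks in a `block` with the deletion under `always` makes the cleanup unconditional. Since `afs.keytab` is a secret, the copy task should also carry `no_log: true` so the decoded content cannot surface in verbose task output. Two smaller points: `mode: 0400` is an unquoted octal-looking scalar and is safer written as `mode: "0400"`, and `{{ afs_keytab_tmp.path}}` in the kinit line is missing the closing space (`{{ afs_keytab_tmp.path }}`).
```yaml
# … unchanged: Create AFS keytab tempfile / register: afs_keytab_tmp …

- block:
    - name: Create (base64 decode) AFS keytab from secret
      copy:
        content: "{{ afs.keytab | b64decode }}"
        dest: "{{ afs_keytab_tmp.path }}"
        mode: "0400"
      no_log: true

    - name: Obtain ticket for Kerberos
      command: "kinit -k -t {{ afs_keytab_tmp.path }} {{ afs.service_name }}"
  always:
    - name: Delete AFS keytab tempfile
      file:
        path: "{{ afs_keytab_tmp.path }}"
        state: absent

# … unchanged: Obtain authentication token for AFS (aklog) …
```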
diff --git a/roles/destroy-afs-token/README.rst b/roles/destroy-afs-token/README.rst
new file mode 100644
index 000000000..f48ac0d58
--- /dev/null
+++ b/roles/destroy-afs-token/README.rst
@@ -0,0 +1 @@
+Destroy any active AFS / Kerberos tokens
diff --git a/roles/destroy-afs-token/tasks/main.yaml b/roles/destroy-afs-token/tasks/main.yaml
new file mode 100644
index 000000000..11771b706
--- /dev/null
+++ b/roles/destroy-afs-token/tasks/main.yaml
@@ -0,0 +1,5 @@
+- name: Destroy AFS tokens
+  command: unlog
+
+- name: Destroy Kerberos tokens
+  command: kdestroy
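Review bot: Both tasks here run as plain `command` calls with no failure handling, so if this cleanup role runs where no token or credential cache exists (e.g. after a job whose create-afs-token step failed partway), a non-zero exit from `kdestroy` — which MIT `kdestroy` returns when it finds no cache, as far as I recall — would fail the cleanup itself instead of leaving the host in the desired state. Consider `failed_when: false` on both tasks so the role is safe to run unconditionally, and `changed_when: false` since neither command reports a meaningful change. This applies to both the "Destroy AFS tokens" and "Destroy Kerberos tokens" tasks.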