| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to You under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| |
| class kerberos { |
| class site { |
| # The following is our interface to the world. This is what we allow |
| # users to tweak from the outside (see tests/init.pp for a complete |
| # example) before instantiating target classes. |
| # Once we migrate to Puppet 2.6 we can potentially start using |
| # parametrized classes instead. |
| $domain = $kerberos_domain ? { '' => inline_template('<%= domain %>'), |
| default => $kerberos_domain } |
| $realm = $kerberos_realm ? { '' => inline_template('<%= domain.upcase %>'), |
| default => $kerberos_realm } |
| $kdc_server = $kerberos_kdc_server ? { '' => 'localhost', |
| default => $kerberos_kdc_server } |
| $kdc_port = $kerberos_kdc_port ? { '' => '88', |
| default => $kerberos_kdc_port } |
| $admin_port = 749 /* BUG: linux daemon packaging doesn't let us tweak this */ |
| |
| $keytab_export_dir = "/var/lib/bigtop_keytabs" |
| |
| case $operatingsystem { |
| 'ubuntu': { |
| $package_name_kdc = 'krb5-kdc' |
| $service_name_kdc = 'krb5-kdc' |
| $package_name_admin = 'krb5-admin-server' |
| $service_name_admin = 'krb5-admin-server' |
| $package_name_client = 'krb5-user' |
| $exec_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' |
| $kdc_etc_path = '/etc/krb5kdc/' |
| } |
| # default assumes CentOS, Redhat 5 series (just look at how random it all looks :-() |
| default: { |
| $package_name_kdc = 'krb5-server' |
| $service_name_kdc = 'krb5kdc' |
| $package_name_admin = 'krb5-libs' |
| $service_name_admin = 'kadmin' |
| $package_name_client = 'krb5-workstation' |
| $exec_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/kerberos/sbin:/usr/kerberos/bin' |
| $kdc_etc_path = '/var/kerberos/krb5kdc/' |
| } |
| } |
| |
| file { "/etc/krb5.conf": |
| content => template('kerberos/krb5.conf'), |
| owner => "root", |
| group => "root", |
| mode => "0644", |
| } |
| |
| @file { $keytab_export_dir: |
| ensure => directory, |
| owner => "root", |
| group => "root", |
| } |
| |
| # Required for SPNEGO |
| @principal { "HTTP": |
| |
| } |
| } |
| |
| class kdc inherits kerberos::site { |
| package { $package_name_kdc: |
| ensure => installed, |
| } |
| |
| file { $kdc_etc_path: |
| ensure => directory, |
| owner => root, |
| group => root, |
| mode => "0700", |
| require => Package["$package_name_kdc"], |
| } |
| file { "${kdc_etc_path}/kdc.conf": |
| content => template('kerberos/kdc.conf'), |
| require => Package["$package_name_kdc"], |
| owner => "root", |
| group => "root", |
| mode => "0644", |
| } |
| file { "${kdc_etc_path}/kadm5.acl": |
| content => template('kerberos/kadm5.acl'), |
| require => Package["$package_name_kdc"], |
| owner => "root", |
| group => "root", |
| mode => "0644", |
| } |
| |
| exec { "kdb5_util": |
| path => $exec_path, |
| command => "rm -f /etc/kadm5.keytab ; kdb5_util -P cthulhu -r ${realm} create -s && kadmin.local -q 'cpw -pw secure kadmin/admin'", |
| |
| creates => "${kdc_etc_path}/stash", |
| |
| subscribe => File["${kdc_etc_path}/kdc.conf"], |
| # refreshonly => true, |
| |
| require => [Package["$package_name_kdc"], File["${kdc_etc_path}/kdc.conf"], File["/etc/krb5.conf"]], |
| } |
| |
| service { $service_name_kdc: |
| ensure => running, |
| require => [Package["$package_name_kdc"], File["${kdc_etc_path}/kdc.conf"], Exec["kdb5_util"]], |
| subscribe => File["${kdc_etc_path}/kdc.conf"], |
| hasrestart => true, |
| } |
| |
| |
| class admin_server inherits kerberos::kdc { |
| $se_hack = "setsebool -P kadmind_disable_trans 1 ; setsebool -P krb5kdc_disable_trans 1" |
| |
| package { "$package_name_admin": |
| ensure => installed, |
| require => Package["$package_name_kdc"], |
| } |
| |
| service { "$service_name_admin": |
| ensure => running, |
| require => [Package["$package_name_admin"], Service["$service_name_kdc"]], |
| hasrestart => true, |
| restart => "${se_hack} ; service ${service_name_admin} restart", |
| start => "${se_hack} ; service ${service_name_admin} start", |
| } |
| } |
| } |
| |
| class client inherits kerberos::site { |
| package { $package_name_client: |
| ensure => installed, |
| } |
| } |
| |
| class server { |
| include kerberos::client |
| |
| class { "kerberos::kdc": } |
| -> |
| Class["kerberos::client"] |
| |
| class { "kerberos::kdc::admin_server": } |
| -> |
| Class["kerberos::client"] |
| } |
| |
| define principal { |
| require "kerberos::client" |
| |
| realize(File[$kerberos::site::keytab_export_dir]) |
| |
| $principal = "$title/$::fqdn" |
| $keytab = "$kerberos::site::keytab_export_dir/$title.keytab" |
| |
| exec { "addprinc.$title": |
| path => $kerberos::site::exec_path, |
| command => "kadmin -w secure -p kadmin/admin -q 'addprinc -randkey $principal'", |
| unless => "kadmin -w secure -p kadmin/admin -q listprincs | grep -q $principal", |
| require => Package[$kerberos::site::package_name_client], |
| } |
| -> |
| exec { "xst.$title": |
| path => $kerberos::site::exec_path, |
| command => "kadmin -w secure -p kadmin/admin -q 'xst -k $keytab $principal'", |
| unless => "klist -kt $keytab 2>/dev/null | grep -q $principal", |
| require => File[$kerberos::site::keytab_export_dir], |
| } |
| } |
| |
| define host_keytab($princs = undef, $spnego = disabled) { |
| $keytab = "/etc/$title.keytab" |
| |
| $requested_princs = $princs ? { |
| undef => [ $title ], |
| default => $princs, |
| } |
| |
| $internal_princs = $spnego ? { |
| /(true|enabled)/ => [ 'HTTP' ], |
| default => [ ], |
| } |
| realize(Kerberos::Principal[$internal_princs]) |
| |
| $includes = inline_template("<%= |
| [requested_princs, internal_princs].flatten.map { |x| |
| \"rkt $kerberos::site::keytab_export_dir/#{x}.keytab\" |
| }.join(\"\n\") |
| %>") |
| |
| kerberos::principal { $requested_princs: |
| } |
| |
| exec { "ktinject.$title": |
| path => $kerberos::site::exec_path, |
| command => "/usr/bin/ktutil <<EOF |
| $includes |
| wkt $keytab |
| EOF |
| chown $title $keytab", |
| creates => $keytab, |
| require => [ Kerberos::Principal[$requested_princs], |
| Kerberos::Principal[$internal_princs] ], |
| } |
| } |
| } |