# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
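# Kerberos module for the Bigtop test deployments: a KDC, a kadmin server,
# a client package, and two defines that mint service principals and
# assemble per-host keytabs. `kerberos::site` is the tunable surface; the
# other classes inherit it, the defines reach into it with
# $kerberos::site::<name>.
class kerberos {
  # The following is our interface to the world. This is what we allow
  # users to tweak from the outside (see tests/init.pp for a complete
  # example) before instantiating target classes. Each top-scope
  # $kerberos_* variable falls back to a default when it is unset (an
  # unset variable evaluates to '' here, which is what the selectors key
  # on). Once we migrate to Puppet 2.6 we can potentially start using
  # parametrized classes instead.
  class site {
    $domain = $kerberos_domain ? {
      ''      => inline_template('<%= domain %>'),
      default => $kerberos_domain,
    }
    $realm = $kerberos_realm ? {
      ''      => inline_template('<%= domain.upcase %>'),
      default => $kerberos_realm,
    }
    $kdc_server = $kerberos_kdc_server ? {
      ''      => 'localhost',
      default => $kerberos_kdc_server,
    }
    $kdc_port = $kerberos_kdc_port ? {
      ''      => '88',
      default => $kerberos_kdc_port,
    }
    # BUG: linux daemon packaging doesn't let us tweak this
    $admin_port = 749

    # Where kerberos::principal exports one keytab per principal and where
    # kerberos::host_keytab reads them back from.
    $keytab_export_dir = "/var/lib/bigtop_keytabs"

    # KDC master password (kdb5_util -P) and the kadmin/admin password used
    # by every kadmin invocation in this module. They used to be literals
    # repeated inside the exec commands of kerberos::kdc and
    # kerberos::principal; defining them once here keeps the two in sync
    # and makes them overridable like the other site settings. Both are
    # still passed on command lines and so show up in process listings on
    # the KDC host; that matches the previous behaviour.
    $master_password = $kerberos_master_password ? {
      ''      => 'cthulhu',
      default => $kerberos_master_password,
    }
    $kadmin_password = $kerberos_kadmin_password ? {
      ''      => 'secure',
      default => $kerberos_kadmin_password,
    }

    case $operatingsystem {
      'ubuntu': {
        $package_name_kdc    = 'krb5-kdc'
        $service_name_kdc    = 'krb5-kdc'
        $package_name_admin  = 'krb5-admin-server'
        $service_name_admin  = 'krb5-admin-server'
        $package_name_client = 'krb5-user'
        $exec_path           = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
        $kdc_etc_path        = '/etc/krb5kdc/'
      }
      # default assumes CentOS, Redhat 5 series (just look at how random it all looks :-()
      default: {
        $package_name_kdc    = 'krb5-server'
        $service_name_kdc    = 'krb5kdc'
        $package_name_admin  = 'krb5-libs'
        $service_name_admin  = 'kadmin'
        $package_name_client = 'krb5-workstation'
        $exec_path           = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/kerberos/sbin:/usr/kerberos/bin'
        $kdc_etc_path        = '/var/kerberos/krb5kdc/'
      }
    }

    file { "/etc/krb5.conf":
      content => template('kerberos/krb5.conf'),
      owner   => "root",
      group   => "root",
      mode    => "0644",
    }

    # Virtual; realized by kerberos::principal on hosts that export keytabs.
    # The keytabs in here hold long-term keys, and within this module they
    # are only written (kadmin xst) and read (ktutil rkt) by root-run execs,
    # so the directory is kept private to root.
    @file { $keytab_export_dir:
      ensure => directory,
      owner  => "root",
      group  => "root",
      mode   => "0700",
    }

    # Required for SPNEGO; realized by kerberos::host_keytab when $spnego is
    # enabled.
    @principal { "HTTP":
    }
  }

  # KDC host: packages, kdc.conf and kadm5.acl, a one-time realm database
  # creation, and the KDC service.
  class kdc inherits kerberos::site {
    package { $package_name_kdc:
      ensure => installed,
    }

    file { $kdc_etc_path:
      ensure  => directory,
      owner   => root,
      group   => root,
      mode    => "0700",
      require => Package[$package_name_kdc],
    }

    file { "${kdc_etc_path}/kdc.conf":
      content => template('kerberos/kdc.conf'),
      require => Package[$package_name_kdc],
      owner   => "root",
      group   => "root",
      mode    => "0644",
    }

    file { "${kdc_etc_path}/kadm5.acl":
      content => template('kerberos/kadm5.acl'),
      require => Package[$package_name_kdc],
      owner   => "root",
      group   => "root",
      mode    => "0644",
    }

    # Create the realm database and set the kadmin/admin password. `creates`
    # on the stash file makes this a one-shot, so the subscribe on kdc.conf
    # is effectively inert (hence the commented-out refreshonly). The
    # leading rm presumably clears a kadm5.keytab left over from an earlier
    # realm; kept as it was.
    exec { "kdb5_util":
      path      => $exec_path,
      command   => "rm -f /etc/kadm5.keytab ; kdb5_util -P '${master_password}' -r ${realm} create -s && kadmin.local -q 'cpw -pw ${kadmin_password} kadmin/admin'",
      creates   => "${kdc_etc_path}/stash",
      subscribe => File["${kdc_etc_path}/kdc.conf"],
      # refreshonly => true,
      require   => [Package[$package_name_kdc], File["${kdc_etc_path}/kdc.conf"], File["/etc/krb5.conf"]],
    }

    service { $service_name_kdc:
      ensure     => running,
      require    => [Package[$package_name_kdc], File["${kdc_etc_path}/kdc.conf"], Exec["kdb5_util"]],
      subscribe  => File["${kdc_etc_path}/kdc.conf"],
      hasrestart => true,
    }

    # kadmind on the same host as the KDC. The setsebool calls flip the
    # *_disable_trans booleans before every start/restart -- a workaround
    # that keeps both daemons out of their confined SELinux domains rather
    # than a policy fix; it is a no-op on hosts without SELinux tooling only
    # because the ';' ignores its exit status.
    class admin_server inherits kerberos::kdc {
      $se_hack = "setsebool -P kadmind_disable_trans 1 ; setsebool -P krb5kdc_disable_trans 1"

      package { $package_name_admin:
        ensure  => installed,
        require => Package[$package_name_kdc],
      }

      service { $service_name_admin:
        ensure     => running,
        require    => [Package[$package_name_admin], Service[$service_name_kdc]],
        hasrestart => true,
        restart    => "${se_hack} ; service ${service_name_admin} restart",
        start      => "${se_hack} ; service ${service_name_admin} start",
      }
    }
  }

  # Client-only host: just the user-facing krb5 package.
  class client inherits kerberos::site {
    package { $package_name_client:
      ensure => installed,
    }
  }

  # All-in-one host: KDC and kadmin server, both ordered before the client
  # class.
  class server {
    include kerberos::client
    class { "kerberos::kdc": }
    ->
    Class["kerberos::client"]
    class { "kerberos::kdc::admin_server": }
    ->
    Class["kerberos::client"]
  }

  # Create the principal "$title/$fqdn" with a random key and export it to
  # $keytab_export_dir/$title.keytab. Both execs are guarded by `unless`
  # checks so they are idempotent; the kadmin password comes from
  # kerberos::site.
  define principal {
    require "kerberos::client"
    realize(File[$kerberos::site::keytab_export_dir])

    $principal  = "$title/$::fqdn"
    $keytab     = "$kerberos::site::keytab_export_dir/$title.keytab"
    # Shared prefix for the kadmin calls below. The password is passed via
    # -w as before; it is single-quoted so the shell sees it verbatim.
    $kadmin_cmd = "kadmin -w '$kerberos::site::kadmin_password' -p kadmin/admin"

    # The grep checks use -F and quote the principal so that the dots in
    # the fqdn are matched literally instead of as regex wildcards.
    exec { "addprinc.$title":
      path    => $kerberos::site::exec_path,
      command => "$kadmin_cmd -q 'addprinc -randkey $principal'",
      unless  => "$kadmin_cmd -q listprincs | grep -qF -- '$principal'",
      require => Package[$kerberos::site::package_name_client],
    }
    ->
    exec { "xst.$title":
      path    => $kerberos::site::exec_path,
      command => "$kadmin_cmd -q 'xst -k $keytab $principal'",
      unless  => "klist -kt $keytab 2>/dev/null | grep -qF -- '$principal'",
      require => File[$kerberos::site::keytab_export_dir],
    }
  }

  # Assemble /etc/$title.keytab for the service user $title by merging the
  # exported keytabs of $princs (default: just $title) and, when $spnego is
  # true/enabled, of HTTP. The merged file is handed to $title.
  define host_keytab($princs = undef, $spnego = disabled) {
    $keytab = "/etc/$title.keytab"

    $requested_princs = $princs ? {
      undef   => [ $title ],
      default => $princs,
    }
    $internal_princs = $spnego ? {
      /(true|enabled)/ => [ 'HTTP' ],
      default          => [ ],
    }
    realize(Kerberos::Principal[$internal_princs])

    # One "rkt <keytab>" line per principal, fed to ktutil below.
    $includes = inline_template("<%=
      [requested_princs, internal_princs].flatten.map { |x|
        \"rkt $kerberos::site::keytab_export_dir/#{x}.keytab\"
      }.join(\"\n\")
    %>")

    kerberos::principal { $requested_princs:
    }

    # The explicit chmod keeps the merged keytab readable only by its owner
    # regardless of the umask ktutil ran under; chown alone left the mode
    # to chance.
    exec { "ktinject.$title":
      path    => $kerberos::site::exec_path,
      command => "/usr/bin/ktutil <<EOF
$includes
wkt $keytab
EOF
chown $title $keytab
chmod 600 $keytab",
      creates => $keytab,
      require => [ Kerberos::Principal[$requested_princs],
                   Kerberos::Principal[$internal_princs] ],
    }
  }
}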