Puppet Class: profile::base::cuminunpriv

Defined in:
modules/profile/manifests/base/cuminunpriv.pp

Overview

Parameters:

  • unpriv_cumin_masters (Array[Stdlib::IP::Address]) (defaults to: lookup('unpriv_cumin_masters', {default_value => []}))


8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# File 'modules/profile/manifests/base/cuminunpriv.pp', line 8

class profile::base::cuminunpriv(
    Array[Stdlib::IP::Address] $unpriv_cumin_masters = lookup('unpriv_cumin_masters', {default_value => []}),
) {
    include profile::kerberos::client

    if !defined(File['/etc/security/keytabs/host']) {
        file { '/etc/security/keytabs/host':
            ensure  => 'directory',
            owner   => 'root',
            group   => 'root',
            mode    => '0550',
            require => File['/etc/security/keytabs']
        }
    }

    file { '/etc/security/keytabs/host/host.keytab':
        ensure    => 'present',
        owner     => 'root',
        group     => 'root',
        mode      => '0440',
        content   => secret("kerberos/keytabs/${::fqdn}/host/host.keytab"),
        show_diff => false,
        require   => File['/etc/security/keytabs/host']
    }

    $cumin_hosts_ferm = join($unpriv_cumin_masters, ' ')
    ferm::service { 'ssh-from-unprivcumin-masters':
        proto  => 'tcp',
        port   => '22',
        srange => "(${cumin_hosts_ferm})",
    }

    # OpenSSH searches for the host keytab in /etc/keytab. We deploy all keytabs
    # centrally via Puppet in /etc/security/keytabs, so add a symlink as a fallback
    file { '/etc/krb5.keytab':
        ensure => link,
        target => '/etc/security/keytabs/host/host.keytab',
    }
}