Puppet Class: profile::kerberos::client

Defined in:
modules/profile/manifests/kerberos/client.pp

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • krb_realm_name (Stdlib::Fqdn) (defaults to: lookup('kerberos_realm_name'))
  • krb_kdc_servers (Array[Stdlib::Fqdn]) (defaults to: lookup('kerberos_kdc_servers_to_clients'))
  • krb_kadmin_primary (Stdlib::Fqdn) (defaults to: lookup('kerberos_kadmin_server_primary'))
  • dns_canonicalize_hostname (Boolean) (defaults to: lookup('profile::kerberos::client::dns_canonicalize_hostname', { 'default_value' => true}))
  • use_new_ccache (Optional[Boolean]) (defaults to: lookup('profile::kerberos::client::use_new_ccache', { 'default_value' => false}))
  • skip_wrapper (Boolean) (defaults to: lookup('profile::kerberos::client::skip_wrapper', { 'default_value' => false }))
  • show_krb_ticket_info (Boolean) (defaults to: lookup('profile::kerberos::client::show_krb_ticket_info', { 'default_value' => false }))
  • enable_autorenew (Boolean) (defaults to: lookup('profile::kerberos::client::enable_autorenew', { 'default_value' => false }))
  • prefer_tcp (Boolean) (defaults to: lookup('profile::kerberos::client::prefer_tcp', { 'default_value' => false }))


# File 'modules/profile/manifests/kerberos/client.pp', line 2

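# @summary Configure a host as a Kerberos client.
#
# Manages /etc/krb5.conf (rendered from profile/kerberos/krb.conf.erb), the
# /var/log/kerberos and /etc/security/keytabs directories, the krb5-user
# package, two MOTD hints and the optional /etc/profile.d helper scripts
# (Java KRB5CCNAME export, ticket info, ticket autorenew via kstart).
#
# @param krb_realm_name Kerberos realm of this host. Not referenced directly
#   in this class; presumably consumed by the krb.conf.erb template.
# @param krb_kdc_servers KDCs to hand to clients (presumably template input).
# @param krb_kadmin_primary Primary kadmin server (presumably template input).
# @param dns_canonicalize_hostname Client-side hostname canonicalization
#   switch (presumably rendered into krb5.conf by the template).
# @param use_new_ccache When true, point default_ccache_name at a per-user
#   path under /run/user and export KRB5CCNAME for Java from profile.d.
# @param skip_wrapper Passed straight through to kerberos::wrapper.
# @param show_krb_ticket_info Install the ticket-info login script. It is
#   only installed while enable_autorenew is false.
# @param enable_autorenew Install the autorenew login script and kstart.
# @param prefer_tcp Not referenced directly in this class; presumably
#   rendered into krb5.conf by the template.
class profile::kerberos::client (
    Stdlib::Fqdn $krb_realm_name = lookup('kerberos_realm_name'),
    Array[Stdlib::Fqdn] $krb_kdc_servers = lookup('kerberos_kdc_servers_to_clients'),
    Stdlib::Fqdn $krb_kadmin_primary = lookup('kerberos_kadmin_server_primary'),
    Boolean $dns_canonicalize_hostname = lookup('profile::kerberos::client::dns_canonicalize_hostname', { 'default_value' => true}),
    Optional[Boolean] $use_new_ccache = lookup('profile::kerberos::client::use_new_ccache', { 'default_value' => false}),
    Boolean $skip_wrapper = lookup('profile::kerberos::client::skip_wrapper', { 'default_value' => false }),
    Boolean $show_krb_ticket_info = lookup('profile::kerberos::client::show_krb_ticket_info', { 'default_value' => false }),
    Boolean $enable_autorenew = lookup('profile::kerberos::client::enable_autorenew', { 'default_value' => false }),
    Boolean $prefer_tcp = lookup('profile::kerberos::client::prefer_tcp', { 'default_value' => false }),
) {

    class { 'kerberos::wrapper':
        skip_wrapper => $skip_wrapper,
    }

    $run_command_script = $::kerberos::wrapper::kerberos_run_command_script

    # Java doesn't support a different default_ccache_name value
    # from the default one, since it is hardcoded in its code
    # (see Openjdk's FileCredentialsCache.java#L448-L456).
    # It does support the KRB5CCNAME env variable override.
    if $use_new_ccache {
        $default_ccache_name = '/run/user/%{uid}/krb_cred'
    }

    # $use_new_ccache is Optional[Boolean], so map it explicitly rather
    # than passing a possible undef to stdlib::ensure. The resource is
    # declared unconditionally so that switching the option off removes
    # a previously installed export instead of leaving it behind.
    $ensure_java_ccache = $use_new_ccache ? {
        true    => 'file',
        default => 'absent',
    }

    # Sourced by every login shell: same root-owned, read-only permissions
    # as the other profile.d scripts managed below.
    file { '/etc/profile.d/java_KRB5CCNAME.sh':
        ensure  => $ensure_java_ccache,
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        content => 'export KRB5CCNAME=/run/user/$(id -u)/krb_cred',
    }

    file { '/etc/krb5.conf':
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        content => template('profile/kerberos/krb.conf.erb'),
    }

    file { '/var/log/kerberos':
        ensure => directory,
        owner  => 'root',
        group  => 'root',
        mode   => '0750',
    }

    # Create the keytabs directory and remove any unmanaged files.
    # See T294124 for further detail. Only the directory is managed here;
    # permissions of individual keytab files are not set by this class.
    file { '/etc/security/keytabs':
        ensure  => directory,
        owner   => 'root',
        group   => 'root',
        mode    => '0755',
        recurse => true,
        purge   => true,
    }

    motd::message { '01_kerberos-client-info':
        priority => 90,  # We set this high so it appears at the end
        message  => 'This host is capable of Kerberos authentication in the WIKIMEDIA realm.',
        color    => 'yellow',
    }
    motd::message { '02_kerberos-addtional-info':
        priority => 90,  # We set this high so it appears at the end
        message  => 'For more info: https://wikitech.wikimedia.org/wiki/Analytics/Systems/Kerberos/UserGuide',
    }

    # Use original ticket info script only if not automatically renewing
    # (the autorenew script below covers that case). The file resource is
    # declared unconditionally so that turning show_krb_ticket_info off
    # also removes a previously installed copy, mirroring the autorenew
    # script handling below.
    $ensure_krb_info = stdlib::ensure($show_krb_ticket_info and !$enable_autorenew, 'file')

    file { '/etc/profile.d/kerberos_ticket_info.sh':
        ensure => $ensure_krb_info,
        owner  => 'root',
        group  => 'root',
        mode   => '0444',
        source => 'puppet:///modules/profile/kerberos/client/kerberos_ticket_info.sh',
    }

    file { '/etc/profile.d/kerberos_autorenew.sh':
        ensure => stdlib::ensure($enable_autorenew, 'file'),
        owner  => 'root',
        group  => 'root',
        mode   => '0444',
        source => 'puppet:///modules/profile/kerberos/client/kerberos_autorenew.sh',
    }

    ensure_packages(['krb5-user'])

    # kstart (k5start/krenew) is only needed for the autorenew script.
    ensure_packages(['kstart'], { 'ensure' => stdlib::ensure($enable_autorenew) })
}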