Puppet Class: profile::kerberos::kadminserver
- Defined in:
- modules/profile/manifests/kerberos/kadminserver.pp
Overview
SPDX-License-Identifier: Apache-2.0
# File 'modules/profile/manifests/kerberos/kadminserver.pp', line 2
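# @summary Kerberos admin server (kadmind) profile.
#
# Installs krb5-admin-server on every host carrying this class, but only the
# primary (the host whose fqdn equals $krb_kadmin_primary) runs kadmind,
# serves the keytabs directory over rsync and holds the rsync secrets file.
# Every other host is treated as inactive: it gets a MOTD warning and the
# rsync module/secrets file are ensured absent. Keytabs are generated
# manually with the helper scripts under /srv/kerberos/keytabs.
#
# @param krb_realm_name
#   Kerberos realm name (not referenced directly in this class body).
# @param krb_kadmin_primary
#   FQDN of the host that runs kadmind; all other hosts are inactive.
# @param krb_kadmin_keytabs_repo
#   FQDN of the only host allowed to rsync the keytabs module.
# @param rsync_secrets_file_auth_users
#   rsync user names (defined in the secrets file) allowed to read the
#   keytabs module.
# @param enable_replication
#   Whether to include profile::kerberos::replication.
# @param monitoring_enabled
#   Whether to manage the kadmind NRPE check on the primary.
class profile::kerberos::kadminserver (
    Stdlib::Fqdn $krb_realm_name = lookup('kerberos_realm_name'),
    Stdlib::Fqdn $krb_kadmin_primary = lookup('kerberos_kadmin_server_primary'),
    Stdlib::Fqdn $krb_kadmin_keytabs_repo = lookup('kerberos_kadmin_keytabs_repo'),
    # NOTE(review): this lookup key does not follow the
    # 'profile::kerberos::kadminserver::<param>' pattern used by the two
    # parameters below; confirm the intended hiera key before changing it.
    Array[String] $rsync_secrets_file_auth_users = lookup('profile::kerberos::kadminserver', { 'default_value' => ['kerb'] }),
    Optional[Boolean] $enable_replication = lookup('profile::kerberos::kadminserver::enable_replication', { 'default_value' => false }),
    Optional[Boolean] $monitoring_enabled = lookup('profile::kerberos::kadminserver::monitoring_enabled', { 'default_value' => false }),
) {
    # python3-pexpect is pulled in alongside the server package for the
    # helper scripts installed below.
    package { ['krb5-admin-server', 'python3-pexpect']:
        ensure => present,
    }

    $is_krb_master = $facts['fqdn'] == $krb_kadmin_primary

    # Everything that must only exist on the active host is decided here in
    # one place: kadmind, the rsync server, the rsync module and its secrets
    # file on the primary; the "inactive" MOTD warning everywhere else.
    if $is_krb_master {
        $ensure_motd               = 'absent'
        $ensure_rsync              = 'present'
        $ensure_rsync_secrets_file = 'present'

        # The kadmin server shuts down by itself if not running on the
        # master/primary node, so the service is only managed here.
        service { 'krb5-admin-server':
            ensure  => running,
            require => Package['krb5-admin-server'],
        }

        # The rsync server is only needed on the active host. It lets the
        # Puppet server holding the private repository rsync the keytab
        # files so they can be added to that repository, without the puppet
        # master having to be a kerberos client.
        class { 'rsync::server': }
    } else {
        $ensure_motd               = 'present'
        $ensure_rsync              = 'absent'
        $ensure_rsync_secrets_file = 'absent'
    }

    motd::script { 'inactive_warning':
        ensure   => $ensure_motd,
        priority => 1,
        content  => template('profile/kerberos/kadminserver/inactive.motd.erb'),
    }

    # kpasswd (464/tcp+udp) is opened from $DOMAIN_NETWORKS on every host
    # carrying this class, active or not.
    ferm::service { 'kerberos_kpasswd_tcp':
        proto  => 'tcp',
        port   => [464],
        srange => '$DOMAIN_NETWORKS',
    }
    ferm::service { 'kerberos_kpasswd_udp':
        proto  => 'udp',
        port   => [464],
        srange => '$DOMAIN_NETWORKS',
    }

    # Util scripts to help generating keytabs and managing principals.
    # Executable by root only (0550) since they drive kadmin.local.
    file { '/usr/local/sbin/generate_keytabs.py':
        ensure => file,
        mode   => '0550',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/profile/kerberos/generate_keytabs.py',
    }
    file { '/usr/local/sbin/manage_principals.py':
        ensure => file,
        mode   => '0550',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/profile/kerberos/manage_principals.py',
    }

    # Keytabs will be generated manually, via a script that uses
    # kadmin.local, under /srv/kerberos/keytabs.
    file { '/srv/kerberos':
        ensure => 'directory',
        owner  => 'root',
        group  => 'root',
        mode   => '0755',
    }
    file { '/srv/kerberos/keytabs':
        ensure => 'directory',
        owner  => 'root',
        group  => 'root',
        mode   => '0750',
    }

    # rsync credentials for the keytabs module. Root-only (0400), never shown
    # in diffs, and removed from inactive hosts via $ensure_rsync_secrets_file.
    $rsync_secrets_file = '/srv/kerberos/rsync_secrets_file'
    file { $rsync_secrets_file:
        ensure    => $ensure_rsync_secrets_file,
        owner     => 'root',
        group     => 'root',
        mode      => '0400',
        content   => secret('kerberos/rsync_secrets_file'),
        show_diff => false,
        require   => File['/srv/kerberos'],
    }

    # Read-only module, restricted to the keytabs repository host and to the
    # users listed in the secrets file; present only on the active host.
    rsync::server::module { 'srv-keytabs':
        ensure        => $ensure_rsync,
        path          => '/srv/kerberos/keytabs',
        read_only     => 'yes',
        hosts_allow   => [$krb_kadmin_keytabs_repo],
        auto_firewall => true,
        auth_users    => $rsync_secrets_file_auth_users,
        secrets_file  => $rsync_secrets_file,
        require       => File[$rsync_secrets_file],
    }

    if $enable_replication {
        include ::profile::kerberos::replication
    }

    # The check is declared with ensure => absent, so this block currently
    # only removes a previously managed NRPE check on the primary.
    if $monitoring_enabled and $is_krb_master {
        nrpe::monitor_service { 'krb-kadmin-server':
            ensure        => absent,
            description   => 'Kerberos KAdmin daemon',
            nrpe_command  => '/usr/lib/nagios/plugins/check_procs -c 1:1 -a "/usr/sbin/kadmind"',
            contact_group => 'admins,team-data-platform',
            require       => Service['krb5-admin-server'],
            notes_url     => 'https://wikitech.wikimedia.org/wiki/Analytics/Systems/Kerberos#Daemons_and_their_roles',
        }
    }
}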