Puppet Class: profile::kerberos::kadminserver
- Defined in:
- modules/profile/manifests/kerberos/kadminserver.pp
Overview
SPDX-License-Identifier: Apache-2.0
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 |
# File 'modules/profile/manifests/kerberos/kadminserver.pp', line 2
class profile::kerberos::kadminserver (
Stdlib::Fqdn $krb_realm_name = lookup('kerberos_realm_name'),
Stdlib::Fqdn $krb_kadmin_primary = lookup('kerberos_kadmin_server_primary'),
Array[Stdlib::Fqdn] $krb_kadmin_keytabs_repo = lookup('kerberos_kadmin_keytabs_repo'),
Array[String] $rsync_secrets_file_auth_users = lookup('profile::kerberos::kadminserver', { 'default_value' => ['kerb'] }),
Optional[Boolean] $enable_replication = lookup('profile::kerberos::kadminserver::enable_replication', {'default_value' => false} ),
) {
package { 'krb5-admin-server':
ensure => present,
}
package { 'python3-pexpect':
ensure => present,
}
$is_krb_master = $facts['fqdn'] == $krb_kadmin_primary
if $is_krb_master {
$ensure_motd = 'absent'
# The kadmin server shutsdown by itself if
# not running on the master/primary node.
service { 'krb5-admin-server':
ensure => running,
require => Package['krb5-admin-server'],
}
profile::auto_restarts::service { 'krb5-admin-server':
ensure => stdlib::ensure($is_krb_master)
}
} else {
$ensure_motd = 'present'
}
motd::script { 'inactive_warning':
ensure => $ensure_motd,
priority => 1,
content => template('profile/kerberos/kadminserver/inactive.motd.erb'),
}
firewall::service { 'kerberos_kpasswd_tcp':
proto => 'tcp',
port => 464,
src_sets => ['DOMAIN_NETWORKS'],
}
firewall::service { 'kerberos_kpasswd_udp':
proto => 'udp',
port => 464,
src_sets => ['DOMAIN_NETWORKS'],
}
# Util script to help generating keytabs
file{ '/usr/local/sbin/generate_keytabs.py':
ensure => file,
mode => '0550',
owner => 'root',
group => 'root',
source => 'puppet:///modules/profile/kerberos/generate_keytabs.py',
}
file{ '/usr/local/sbin/manage_principals.py':
ensure => file,
mode => '0550',
owner => 'root',
group => 'root',
source => 'puppet:///modules/profile/kerberos/manage_principals.py',
}
# Keytabs will be generated manually, via a script that uses kadmin.local,
# under /srv/kerberos/keytabs
file{ '/srv/kerberos':
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0755',
}
file{ '/srv/kerberos/keytabs':
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0750',
}
# Add the rsync server configuration only to the active kerberos host.
# This allows the Puppet server holding the private repository to rsync
# the keytab files in order to be able to add them to the private repository.
# This way the puppet master will not need to be a kerberos client.
if $is_krb_master {
$ensure_rsync = 'present'
$ensure_rsync_secrets_file = 'present'
} else {
$ensure_rsync = 'absent'
$ensure_rsync_secrets_file = 'absent'
}
if $is_krb_master {
class { 'rsync::server': }
}
$rsync_secrets_file = '/srv/kerberos/rsync_secrets_file'
file { $rsync_secrets_file:
ensure => $ensure_rsync_secrets_file,
owner => 'root',
group => 'root',
mode => '0400',
content => secret('kerberos/rsync_secrets_file'),
show_diff => false,
require => File['/srv/kerberos']
}
rsync::server::module { 'srv-keytabs':
ensure => $ensure_rsync,
path => '/srv/kerberos/keytabs',
read_only => 'yes',
hosts_allow => $krb_kadmin_keytabs_repo,
auto_firewall => true,
auth_users => $rsync_secrets_file_auth_users,
secrets_file => $rsync_secrets_file,
require => File[$rsync_secrets_file],
}
if $enable_replication {
include ::profile::kerberos::replication
}
}
|