Puppet Class: profile::kerberos::replication

Defined in:
modules/profile/manifests/kerberos/replication.pp

Overview

SPDX-License-Identifier: Apache-2.0
Class: profile::kerberos::replication

Configure the current Kerberos master/primary and its slaves to replicate the KDC database periodically. There are two options:

1) the host is the current Kerberos master/primary, so it needs to run a script (via systemd timer) that periodically dumps the KDC database and replicates it via kprop to all the Kerberos slaves.

2) the host is a Kerberos slave, so it needs to run the kpropd daemon, to be able to receive updates from the master (via kprop) when available. Only the slaves need to be configured with a specific kpropd.acl config file.

This profile must run on a host with a running KDC, and it also needs the kprop tool, which is provided by the krb5-admin-server package.

Parameters:

  • krb_realm_name (Stdlib::Fqdn) (defaults to: lookup('kerberos_realm_name'))
  • krb_kdc_servers (Array[Stdlib::Fqdn]) (defaults to: lookup('kerberos_kdc_servers'))
  • krb_kadmin_primary (Stdlib::Fqdn) (defaults to: lookup('kerberos_kadmin_server_primary'))
  • monitoring_enabled (Optional[Boolean]) (defaults to: lookup('profile::kerberos::replication::monitoring_enabled', { 'default_value' => false }))


# File 'modules/profile/manifests/kerberos/replication.pp', line 17

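# @summary Configure replication of the KDC database between the Kerberos
#   kadmin primary and the other KDC hosts.
#
# The host's role is decided by comparing $facts['fqdn'] with
# $krb_kadmin_primary:
#   * primary: the kpropd listener is removed and a systemd timer runs
#     /usr/local/sbin/replicate_krb_database as root;
#   * replica: kpropd is installed and kept running, TCP/754 is opened only to
#     the primary, and /etc/krb5kdc/kpropd.acl (the list of principals allowed
#     to push a database) is managed; the timer is absent.
#
# @param krb_realm_name
#   Kerberos realm; presumably consumed by the templates rendered below.
# @param krb_kdc_servers
#   All KDC hosts. The primary is filtered out to obtain the replica list
#   ($krb_kdc_slave_servers), presumably consumed by the replication template.
# @param krb_kadmin_primary
#   fqdn of the kadmin primary, i.e. the only host allowed to push the
#   database and the only source accepted by the kpropd firewall rule.
# @param monitoring_enabled
#   Enables monitoring of the replication timer.
class profile::kerberos::replication (
    Stdlib::Fqdn $krb_realm_name = lookup('kerberos_realm_name'),
    Array[Stdlib::Fqdn] $krb_kdc_servers = lookup('kerberos_kdc_servers'),
    Stdlib::Fqdn $krb_kadmin_primary = lookup('kerberos_kadmin_server_primary'),
    Optional[Boolean] $monitoring_enabled = lookup('profile::kerberos::replication::monitoring_enabled', { 'default_value' => false }),
) {

    # Role detection: the comparison always yields a Boolean, so it is used
    # directly as the condition below instead of being compared with false.
    $is_krb_master = $facts['fqdn'] == $krb_kadmin_primary

    if $is_krb_master {
        # Primary: it pushes the database, so it must not run a kpropd
        # listener nor carry a kpropd.acl.
        package { 'krb5-kpropd':
            ensure => absent,
        }

        # Stop the daemon while its unit still exists, i.e. before the package
        # (and the unit file) is removed.
        service { 'krb5-kpropd':
            ensure => stopped,
            before => Package['krb5-kpropd'],
        }

        profile::auto_restarts::service { 'krb5-kpropd':
            ensure => absent,
        }

        file { '/etc/krb5kdc/kpropd.acl':
            ensure => absent,
        }

        $ensure_replication_timer = 'present'
    } else {
        # Replica: receive the database via kprop from the primary.
        package { 'krb5-kpropd':
            ensure => present,
        }

        # kprop uses TCP/754; only the kadmin primary may reach it.
        firewall::service { 'kerberos_kpropd_tcp':
            proto  => 'tcp',
            port   => 754,
            srange => [$krb_kadmin_primary],
        }

        # Authorization file for kpropd: which principals may push a database.
        # Installed before the package so the daemon never starts without it.
        file { '/etc/krb5kdc/kpropd.acl':
            owner   => 'root',
            group   => 'root',
            mode    => '0444',
            content => template('profile/kerberos/kpropd.acl.erb'),
            before  => Package['krb5-kpropd'],
        }

        service { 'krb5-kpropd':
            ensure  => running,
            require => Package['krb5-kpropd'],
        }

        profile::auto_restarts::service { 'krb5-kpropd':
            ensure => present,
        }

        $ensure_replication_timer = 'absent'

        if $monitoring_enabled {
            # NOTE(review): this removes the kpropd process check even when
            # monitoring is enabled, leaving the timer's monitoring on the
            # primary as the only replication signal — confirm this is intended.
            nrpe::monitor_service { 'krb-kpropd':
                ensure        => absent,
                description   => 'Kerberos Kpropd daemon',
                nrpe_command  => '/usr/lib/nagios/plugins/check_procs -c 1:1 -a "/usr/sbin/kpropd"',
                contact_group => 'admins,team-data-platform',
                require       => Service['krb5-kpropd'],
                notes_url     => 'https://wikitech.wikimedia.org/wiki/Analytics/Systems/Kerberos#Daemons_and_their_roles',
            }
        }
    }

    # Every KDC except the primary is a replication target.
    $krb_kdc_slave_servers = $krb_kdc_servers.filter |$krb_kdc_server| { $krb_kdc_server != $krb_kadmin_primary }

    # Push script; present only on the primary. Mode 0550 keeps it root-only
    # since it runs with access to the KDC database dump.
    file { '/usr/local/sbin/replicate_krb_database':
        ensure  => $ensure_replication_timer,
        owner   => 'root',
        group   => 'root',
        mode    => '0550',
        content => template('profile/kerberos/replicate_krb_database.erb'),
    }

    # Hourly push of the KDC database to the replicas; present only on the
    # primary. File['/srv/backup'] is declared outside this class.
    systemd::timer::job { 'replicate-krb-database':
        ensure             => $ensure_replication_timer,
        description        => 'Replication of the KDC database to the Kerberos slaves',
        command            => '/usr/local/sbin/replicate_krb_database',
        interval           => {
            'start'    => 'OnCalendar',
            'interval' => '*-*-* *:00:00'
        },
        user               => 'root',
        monitoring_enabled => $monitoring_enabled,
        logging_enabled    => false,
        require            => [
            File['/usr/local/sbin/replicate_krb_database'],
            File['/srv/backup'],
        ],
    }
}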