kerberos: Refactored kerberos keytab generation to use fileshare instead of templates.
This commit is contained in:
parent
67e91bb8b5
commit
f0199bfcbd
3 changed files with 76 additions and 68 deletions
66
kerberos/lib/puppet/parser/functions/keytab_generate.rb
Normal file
66
kerberos/lib/puppet/parser/functions/keytab_generate.rb
Normal file
|
|
@ -0,0 +1,66 @@
|
|||
|
||||
require 'base64'
|
||||
require 'expect'
|
||||
require 'tempfile'
|
||||
|
||||
|
||||
module Puppet::Parser::Functions
|
||||
newfunction(:keytab_generate) do |args|
|
||||
name = args[0]
|
||||
principals = args[1]
|
||||
|
||||
# get output file name
|
||||
outfile = File.join('/srv/puppet/files/generated',
|
||||
lookupvar('homename'), Base64.encode64(name)).strip
|
||||
begin
|
||||
Dir.mkdir(File.dirname(outfile))
|
||||
rescue
|
||||
nil
|
||||
end
|
||||
|
||||
# check if we have cached keytab up to date
|
||||
cached = true
|
||||
if File.exists?(outfile)
|
||||
if not check_keytab(outfile, principals)
|
||||
cached = false
|
||||
File.unlink(outfile)
|
||||
end
|
||||
else
|
||||
cached = false
|
||||
end
|
||||
|
||||
# create new keytab if cache is not up to date
|
||||
if not cached
|
||||
cmd = sprintf('kadmin -p %s -k -t /etc/puppet/puppet.keytab -q "ktadd -k %s %s" 1>&2',
|
||||
lookupvar('kerberos_user'), outfile, principals.join(' '))
|
||||
output = ''
|
||||
IO.popen(cmd, mode='r') { |f|
|
||||
output = f.read
|
||||
}
|
||||
if not File.exists?(outfile)
|
||||
raise 'Failed to create keytab ' + name + ' error was: ' + output
|
||||
elsif not check_keytab(outfile, principals)
|
||||
raise 'Invalid keytab ' + name + ' created'
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
||||
# function to check if keytab contains required principals
|
||||
def check_keytab(keytab, principals)
|
||||
entries = []
|
||||
IO.popen(sprintf('klist -k %s', keytab), mode='r') { |f|
|
||||
f.readlines.each do |l|
|
||||
next unless l =~ /[ ]+\d+ .*/
|
||||
entries << l.split()[1]
|
||||
end
|
||||
}
|
||||
principals.each do |p|
|
||||
if not entries.include?(p)
|
||||
return false
|
||||
end
|
||||
end
|
||||
return true
|
||||
end
|
||||
|
|
@ -244,7 +244,8 @@ class kerberos::server::ldap inherits kerberos::server {
|
|||
# principals => [ "host/testhost.foo.sh@FOO.SH" ],
|
||||
# }
|
||||
#
|
||||
define kerberos::keytab($principals = [], $ensure = present, $owner = "root", $group = "", $mode = "0600") {
|
||||
define kerberos::keytab($principals=[], $ensure=present, $owner="root",
|
||||
$group="", $mode="0600") {
|
||||
|
||||
case $group {
|
||||
"": {
|
||||
|
|
@ -258,12 +259,15 @@ define kerberos::keytab($principals = [], $ensure = present, $owner = "root", $g
|
|||
}
|
||||
}
|
||||
|
||||
keytab_generate($name, $principals)
|
||||
$source = base64($name)
|
||||
|
||||
file { $name:
|
||||
ensure => $ensure,
|
||||
content => template("kerberos/keytab.erb"),
|
||||
mode => $mode,
|
||||
owner => $owner,
|
||||
group => $real_group,
|
||||
ensure => $ensure,
|
||||
source => "puppet:///generated/${source}",
|
||||
mode => $mode,
|
||||
owner => $owner,
|
||||
group => $real_group,
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,62 +0,0 @@
|
|||
<%
|
||||
|
||||
require 'digest/md5'
|
||||
require 'expect'
|
||||
require 'tempfile'
|
||||
|
||||
|
||||
config = {}
|
||||
config['cachedir'] = '/var/cache/puppet'
|
||||
config['kadmin'] = '/usr/bin/kadmin'
|
||||
config['klist'] = '/usr/bin/klist'
|
||||
|
||||
|
||||
# set global vars
|
||||
cachefile = File.join(config['cachedir'],
|
||||
homename + '.' + Digest::MD5.hexdigest(name))
|
||||
|
||||
# function to check if keytab contains required principals
|
||||
def check_keytab(config, keytab, principals)
|
||||
entries = []
|
||||
IO.popen(sprintf('%s -k %s', config['klist'], keytab), mode='r') { |f|
|
||||
f.readlines.each do |l|
|
||||
next unless l =~ /[ ]+\d+ .*/
|
||||
entries << l.split()[1]
|
||||
end
|
||||
}
|
||||
principals.each do |p|
|
||||
if not entries.include?(p)
|
||||
return false
|
||||
end
|
||||
end
|
||||
return true
|
||||
end
|
||||
|
||||
|
||||
# check if we have cached keytab up to date
|
||||
cached = true
|
||||
if File.exists?(cachefile)
|
||||
if not check_keytab(config, cachefile, principals)
|
||||
cached = false
|
||||
File.unlink(cachefile)
|
||||
end
|
||||
else
|
||||
cached = false
|
||||
end
|
||||
|
||||
# create new keytab if cache is not up to date
|
||||
if not cached
|
||||
cmd = sprintf('%s -p %s -k -t /etc/puppet/puppet.keytab -q "ktadd -k %s %s"',
|
||||
config['kadmin'], kerberos_user, cachefile, principals.join(' '))
|
||||
output = `#{cmd} 2>&1`
|
||||
if not File.exists?(cachefile)
|
||||
raise 'Failed to create keytab ' + name + ' error was: ' + output
|
||||
elsif not check_keytab(config, cachefile, principals)
|
||||
raise 'Invalid keytab ' + name + ' created'
|
||||
end
|
||||
end
|
||||
|
||||
# read keytab into memory
|
||||
data = File.open(cachefile).read
|
||||
|
||||
-%><%= data -%>
|
||||
Loading…
Add table
Reference in a new issue