tmakinen/puppet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

kerberos: Refactored kerberos keytab generation to use fileshare instead of templates.

Browse source
This commit is contained in:
Timo Mkinen 2013-09-25 12:13:05 +03:00
parent 67e91bb8b5
commit f0199bfcbd
3 changed files with 76 additions and 68 deletions
Download patch file Download diff file Expand all files Collapse all files

66
kerberos/lib/puppet/parser/functions/keytab_generate.rb Normal file
View file

@ -0,0 +1,66 @@
require 'base64'
require 'expect'
require 'tempfile'
module Puppet::Parser::Functions
newfunction(:keytab_generate) do |args|
name = args[0]
principals = args[1]
# get output file name
outfile = File.join('/srv/puppet/files/generated',
lookupvar('homename'), Base64.encode64(name)).strip
begin
Dir.mkdir(File.dirname(outfile))
rescue
nil
end
# check if we have cached keytab up to date
cached = true
if File.exists?(outfile)
if not check_keytab(outfile, principals)
cached = false
File.unlink(outfile)
end
else
cached = false
end
# create new keytab if cache is not up to date
if not cached
cmd = sprintf('kadmin -p %s -k -t /etc/puppet/puppet.keytab -q "ktadd -k %s %s" 1>&2',
lookupvar('kerberos_user'), outfile, principals.join(' '))
output = ''
IO.popen(cmd, mode='r') { |f|
output = f.read
}
if not File.exists?(outfile)
raise 'Failed to create keytab ' + name + ' error was: ' + output
elsif not check_keytab(outfile, principals)
raise 'Invalid keytab ' + name + ' created'
end
end
end
end
# function to check if keytab contains required principals
def check_keytab(keytab, principals)
entries = []
IO.popen(sprintf('klist -k %s', keytab), mode='r') { |f|
f.readlines.each do |l|
next unless l =~ /[ ]+\d+ .*/
entries << l.split()[1]
end
}
principals.each do |p|
if not entries.include?(p)
return false
end
end
return true
end

16
kerberos/manifests/init.pp
View file

@ -244,7 +244,8 @@ class kerberos::server::ldap inherits kerberos::server {
# principals => [ "host/testhost.foo.sh@FOO.SH" ], # principals => [ "host/testhost.foo.sh@FOO.SH" ],
# } # }
# #
define kerberos::keytab($principals = [], $ensure = present, $owner = "root", $group = "", $mode = "0600") { define kerberos::keytab($principals=[], $ensure=present, $owner="root",
$group="", $mode="0600") {
case $group { case $group {
"": { "": {
@ -258,12 +259,15 @@ define kerberos::keytab($principals = [], $ensure = present, $owner = "root", $g
} }
} }
keytab_generate($name, $principals)
$source = base64($name)
file { $name: file { $name:
ensure => $ensure, ensure => $ensure,
content => template("kerberos/keytab.erb"), source => "puppet:///generated/${source}",
mode => $mode, mode => $mode,
owner => $owner, owner => $owner,
group => $real_group, group => $real_group,
} }
} }

62
kerberos/templates/keytab.erb
View file

@ -1,62 +0,0 @@
<%
require 'digest/md5'
require 'expect'
require 'tempfile'
config = {}
config['cachedir'] = '/var/cache/puppet'
config['kadmin'] = '/usr/bin/kadmin'
config['klist'] = '/usr/bin/klist'
# set global vars
cachefile = File.join(config['cachedir'],
homename + '.' + Digest::MD5.hexdigest(name))
# function to check if keytab contains required principals
def check_keytab(config, keytab, principals)
entries = []
IO.popen(sprintf('%s -k %s', config['klist'], keytab), mode='r') { |f|
f.readlines.each do |l|
next unless l =~ /[ ]+\d+ .*/
entries << l.split()[1]
end
}
principals.each do |p|
if not entries.include?(p)
return false
end
end
return true
end
# check if we have cached keytab up to date
cached = true
if File.exists?(cachefile)
if not check_keytab(config, cachefile, principals)
cached = false
File.unlink(cachefile)
end
else
cached = false
end
# create new keytab if cache is not up to date
if not cached
cmd = sprintf('%s -p %s -k -t /etc/puppet/puppet.keytab -q "ktadd -k %s %s"',
config['kadmin'], kerberos_user, cachefile, principals.join(' '))
output = `#{cmd} 2>&1`
if not File.exists?(cachefile)
raise 'Failed to create keytab ' + name + ' error was: ' + output
elsif not check_keytab(config, cachefile, principals)
raise 'Invalid keytab ' + name + ' created'
end
end
# read keytab into memory
data = File.open(cachefile).read
-%><%= data -%>