Merge "Split out kerberos module"

modules.env

@@ -74,6 +74,7 @@ INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-meetbot"]=
 INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-mysql_backup"]="origin/master"
 INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-nodepool"]="origin/master"
 INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-jenkins"]="origin/master"
+INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-kerberos"]="origin/master"
 INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-pip"]="origin/master"
 INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-github"]="origin/master"
 INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-httpd"]="origin/master"

modules/kerberos/files/kadm5.acl

@@ -1,6 +0,0 @@
-# This file Is the access control list for krb5 administration.
-# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
-# One common way to set up Kerberos administration is to allow any principal
-# ending in /admin  is given full administrative rights.
-# To enable this, uncomment the following line:
-*/admin *

modules/kerberos/files/krb5-kpropd

@@ -1,123 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides:             krb5-kpropd
-# Required-Start:       $local_fs $remote_fs $network $syslog
-# Required-Stop:        $local_fs $remote_fs $network $syslog
-# X-Start-Before:       $x-display-manager
-# Default-Start:        2 3 4 5
-# Default-Stop:         0 1 6
-# Short-Description:    MIT Kerberos propagation daemon
-# Description:          Starts, stops, or restarts the MIT kpropd.
-### END INIT INFO
-
-# Author: Sam Hartman <hartmans@mit.edu>
-# Author: Russ Allbery <rra@debian.org>
-#
-# Based on the /etc/init.d/skeleton template as found in initscripts version
-# 2.86.ds1-15.
-
-PATH=/usr/sbin:/usr/bin:/sbin:/bin
-DESC="Kerberos kpropd"
-NAME=kpropd
-DAEMON=/usr/sbin/$NAME
-DAEMON_ARGS=""
-SCRIPTNAME=/etc/init.d/krb5-kpropd
-
-# Exit if the package is not installed.
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration if it is present.
-[ -r /etc/default/krb5-kpropd ] && . /etc/default/krb5-kpropd
-
-# Get the setting of VERBOSE and other rcS variables.
-[ -f /etc/default/rcS ] && . /etc/default/rcS
-
-# Define LSB log functions (requires lsb-base >= 3.0-6).
-. /lib/lsb/init-functions
-
-
-# Return
-#   0 if daemon has been started
-#   1 if daemon was already running
-#   2 if daemon could not be started
-do_start_kpropd()
-{
-    start-stop-daemon --start --quiet --startas $DAEMON --name $NAME --test \
-        > /dev/null || return 1
-    start-stop-daemon --start --quiet --startas $DAEMON --name $NAME \
-        -- $DAEMON_ARGS || return 2
-}
-
-
-# Return
-#   0 if daemon has been stopped
-#   1 if daemon was already stopped
-#   2 if daemon could not be stopped
-#   other if a failure occurred
-do_stop_kpropd()
-{
-    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --name $NAME
-    RETVAL="$?"
-    [ "$RETVAL" = 2 ] && return 2
-    return "$RETVAL"
-}
-
-case "$1" in
-  start)
-    [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
-    do_start_kpropd
-    case "$?" in
-      0|1)
-            [ "$VERBOSE" != no ] && log_end_msg 0
-        ;;
-      2)
-        [ "$VERBOSE" != no ] && log_end_msg 1
-        ;;
-    esac
-    ;;
-
-  stop)
-    [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
-    do_stop_kpropd
-    case "$?" in
-      0|1)
-        [ "$VERBOSE" != no ] && log_progress_msg "krb524d"
-        ;;
-      2)
-        [ "$VERBOSE" != no ] && log_end_msg 1
-        ;;
-    esac
-    ;;
-
-  restart|force-reload)
-    log_daemon_msg "Restarting $DESC" "$NAME"
-    do_stop_kpropd
-    case "$?" in
-      0|1)
-        do_start_kpropd
-        case "$?" in
-          0)
-            log_end_msg 0
-            ;;
-          1|2)
-            log_end_msg 1
-            ;;
-        esac
-        ;;
-      *)
-        log_end_msg 1
-        ;;
-    esac
-    ;;
-
-  status)
-    status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
-    ;;
-
-  *)
-    echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2
-    exit 3
-    ;;
-esac
-
-:

modules/kerberos/manifests/client.pp

@@ -1,19 +0,0 @@
-class kerberos::client (
-  $realm,
-  $kdcs,
-  $admin_server,
-) {
-
-  include ntp
-
-  package { 'krb5-user':
-    ensure  => present,
-    require => File['/etc/krb5.conf'],
-  }
-
-  file { '/etc/krb5.conf':
-    ensure  => present,
-    replace => true,
-    content => template('kerberos/krb5.conf.erb'),
-  }
-}

modules/kerberos/manifests/server.pp

@@ -1,110 +0,0 @@
-class kerberos::server (
-  $realm,
-  $kdcs = [$::fqdn],
-  $admin_server = [$::fdqn],
-  $slaves = [],
-  $slave = false,
-) {
-
-  include haveged
-
-  class { 'kerberos::client':
-    realm          => $realm,
-    kdcs           => $kdcs,
-    admin_server   => $admin_server,
-  }
-
-  $packages = [
-    'krb5-admin-server',
-    'krb5-kdc',
-  ]
-  package { $packages:
-    ensure  => present,
-  }
-
-  file { '/etc/krb5kdc/kdc.conf':
-    ensure  => present,
-    replace => true,
-    content => template('kerberos/kdc.conf.erb'),
-    require   => Package['krb5-kdc'],
-  }
-
-  file { '/etc/krb5kdc/kpropd.acl':
-    ensure  => present,
-    replace => true,
-    content => template('kerberos/kpropd.acl.erb'),
-    require   => Package['krb5-kdc'],
-  }
-
-  file { '/etc/krb5kdc/kadm5.acl':
-    ensure  => present,
-    replace => true,
-    source  => 'puppet:///modules/kerberos/kadm5.acl',
-    require => Package['krb5-admin-server'],
-  }
-
-  file { '/var/krb5kdc':
-    ensure => directory,
-  }
-
-  file { '/etc/init.d/krb5-kpropd':
-    ensure  => present,
-    replace => true,
-    source  => 'puppet:///modules/kerberos/krb5-kpropd',
-    require => Package['krb5-admin-server'],
-  }
-
-  file { '/usr/local/bin/run-kprop.sh':
-    ensure  => present,
-    replace => true,
-    mode    => 0755,
-    content => template('kerberos/run-kprop.sh.erb'),
-    require => Package['krb5-admin-server'],
-  }
-
-  if ($slave) {
-    $run_admin_server = stopped
-    $run_kadmind = 'false'
-    $run_kpropd = running
-    $kprop_cron = absent
-  } else {
-    $run_admin_server = running
-    $run_kadmind = 'true'
-    $run_kpropd = stopped
-    $kprop_cron = present
-  }
-
-  # krb5-admin-server generates this, so make sure this runs after we do
-  # things with krb5-admin-server
-  file { '/etc/default/krb5-admin-server':
-    ensure  => present,
-    replace => true,
-    content => template('kerberos/krb5-admin-server.defaults.erb'),
-    require  => Package['krb5-admin-server'],
-  }
-
-  cron { 'kprop':
-    ensure      => $kprop_cron,
-    user        => 'root',
-    minute      => '*/15',
-    command     => '/usr/local/bin/run-kprop.sh >/dev/null 2>&1',
-    environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',
-  }
-
-  service { 'krb5-kpropd':
-    ensure => $run_kpropd,
-    require   => [
-      File['/etc/init.d/krb5-kpropd'],
-      Package['krb5-admin-server'],
-    ],
-  }
-
-  service { 'krb5-admin-server':
-    ensure => $run_admin_server,
-    subscribe => File['/etc/krb5kdc/kadm5.acl'],
-    require   => [
-      File['/etc/krb5kdc/kadm5.acl'],
-      Package['krb5-admin-server'],
-    ],
-  }
-}

modules/kerberos/templates/kdc.conf.erb

@@ -1,16 +0,0 @@
-[kdcdefaults]
-    kdc_ports = 750,88
-
-[realms]
-    <%= @realm %> = {
-        database_name = /var/lib/krb5kdc/principal
-        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
-        acl_file = /etc/krb5kdc/kadm5.acl
-        key_stash_file = /etc/krb5kdc/stash
-        kdc_ports = 750,88
-        max_life = 10h 0m 0s
-        max_renewable_life = 7d 0h 0m 0s
-        master_key_type = aes256-cts
-        supported_enctypes = aes256-cts:normal
-        default_principal_flags = +preauth
-    }

modules/kerberos/templates/kpropd.acl.erb

@@ -1,3 +0,0 @@
-<% @kdcs.each do |kdc| -%>
-host/<%= kdc %>@<%= @realm %>
-<% end -%>

modules/kerberos/templates/krb5-admin-server.defaults.erb

@@ -1,2 +0,0 @@
-# Managed by puppet
-RUN_KADMIND=<%= @run_kadmind %>

modules/kerberos/templates/krb5.conf.erb

@@ -1,146 +0,0 @@
-[libdefaults]
-    default_realm = <%= @realm %>
-
-# The following krb5.conf variables are only for MIT Kerberos.
-    krb4_config = /etc/krb.conf
-    krb4_realms = /etc/krb.realms
-    kdc_timesync = 1
-    ccache_type = 4
-    forwardable = true
-    proxiable = true
-
-# The following encryption type specification will be used by MIT Kerberos
-# if uncommented.  In general, the defaults in the MIT Kerberos code are
-# correct and overriding these specifications only serves to disable new
-# encryption types as they are added, creating interoperability problems.
-#
-# Thie only time when you might need to uncomment these lines and change
-# the enctypes is if you have local software that will break on ticket
-# caches containing ticket encryption types it doesn't know about (such as
-# old versions of Sun Java).
-
-#    default_tgs_enctypes = des3-hmac-sha1
-#    default_tkt_enctypes = des3-hmac-sha1
-#    permitted_enctypes = des3-hmac-sha1
-
-# The following libdefaults parameters are only for Heimdal Kerberos.
-    v4_instance_resolve = false
-    v4_name_convert = {
-        host = {
-            rcmd = host
-            ftp = ftp
-        }
-        plain = {
-            something = something-else
-        }
-    }
-    fcc-mit-ticketflags = true
-
-[realms]
-    ATHENA.MIT.EDU = {
-        kdc = kerberos.mit.edu:88
-        kdc = kerberos-1.mit.edu:88
-        kdc = kerberos-2.mit.edu:88
-        admin_server = kerberos.mit.edu
-        default_domain = mit.edu
-    }
-    MEDIA-LAB.MIT.EDU = {
-        kdc = kerberos.media.mit.edu
-        admin_server = kerberos.media.mit.edu
-    }
-    ZONE.MIT.EDU = {
-        kdc = casio.mit.edu
-        kdc = seiko.mit.edu
-        admin_server = casio.mit.edu
-    }
-    MOOF.MIT.EDU = {
-        kdc = three-headed-dogcow.mit.edu:88
-        kdc = three-headed-dogcow-1.mit.edu:88
-        admin_server = three-headed-dogcow.mit.edu
-    }
-    CSAIL.MIT.EDU = {
-        kdc = kerberos-1.csail.mit.edu
-        kdc = kerberos-2.csail.mit.edu
-        admin_server = kerberos.csail.mit.edu
-        default_domain = csail.mit.edu
-        krb524_server = krb524.csail.mit.edu
-    }
-    IHTFP.ORG = {
-        kdc = kerberos.ihtfp.org
-        admin_server = kerberos.ihtfp.org
-    }
-    GNU.ORG = {
-        kdc = kerberos.gnu.org
-        kdc = kerberos-2.gnu.org
-        kdc = kerberos-3.gnu.org
-        admin_server = kerberos.gnu.org
-    }
-    1TS.ORG = {
-        kdc = kerberos.1ts.org
-        admin_server = kerberos.1ts.org
-    }
-    GRATUITOUS.ORG = {
-        kdc = kerberos.gratuitous.org
-        admin_server = kerberos.gratuitous.org
-    }
-    DOOMCOM.ORG = {
-        kdc = kerberos.doomcom.org
-        admin_server = kerberos.doomcom.org
-    }
-    ANDREW.CMU.EDU = {
-        kdc = kerberos.andrew.cmu.edu
-        kdc = kerberos2.andrew.cmu.edu
-        kdc = kerberos3.andrew.cmu.edu
-        admin_server = kerberos.andrew.cmu.edu
-        default_domain = andrew.cmu.edu
-    }
-    CS.CMU.EDU = {
-        kdc = kerberos.cs.cmu.edu
-        kdc = kerberos-2.srv.cs.cmu.edu
-        admin_server = kerberos.cs.cmu.edu
-    }
-    DEMENTIA.ORG = {
-        kdc = kerberos.dementix.org
-        kdc = kerberos2.dementix.org
-        admin_server = kerberos.dementix.org
-    }
-    stanford.edu = {
-        kdc = krb5auth1.stanford.edu
-        kdc = krb5auth2.stanford.edu
-        kdc = krb5auth3.stanford.edu
-        master_kdc = krb5auth1.stanford.edu
-        admin_server = krb5-admin.stanford.edu
-        default_domain = stanford.edu
-    }
-    UTORONTO.CA = {
-        kdc = kerberos1.utoronto.ca
-        kdc = kerberos2.utoronto.ca
-        kdc = kerberos3.utoronto.ca
-        admin_server = kerberos1.utoronto.ca
-        default_domain = utoronto.ca
-    }
-    <%= @realm %> = {
-<% @kdcs.each do |kdc| -%>
-        kdc = <%= kdc %>
-<% end -%>
-        admin_server = <%= admin_server %>
-        default_domain = <%= @realm.downcase %>
-    }
-
-[domain_realm]
-    .mit.edu = ATHENA.MIT.EDU
-    mit.edu = ATHENA.MIT.EDU
-    .media.mit.edu = MEDIA-LAB.MIT.EDU
-    media.mit.edu = MEDIA-LAB.MIT.EDU
-    .csail.mit.edu = CSAIL.MIT.EDU
-    csail.mit.edu = CSAIL.MIT.EDU
-    .whoi.edu = ATHENA.MIT.EDU
-    whoi.edu = ATHENA.MIT.EDU
-    .stanford.edu = stanford.edu
-    .slac.stanford.edu = SLAC.STANFORD.EDU
-        .toronto.edu = UTORONTO.CA
-        .utoronto.ca = UTORONTO.CA
-
-[login]
-    krb4_convert = true
-    krb4_get_tickets = false

modules/kerberos/templates/run-kprop.sh.erb

@@ -1,7 +0,0 @@
-#!/bin/sh
-kdclist="<% @slaves.each do |slave| -%><%= slave %> <% end -%>"
-kdb5_util dump /var/krb5kdc/slave_datatrans
-for kdc in $kdclist
-do
-    kprop -f /var/krb5kdc/slave_datatrans $kdc
-done