diff --git a/modules.env b/modules.env index 2d8c3631bf..905b70a122 100644 --- a/modules.env +++ b/modules.env @@ -74,6 +74,7 @@ INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-meetbot"]= INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-mysql_backup"]="origin/master" INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-nodepool"]="origin/master" INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-jenkins"]="origin/master" +INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-kerberos"]="origin/master" INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-pip"]="origin/master" INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-github"]="origin/master" INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-httpd"]="origin/master" diff --git a/modules/kerberos/files/kadm5.acl b/modules/kerberos/files/kadm5.acl deleted file mode 100644 index 5ad0e1e54f..0000000000 --- a/modules/kerberos/files/kadm5.acl +++ /dev/null @@ -1,6 +0,0 @@ -# This file Is the access control list for krb5 administration. -# When this file is edited run /etc/init.d/krb5-admin-server restart to activate -# One common way to set up Kerberos administration is to allow any principal -# ending in /admin is given full administrative rights. -# To enable this, uncomment the following line: -*/admin * diff --git a/modules/kerberos/files/krb5-kpropd b/modules/kerberos/files/krb5-kpropd deleted file mode 100755 index 7d39a6755d..0000000000 --- a/modules/kerberos/files/krb5-kpropd +++ /dev/null @@ -1,123 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: krb5-kpropd -# Required-Start: $local_fs $remote_fs $network $syslog -# Required-Stop: $local_fs $remote_fs $network $syslog -# X-Start-Before: $x-display-manager -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: MIT Kerberos propagation daemon -# Description: Starts, stops, or restarts the MIT kpropd. -### END INIT INFO - -# Author: Sam Hartman -# Author: Russ Allbery -# -# Based on the /etc/init.d/skeleton template as found in initscripts version -# 2.86.ds1-15. - -PATH=/usr/sbin:/usr/bin:/sbin:/bin -DESC="Kerberos kpropd" -NAME=kpropd -DAEMON=/usr/sbin/$NAME -DAEMON_ARGS="" -SCRIPTNAME=/etc/init.d/krb5-kpropd - -# Exit if the package is not installed. -[ -x "$DAEMON" ] || exit 0 - -# Read configuration if it is present. -[ -r /etc/default/krb5-kpropd ] && . /etc/default/krb5-kpropd - -# Get the setting of VERBOSE and other rcS variables. -[ -f /etc/default/rcS ] && . /etc/default/rcS - -# Define LSB log functions (requires lsb-base >= 3.0-6). -. /lib/lsb/init-functions - - -# Return -# 0 if daemon has been started -# 1 if daemon was already running -# 2 if daemon could not be started -do_start_kpropd() -{ - start-stop-daemon --start --quiet --startas $DAEMON --name $NAME --test \ - > /dev/null || return 1 - start-stop-daemon --start --quiet --startas $DAEMON --name $NAME \ - -- $DAEMON_ARGS || return 2 -} - - -# Return -# 0 if daemon has been stopped -# 1 if daemon was already stopped -# 2 if daemon could not be stopped -# other if a failure occurred -do_stop_kpropd() -{ - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --name $NAME - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - return "$RETVAL" -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start_kpropd - case "$?" in - 0|1) - [ "$VERBOSE" != no ] && log_end_msg 0 - ;; - 2) - [ "$VERBOSE" != no ] && log_end_msg 1 - ;; - esac - ;; - - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop_kpropd - case "$?" in - 0|1) - [ "$VERBOSE" != no ] && log_progress_msg "krb524d" - ;; - 2) - [ "$VERBOSE" != no ] && log_end_msg 1 - ;; - esac - ;; - - restart|force-reload) - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop_kpropd - case "$?" in - 0|1) - do_start_kpropd - case "$?" in - 0) - log_end_msg 0 - ;; - 1|2) - log_end_msg 1 - ;; - esac - ;; - *) - log_end_msg 1 - ;; - esac - ;; - - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - - *) - echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2 - exit 3 - ;; -esac - -: diff --git a/modules/kerberos/manifests/client.pp b/modules/kerberos/manifests/client.pp deleted file mode 100644 index aa35466ac4..0000000000 --- a/modules/kerberos/manifests/client.pp +++ /dev/null @@ -1,19 +0,0 @@ -class kerberos::client ( - $realm, - $kdcs, - $admin_server, -) { - - include ntp - - package { 'krb5-user': - ensure => present, - require => File['/etc/krb5.conf'], - } - - file { '/etc/krb5.conf': - ensure => present, - replace => true, - content => template('kerberos/krb5.conf.erb'), - } -} diff --git a/modules/kerberos/manifests/server.pp b/modules/kerberos/manifests/server.pp deleted file mode 100644 index c85b5b1f8c..0000000000 --- a/modules/kerberos/manifests/server.pp +++ /dev/null @@ -1,110 +0,0 @@ -class kerberos::server ( - $realm, - $kdcs = [$::fqdn], - $admin_server = [$::fdqn], - $slaves = [], - $slave = false, -) { - - include haveged - - class { 'kerberos::client': - realm => $realm, - kdcs => $kdcs, - admin_server => $admin_server, - } - - $packages = [ - 'krb5-admin-server', - 'krb5-kdc', - ] - package { $packages: - ensure => present, - } - - file { '/etc/krb5kdc/kdc.conf': - ensure => present, - replace => true, - content => template('kerberos/kdc.conf.erb'), - require => Package['krb5-kdc'], - } - - file { '/etc/krb5kdc/kpropd.acl': - ensure => present, - replace => true, - content => template('kerberos/kpropd.acl.erb'), - require => Package['krb5-kdc'], - } - - file { '/etc/krb5kdc/kadm5.acl': - ensure => present, - replace => true, - source => 'puppet:///modules/kerberos/kadm5.acl', - require => Package['krb5-admin-server'], - } - - file { '/var/krb5kdc': - ensure => directory, - } - - file { '/etc/init.d/krb5-kpropd': - ensure => present, - replace => true, - source => 'puppet:///modules/kerberos/krb5-kpropd', - require => Package['krb5-admin-server'], - } - - file { '/usr/local/bin/run-kprop.sh': - ensure => present, - replace => true, - mode => 0755, - content => template('kerberos/run-kprop.sh.erb'), - require => Package['krb5-admin-server'], - } - - if ($slave) { - $run_admin_server = stopped - $run_kadmind = 'false' - $run_kpropd = running - $kprop_cron = absent - } else { - $run_admin_server = running - $run_kadmind = 'true' - $run_kpropd = stopped - $kprop_cron = present - } - - # krb5-admin-server generates this, so make sure this runs after we do - # things with krb5-admin-server - file { '/etc/default/krb5-admin-server': - ensure => present, - replace => true, - content => template('kerberos/krb5-admin-server.defaults.erb'), - require => Package['krb5-admin-server'], - } - - cron { 'kprop': - ensure => $kprop_cron, - user => 'root', - minute => '*/15', - command => '/usr/local/bin/run-kprop.sh >/dev/null 2>&1', - environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin', - } - - service { 'krb5-kpropd': - ensure => $run_kpropd, - require => [ - File['/etc/init.d/krb5-kpropd'], - Package['krb5-admin-server'], - ], - } - - service { 'krb5-admin-server': - ensure => $run_admin_server, - subscribe => File['/etc/krb5kdc/kadm5.acl'], - require => [ - File['/etc/krb5kdc/kadm5.acl'], - Package['krb5-admin-server'], - ], - } -} diff --git a/modules/kerberos/templates/kdc.conf.erb b/modules/kerberos/templates/kdc.conf.erb deleted file mode 100644 index 4825c5ff92..0000000000 --- a/modules/kerberos/templates/kdc.conf.erb +++ /dev/null @@ -1,16 +0,0 @@ -[kdcdefaults] - kdc_ports = 750,88 - -[realms] - <%= @realm %> = { - database_name = /var/lib/krb5kdc/principal - admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab - acl_file = /etc/krb5kdc/kadm5.acl - key_stash_file = /etc/krb5kdc/stash - kdc_ports = 750,88 - max_life = 10h 0m 0s - max_renewable_life = 7d 0h 0m 0s - master_key_type = aes256-cts - supported_enctypes = aes256-cts:normal - default_principal_flags = +preauth - } diff --git a/modules/kerberos/templates/kpropd.acl.erb b/modules/kerberos/templates/kpropd.acl.erb deleted file mode 100644 index 114dc8cf09..0000000000 --- a/modules/kerberos/templates/kpropd.acl.erb +++ /dev/null @@ -1,3 +0,0 @@ -<% @kdcs.each do |kdc| -%> -host/<%= kdc %>@<%= @realm %> -<% end -%> diff --git a/modules/kerberos/templates/krb5-admin-server.defaults.erb b/modules/kerberos/templates/krb5-admin-server.defaults.erb deleted file mode 100644 index 1528defcf9..0000000000 --- a/modules/kerberos/templates/krb5-admin-server.defaults.erb +++ /dev/null @@ -1,2 +0,0 @@ -# Managed by puppet -RUN_KADMIND=<%= @run_kadmind %> diff --git a/modules/kerberos/templates/krb5.conf.erb b/modules/kerberos/templates/krb5.conf.erb deleted file mode 100644 index 7a9eb7a7fd..0000000000 --- a/modules/kerberos/templates/krb5.conf.erb +++ /dev/null @@ -1,146 +0,0 @@ -[libdefaults] - default_realm = <%= @realm %> - -# The following krb5.conf variables are only for MIT Kerberos. - krb4_config = /etc/krb.conf - krb4_realms = /etc/krb.realms - kdc_timesync = 1 - ccache_type = 4 - forwardable = true - proxiable = true - -# The following encryption type specification will be used by MIT Kerberos -# if uncommented. In general, the defaults in the MIT Kerberos code are -# correct and overriding these specifications only serves to disable new -# encryption types as they are added, creating interoperability problems. -# -# Thie only time when you might need to uncomment these lines and change -# the enctypes is if you have local software that will break on ticket -# caches containing ticket encryption types it doesn't know about (such as -# old versions of Sun Java). - -# default_tgs_enctypes = des3-hmac-sha1 -# default_tkt_enctypes = des3-hmac-sha1 -# permitted_enctypes = des3-hmac-sha1 - -# The following libdefaults parameters are only for Heimdal Kerberos. - v4_instance_resolve = false - v4_name_convert = { - host = { - rcmd = host - ftp = ftp - } - plain = { - something = something-else - } - } - fcc-mit-ticketflags = true - -[realms] - ATHENA.MIT.EDU = { - kdc = kerberos.mit.edu:88 - kdc = kerberos-1.mit.edu:88 - kdc = kerberos-2.mit.edu:88 - admin_server = kerberos.mit.edu - default_domain = mit.edu - } - MEDIA-LAB.MIT.EDU = { - kdc = kerberos.media.mit.edu - admin_server = kerberos.media.mit.edu - } - ZONE.MIT.EDU = { - kdc = casio.mit.edu - kdc = seiko.mit.edu - admin_server = casio.mit.edu - } - MOOF.MIT.EDU = { - kdc = three-headed-dogcow.mit.edu:88 - kdc = three-headed-dogcow-1.mit.edu:88 - admin_server = three-headed-dogcow.mit.edu - } - CSAIL.MIT.EDU = { - kdc = kerberos-1.csail.mit.edu - kdc = kerberos-2.csail.mit.edu - admin_server = kerberos.csail.mit.edu - default_domain = csail.mit.edu - krb524_server = krb524.csail.mit.edu - } - IHTFP.ORG = { - kdc = kerberos.ihtfp.org - admin_server = kerberos.ihtfp.org - } - GNU.ORG = { - kdc = kerberos.gnu.org - kdc = kerberos-2.gnu.org - kdc = kerberos-3.gnu.org - admin_server = kerberos.gnu.org - } - 1TS.ORG = { - kdc = kerberos.1ts.org - admin_server = kerberos.1ts.org - } - GRATUITOUS.ORG = { - kdc = kerberos.gratuitous.org - admin_server = kerberos.gratuitous.org - } - DOOMCOM.ORG = { - kdc = kerberos.doomcom.org - admin_server = kerberos.doomcom.org - } - ANDREW.CMU.EDU = { - kdc = kerberos.andrew.cmu.edu - kdc = kerberos2.andrew.cmu.edu - kdc = kerberos3.andrew.cmu.edu - admin_server = kerberos.andrew.cmu.edu - default_domain = andrew.cmu.edu - } - CS.CMU.EDU = { - kdc = kerberos.cs.cmu.edu - kdc = kerberos-2.srv.cs.cmu.edu - admin_server = kerberos.cs.cmu.edu - } - DEMENTIA.ORG = { - kdc = kerberos.dementix.org - kdc = kerberos2.dementix.org - admin_server = kerberos.dementix.org - } - stanford.edu = { - kdc = krb5auth1.stanford.edu - kdc = krb5auth2.stanford.edu - kdc = krb5auth3.stanford.edu - master_kdc = krb5auth1.stanford.edu - admin_server = krb5-admin.stanford.edu - default_domain = stanford.edu - } - UTORONTO.CA = { - kdc = kerberos1.utoronto.ca - kdc = kerberos2.utoronto.ca - kdc = kerberos3.utoronto.ca - admin_server = kerberos1.utoronto.ca - default_domain = utoronto.ca - } - <%= @realm %> = { -<% @kdcs.each do |kdc| -%> - kdc = <%= kdc %> -<% end -%> - admin_server = <%= admin_server %> - default_domain = <%= @realm.downcase %> - } - -[domain_realm] - .mit.edu = ATHENA.MIT.EDU - mit.edu = ATHENA.MIT.EDU - .media.mit.edu = MEDIA-LAB.MIT.EDU - media.mit.edu = MEDIA-LAB.MIT.EDU - .csail.mit.edu = CSAIL.MIT.EDU - csail.mit.edu = CSAIL.MIT.EDU - .whoi.edu = ATHENA.MIT.EDU - whoi.edu = ATHENA.MIT.EDU - .stanford.edu = stanford.edu - .slac.stanford.edu = SLAC.STANFORD.EDU - .toronto.edu = UTORONTO.CA - .utoronto.ca = UTORONTO.CA - -[login] - krb4_convert = true - krb4_get_tickets = false diff --git a/modules/kerberos/templates/run-kprop.sh.erb b/modules/kerberos/templates/run-kprop.sh.erb deleted file mode 100644 index 380b9a0534..0000000000 --- a/modules/kerberos/templates/run-kprop.sh.erb +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/sh -kdclist="<% @slaves.each do |slave| -%><%= slave %> <% end -%>" -kdb5_util dump /var/krb5kdc/slave_datatrans -for kdc in $kdclist -do - kprop -f /var/krb5kdc/slave_datatrans $kdc -done