opendev/system-config
Code Issues Proposed changes

Merge "Split out kerberos module"

Browse Source
This commit is contained in:
Jenkins 2015-01-29 02:21:05 +00:00 committed by Gerrit Code Review
commit 2fa0a982e0
10 changed files with 1 additions and 432 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
modules.env
View File

@ -74,6 +74,7 @@ INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-meetbot"]=
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-mysql_backup"]="origin/master" INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-mysql_backup"]="origin/master"
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-nodepool"]="origin/master" INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-nodepool"]="origin/master"
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-jenkins"]="origin/master" INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-jenkins"]="origin/master"
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-kerberos"]="origin/master"
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-pip"]="origin/master" INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-pip"]="origin/master"
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-github"]="origin/master" INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-github"]="origin/master"
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-httpd"]="origin/master" INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-httpd"]="origin/master"

6
modules/kerberos/files/kadm5.acl
View File

@ -1,6 +0,0 @@
# This file Is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin is given full administrative rights.
# To enable this, uncomment the following line:
*/admin *

123
modules/kerberos/files/krb5-kpropd
View File

@ -1,123 +0,0 @@
#! /bin/sh
### BEGIN INIT INFO
# Provides: krb5-kpropd
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# X-Start-Before: $x-display-manager
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: MIT Kerberos propagation daemon
# Description: Starts, stops, or restarts the MIT kpropd.
### END INIT INFO
# Author: Sam Hartman <hartmans@mit.edu>
# Author: Russ Allbery <rra@debian.org>
#
# Based on the /etc/init.d/skeleton template as found in initscripts version
# 2.86.ds1-15.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
DESC="Kerberos kpropd"
NAME=kpropd
DAEMON=/usr/sbin/$NAME
DAEMON_ARGS=""
SCRIPTNAME=/etc/init.d/krb5-kpropd
# Exit if the package is not installed.
[ -x "$DAEMON" ] || exit 0
# Read configuration if it is present.
[ -r /etc/default/krb5-kpropd ] && . /etc/default/krb5-kpropd
# Get the setting of VERBOSE and other rcS variables.
[ -f /etc/default/rcS ] && . /etc/default/rcS
# Define LSB log functions (requires lsb-base >= 3.0-6).
. /lib/lsb/init-functions
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
do_start_kpropd()
{
start-stop-daemon --start --quiet --startas $DAEMON --name $NAME --test \
> /dev/null || return 1
start-stop-daemon --start --quiet --startas $DAEMON --name $NAME \
-- $DAEMON_ARGS || return 2
}
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
do_stop_kpropd()
{
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
return "$RETVAL"
}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start_kpropd
case "$?" in
0|1)
[ "$VERBOSE" != no ] && log_end_msg 0
;;
2)
[ "$VERBOSE" != no ] && log_end_msg 1
;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop_kpropd
case "$?" in
0|1)
[ "$VERBOSE" != no ] && log_progress_msg "krb524d"
;;
2)
[ "$VERBOSE" != no ] && log_end_msg 1
;;
esac
;;
restart|force-reload)
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop_kpropd
case "$?" in
0|1)
do_start_kpropd
case "$?" in
0)
log_end_msg 0
;;
1|2)
log_end_msg 1
;;
esac
;;
*)
log_end_msg 1
;;
esac
;;
status)
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2
exit 3
;;
esac
:

19
modules/kerberos/manifests/client.pp
View File

@ -1,19 +0,0 @@
class kerberos::client (
$realm,
$kdcs,
$admin_server,
) {
include ntp
package { 'krb5-user':
ensure => present,
require => File['/etc/krb5.conf'],
}
file { '/etc/krb5.conf':
ensure => present,
replace => true,
content => template('kerberos/krb5.conf.erb'),
}
}

110
modules/kerberos/manifests/server.pp
View File

@ -1,110 +0,0 @@
class kerberos::server (
$realm,
$kdcs = [$::fqdn],
$admin_server = [$::fdqn],
$slaves = [],
$slave = false,
) {
include haveged
class { 'kerberos::client':
realm => $realm,
kdcs => $kdcs,
admin_server => $admin_server,
}
$packages = [
'krb5-admin-server',
'krb5-kdc',
]
package { $packages:
ensure => present,
}
file { '/etc/krb5kdc/kdc.conf':
ensure => present,
replace => true,
content => template('kerberos/kdc.conf.erb'),
require => Package['krb5-kdc'],
}
file { '/etc/krb5kdc/kpropd.acl':
ensure => present,
replace => true,
content => template('kerberos/kpropd.acl.erb'),
require => Package['krb5-kdc'],
}
file { '/etc/krb5kdc/kadm5.acl':
ensure => present,
replace => true,
source => 'puppet:///modules/kerberos/kadm5.acl',
require => Package['krb5-admin-server'],
}
file { '/var/krb5kdc':
ensure => directory,
}
file { '/etc/init.d/krb5-kpropd':
ensure => present,
replace => true,
source => 'puppet:///modules/kerberos/krb5-kpropd',
require => Package['krb5-admin-server'],
}
file { '/usr/local/bin/run-kprop.sh':
ensure => present,
replace => true,
mode => 0755,
content => template('kerberos/run-kprop.sh.erb'),
require => Package['krb5-admin-server'],
}
if ($slave) {
$run_admin_server = stopped
$run_kadmind = 'false'
$run_kpropd = running
$kprop_cron = absent
} else {
$run_admin_server = running
$run_kadmind = 'true'
$run_kpropd = stopped
$kprop_cron = present
}
# krb5-admin-server generates this, so make sure this runs after we do
# things with krb5-admin-server
file { '/etc/default/krb5-admin-server':
ensure => present,
replace => true,
content => template('kerberos/krb5-admin-server.defaults.erb'),
require => Package['krb5-admin-server'],
}
cron { 'kprop':
ensure => $kprop_cron,
user => 'root',
minute => '*/15',
command => '/usr/local/bin/run-kprop.sh >/dev/null 2>&1',
environment => 'PATH=/usr/bin:/bin:/usr/sbin:/sbin',
}
service { 'krb5-kpropd':
ensure => $run_kpropd,
require => [
File['/etc/init.d/krb5-kpropd'],
Package['krb5-admin-server'],
],
}
service { 'krb5-admin-server':
ensure => $run_admin_server,
subscribe => File['/etc/krb5kdc/kadm5.acl'],
require => [
File['/etc/krb5kdc/kadm5.acl'],
Package['krb5-admin-server'],
],
}
}

16
modules/kerberos/templates/kdc.conf.erb
View File

@ -1,16 +0,0 @@
[kdcdefaults]
kdc_ports = 750,88
[realms]
<%= @realm %> = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = aes256-cts
supported_enctypes = aes256-cts:normal
default_principal_flags = +preauth
}

3
modules/kerberos/templates/kpropd.acl.erb
View File

@ -1,3 +0,0 @@
<% @kdcs.each do |kdc| -%>
host/<%= kdc %>@<%= @realm %>
<% end -%>

2
modules/kerberos/templates/krb5-admin-server.defaults.erb
View File

@ -1,2 +0,0 @@
# Managed by puppet
RUN_KADMIND=<%= @run_kadmind %>

146
modules/kerberos/templates/krb5.conf.erb
View File

@ -1,146 +0,0 @@
[libdefaults]
default_realm = <%= @realm %>
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = kerberos.andrew.cmu.edu
kdc = kerberos2.andrew.cmu.edu
kdc = kerberos3.andrew.cmu.edu
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
<%= @realm %> = {
<% @kdcs.each do |kdc| -%>
kdc = <%= kdc %>
<% end -%>
admin_server = <%= admin_server %>
default_domain = <%= @realm.downcase %>
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
[login]
krb4_convert = true
krb4_get_tickets = false

7
modules/kerberos/templates/run-kprop.sh.erb
View File

@ -1,7 +0,0 @@
#!/bin/sh
kdclist="<% @slaves.each do |slave| -%><%= slave %> <% end -%>"
kdb5_util dump /var/krb5kdc/slave_datatrans
for kdc in $kdclist
do
kprop -f /var/krb5kdc/slave_datatrans $kdc
done