From 1a36ffd08eeaa4cf62192657d94eb789d9b82dca Mon Sep 17 00:00:00 2001 From: Paul Belanger Date: Mon, 28 Aug 2017 13:44:41 -0400 Subject: [PATCH] Add create / destory roles for AFS tokens In openstack-infra we use AFS for a lot of things, so create 2 roles to handle creating / destroying of the tokens. Change-Id: I3dee184d0b87023e7e0808372cfeda94f8337b4f Signed-off-by: Paul Belanger --- roles/create-afs-token/README.rst | 17 +++++++++++++++++ roles/create-afs-token/tasks/main.yaml | 21 +++++++++++++++++++++ roles/destroy-afs-token/README.rst | 1 + roles/destroy-afs-token/tasks/main.yaml | 5 +++++ 4 files changed, 44 insertions(+) create mode 100644 roles/create-afs-token/README.rst create mode 100644 roles/create-afs-token/tasks/main.yaml create mode 100644 roles/destroy-afs-token/README.rst create mode 100644 roles/destroy-afs-token/tasks/main.yaml
diff --git a/roles/create-afs-token/README.rst b/roles/create-afs-token/README.rst
new file mode 100644
index 000000000..002bfcd2f
--- /dev/null
+++ b/roles/create-afs-token/README.rst
@@ -0,0 +1,17 @@
+Create kerberos / afs tokens
+
+**Role Variables**
+
+.. zuul:rolevar:: afs
+
+ Complex argument which contains the information about authentication
+ information. It is expected this argument comes from a `Secret`.
+
+ .. zuul:rolevar:: keytab
+
+ Base64 encoded contents of a keytab file. We'll base64 decode before writing
+ it to disk as a temporary file.
+
+ .. zuul:rolevar:: service_name
+
+ The service name to use for kinit command.
diff --git a/roles/create-afs-token/tasks/main.yaml b/roles/create-afs-token/tasks/main.yaml
new file mode 100644
index 000000000..3a66b94ff
--- /dev/null
+++ b/roles/create-afs-token/tasks/main.yaml
@@ -0,0 +1,21 @@
+- name: Create AFS keytab tempfile
+ tempfile:
+ state: file
+ register: afs_keytab_tmp
+
+- name: Create (base64 decode) AFS keytab from secret
+ copy:
+ content: "{{ afs.keytab | b64decode }}"
+ dest: "{{ afs_keytab_tmp.path }}"
+ mode: 0400
+
+- name: Obtain ticket for Kerberos
+ command: "kinit -k -t {{ afs_keytab_tmp.path}} {{ afs.service_name }}"
+
+- name: Delete AFS keytab tempfile
+ file:
+ path: "{{ afs_keytab_tmp.path }}"
+ state: absent
+
+- name: Obtain authentication token for AFS
+ command: aklog
diff --git a/roles/destroy-afs-token/README.rst b/roles/destroy-afs-token/README.rst
new file mode 100644
index 000000000..f48ac0d58
--- /dev/null
+++ b/roles/destroy-afs-token/README.rst
@@ -0,0 +1 @@
+Destroy any active AFS / Kerberos tokens
diff --git a/roles/destroy-afs-token/tasks/main.yaml b/roles/destroy-afs-token/tasks/main.yaml
new file mode 100644
index 000000000..11771b706
--- /dev/null
+++ b/roles/destroy-afs-token/tasks/main.yaml
@@ -0,0 +1,5 @@
+- name: Destroy AFS tokens
+ command: unlog
+
+- name: Destroy Kerberos tokens
+ command: kdestroy
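Review bot: In roles/create-afs-token/tasks/main.yaml the decoded keytab stays on disk whenever `kinit` fails, because "Delete AFS keytab tempfile" is an ordinary task that runs only if every task before it succeeded; putting the copy and kinit tasks in a `block:` with the delete task under `always:` removes the file on both paths. The same ordering problem applies in roles/destroy-afs-token/tasks/main.yaml, where a failing `unlog` skips `kdestroy` and leaves the Kerberos ticket cache behind. The copy task that writes the secret would also be safer with a task-level `no_log: true`, and quoting the mode as `mode: '0400'` avoids relying on how the YAML loader types a leading-zero integer. The sketch below shows the block/always shape for the create role only.

```yaml
- name: Obtain Kerberos ticket from the decoded keytab
  block:
    # … unchanged: "Create (base64 decode) AFS keytab from secret" task, indented under block …
    # … unchanged: "Obtain ticket for Kerberos" task, indented under block …
  always:
    - name: Delete AFS keytab tempfile
      file:
        path: "{{ afs_keytab_tmp.path }}"
        state: absent
```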