5:31 p.m.
commit d1257948c97bf9c1c246eaab23e0bc57480d2e22
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Mar 2 18:31:13 2017 +0100
Add keytab service
roles/keytab/service/defaults/main.yml | 4 +
roles/keytab/service/tasks/main.yml | 156 ++++++++++++++++++++++++++++++++
2 files changed, 160 insertions(+), 0 deletions(-)
---
diff --git a/roles/keytab/service/defaults/main.yml
b/roles/keytab/service/defaults/main.yml
new file mode 100644
index 0000000..13bd71e
--- /dev/null
+++ b/roles/keytab/service/defaults/main.yml
@@ -0,0 +1,4 @@
+owner_user: root
+owner_group: root
+host: "{{inventory_hostname }}"
+kt_location: "/etc/krb5.{{service}}_{{host}}.keytab"
diff --git a/roles/keytab/service/tasks/main.yml b/roles/keytab/service/tasks/main.yml
new file mode 100644
index 0000000..a98c896
--- /dev/null
+++ b/roles/keytab/service/tasks/main.yml
@@ -0,0 +1,156 @@
+---
+- name: Determine whether we need to get keytab
+ stat: path={{kt_location}}
+ register: keytab_status
+ check_mode: no
+ changed_when: "1 != 1"
+ tags:
+ - keytab
+ - config
+ - krb5
+
+- name: Get admin ticket
+ delegate_to: "{{ ipa_server }}"
+ shell: echo "{{ipa_admin_password}}" | kinit admin
+ check_mode: no
+ changed_when: "1 != 1"
+ tags:
+ - keytab
+ - config
+ - krb5
+ when: not keytab_status.stat.exists
+
+- name: Create host entry
+ delegate_to: "{{ ipa_server }}"
+ command: ipa host-add {{host}}
+ register: host_add_result
+ check_mode: no
+ changed_when: "'Added host' in host_add_result.stdout"
+ failed_when: "not ('Added host' in host_add_result.stdout or 'already
exists' in host_add_result.stderr)"
+ tags:
+ - keytab
+ - config
+ - krb5
+ when: not keytab_status.stat.exists
+
+- name: Create service entry
+ delegate_to: "{{ ipa_server }}"
+ command: ipa service-add {{service}}/{{host}}
+ register: service_add_result
+ check_mode: no
+ changed_when: "'Added service' in service_add_result.stdout"
+ failed_when: "not ('Added service' in service_add_result.stdout or
'already exists' in service_add_result.stderr)"
+ tags:
+ - keytab
+ - config
+ - krb5
+ when: not keytab_status.stat.exists and service != "host"
+
+- name: Grant host access to keytab
+ delegate_to: "{{ ipa_server }}"
+ command: ipa service-allow-retrieve-keytab {{service}}/{{host}}
--hosts={{inventory_hostname}}
+ register: service_perm_add_result
+ check_mode: no
+ changed_when: "'members added 1' in service_perm_add_result.stdout"
+ failed_when: "not ('members added' in
service_perm_add_result.stdout)"
+ tags:
+ - keytab
+ - config
+ - krb5
+ when: not keytab_status.stat.exists
+
+- name: Grant admin access to keytab
+ delegate_to: "{{ ipa_server }}"
+ command: ipa service-allow-retrieve-keytab {{service}}/{{host}} --users=admin
+ register: service_perm_add_result
+ check_mode: no
+ changed_when: "'members added 1' in service_perm_add_result.stdout"
+ failed_when: "not ('members added' in
service_perm_add_result.stdout)"
+ tags:
+ - keytab
+ - config
+ - krb5
+ when: not keytab_status.stat.exists
+
+- name: Retrieve keytab
+ delegate_to: "{{ ipa_server }}"
+ command: ipa-getkeytab --retrieve --server {{ipa_server}} --keytab
/tmp/{{service}}_{{host}}.kt --principal {{service}}/{{host}}
+ register: retrieve_result
+ check_mode: no
+ changed_when: "1 != 1"
+ failed_when: "not ('Keytab successfully retrieved' in
retrieve_result.stderr or 'krbPrincipalKey not found' in
retrieve_result.stderr)"
+ tags:
+ - keytab
+ - config
+ - krb5
+ when: not keytab_status.stat.exists
+
+- name: Create keytab if it did not exist
+ delegate_to: "{{ ipa_server }}"
+ command: ipa-getkeytab --server {{ipa_server}} --keytab /tmp/{{service}}_{{host}}.kt
--principal {{service}}/{{host}}
+ tags:
+ - keytab
+ - config
+ - krb5
+ when: not keytab_status.stat.exists and 'krbPrincipalKey not found' in
retrieve_result.stderr
+
+- name: Destroy admin ticket
+ delegate_to: "{{ ipa_server }}"
+ command: kdestroy -A
+ tags:
+ - keytab
+ - config
+ - krb5
+ when: not keytab_status.stat.exists
+
+- name: Get keytab
+ delegate_to: "{{ ipa_server }}"
+ command: base64 /tmp/{{service}}_{{host}}.kt
+ register: keytab
+ check_mode: no
+ tags:
+ - keytab
+ - config
+ - krb5
+ when: not keytab_status.stat.exists
+
+- name: Destroy stored keytab
+ delegate_to: "{{ ipa_server }}"
+ file: path=/tmp/{{service}}_{{host}}.kt state=absent
+ tags:
+ - keytab
+ - config
+ - krb5
+ when: not keytab_status.stat.exists
+
+- name: Deploy base64 keytab
+ copy: dest={{kt_location}}.b64
+ content={{keytab.stdout}}
+ owner={{owner_user}} group={{owner_group}} mode=0600
+ tags:
+ - keytab
+ - config
+ - krb5
+ when: not keytab_status.stat.exists
+
+- name: Base64-decode keytab
+ shell: "umask 077 && base64 -d {{kt_location}}.b64
>{{kt_location}}"
+ tags:
+ - keytab
+ - config
+ - krb5
+ when: not keytab_status.stat.exists
+
+- name: Destroy encoded keytab
+ file: path={{kt_location}}.b64 state=absent
+ tags:
+ - keytab
+ - config
+ - krb5
+
+- name: Set keytab permissions
+ file: path={{kt_location}} owner={{owner_user}} group={{owner_group}} mode=0600
state=file
+ tags:
+ - keytab
+ - config
+ - krb5