Puppet Class: krb5::kdc::auto_keytabs

Inherits:
krb5::kdc
Defined in:
manifests/kdc/auto_keytabs.pp

Summary

Provides a mechanism for auto-generating keytabs on the KDC as well as provisioning those keytabs for distribution via Puppet if possible.

Overview

**NOTE: THIS IS A [PRIVATE](github.com/puppetlabs/puppetlabs-stdlib#assert_private) CLASS**

The keytabs will be collected in a directory that is, by default, located at `/var/kerberos/krb5kdc/generated_keytabs`.

The target directory will have subdirectories created, one per `host/fqdn@REALM` principal, that match the `fqdn` of the host.

Each of those directories will have a krb5.keytab file created that contains all discovered keytabs for the principal, *regardless of REALM*.

Note:

If this is enabled on a Puppet server, and `$introspect` is `true`, it will attempt to install the keytabs into the `$environmentpath/$environment/site_files/$module_name_files/files/keytabs` directory.

It will also attempt to automatically create host keytabs for any hosts in one of the following two directories:

* `${environmentpath}/${environment}/keydist`
* `${environmentpath}/${environment}/site_files/pki_files/files/keydist`

@note For any of the above, if `$environmentpath` is empty, or does not exist, then `$confdir` will be substituted for `${environmentpath}/${environment}`.

Parameters:

  • introspect (Boolean) (defaults to: true)

    If set, attempt to discover and create all relevant keytabs from data on the Puppet server. @note This has no effect if you aren't running on a Puppet server.

  • output_dir (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    The directory into which to install the keytabs.

  • all_known (Boolean) (defaults to: false)

    If set, generate keytabs for any `host/.*` entries known to the KDC.

  • user (String) (defaults to: 'root')

    The user that should own the keytab files.

  • group (String) (defaults to: 'puppet')

    The group that should own the keytab files.

  • realms (String) (defaults to: simplib::lookup('krb5::kdc::auto_realm', { 'default_value' => $facts['networking']['domain'] }))

    The REALMs into which the hosts should be added unless otherwise specified in the `$hosts` Hash. Will be auto-upcased.

  • global_services (Array[String]) (defaults to: [])

    An Array of Kerberos services that should be added to all hosts.

  • hosts (Hash[String, Struct[{'ensure' => Enum['absent','present'], Optional['realms'] => Array[String], Optional['services'] => Array[String] }] ]) (defaults to: {})

    A Hash of hosts for which keytabs should be generated and kept in the KDC by Puppet. This is done as a Hash so that you don't end up with thousands of Puppet resources in your catalog. @note The Hash should be formatted as follows (each `fqdn` key maps to its own inner Hash):

    {
      'fqdn' => {
        'ensure'   => ('absent'|'present'), # Required
        'realms'   => ['REALM1', 'REALM2'], # Optional. Will be auto upcased.
        'services' => ['svc1','svc2']       # Optional
      }
    }

    @note This will be combined with the auto-generated hosts if `$auto_generate` is `true`.

  • purge (Boolean) (defaults to: true)

    If set, purge any keytab directories for systems that we don't know about (neither listed in `$hosts` nor discovered automatically).
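    Because the class is private, its parameters are set through Hiera automatic parameter lookup rather than declared directly. The following is an added example, not part of the module's documentation; it assumes `krb5::kdc` declares this class on the KDC node, and the realm, host names and service names are constructed values.

```yaml
# Constructed Hiera data for a KDC node (example values only).
# Keys follow Puppet automatic parameter lookup: <class>::<parameter>.
krb5::kdc::auto_keytabs::introspect: true
krb5::kdc::auto_keytabs::output_dir: '/var/kerberos/krb5kdc/generated_keytabs'
krb5::kdc::auto_keytabs::all_known: false
krb5::kdc::auto_keytabs::user: 'root'
krb5::kdc::auto_keytabs::group: 'puppet'

# Default REALM for hosts that do not list their own. It is auto-upcased,
# so 'example.com' would resolve to the same realm.
krb5::kdc::auto_keytabs::realms: 'EXAMPLE.COM'

# Service principals added to every host in addition to host/<fqdn>.
krb5::kdc::auto_keytabs::global_services:
  - 'nfs'

krb5::kdc::auto_keytabs::hosts:
  # Yields host/web01.example.com@EXAMPLE.COM, nfs/... (global) and HTTP/...
  # in generated_keytabs/web01.example.com/krb5.keytab
  'web01.example.com':
    ensure: 'present'
    services:
      - 'HTTP'
  # Multi-realm host: the single krb5.keytab under
  # generated_keytabs/db01.example.com/ holds entries for both realms.
  'db01.example.com':
    ensure: 'present'
    realms:
      - 'EXAMPLE.COM'
      - 'CORP.EXAMPLE.COM'
  # Decommissioned host: removed explicitly instead of relying on purge.
  'old-app.example.com':
    ensure: 'absent'

# Remove keytab directories for hosts that are neither listed above nor
# discovered by introspection, so stale credentials do not linger on the KDC.
krb5::kdc::auto_keytabs::purge: true
```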

Author:

  • Trevor Vaughan <tvaughan@onyxpoint.com>

# File 'manifests/kdc/auto_keytabs.pp', line 60

class krb5::kdc::auto_keytabs (
  Boolean                        $introspect      = true,
  Optional[Stdlib::Absolutepath] $output_dir      = undef,
  Boolean                        $all_known       = false,
  String                         $user            = 'root',
  String                         $group           = 'puppet',
  String                         $realms          = simplib::lookup('krb5::kdc::auto_realm', { 'default_value' => $facts['networking']['domain'] }),
  Array[String]                  $global_services = [],
  Boolean                        $purge           = true,
  Hash[String,
    Struct[{'ensure'             => Enum['absent','present'],
            Optional['realms']   => Array[String],
            Optional['services'] => Array[String]
    }]
  ]                              $hosts           = {}
) inherits krb5::kdc {

  assert_private()

  if $output_dir {
    $_output_dir = $output_dir
  }
  else {
    $_output_dir = '__default__'
  }

  krb5kdc_auto_keytabs { $_output_dir:
    introspect      => $introspect,
    all_known       => $all_known,
    user            => $user,
    group           => $group,
    realms          => $realms,
    global_services => $global_services,
    hosts           => $hosts,
    purge           => $purge
  }
}