"...node/git@gitlab.cyberbrain.pw:mirror/kubespray.git" did not exist on "e5426f74a8d65c0f6646ece0f449edf7f83e038f"
Newer
Older
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
Thomas Woerner
committed
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'supported_by': 'community',
'status': ['preview'],
}
DOCUMENTATION = '''
---
module: ipajoin
short description: Join a machine to an IPA realm and get a keytab for the host service principal
description:
Join a machine to an IPA realm and get a keytab for the host service principal
options:
servers:
description: The FQDN of the IPA servers to connect to.
required: false
Thomas Woerner
committed
domain:
description: The primary DNS domain of an existing IPA deployment.
required: false
realm:
description: The Kerberos realm of an existing IPA deployment.
required: true
Thomas Woerner
committed
hostname:
description: The hostname of the machine to join (FQDN).
required: true
description: The name or address of the host running the KDC.
Thomas Woerner
committed
basedn:
description: The basedn of the IPA server (of the form dc=example,dc=com).
required: true
principal:
description: The authorized kerberos principal used to join the IPA realm.
required: false
password:
description: The password to use if not using Kerberos to authenticate.
required: false
keytab:
description: The path to a backed-up host keytab from previous enrollment.
required: false
ca_cert_file:
description: A CA certificate to use. Do not acquire the IPA CA certificate via automated means.
required: false
Thomas Woerner
committed
force_join:
description: Force enrolling the host even if host entry exists.
required: false
kinit_attempts:
description: Repeat the request for host Kerberos ticket X times.
required: false
Thomas Woerner
committed
debug:
description: Enable debug mode.
required: false
author:
- Thomas Woerner
'''
EXAMPLES = '''
Thomas Woerner
committed
# Join IPA to get the keytab
- name: Join IPA in force mode with maximum 5 kinit attempts
ipajoin:
servers: ["server1.example.com","server2.example.com"]
domain: example.com
realm: EXAMPLE.COM
kdc: server1.example.com
basedn: dc=example,dc=com
hostname: client1.example.com
principal: admin
password: MySecretPassword
force_join: yes
kinit_attempts: 5
# Join IPA to get the keytab using ipadiscovery return values
- name: Join IPA
ipajoin:
servers: "{{ ipadiscovery.servers }}"
domain: "{{ ipadiscovery.domain }}"
realm: "{{ ipadiscovery.realm }}"
kdc: "{{ ipadiscovery.kdc }}"
basedn: "{{ ipadiscovery.basedn }}"
hostname: "{{ ipadiscovery.hostname }}"
principal: admin
password: MySecretPassword
'''
RETURN = '''
'''
import os
import tempfile
import gssapi
from ansible.module_utils.basic import AnsibleModule
from ipalib import errors
from ipaplatform.paths import paths
from ipapython.dn import DN
from ipalib.install import sysrestore
from ipalib.install.kinit import kinit_keytab, kinit_password
from ipaclient.install.client import configure_krb5_conf, get_ca_certs, SECURE_PATH, CCACHE_FILE
from ipapython.ipautil import realm_to_suffix, run
import logging
logger = logging.getLogger("ipa-client-install")
def main():
module = AnsibleModule(
argument_spec = dict(
servers=dict(required=True, type='list'),
Thomas Woerner
committed
domain=dict(required=True),
realm=dict(required=True),
hostname=dict(required=True),
Thomas Woerner
committed
kdc=dict(required=True),
basedn=dict(required=True),
principal=dict(required=False),
Thomas Woerner
committed
password=dict(required=False, no_log=True),
keytab=dict(required=False),
ca_cert_file=dict(required=False),
Thomas Woerner
committed
force_join=dict(required=False, type='bool'),
kinit_attempts=dict(required=False, type='int'),
Thomas Woerner
committed
debug=dict(required=False, type='bool'),
Thomas Woerner
committed
required_one_of = (['principal', 'keytab'],
['password', 'keytab']),
supports_check_mode = True,
)
module._ansible_debug = True
servers = module.params.get('servers')
Thomas Woerner
committed
domain = module.params.get('domain')
realm = module.params.get('realm')
hostname = module.params.get('hostname')
Thomas Woerner
committed
basedn = module.params.get('basedn')
kdc = module.params.get('kdc')
force_join = module.params.get('force_join')
principal = module.params.get('principal')
password = module.params.get('password')
keytab = module.params.get('keytab')
ca_cert_file = module.params.get('ca_cert_file')
kinit_attempts = module.params.get('kinit_attempts')
Thomas Woerner
committed
debug = module.params.get('debug')
client_domain = hostname[hostname.find(".")+1:]
nolog = tuple()
env = {'PATH': SECURE_PATH}
fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
host_principal = 'host/%s@%s' % (hostname, realm)
sssd = True
class Object(object):
pass
options = Object()
options.ca_cert_file = ca_cert_file
options.unattended = True
options.principal = principal
options.force = False
Thomas Woerner
committed
options.password = password
try:
(krb_fd, krb_name) = tempfile.mkstemp()
os.close(krb_fd)
configure_krb5_conf(
cli_realm=realm,
cli_domain=domain,
cli_server=servers,
cli_kdc=kdc,
dnsok=False,
filename=krb_name,
client_domain=client_domain,
client_hostname=hostname,
configure_sssd=sssd,
force=False)
env['KRB5_CONFIG'] = krb_name
ccache_dir = tempfile.mkdtemp(prefix='krbcc')
ccache_name = os.path.join(ccache_dir, 'ccache')
join_args = [paths.SBIN_IPA_JOIN,
"-s", servers[0],
"-b", str(realm_to_suffix(realm)),
"-h", hostname]
Thomas Woerner
committed
if debug:
join_args.append("-d")
env['XMLRPC_TRACE_CURL'] = 'yes'
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
if force_join:
join_args.append("-f")
if principal:
if principal.find('@') == -1:
principal = '%s@%s' % (principal, realm)
try:
kinit_password(principal, password, ccache_name,
config=krb_name)
except RuntimeError as e:
module.fail_json(
msg="Kerberos authentication failed: {}".format(e))
elif keytab:
join_args.append("-f")
if os.path.exists(keytab):
try:
kinit_keytab(host_principal,
keytab,
ccache_name,
config=krb_name,
attempts=kinit_attempts)
except gssapi.exceptions.GSSError as e:
module.fail_json(
msg="Kerberos authentication failed: {}".format(e))
else:
module.fail_json(
msg="Keytab file could not be found: {}".format(keytab))
elif password:
join_args.append("-w")
join_args.append(password)
Thomas Woerner
committed
nolog = (password,)
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = ccache_name
# Get the CA certificate
try:
os.environ['KRB5_CONFIG'] = env['KRB5_CONFIG']
get_ca_certs(fstore, options, servers[0], basedn, realm)
del os.environ['KRB5_CONFIG']
except errors.FileError as e:
module.fail_json(msg='%s' % e)
except Exception as e:
module.fail_json(msg="Cannot obtain CA certificate\n%s" % e)
# Now join the domain
result = run(
join_args, raiseonerr=False, env=env, nolog=nolog,
capture_error=True)
stderr = result.error_output
if result.returncode != 0:
module.fail_json(msg="Joining realm failed: %s" % stderr)
else:
module.log("Enrolled in IPA realm %s" % realm)
start = stderr.find('Certificate subject base is: ')
if start >= 0:
start = start + 29
subject_base = stderr[start:]
subject_base = subject_base.strip()
subject_base = DN(subject_base)
Thomas Woerner
committed
if principal:
run(["kdestroy"], raiseonerr=False, env=env)
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
# Obtain the TGT. We do it with the temporary krb5.conf, so that
# only the KDC we're installing under is contacted.
# Other KDCs might not have replicated the principal yet.
# Once we have the TGT, it's usable on any server.
try:
kinit_keytab(host_principal, paths.KRB5_KEYTAB, CCACHE_FILE,
config=krb_name,
attempts=kinit_attempts)
env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = CCACHE_FILE
except gssapi.exceptions.GSSError as e:
# failure to get ticket makes it impossible to login and bind
# from sssd to LDAP, abort installation and rollback changes
module.fail_json(msg="Failed to obtain host TGT: %s" % e)
finally:
try:
os.remove(krb_name)
except OSError:
module.fail_json(msg="Could not remove %s" % krb_name)
try:
os.rmdir(ccache_dir)
except OSError:
pass
try:
os.remove(krb_name + ".ipabkp")
except OSError:
module.fail_json(msg="Could not remove %s.ipabkp" % krb_name)
Thomas Woerner
committed
module.exit_json(changed=True)
if __name__ == '__main__':
main()