UNPKG

masson

Version:

Module execution engine for cluster deployments.

github.com/wdavidw/node-masson

wdavidw/node-masson

248 lines (201 loc) 8.42 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
--- title: SSSD module: masson/core/sssd layout: module --- # SSSD The System Security Services Daemon (SSSD) provides access to different identity and authentication providers. crypto = require 'crypto' each = require 'each' module.exports = [] module.exports.push 'masson/bootstrap/' module.exports.push 'masson/core/yum' module.exports.push 'masson/core/openldap_client' Option includes: * `sssd.certificates` (array) List of certificates to be uploaded to the server. * `sssd.merge` Merge the configuration with the one already present on the server, default to false. * `sssd.force_check` Force check commands to be executed on each run, default to false * `sssd.config` * `sssd.certificates` * `sssd.services` (array|string) List of services to install, default to `['sssd', 'sssd-client', 'pam_krb5', 'pam_ldap']` * `sssd.test_user` Example: ```json { "sssd": { "test_user": "test" "force_check": true "config": "domain/my_domain": "cache_credentials": "True" "ldap_search_base": "ou=users,dc=adaltas,dc=com" "ldap_group_search_base": "ou=groups,dc=adaltas,dc=com" "id_provider": "ldap" "auth_provider": "ldap" "chpass_provider": "ldap" "ldap_uri": "ldaps://master3.hadoop:636" "ldap_tls_cacertdir": "/etc/openldap/cacerts" "ldap_default_bind_dn": "cn=Manager,dc=adaltas,dc=com" "ldap_default_authtok": "test" "ldap_id_use_start_tls": "False" "sssd": "config_file_version": "2" "reconnection_retries": "3" "sbus_timeout": "30" "services": "nss, pam" "domains": "my_domain" "nss": "filter_groups": "root" "filter_users": "root" "reconnection_retries": "3" "entry_cache_timeout": "300" "entry_cache_nowait_percentage": "75" "pam": "reconnection_retries": "3" "offline_credentials_expiration": "2" "offline_failed_login_attempts": "3" "offline_failed_login_delay": "5" "certificates": [ "#{__dirname}/certs-master3/master3.hadoop.ca.cer" ] } } ``` module.exports.push (ctx) -> ctx.config.sssd ?= {} ctx.config.sssd.certificates ?= [] ctx.config.sssd.merge ?= false ctx.config.sssd.force_check ?= false ctx.config.sssd.config ?= {} ctx.config.sssd.services ?= ['sssd', 'sssd-client', 'pam_krb5', 'pam_ldap'] #, 'sssd-tools' ctx.config.sssd.services = ctx.config.sssd.services.split ' ' if typeof ctx.config.sssd.services is 'string' ctx.config.sssd.test_user ?= null ## Install Install the services defined by the "sssd.services" property. By default, the following service: "sssd", "sssd-client", "pam\_krb5", "pam\_ldap" and "sssd-tools". It also ensures SSSD is marked as a startup service. module.exports.push name: 'SSSD # Install', timeout: -1, callback: (ctx, next) -> {services} = ctx.config.sssd services = for name in services then name: name modified = true do_install = -> ctx.service services, (err, serviced) -> return next err if err modified = true if serviced do_startup() do_startup = -> ctx.service name: 'sssd' startup: true , (err, serviced) -> return next err if err modified = true if serviced do_end() do_end = -> next null, if modified then ctx.OK else ctx.PASS do_install() ## Certificates Certificates are temporarily uploaded to the "/tmp" folder and registered with the command `authconfig --update --ldaploadcacert={file}`. module.exports.push name: 'SSSD # Certificates', callback: (ctx, next) -> {certificates} = ctx.config.sssd modified = false each(certificates) .on 'item', (certificate, next) -> hash = crypto.createHash('md5').update(certificate).digest('hex') ctx.upload source: certificate destination: "/tmp/#{hash}" , (err) -> return next err if err ctx.execute # openssh is executed remotely cmd: "openssl x509 -noout -hash -in /tmp/#{hash}; rm -rf /tmp/#{hash}" , (err, _, stdout) -> return next err if err stdout = stdout.trim() ctx.upload source: certificate destination: "/etc/openldap/cacerts/#{stdout}.0" , (err, uploaded) -> return next err if err modified = true if uploaded next() .on 'both', (err) -> next err, if modified then ctx.OK else ctx.PASS ## Configure Update the SSSD configuration file present in "/etc/sssd/sssd.conf" with the values defined in the "sssd.config" property. The destination file is by default overwritten unless the "sssd.merge" is `true`. module.exports.push name: 'SSSD # Configure', timeout: -1, callback: (ctx, next) -> {merge, config} = ctx.config.sssd ctx.ini content: config destination: '/etc/sssd/sssd.conf' merge: merge mode: 0o600 , (err, written) -> # return next err, ctx.PASS unless written options = # Configures the password, shadow, group, and netgroups services maps to use the SSSD module # https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/Configuration_Options-NSS_Configuration_Options.html sssd: true # Create home directories for users on their first login mkhomedir: true # To use an LDAP identity store, use the --enableldap. To use LDAP as the authentication source, use --enableldapauth. # https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Configuring_Authentication.html#sect-The_Authentication_Configuration_Tool-Command_Line_Version ldap: false ldapauth: false # Enable SSSD for system authentication # https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/Configuration_Options-PAM_Configuration_Options.html sssdauth: false # Update configuration files with changed settings cmd = 'authconfig --update' for k, v of options cmd += if v then " --enable#{k}" else " --disable#{k}" {ldap_uri, ldap_search_base} = config['domain/default']? cmd += "--ldapserver=#{ldap_uri}" if ldap_uri cmd += "--ldapbasedn=#{ldap_search_base}" if ldap_search_base ctx.execute cmd: cmd , (err, executed) -> return next err if err ctx.service name: 'sssd' action: 'restart' , (err, restarted) -> next err, if written then ctx.OK else ctx.PASS ## Check NSS Check if NSS is correctly configured by executing the command `getent passwd $user`. The command is only executed if a test user is defined by the "sssd.test_user" property. module.exports.push name: 'SSSD # Check NSS', callback: (ctx, next) -> {test_user, force_check} = ctx.config.sssd return next() unless test_user ctx.fs.exists '/var/db/masson/sssd_getent_passwd', (err, exists) -> # return next err, ctx.PASS if (err or exists) and not force_check ctx.execute cmd: "getent passwd #{test_user}" , (err, executed, stdout, stderr) -> return next err if err ctx.touch destination: '/var/db/masson/sssd_getent_passwd' , (err, written) -> next err, ctx.OK ## Check PAM Check if PAM is correctly configured by executing the command `sh -l $user -c 'touch .masson_check_pam'`. This is only executed if a test user is defined by the "sssd.test_user" property. module.exports.push name: 'SSSD # Check PAM', callback: (ctx, next) -> {test_user, force_check} = ctx.config.sssd return next() unless test_user ctx.execute cmd: "su -l #{test_user} -c 'touch .masson_check_pam'" # not_if_exists: if force_check then null else "/home/#{test_user}/.masson_check_pam" , (err, executed, stdout, stderr) -> return next err, if executed then ctx.OK else ctx.PASS