masson/core/krb5_server/configure.coffee.md

Module execution engine for cluster deployments.

## Kerberos Server Configure

*   `krb5_server.{realm}.ldap_manager_dn` (string)   
    The LDAP user with read and write access to the realm dn
    defined by the `ldap_realms_dn` property. Default to the 
    `openldap_server.krb5.manager_dn` property if you have one OpenLDAP server with 
    kerberos support declared inside the cluster by the 
    "masson/core/openldap\_server\_krb5" module, otherwise required.      
*   `krb5_server.{realm}.ldap_manager_password` (string)   
    The password of the LDAP user with read and write access to the realm dn
    defined by the `ldap_realms_dn` property. Default to the 
    `openldap_server.krb5.manager_password` property if you have one OpenLDAP server with 
    kerberos support declared inside the cluster by the 
    "masson/core/openldap\_server\_krb5" module, otherwise required.      
*   `krb5_server.{realm}.ldap_realms_dn` (string)   
    The location where to store the realms inside the LDAP tree. Default to the 
    `openldap_server.krb5.realms_dn` property if you have one OpenLDAP server with 
    kerberos support declared inside the cluster by the 
    "masson/core/openldap\_server\_krb5" module, otherwise required.   

Example:

```json
{
  "admin": {
    "HADOOP.RYBA": {
      "default_domain": "ryba",
      "kadmin_principal": "wdavidw/admin@HADOOP.RYBA",
      "kadmin_password": "test",
      "kdc_master_key": "test",
      "database_module": "mydbmodule",
      "principals": [{
        "principal": "wdavidw@HADOOP.RYBA",
        "password": "test"
      },{
        "principal": "krbtgt/HADOOP.RYBA@USERS.RYBA",
        "password": "test"
      }]
    }
  }
}
```

    export default (service) ->
      options = service.options
      options.fqdn = service.node.fqdn

## Validation

      throw new Error "Expect at least one server with action \"masson/core/openldap_server\"" if not service.deps.openldap_server or service.deps.openldap_server.length is 0

## Configuration

      options.iptables ?= service.deps.iptables and service.deps.iptables.options.action is 'start'
      # Prepare configuration for "kdc.conf"
      options.root_dn ?= service.deps.openldap_server[0].options.root_dn
      options.root_password ?= service.deps.openldap_server[0].options.root_password

## HA

High availability for the KDC is based on a master-slave architecture. If not 
declared in the configuration, the first KDC found is considered the master. To 
declare the master server, set the property "config.{realm}.master" to "true" 
on the appropriate node.
The property `ha_deploy_master` describes which host is used to initialized the realm db.
ryba will first execute operation on this host and enable the slave replication aftwerwards.


      options.ha_deploy_master ?= {}
      for realm, config of options.admin
        config.ha = service.deps.krb5_server.length > 1
        if config.ha
          master_count = service.deps.krb5_server.filter( (srv) -> srv.options.admin?[realm]?.master ).length
          options.ha_deploy_master[realm] ?= service.deps.krb5_server.filter( (srv) -> srv.options.admin?[realm]?.master )[0]?.node.fqdn if master_count is 1
          throw Error 'Invalid configuration: more than one KDC server' if master_count > 1
          if master_count is 0
            mutate service.deps.krb5_server[0].options, admin: "#{realm}": master: true
            options.ha_deploy_master[realm] ?= service.deps.krb5_server[0].node.fqdn

## kdc.conf

The kdc.conf file supplements krb5.conf for programs which are typically only 
used on a KDC, such as the krb5kdc and kadmind daemons and the kdb5_util 
program. Relations documented here may also be specified in krb5.conf; for the 
KDC programs mentioned, krb5.conf and kdc.conf will be merged into a single 
configuration profile.

      # Default values
      options.kdc_conf ?= {}
      options.kdc_conf = merge
        'libdefaults': {}
        'kdcdefaults':
          'kdc_ports': '88'
          'kdc_tcp_ports': '88'
        'realms': {}
        'logging':
            'kdc': 'FILE:/var/log/kdc.log'
      , options.kdc_conf
      # throw Error 'Required option: kdc_conf.libdefaults.default_realm' unless options.kdc_conf.libdefaults.default_realm
      for realm, config of options.admin
        config.admin_server ?= service.node.fqdn
        config.realm ?= realm
        options.kdc_conf.realms[realm] ?= {}
        options.kdc_conf.libdefaults.default_realm ?= realm
      for realm, config of options.kdc_conf.realms
        admin = options.admin[realm]
        # DB module
        options.kdc_conf.dbmodules ?= {}
        options.kdc_conf.dbmodules[admin.database_module] = merge
          'db_library': 'kldap'
          'ldap_kerberos_container_dn': service.deps.openldap_server[0].options.krb5.kerberos_dn
          'ldap_kdc_dn': service.deps.openldap_server[0].options.krb5.kdc_user.dn
          'ldap_kdc_password': service.deps.openldap_server[0].options.krb5.kdc_user.userPassword
           # this object needs to have read rights on
           # the realm container, principal container and realm sub-trees
          'ldap_kadmind_dn': service.deps.openldap_server[0].options.krb5.krbadmin_user.dn
          'ldap_kadmind_password': service.deps.openldap_server[0].options.krb5.krbadmin_user.userPassword
           # this object needs to have read and write rights on
           # the realm container, principal container and realm sub-trees
          'ldap_service_password_file': "/etc/krb5.d/#{admin.database_module}.stash.keyfile"
          # 'ldap_servers': 'ldapi:///'
          'ldap_servers': service.deps.openldap_server.map((srv) -> srv.options.uri).join ' '
          'ldap_conns_per_server': 5
          'kdc_master_key': admin.kdc_master_key
        , options.kdc_conf.dbmodules[admin.database_module]
        # Default realm configuration
        config = options.kdc_conf.realms[realm] = merge
          'kadmind_port': 749
          # 'kpasswd_port': 464 # http://www.opensource.apple.com/source/Kerberos/Kerberos-47/KerberosFramework/Kerberos5/Documentation/kadmin/kpasswd.protocol
          'max_life': '10h 0m 0s'
          'max_renewable_life': '7d 0h 0m 0s'
          #'master_key_type': 'aes256-cts'
          'master_key_type': 'aes256-cts-hmac-sha1-96'
          'default_principal_flags': '+preauth, +renewable, +forwardable'
          'acl_file': '/var/kerberos/krb5kdc/kadm5.acl'
          'dict_file': '/usr/share/dict/words'
          'admin_keytab': '/var/kerberos/krb5kdc/kadm5.keytab'
          #'supported_enctypes': 'aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal'
          'supported_enctypes': 'aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-hmac-sha1:normal arcfour-hmac-md5:normal'
        , options.kdc_conf.realms[realm]
        # Check if realm point to a database_module
        if config.database_module
          # Make sure this db module is registered
          dbmodules = Object.keys(options.kdc_conf.dbmodules).join ','
          valid = options.kdc_conf.dbmodules[config.database_module]?
          throw new Error "Property database_module: \"#{config.database_module}\" not in list: \"#{}\"" unless valid
        else if Object.keys(options.kdc_conf.dbmodules).length is 1
          database_module = Object.keys(options.kdc_conf.dbmodules)[0]
          config.database_module = admin.database_module
        else
          throw Error "Cannot associate realm with a database_module"
        config.principals ?= []
      # Now that we have db_modules and realms, filter and validate the used db_modules
      database_modules = for realm, config of options.kdc_conf.realms
        config.database_module
      for name, config of options.kdc_conf.dbmodules
        # Filter
        if database_modules.indexOf(name) is -1
          delete options.kdc_conf.dbmodules[name]
          continue
        # Validate
        throw new Error "Kerberos property `dbmodules.#{name}.kdc_master_key` is required" unless config.kdc_master_key
        throw new Error "Kerberos property `dbmodules.#{name}.ldap_kerberos_container_dn` is required" unless config.ldap_kerberos_container_dn
        throw new Error "Kerberos property `dbmodules.#{name}.ldap_kdc_dn` is required" unless config.ldap_kdc_dn
        throw new Error "Kerberos property `dbmodules.#{name}.ldap_kadmind_dn` is required" unless config.ldap_kadmind_dn

## Wait
    
      options.wait_ldap_client = service.deps.openldap_client.options.wait
      options.wait = {}
      options.wait.kadmin = for realm, config of options.kdc_conf.realms
        host: service.node.fqdn
        port: config.kadmind_port

## Dependencies

    {merge, mutate} = require 'mixme'