UNPKG

masson

Version:

Module execution engine for cluster deployments.

github.com/adaltas/node-masson

adaltas/node-masson

313 lines (282 loc) 13.1 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
# Kerberos Server Install Install the MIT Kerberos server with an OpenLDAP Back-End. Usefull server commands: * Backup the db: `kdb5_util dump /path/to/dumpfile` * Initialize realm: `kdb5_ldap_util -D "cn=Manager,dc=adaltas,dc=com" -w test create -subtrees "ou=kerberos,ou=services,dc=adaltas,dc=com" -r ADALTAS.COM -s -P test` * Load the db: `kdb5_util load -update /path/to/dumpfile` * Stash password: `kdb5_ldap_util -D "cn=Manager,dc=adaltas,dc=com" -w test stashsrvpw -f /etc/krb5.d/stash.keyfile cn=krbadmin,ou=users,dc=adaltas,dc=com` Resources: * [Kerberos with LDAP backend on centos](http://itdavid.blogspot.fr/2012/05/howto-centos-62-kerberos-kdc-with.html) * [Propagation](http://www-old.grantcohoe.com/guides/services/krb5-kdc) * [Replication](http://tldp.org/HOWTO/Kerberos-Infrastructure-HOWTO/server-replication.html) * [Kerberos with LDAP backend on ubuntu](http://labs.opinsys.com/blog/2010/02/05/setting-up-openldap-kerberos-on-ubuntu-10-04-lucid/) * [On Load Balancers and Kerberos](https://ssimo.org/blog/id_019.html) * [Kerberos With LDAP on centos 7](http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-provider.php) export default header: 'Kerberos Server Install', handler: ({options}) -> ## IPTables | Service | Port | Proto | Parameter | |------------|------|-------|--------------------------------------| | kadmin | 749 | tcp | `kdc_conf.kdcdefaults.kadmind_port` | | krb5kdc | 88 | upd | `kdc_conf.kdcdefaults.kdc_ports` | | krb5kdc | 88 | tcp | `kdc_conf.kdcdefaults.kdc_tcp_ports` | IPTables rules are only inserted if the parameter "iptables.action" is set to "start" (default value). rules = [] add_default_kadmind_port = false add_default_kdc_ports = false add_default_kdc_tcp_ports = false for realm, config of options.kdc_conf.realms if config.kadmind_port rules.push chain: 'INPUT', jump: 'ACCEPT', dport: config.kadmind_port, protocol: 'tcp', state: 'NEW', comment: "Kerberos administration server (kadmind daemon)" else add_default_kadmind_port = true if config.kdc_ports for port in config.kdc_ports.split /\s,/ rules.push chain: 'INPUT', jump: 'ACCEPT', dport: port, protocol: 'udp', state: 'NEW', comment: "Kerberos Authentication Service and Key Distribution Center (krb5kdc daemon)" else add_default_kdc_ports = true if config.kdc_tcp_ports kdc_tcp_ports = true for port in config.kdc_ports.split /\s,/ rules.push chain: 'INPUT', jump: 'ACCEPT', dport: port, protocol: 'tcp', state: 'NEW', comment: "Kerberos Authentication Service and Key Distribution Center (krb5kdc daemon)" else add_default_kdc_tcp_ports = true if add_default_kadmind_port port = options.kdc_conf.kdcdefaults.kadmind_port or '749' rules.push chain: 'INPUT', jump: 'ACCEPT', dport: port, protocol: 'tcp', state: 'NEW', comment: "Kerberos administration server (kadmind daemon)" if add_default_kdc_ports for port in (options.kdc_conf.kdcdefaults.kdc_ports or '88').split /\s,/ rules.push chain: 'INPUT', jump: 'ACCEPT', dport: port, protocol: 'udp', state: 'NEW', comment: "Kerberos Authentication Service and Key Distribution Center (krb5kdc daemon)" if add_default_kdc_tcp_ports for port in (options.kdc_conf.kdcdefaults.kdc_tcp_ports or '88').split /\s,/ rules.push chain: 'INPUT', jump: 'ACCEPT', dport: port, protocol: 'tcp', state: 'NEW', comment: "Kerberos Authentication Service and Key Distribution Center (krb5kdc daemon)" @tools.iptables header: 'IPTables' if: options.iptables rules: rules ## Package @service name: 'krb5-pkinit-openssl' @service name: 'krb5-server-ldap' startup: true chk_name: 'krb5kdc' @service name: 'krb5-server-ldap' startup: true chk_name: 'kadmin' @service name: 'krb5-workstation' ## Configuration The following files are updated: * "/etc/krb5.conf" client configuration * "/var/kerberos/krb5kdc/kadm5.acl" acl definition * "/var/kerberos/krb5kdc/kdc.conf" kdc server configuration * "/etc/sysconfig/kadmin" kadmin default realm * "/etc/sysconfig/krb5kdc" kdc default realm @call header: 'Configuration', -> any_realm = Object.keys(options.kdc_conf.realms)[0] @file write: for realm of options.kdc_conf.realms match: ///^\*/\w+@#{misc.regexp.escape realm}\s+\*///mg replace: "*/admin@#{realm} *" append: true target: '/var/kerberos/krb5kdc/kadm5.acl' backup: true @file.ini content: options.kdc_conf target: '/var/kerberos/krb5kdc/kdc.conf' stringify: misc.ini.stringify_brackets_then_curly backup: true @file target: '/etc/sysconfig/kadmin' match: /^KRB5REALM=.*$/mg replace: "KRB5REALM=#{any_realm}" backup: true @file target: '/etc/sysconfig/krb5kdc' match: /^KRB5REALM=.*$/mg replace: "KRB5REALM=#{any_realm}" backup: true @call if: -> @status() , -> @call 'masson/core/openldap_client/wait', options.wait_ldap_client @service srv_name: 'krb5kdc' state: 'restarted' @service srv_name: 'kadmin' state: 'restarted' ## Wait @call 'masson/core/openldap_client/wait' ## Ldap Krb5 entries @call header: 'LDAP DN', -> for realm, config of options.kdc_conf.realms continue unless config.database_module {kdc_master_key, ldap_kerberos_container_dn, ldap_servers} = options.kdc_conf.dbmodules[config.database_module] ldap_server = ldap_servers.split(' ')[0] @wait.execute header: 'Wait DN Access' cmd: """ ldapsearch -x -LLL \ -H #{ldap_server} -D \"#{options.root_dn}\" -w #{options.root_password} \ -b \"#{ldap_kerberos_container_dn}\" """ code_skipped: 32 @system.execute header: 'Realm Detection' shy: true cmd: """ ldapsearch -x \ -H #{ldap_server} -D \"#{options.root_dn}\" -w #{options.root_password} \ -b \"cn=#{realm},#{ldap_kerberos_container_dn}\" """ code_skipped: 32 # Note, kdb5_ldap_util is using /etc/krb5.conf (server version) @system.execute header: 'Realm Initialization' if: not options.admin[realm].ha or options.admin[realm].master cmd: """ kdb5_ldap_util \ -D \"#{options.root_dn}\" -w #{options.root_password} \ create -subtrees \"#{ldap_kerberos_container_dn}\" -r #{realm} -s -P #{kdc_master_key} """ unless: -> @status -1 @call header: 'LDAP Stash password', -> ssh = @ssh options.ssh for name, dbmodule of options.kdc_conf.dbmodules then do(name, dbmodule) => @log message: "Stash key file is: #{dbmodule.ldap_service_password_file}" keyfileContent = null @call (_, callback) -> @log message: 'Read current keyfile if it exists' @fs.readFile target: "#{dbmodule.ldap_service_password_file}" encoding: 'utf8' , (err, {data}) -> return callback null, true if err and err.code is 'ENOENT' return callback err if err keyfileContent = data callback null, false @system.mkdir target: path.dirname(dbmodule.ldap_service_password_file) if: -> @status -1 @call (_, callback) -> @log message: 'Stash password into local file for kadmin dn' ssh.shell (err, stream) => return callback err if err cmd = "#{if options.sudo then 'sudo'} kdb5_ldap_util -D \"#{options.root_dn}\" -w #{options.root_password} stashsrvpw -f #{dbmodule.ldap_service_password_file} #{dbmodule.ldap_kadmind_dn}" @log message: "Run `#{cmd}`" reentered = done = false stream.write "#{cmd}\n" stream.on 'data', (data, stderr) => # @log[if stderr then 'err' else 'out'].write data data = data.toString() if /Password for/.test data @log "Enter Password", level: 'INFO' stream.write "#{dbmodule.ldap_kadmind_password}\n" else if /Re-enter password for/.test data @log "Re-enter Password", level: 'INFO' stream.write "#{dbmodule.ldap_kadmind_password}\n\n" reentered = true else if reentered and not done done = true stream.end 'exit\n' stream.on 'exit', -> callback() @call (_, callback) -> return callback null, true unless keyfileContent @fs.readFile target: "#{dbmodule.ldap_service_password_file}" encoding: 'utf8' , (err, {data}) -> return callback err if err modified = if keyfileContent is data then false else true callback null, keyfileContent isnt data @call header: 'HA', -> {ha_deploy_master, root, ssh, sudo} = options @each options.admin, ({options}, next) -> realm_data = '' config = options.value return next() unless config.ha and not config.master @call (_, next_cb) -> node = nikita() @log message: "Delegate to: #{ha_deploy_master[config.realm]}" node.ssh.open host: ha_deploy_master[config.realm], ssh node.wait.exist target: "/var/kerberos/krb5kdc/.k5.#{config.realm}" node.call (_, cb) -> node.fs.readFile "/var/kerberos/krb5kdc/.k5.#{config.realm}", sudo: sudo, (err, {data}) => realm_data = data node.next cb node.ssh.close() node.next next_cb @call -> @fs.writeFile target: "/var/kerberos/krb5kdc/.k5.#{config.realm}" content: realm_data @next next @call header: 'Log', -> @file.touch target: '/var/log/krb5kdc.log' uid: 'root' @file.touch target: '/var/log/kadmind.log' uid: 'root' @file target: '/etc/rsyslog.conf' write: [ match: /.*krb5kdc.*/mg replace: 'if $programname == \'krb5kdc\' then /var/log/krb5kdc.log' append: '### RULES ###' , match: /.*kadmind.*/mg replace: 'if $programname == \'kadmind\' then /var/log/kadmind.log' append: '### RULES ###' ] @service.start name: 'krb5kdc' if: -> @status -1 @service.start name: 'kadmin' if: -> @status -2 @service srv_name: 'rsyslog' state: 'restarted' if: -> @status -3 @call header: 'Admin principal', -> for realm, admin of options.admin @krb5.addprinc if: admin.kadmin_principal # TODO: remove once krb5 client & server configs are splitted realm: realm principal: admin.kadmin_principal password: admin.kadmin_password @call header: 'Principals', -> for realm, config of options.kdc_conf.realms admin = options.admin[realm] # continue unless config.kadmin_principal # TODO: remove once krb5 client & server configs are splitted for principal in admin.principals @krb5.addprinc principal # TODO: no time to work on this, the idea is to modified kadmin startup # script to handle multiple kadmin server. Note, for `killproc` to stop # all instances, it seems that we need to set multiple pid files, here # a exemple: `/usr/sbin/kadmind -r USERS.ADALTAS.COM -P /var/run/kadmind1.pid` # write = [] # write.push match: /^(\s+)(daemon\s+.*)/mg, replace: "$1#$2" # for realm, _ of options.kdc_conf # replace: " daemon ${kadmind} -r" # append: /\s+#daemon\s+.*/ # @file # target: '/etc/init.d/kadmin' # write: write ## Dependencies fs = require 'ssh2-fs' path = require('path').posix each = require 'each' misc = require '@nikitajs/core/lib/misc' nikita = require 'nikita' mixme = require 'mixme' ## Notes Renewable tickets is per default disallowed in the most linux distributions. This can be done per: ```bash kadmin.local: modprinc -maxrenewlife 7day krbtgt/YOUR_REALM kadmin.local: modprinc -maxrenewlife 7day +allow_renewable hue/FQRN ```