From 3977d4fc1c955e1263c54ab60a02c49ff7e53830 Mon Sep 17 00:00:00 2001 From: William Dyson Date: Mon, 19 Jul 2021 14:32:29 +0100 Subject: [PATCH 1/4] removed krb5_server dependency on krb5_client Signed-off-by: William Dyson --- roles/infrastructure/ca_certs/meta/main.yml | 2 +- .../infrastructure/krb5_client/meta/main.yml | 3 ++- .../krb5_client/tasks/freeipa.yml | 25 +++++++++++++------ .../infrastructure/krb5_client/tasks/mit.yml | 7 ------ .../templates/krb5.conf.j2 | 0 roles/infrastructure/krb5_conf/meta/main.yml | 17 +++++++++++++ roles/infrastructure/krb5_conf/tasks/main.yml | 18 +++++++++++++ roles/infrastructure/krb5_conf/tasks/mit.yml | 22 ++++++++++++++++ .../krb5_conf/templates/krb5.conf.j2 | 22 ++++++++++++++++ .../infrastructure/krb5_server/meta/main.yml | 3 ++- .../infrastructure/krb5_server/tasks/mit.yml | 2 +- .../krb5_server/vars/Debian.yml | 1 + .../krb5_server/vars/RedHat.yml | 1 + .../infrastructure/krb5_server/vars/Suse.yml | 4 ++- .../security/tls_install_certs/tasks/main.yml | 8 +++++- 15 files changed, 114 insertions(+), 21 deletions(-) rename roles/infrastructure/{krb5_client => krb5_common}/templates/krb5.conf.j2 (100%) create mode 100644 roles/infrastructure/krb5_conf/meta/main.yml create mode 100644 roles/infrastructure/krb5_conf/tasks/main.yml create mode 100644 roles/infrastructure/krb5_conf/tasks/mit.yml create mode 100644 roles/infrastructure/krb5_conf/templates/krb5.conf.j2 diff --git a/roles/infrastructure/ca_certs/meta/main.yml b/roles/infrastructure/ca_certs/meta/main.yml index 830dd2a1..46ffa6c4 100644 --- a/roles/infrastructure/ca_certs/meta/main.yml +++ b/roles/infrastructure/ca_certs/meta/main.yml @@ -14,4 +14,4 @@ --- dependencies: - - role: cloudera.cluster.infrastructure.ca_common \ No newline at end of file + - role: cloudera.cluster.infrastructure.ca_common diff --git a/roles/infrastructure/krb5_client/meta/main.yml b/roles/infrastructure/krb5_client/meta/main.yml index ea97a5b0..78c6a212 100644 
--- a/roles/infrastructure/krb5_client/meta/main.yml +++ b/roles/infrastructure/krb5_client/meta/main.yml @@ -14,4 +14,5 @@ --- dependencies: - - role: cloudera.cluster.infrastructure.krb5_common \ No newline at end of file + - role: cloudera.cluster.infrastructure.krb5_common + - role: cloudera.cluster.infrastructure.krb5_conf diff --git a/roles/infrastructure/krb5_client/tasks/freeipa.yml b/roles/infrastructure/krb5_client/tasks/freeipa.yml index 783dc389..7621424b 100644 --- a/roles/infrastructure/krb5_client/tasks/freeipa.yml +++ b/roles/infrastructure/krb5_client/tasks/freeipa.yml @@ -23,12 +23,21 @@ ipaclient_servers: "{{ groups['krb5_server'] }}" when: "krb5_kdc_type == 'Red Hat IPA' and 'krb5_server' in groups" -- name: Set sssd to enumerate users and groups +- name: Set up renew_lifetime in krb5.conf lineinfile: - path: /etc/sssd/sssd.conf - insertafter: "^\\[domain/.+\\]" - regexp: "^enumerate" - line: "enumerate = True" - when: "krb5_kdc_type == 'Red Hat IPA' and 'krb5_server' in groups" - notify: - - restart sssd \ No newline at end of file + path: /etc/krb5.conf + insertafter: "^\\[libdefaults\\]" + regexp: "^ renew_lifetime" + line: " renew_lifetime = 7d" + when: + - krb5_kdc_type == 'Red Hat IPA' + - "'cluster' in group_names or 'cloudera_manager' in group_names" + +- name: Remove default_ccache_name in krb5.conf + lineinfile: + path: /etc/krb5.conf + regexp: "^ default_ccache_name" + state: absent + when: + - krb5_kdc_type == 'Red Hat IPA' + - "'cluster' in group_names or 'cloudera_manager' in group_names" diff --git a/roles/infrastructure/krb5_client/tasks/mit.yml b/roles/infrastructure/krb5_client/tasks/mit.yml index b6415115..5f9fcc01 100644 --- a/roles/infrastructure/krb5_client/tasks/mit.yml +++ b/roles/infrastructure/krb5_client/tasks/mit.yml 
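Review bot: Both new lineinfile tasks anchor their regexps on exactly one leading space (`regexp: "^ renew_lifetime"`, `regexp: "^ default_ccache_name"`); if the krb5.conf written by the IPA client installer indents `[libdefaults]` entries with a different amount of whitespace (two spaces is common, though the file is not shown here), the `state: absent` removal silently matches nothing and `default_ccache_name` stays in effect, while `renew_lifetime` is inserted after the section header next to any existing entry instead of replacing it. `regexp: "^\\s*renew_lifetime"` and `regexp: "^\\s*default_ccache_name"` keep the intent without depending on the installer's formatting. Neither task sets `backup:`, unlike the `Create krb5.conf` template task this series moves into krb5_conf; `backup: true` would let an operator recover the installer-generated file if the edit goes wrong.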
@@ -22,10 +22,3 @@ lock_timeout: "{{ (ansible_os_family == 'RedHat') | ternary(60, omit) }}" name: "{{ krb5_packages }}" state: present - -- name: Create krb5.conf - template: - src: "{{ krb5_conf_template | default('krb5.conf.j2') }}" - dest: /etc/krb5.conf - backup: yes - when: not (skip_krb5_conf_distribution | default(False)) \ No newline at end of file diff --git a/roles/infrastructure/krb5_client/templates/krb5.conf.j2 b/roles/infrastructure/krb5_common/templates/krb5.conf.j2 similarity index 100% rename from roles/infrastructure/krb5_client/templates/krb5.conf.j2 rename to roles/infrastructure/krb5_common/templates/krb5.conf.j2 diff --git a/roles/infrastructure/krb5_conf/meta/main.yml b/roles/infrastructure/krb5_conf/meta/main.yml new file mode 100644 index 00000000..ea97a5b0 --- /dev/null +++ b/roles/infrastructure/krb5_conf/meta/main.yml @@ -0,0 +1,17 @@ +# Copyright 2021 Cloudera, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +dependencies: + - role: cloudera.cluster.infrastructure.krb5_common \ No newline at end of file diff --git a/roles/infrastructure/krb5_conf/tasks/main.yml b/roles/infrastructure/krb5_conf/tasks/main.yml new file mode 100644 index 00000000..9749f5bc --- /dev/null +++ b/roles/infrastructure/krb5_conf/tasks/main.yml 
@@ -0,0 +1,18 @@ +# Copyright 2021 Cloudera, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +- name: Setup MIT KRB5 Configuration + when: krb5_kdc_type != 'Red Hat IPA' + ansible.builtin.include_tasks: mit.yml diff --git a/roles/infrastructure/krb5_conf/tasks/mit.yml b/roles/infrastructure/krb5_conf/tasks/mit.yml new file mode 100644 index 00000000..0c814276 --- /dev/null +++ b/roles/infrastructure/krb5_conf/tasks/mit.yml @@ -0,0 +1,22 @@ +# Copyright 2021 Cloudera, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- + +- name: Create krb5.conf + template: + src: "{{ krb5_conf_template | default('krb5.conf.j2') }}" + dest: /etc/krb5.conf + backup: yes + when: not (skip_krb5_conf_distribution | default(False)) diff --git a/roles/infrastructure/krb5_conf/templates/krb5.conf.j2 b/roles/infrastructure/krb5_conf/templates/krb5.conf.j2 new file mode 100644 index 00000000..f04e2a86 --- /dev/null +++ b/roles/infrastructure/krb5_conf/templates/krb5.conf.j2 
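Review bot: The relocated `Create krb5.conf` task writes `/etc/krb5.conf` with no explicit `mode:` or `owner:`, so on a host where the file does not yet exist its permissions fall to whatever the template module and the remote umask produce; since clients and the KDC both read it, pin `mode: "0644"` (quoted, to avoid the unquoted-octal trap) and write the boolean as `backup: true` rather than `backup: yes`. The sibling krb5_conf/tasks/main.yml added in this commit uses the FQCN `ansible.builtin.include_tasks` while this file uses the short `template:` name; one convention per role reads better.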
@@ -0,0 +1,22 @@ +[libdefaults] +default_realm = {{ krb5_realm|upper }} +dns_lookup_kdc = false +dns_lookup_realm = false +ticket_lifetime = 1d +renew_lifetime = 7d +forwardable = true +default_tgs_enctypes = {{ krb5_enc_types }} +default_tkt_enctypes = {{ krb5_enc_types }} +permitted_enctypes = {{ krb5_enc_types }} +udp_preference_limit = 1 +kdc_timeout = 3000 + +[realms] +{{ krb5_realm|upper }} = { + kdc = {{ krb5_kdc_host | default(groups['krb5_server'][0]) }} + admin_server = {{ krb5_kdc_host | default(groups['krb5_server'][0]) }} +} + +[domain_realm] +.{{ ansible_domain }} = {{ krb5_realm|upper }} +{{ ansible_domain }} = {{ krb5_realm|upper }} diff --git a/roles/infrastructure/krb5_server/meta/main.yml b/roles/infrastructure/krb5_server/meta/main.yml index 87f7147e..78c6a212 100644 --- a/roles/infrastructure/krb5_server/meta/main.yml +++ b/roles/infrastructure/krb5_server/meta/main.yml @@ -14,4 +14,5 @@ --- dependencies: - - role: cloudera.cluster.infrastructure.krb5_client + - role: cloudera.cluster.infrastructure.krb5_common + - role: cloudera.cluster.infrastructure.krb5_conf diff --git a/roles/infrastructure/krb5_server/tasks/mit.yml b/roles/infrastructure/krb5_server/tasks/mit.yml index be2153f2..7429b238 100644 --- a/roles/infrastructure/krb5_server/tasks/mit.yml +++ b/roles/infrastructure/krb5_server/tasks/mit.yml @@ -49,4 +49,4 @@ state: restarted enabled: yes with_items: - - "{{ krb5_services }}" \ No newline at end of file + - "{{ krb5_services }}" diff --git a/roles/infrastructure/krb5_server/vars/Debian.yml b/roles/infrastructure/krb5_server/vars/Debian.yml index 45522874..5f5c2c1f 100644 --- a/roles/infrastructure/krb5_server/vars/Debian.yml +++ b/roles/infrastructure/krb5_server/vars/Debian.yml @@ -18,6 +18,7 @@ krb5_kdc_database: /var/lib/krb5kdc/principal krb5_packages: - krb5-kdc - krb5-admin-server + - krb5-user krb5_services: - krb5-kdc - krb5-admin-server 
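Review bot: This commit adds krb5.conf.j2 as a new file under krb5_conf/templates while the diffstat also records the same template renamed 100% from krb5_client/templates to krb5_common/templates, leaving two identical copies; nothing visible in this series references the krb5_common copy (krb5_conf/tasks/mit.yml resolves `krb5.conf.j2` from its own role), so it looks orphaned and will drift. In `[realms]`, `kdc` and `admin_server` both fall back to `groups['krb5_server'][0]`, and with `dns_lookup_kdc = false` that fallback is the only source of the KDC address; when neither `krb5_kdc_host` nor a krb5_server group exists the render fails with an undefined-variable error rather than a clear message, so an `assert` that `krb5_kdc_host is defined or 'krb5_server' in groups` before the template task would surface the misconfiguration earlier.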
diff --git a/roles/infrastructure/krb5_server/vars/RedHat.yml b/roles/infrastructure/krb5_server/vars/RedHat.yml index 1a11fe10..45287b8a 100644 --- a/roles/infrastructure/krb5_server/vars/RedHat.yml +++ b/roles/infrastructure/krb5_server/vars/RedHat.yml @@ -18,6 +18,7 @@ krb5_kdc_database: "{{ krb5_kdc_state_directory }}/principal" krb5_packages: - krb5-libs - krb5-server + - krb5-workstation krb5_services: - krb5kdc - kadmin diff --git a/roles/infrastructure/krb5_server/vars/Suse.yml b/roles/infrastructure/krb5_server/vars/Suse.yml index e7f1e9ba..befda1d1 100644 --- a/roles/infrastructure/krb5_server/vars/Suse.yml +++ b/roles/infrastructure/krb5_server/vars/Suse.yml @@ -13,4 +13,6 @@ # limitations under the License. --- -krb5_packages: krb5-server +krb5_packages: + - krb5-server + - krb5-client diff --git a/roles/security/tls_install_certs/tasks/main.yml b/roles/security/tls_install_certs/tasks/main.yml index ff4f48a9..a575f22c 100644 --- a/roles/security/tls_install_certs/tasks/main.yml +++ b/roles/security/tls_install_certs/tasks/main.yml @@ -24,7 +24,13 @@ path: "{{ tls_signed_certs_dir }}/cluster_intca.pem" - alias: cluster_rootca path: "{{ tls_signed_certs_dir }}/cluster_rootca.pem" - when: tls_ca_certs is not defined + when: tls_ca_certs is not defined and 'ca_server' in groups + +- set_fact: + tls_ca_certs: + - alias: cluster_ca + path: "{{ tls_signed_certs_dir }}/cluster_ca.pem" + when: tls_ca_certs is not defined and krb5_kdc_type | defaut(None) == 'Red Hat IPA' - name: Check if signed cert is available become: no From b595f6c88b3db7b5eb6000cf6e32d68ae157fc86 Mon Sep 17 00:00:00 2001 From: William Dyson Date: Thu, 30 Sep 2021 11:45:55 +0100 Subject: [PATCH 2/4] replaced the ca_certs role with tasks in tls_install_certs 
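Review bot: The new FreeIPA `set_fact` condition uses `krb5_kdc_type | defaut(None)` — the filter name is misspelled, so on any host where tls_ca_certs is not already defined the task errors with an unknown-filter message instead of evaluating the condition; it should read `when: tls_ca_certs is not defined and krb5_kdc_type | default(None) == 'Red Hat IPA'` (PATCH 2/4 of this series makes that correction). The two `set_fact` tasks are also order-dependent: when both a ca_server group and an IPA KDC are present the first one wins, because the second is gated on `tls_ca_certs is not defined`. If that precedence is intended, a comment above the first task such as `# ca_server CA takes precedence over the IPA CA when both are present` would keep the next maintainer from reordering them.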
Signed-off-by: William Dyson --- roles/infrastructure/ca_certs/meta/main.yml | 17 ---------- roles/infrastructure/ca_certs/tasks/clean.yml | 19 ----------- roles/infrastructure/ca_certs/tasks/fetch.yml | 27 --------------- .../security/tls_install_certs/tasks/main.yml | 34 +++++++++++++++---- 4 files changed, 28 insertions(+), 69 deletions(-) delete mode 100644 roles/infrastructure/ca_certs/meta/main.yml delete mode 100644 roles/infrastructure/ca_certs/tasks/clean.yml delete mode 100644 roles/infrastructure/ca_certs/tasks/fetch.yml diff --git a/roles/infrastructure/ca_certs/meta/main.yml b/roles/infrastructure/ca_certs/meta/main.yml deleted file mode 100644 index 46ffa6c4..00000000 --- a/roles/infrastructure/ca_certs/meta/main.yml +++ /dev/null @@ -1,17 +0,0 @@ -# Copyright 2021 Cloudera, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -dependencies: - - role: cloudera.cluster.infrastructure.ca_common diff --git a/roles/infrastructure/ca_certs/tasks/clean.yml b/roles/infrastructure/ca_certs/tasks/clean.yml deleted file mode 100644 index bc16179e..00000000 --- a/roles/infrastructure/ca_certs/tasks/clean.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -# Copyright 2021 Cloudera, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -- name: Clean CA Certs directory - file: - name: "{{ ca_server_root_path }}" - state: absent \ No newline at end of file diff --git a/roles/infrastructure/ca_certs/tasks/fetch.yml b/roles/infrastructure/ca_certs/tasks/fetch.yml deleted file mode 100644 index c5dfd8db..00000000 --- a/roles/infrastructure/ca_certs/tasks/fetch.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright 2021 Cloudera, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -- name: Fetch CA Certs - fetch: - src: "{{ cert.src }}" - dest: "{{ cert.dest }}" - flat: yes - loop: - - src: "{{ ca_server_root_cert_path }}" - dest: "{{ local_temp_dir }}/certs/cluster_rootca.pem" - - src: "{{ ca_server_intermediate_cert_path }}" - dest: "{{ local_temp_dir }}/certs/cluster_intca.pem" - loop_control: - loop_var: cert 
diff --git a/roles/security/tls_install_certs/tasks/main.yml b/roles/security/tls_install_certs/tasks/main.yml index a575f22c..e15ba342 100644 --- a/roles/security/tls_install_certs/tasks/main.yml +++ b/roles/security/tls_install_certs/tasks/main.yml @@ -18,19 +18,36 @@ tls_signed_certs_dir: "{{ local_certs_dir }}" when: tls_signed_certs_dir is not defined +# remote certificates for ca_server ca - set_fact: tls_ca_certs: - - alias: cluster_intca - path: "{{ tls_signed_certs_dir }}/cluster_intca.pem" - alias: cluster_rootca - path: "{{ tls_signed_certs_dir }}/cluster_rootca.pem" + path: "{{ ca_server_root_cert_path }}" + remote_host: "{{ groups.ca_server | first }}" + - alias: cluster_intca + path: "{{ ca_server_intermediate_cert_path }}" + remote_host: "{{ groups.ca_server | first }}" when: tls_ca_certs is not defined and 'ca_server' in groups +# remote certificates for freeipa ca - set_fact: tls_ca_certs: - alias: cluster_ca - path: "{{ tls_signed_certs_dir }}/cluster_ca.pem" - when: tls_ca_certs is not defined and krb5_kdc_type | defaut(None) == 'Red Hat IPA' + path: "/etc/ipa/ca.crt" + remote_host: "{{ groups.krb5_server | first | default(omit) }}" + when: tls_ca_certs is not defined and krb5_kdc_type | default(None) == 'Red Hat IPA' + +- name: Fetch the remote CA certs + fetch: + src: "{{ cert.path }}" + dest: "{{ tls_signed_certs_dir }}/{{ cert.alias }}.pem" + flat: yes + run_once: yes + delegate_to: "{{ cert.remote_host }}" + loop: "{{ tls_ca_certs }}" + loop_control: + loop_var: cert + when: cert.remote_host is defined - name: Check if signed cert is available become: no @@ -61,7 +78,12 @@ - name: Copy CA certs to hosts copy: - src: "{{ cacert.path }}" + src: >- + {{ + tls_signed_certs_dir ~ '/' ~ cacert.alias ~ '.pem' + if cacert.remote_host is defined + else cacert.path + }} dest: "{{ base_dir_security_pki }}/{{ cacert.alias }}.pem" mode: 0644 loop: "{{ tls_ca_certs }}" From 611142153213e3781f1a45cacbe3a80a2a16be81 Mon Sep 17 00:00:00 2001 
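Review bot: `Fetch the remote CA certs` loops over `{{ tls_ca_certs }}` with no default, so on a host where neither `set_fact` fired (no ca_server group and a non-IPA KDC) and the user did not supply tls_ca_certs, the task fails on an undefined variable before its `when:` is evaluated; `loop: "{{ tls_ca_certs | default([]) }}"` preserves the skip behaviour the `when: cert.remote_host is defined` guard is clearly meant to give. In the FreeIPA `set_fact`, `remote_host: "{{ groups.krb5_server | first | default(omit) }}"` either fails on the missing group before `default` is reached or stores the omit placeholder string in the fact — in neither case is the key actually omitted, so the `is defined` guard would presumably still pass and `delegate_to` would receive the placeholder; gating that `set_fact` with `and 'krb5_server' in groups` and dropping `default(omit)` avoids relying on that. `run_once: yes` and `flat: yes` read better as `true`.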
From: William Dyson Date: Tue, 8 Feb 2022 18:55:18 +0000 Subject: [PATCH 3/4] added verification for FreeIPA TLS and clients Signed-off-by: William Dyson --- roles/verify/inventory/tasks/main.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/roles/verify/inventory/tasks/main.yml b/roles/verify/inventory/tasks/main.yml index 36da2737..26af2c35 100644 --- a/roles/verify/inventory/tasks/main.yml +++ b/roles/verify/inventory/tasks/main.yml @@ -32,3 +32,18 @@ not ( 'ca_server' in groups and krb5_kdc_type == "Red Hat IPA") }} + +- block: + - set_fact: + cluster_hosts: >- + {{ groups.cluster | default([]) + | union(groups.cloudera_manager | default([])) + }} + + - name: Ensure that all hosts requiring TLS certificates have a FreeIPA client + assert: + that: >- + {{ groups.tls | difference(cluster_hosts) | length == 0 }} + when: + - krb5_kdc_type == "Red Hat IPA" + - not (skip_ipa_signing | default(false)) From 9d69201795ec63c13d16e384e8c504cb52c7accc Mon Sep 17 00:00:00 2001 From: William Dyson Date: Fri, 15 Jul 2022 10:20:25 +0100 Subject: [PATCH 4/4] corrected note on ca certificates in freeipa docs Signed-off-by: William Dyson --- docs/freeipa.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/docs/freeipa.md b/docs/freeipa.md index 4efcac14..d466a40d 100644 --- a/docs/freeipa.md +++ b/docs/freeipa.md @@ -47,14 +47,6 @@ The playbook will not provision a firewall around the FreeIPA server. ## FreeIPA CA signed certificates or externally signed certificates? -In both cases, you'll want to refer to each CA certificate used (particularly important if you are using a different CA) by adding entries to `tls_ca_certs` e.g. (IPA CA) - -``` -tls_ca_certs: - - path: /etc/ipa/ca.crt - alias: ipaca -``` - ### FreeIPA CA signed certificates Here, nothing has to be done. 
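Review bot: The new assertion wraps its expression in `{{ }}` inside `that:`, which Ansible already evaluates as a conditional, so it triggers the "conditional statements should not include jinja2 templating delimiters" warning; and `groups.tls` has no default, so an inventory with no tls group fails on an undefined variable rather than passing the check. Write `that: "groups.tls | default([]) | difference(cluster_hosts) | length == 0"` and add a message naming the offenders, e.g. `fail_msg: "Hosts in 'tls' without a FreeIPA client: {{ groups.tls | default([]) | difference(cluster_hosts) }}"`, so the operator sees which hosts would end up with certificates the IPA CA cannot sign. The `set_fact` inside the block registers `cluster_hosts` on every host for the rest of the play; a `vars:` entry on the block keeps it local to this check.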
@@ -67,6 +59,15 @@ In this case, please set `skip_ipa_signing` to `true`. This will cause the playbook to stop after generating CSRs – identical to the non-FreeIPA case. +You will also need to configure your CA certificate like so (where `/path/to/ca.crt` is a path on the controller host): +``` +tls_ca_certs: + - path: /path/to/ca.crt + alias: clusterca +``` + +This will ensure that the generated truststore includes your external CA. + ## AutoTLS or playbook configured? ### AutoTLS