diff --git a/roles/ipa/server/files/sweeper.py b/roles/ipa/server/files/sweeper.py
new file mode 100644
index 0000000000..9bf88745d4
--- /dev/null
+++ b/roles/ipa/server/files/sweeper.py
@@ -0,0 +1,84 @@
+#!/usr/bin/env python3
+# Works with both python2 and python3; please preserve this property
+
+# Copyright (C) 2016 mod_auth_gssapi contributors - See COPYING for (C) terms
+
+# If one uses both sessions and unique ccache names, then the filesystem will
+# become littered with ccache files unless the accessed application cleans
+# them up itself. This script will minimize ccache file proliferation by
+# removing any ccaches that have expired from the filesystem, and serves as an
+# example of how this cleaning can be performed.
+
+# gssproxy note: in order to sweep credentials, the sweeper needs to connect
+# to gssproxy as if it were mod_auth_gssapi. In the configuration provided
+# with mod_auth_gssapi (80-httpd.conf), this just consists of matching the
+# gssproxy uid - so run it as the appropriate user (i.e., apache). Custom
+# configurations require careful consideration of how to match the sweeper
+# connection to the correct service in gssproxy; this script is just an
+# example. This script will not attempt to contact gssproxy unless -g is
+# passed.
+
+import argparse
+import os
+import stat
+import time
+
+# try importing this first to provide a more useful error message
+import gssapi
+del gssapi
+try:
+ from gssapi.raw import acquire_cred_from
+except ImportError:
+ print("Your GSSAPI does not provide cred store extension; exiting!")
+ exit(1)
+
+
+# process file as a ccache and indicate whether it is expired
+def should_delete(fname, t):
+ try:
+ # skip directories and other non-files
+ st = os.stat(fname)
+ if not stat.S_ISREG(st.st_mode):
+ return False
+
+ # ignore files that are newer than 30 minutes
+ if t - st.st_mtime < 30 * 60:
+ return False
+
+ creds = acquire_cred_from({b"ccache": fname.encode("UTF-8")})
+ except FileNotFoundError:
+ # someone else did the work for us
+ return False
+ except Exception as e:
+ print("Not deleting %s due to error %s" % (fname, e))
+ return False
+
+ return creds.lifetime == 0
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(description="Sweep expired ccaches")
+ parser.add_argument("-g", dest="gssproxy", action="store_true",
+ help="is gssproxy in use (default: no)")
+ parser.add_argument("dirs", nargs='+')
+ args = parser.parse_args()
+
+ if args.gssproxy:
+ os.environ["GSS_USE_PROXY"] = "yes"
+ os.environ["GSSPROXY_BEHAVIOR"] = "REMOTE_FIRST"
+
+ print("System looks okay; running sweeper...")
+
+ t = time.time()
+
+ for basedir in args.dirs:
+ os.chdir(basedir)
+ print("Sweeping %s" % basedir)
+
+ for fname in os.listdir(basedir):
+ if should_delete(fname, t):
+ os.unlink(fname)
+
+ print("Sweeper finished successfully!")
+ exit(0)
+
diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml
index 472c67d9d9..5adc172e13 100644
--- a/roles/ipa/server/tasks/main.yml
+++ b/roles/ipa/server/tasks/main.yml
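Review bot: `os.listdir(basedir)` is called after `os.chdir(basedir)`, so a relative directory argument is looked up inside itself and fails with ENOENT, and each further relative entry in `dirs` resolves against the previous one; the bare `fname` handed to `should_delete` and `os.unlink` only works because of that chdir. Drop the chdir and carry the full path instead: `path = os.path.join(basedir, fname)`, `if should_delete(path, t):`, `os.unlink(path)`. Because the accompanying cron task runs this as root, it also matters that `os.stat` in `should_delete` follows symlinks, so a link left in the swept directory would have root open its target as a ccache; `st = os.lstat(fname)` keeps the `S_ISREG` check from accepting links. `except FileNotFoundError` is a Python 3-only name despite the header comment promising Python 2 compatibility; `except (IOError, OSError)` with an errno check would hold for both.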
@@ -675,3 +675,22 @@
 tags:
 - ipa/server
 - config
+
+- name: Copy sweeper script to /usr/local/bin/
+ copy:
+ src: sweeper.py
+ dest: /usr/local/bin/sweeper
+ mode: 0755
+ tags:
+ - ipa/server
+ - config
+
+- name: Set sweeper script on a cron schedule
+ cron:
+ name: "clean up mod_auth_gssapi tokens"
+ hour: "3"
+ user: root
+ job: "python3 sweeper"
+ tags:
+ - ipa/server
+ - config
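Review bot: The cron entry `job: "python3 sweeper"` will fail on every run: `python3` treats `sweeper` as a script path relative to cron's working directory rather than a PATH lookup, and the script declares `dirs` with `nargs='+'`, so with no directory given argparse exits with a usage error before sweeping anything. Use the installed absolute path and name the ccache directory, e.g. `job: "/usr/local/bin/sweeper <CCACHE_DIR>"` with `<CCACHE_DIR>` replaced by the directory mod_auth_gssapi writes to on this host. The script's own header says that when gssproxy fronts httpd's credentials the sweeper must run as the matching user with `-g`; this task runs it as `user: root` without `-g`, which is only right if the ccaches are plain files root can read directly, so that deserves confirming for this deployment. A `minute:` value is also needed, since the `cron` module defaults it to `*`, which makes `hour: "3"` start the sweeper every minute of that hour.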