Ryan Lerch
3c41882bb0
Replaces references to shell: with ansible.builtin.shell Signed-off-by: Ryan Lerch <rlerch@redhat.com>
156 lines
4.1 KiB
YAML
156 lines
4.1 KiB
YAML
---
|
|
- name: Determine whether we need to get keytab
|
|
stat: path={{kt_location}}
|
|
register: keytab_status
|
|
check_mode: no
|
|
changed_when: "1 != 1"
|
|
tags:
|
|
- keytab
|
|
- config
|
|
- krb5
|
|
|
|
- name: Create host entry
|
|
include_role:
|
|
name: ipa/host
|
|
tags:
|
|
- keytab
|
|
- config
|
|
- krb5
|
|
when: not keytab_status.stat.exists and service == "host"
|
|
|
|
- name: Create service entry
|
|
include_role:
|
|
name: ipa/service
|
|
tags:
|
|
- keytab
|
|
- config
|
|
- krb5
|
|
when: not keytab_status.stat.exists and service != "host"
|
|
|
|
- name: Get admin ticket
|
|
delegate_to: "{{ ipa_server }}"
|
|
ansible.builtin.shell: echo "{{ipa_admin_password}}" | kinit admin
|
|
check_mode: no
|
|
changed_when: "1 != 1"
|
|
tags:
|
|
- keytab
|
|
- config
|
|
- krb5
|
|
when: not keytab_status.stat.exists
|
|
|
|
- name: Grant host and admin access to keytab
|
|
delegate_to: "{{ ipa_server }}"
|
|
ansible.builtin.command: ipa host-allow-retrieve-keytab {{host}} --hosts={{inventory_hostname}} --users=admin
|
|
register: perm_add_result
|
|
check_mode: no
|
|
changed_when: "'members added 1' in perm_add_result.stdout or 'members added 2' in perm_add_result.stdout"
|
|
failed_when: "not ('members added' in perm_add_result.stdout)"
|
|
tags:
|
|
- keytab
|
|
- config
|
|
- krb5
|
|
when: not keytab_status.stat.exists and service == "host"
|
|
|
|
- name: Grant host and admin access to keytab
|
|
delegate_to: "{{ ipa_server }}"
|
|
ansible.builtin.command: ipa service-allow-retrieve-keytab {{service}}/{{host}} --hosts={{inventory_hostname}} --users=admin
|
|
register: perm_add_result
|
|
check_mode: no
|
|
changed_when: "'members added 1' in perm_add_result.stdout or 'members added 2' in perm_add_result.stdout"
|
|
failed_when: "not ('members added' in perm_add_result.stdout)"
|
|
tags:
|
|
- keytab
|
|
- config
|
|
- krb5
|
|
when: not keytab_status.stat.exists and service != "host"
|
|
|
|
- name: Retrieve keytab
|
|
delegate_to: "{{ ipa_server }}"
|
|
ansible.builtin.command: ipa-getkeytab --retrieve --server {{ipa_server}} --keytab /tmp/{{service}}_{{host}}.kt --principal {{service}}/{{host}}
|
|
register: retrieve_result
|
|
check_mode: no
|
|
changed_when: "1 != 1"
|
|
failed_when: "not ('Keytab successfully retrieved' in retrieve_result.stderr or 'krbPrincipalKey not found' in retrieve_result.stderr)"
|
|
tags:
|
|
- keytab
|
|
- config
|
|
- krb5
|
|
when: not keytab_status.stat.exists
|
|
|
|
- name: Create keytab if it did not exist
|
|
delegate_to: "{{ ipa_server }}"
|
|
ansible.builtin.command: ipa-getkeytab --server {{ipa_server}} --keytab /tmp/{{service}}_{{host}}.kt --principal {{service}}/{{host}}
|
|
tags:
|
|
- keytab
|
|
- config
|
|
- krb5
|
|
when: not keytab_status.stat.exists and 'krbPrincipalKey not found' in retrieve_result.stderr
|
|
|
|
- name: Destroy admin ticket
|
|
delegate_to: "{{ ipa_server }}"
|
|
ansible.builtin.command: kdestroy -A
|
|
tags:
|
|
- keytab
|
|
- config
|
|
- krb5
|
|
when: not keytab_status.stat.exists
|
|
|
|
- name: Get keytab
|
|
delegate_to: "{{ ipa_server }}"
|
|
ansible.builtin.command: base64 /tmp/{{service}}_{{host}}.kt
|
|
register: keytab
|
|
check_mode: no
|
|
tags:
|
|
- keytab
|
|
- config
|
|
- krb5
|
|
when: not keytab_status.stat.exists
|
|
|
|
- name: Destroy stored keytab
|
|
delegate_to: "{{ ipa_server }}"
|
|
ansible.builtin.file: path=/tmp/{{service}}_{{host}}.kt state=absent
|
|
tags:
|
|
- keytab
|
|
- config
|
|
- krb5
|
|
when: not keytab_status.stat.exists
|
|
|
|
- name: Deploy base64 keytab
|
|
ansible.builtin.copy: dest={{kt_location}}.b64
|
|
content={{keytab.stdout}}
|
|
owner={{owner_user}} group={{owner_group}} mode=0600
|
|
tags:
|
|
- keytab
|
|
- config
|
|
- krb5
|
|
when: not keytab_status.stat.exists
|
|
|
|
- name: Base64-decode keytab
|
|
ansible.builtin.shell: "umask 077 && base64 -d {{kt_location}}.b64 >{{kt_location}}"
|
|
tags:
|
|
- keytab
|
|
- config
|
|
- krb5
|
|
when: not keytab_status.stat.exists
|
|
|
|
- name: Destroy encoded keytab
|
|
ansible.builtin.file: path={{kt_location}}.b64 state=absent
|
|
tags:
|
|
- keytab
|
|
- config
|
|
- krb5
|
|
|
|
- name: Set keytab permissions
|
|
ansible.builtin.file: path={{kt_location}} owner={{owner_user}} group={{owner_group}} mode=0640 state=file
|
|
tags:
|
|
- keytab
|
|
- config
|
|
- krb5
|
|
|
|
- name: Set keytab ACL
|
|
acl: name={{kt_location}} entity={{extra_acl_user}} etype=user permissions=r state=present
|
|
tags:
|
|
- keytab
|
|
- config
|
|
- krb5
|
|
when: extra_acl_user is defined
|