[36026] in Kerberos
Re: Puppet remctl module
daemon@ATHENA.MIT.EDU (Remi Ferrand)
Fri Apr 11 11:19:07 2014
Message-ID: <534807D6.5090702@cc.in2p3.fr>
Date: Fri, 11 Apr 2014 17:18:46 +0200
From: Remi Ferrand <remi.ferrand@cc.in2p3.fr>
MIME-Version: 1.0
To: Russ Allbery <eagle@eyrie.org>
In-Reply-To: <87ha6044fp.fsf@windlord.stanford.edu>
Cc: kerberos@mit.edu
Content-Type: multipart/mixed; boundary="===============0034214345=="
Errors-To: kerberos-bounces@mit.edu
This is a cryptographically signed message in MIME format.
--===============0034214345==
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
micalg=sha1; boundary="------------ms030004000708070004020805"
This is a cryptographically signed message in MIME format.
--------------ms030004000708070004020805
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
On 11/04/2014 11:10, Russ Allbery wrote:
> For example, for kadmin-remctl, our local remctl
> configuration is:
>
> kadmin change_passwd /usr/sbin/kadmin-backend logmask=3D3,4 \
> ANYUSER
> kadmin check_passwd /usr/sbin/kadmin-backend logmask=3D3 \
> /etc/remctl/acl/kadmin-examine /etc/remctl/acl/its-idg
> kadmin create /usr/sbin/kadmin-backend logmask=3D3 \
> /etc/remctl/acl/kadmin-create
> kadmin delete /usr/sbin/kadmin-backend \
> /etc/remctl/acl/kadmin-delete
> kadmin disable /usr/sbin/kadmin-backend \
> /etc/remctl/acl/kadmin-enable
> kadmin enable /usr/sbin/kadmin-backend \
> /etc/remctl/acl/kadmin-enable
> kadmin examine /usr/sbin/kadmin-backend \
> /etc/remctl/acl/kadmin-examine /etc/remctl/acl/its-idg \
> /etc/remctl/acl/security /etc/remctl/acl/data-admin \
> /etc/remctl/acl/data-view
> kadmin help /usr/sbin/kadmin-backend \
> ANYUSER
> kadmin instance /usr/sbin/kadmin-backend logmask=3D5 \
> /etc/remctl/acl/kadmin-instance
> kadmin reset_passwd /usr/sbin/kadmin-backend logmask=3D3 \
> /etc/remctl/acl/kadmin-reset
> kadmin check_expire /usr/sbin/kadmin-backend \
> /etc/remctl/acl/kadmin-check-expire
> kadmin expiration /usr/sbin/kadmin-backend \
> /etc/remctl/acl/kadmin-expiration
> kadmin pwexpiration /usr/sbin/kadmin-backend \
> /etc/remctl/acl/kadmin-expiration
Hi Russ and thanks for your remarks !
I've just created and released version 1.1.0 (available at
https://forge.puppetlabs.com/ccin2p3/remctl).
> A few other, more minor points I noticed:
>
> * You define the remctl port in /etc/services to be whatever the port
> parameter passed to the remctl::server class is. I don't think this =
is
> formally correct. The only officially-registered port for remctl is
> 4373, and that's really the only thing that should be added to
> /etc/services. It's quite possible someone would want to run remctld=
on
> a non-standard port but still have that port properly associated with=
> some other service.
>
> Instead, I would add the remctl port to /etc/services if and only if =
it
> is set to 4373, and otherwise use type =3D UNLISTED in the xinetd
> configuration so that it will work without an /etc/services entry.
> That's what our internal Puppet model does. (It's otherwise not as
> useful because it assumes a lot of Stanford-specific things.)
You're absolutely right, thanks for raising this, v1.1.0 should have
fixed this.
>
> * If the remctl port definition is missing from /etc/services, you
> currently add it for both tcp and udp. The dual registration is an
> artifact of the IANA port registration process. I can pretty much
> guarantee that there will never be a remctl UDP service, so when addi=
ng
> the service to /etc/services on systems that don't have it listed, I
> would only bother adding TCP.
> * Just for completion's sake, it would be nice to have a remctl::client=
> class that installs the package needed for the client. That would be=
> fairly trivial: just remctl on Red Hat and remctl-client on Debian.
>
Unfortunately I had to break our interface for class
remctl::server::command by introducing a new mandatory parameter
"command" that now allow to write any of the configuration you pasted abo=
ve.
For fun', I've tried to write some of them:
# kadmin change_passwd /usr/sbin/kadmin-backend logmask=3D3,4 \
# ANYUSER
# kadmin examine /usr/sbin/kadmin-backend \
# /etc/remctl/acl/kadmin-examine /etc/remctl/acl/its-idg \
# /etc/remctl/acl/security /etc/remctl/acl/data-admin \
# /etc/remctl/acl/data-view
could be obtained from this puppet manifest:
$_remctl_acl_its_idg =3D "file:${remctl::server::acldir}/its-idg"
$_remctl_acl_security =3D "file:${remctl::server::acldir}/security"
remctl::server::command { 'kadmin_change_passwd':
command =3D> 'kadmin',
subcommand =3D> 'change_passwd',
executable =3D> '/usr/sbin/kadmin-backend',
options =3D> {
'logmask' =3D> '3,4'
},
acls =3D> ['ANYUSER']
}
remctl::server::command { 'kadmin_examine':
command =3D> 'kadmin',
subcommand =3D> 'examine',
executable =3D> '/usr/sbin/kadmin-backend',
acls =3D> [
"file:${remctl::server::acldir}/kadmin-examine",
"${_remctl_acl_its_idg}",
"${_remctl_acl_security}",
"file:${remctl::server::acldir}/data-admin",
"file:${remctl::server::acldir}/data-view"
]
}
The way the module is coded (and also the way puppet works) makes it
more easy for me to explode every subcommand in a dedicated file.
In the example above, file "/etc/remctl/conf.d/kadmin_examine" will be
created and its content will describe "examine" subcommand of command
"kadmin".
I agree that this will result in multiple small files but:
* (for what I know) puppet handles more easily small dedicated files
(like in /etc/yum.repos.d) than one monolithic file.
* defining each subcommand as a separate "remctl::server::command"
"puppet object" allow to factorize some declarations ("subcommand_1" and
"subcommand_2" could be declared; and "subcommand_1" could be defined on
host A but not on host B for instance).
The only way I know to create a single file per command with many
subcommands would be to do something like this:
remctl::server::command { 'kadmin':
subcommand =3D> [
{
'name' =3D> 'change_passwd',
'executable' =3D> '/usr/sbin/kadmin-backend',
'options' =3D> { 'logmask' =3D> '3,4' }
'acls' =3D> ['ANYUSER']
},
{
'name' =3D> 'examine',
...
}
]
}
I don't like this "pass a Hash or Dict" approach because when using
puppet "defined types", all the checks and intelligence has to be
written in templates which is something that I try to avoid.
I hope that this new version will be closer to the "remctl subcommand
model".
Cheers
R=E9mi
--------------ms030004000708070004020805--
--===============0034214345==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--===============0034214345==--
