Merge pull request #88 from ccin2p3/kerberos_parameters

Kerberos auth support in security config

README.md

@@ -14,8 +14,9 @@ Puppetforge: https://forge.puppetlabs.com/HEPPuppet/htcondor
 2. [Module Description - What does the module do?](#module-description)
 3. [Setup - The basics of getting started with htcondor](#setup)
 4. [Singularity container support](#singularity)
-5. [Limitations - OS compatibility, etc.](#limitations)
-6. [Development - Guide for contributing to the module](#development)
+5. [Kerberos authentication support](#kerberos)
+6. [Limitations - OS compatibility, etc.](#limitations)
+7. [Development - Guide for contributing to the module](#development)
 	* [Contributing to the htcondor module](#contributing)
     * [Running tests - A quick guide](#running-tests)
 
@@ -95,6 +96,20 @@ The same holds for setting `SINGULARITY_HOME`: This ensures non-interactive jobs
 
 The Image may also be an expression to allow for user configuration, more details on that are provided in the [HTCondor documentation](https://research.cs.wisc.edu/htcondor/manual/latest/3_17Singularity_Support.html).
 
+## Kerberos
+The module provides support for Kerberos auth, to the extent to which this is implemented in HTCondor.
+
+Example configuration parameters could be:
+```
+use_kerberos_auth => true,
+krb_srv_keytab    => '/etc/condor/condor.keytab',
+krb_srv_principal => 'condor-daemon/$(FULL_HOSTNAME)@MYREALM',
+krb_srv_user      => 'condor-daemon',
+use_krb_map_file  => true,
+krb_mapfile_entries => {'REALM1' =>'realm1', 'REALM2' => 'realm2'},
+```
+This will deploy a map file containing the entries listed in the `krb_mapfile_entries` hash. The keytab, however, is not deployed through this module and has to be placed to a path corresponding to `krb_srv_keytab`, with the appropriate owner and mode.
+
 ## Limitations
 ### General
 

manifests/config/security.pp

@@ -1,4 +1,12 @@
-class htcondor::config::security {
+class htcondor::config::security (
+  $krb_srv_keytab      = $htcondor::krb_srv_keytab,
+  $krb_srv_principal   = $htcondor::krb_srv_principal,
+  $krb_srv_user        = $htcondor::krb_srv_user,
+  $krb_srv_service     = $htcondor::krb_srv_service,
+  $krb_client_keytab   = $htcondor::krb_client_keytab,
+  $krb_mapfile_entries = $htcondor::krb_mapfile_entries,
+)
+{
   # general - manifest or 1 or more configs
   $condor_user                  = $htcondor::condor_user
   $condor_group                 = $htcondor::condor_group
@@ -21,7 +29,7 @@
 
   $use_krb_map_file             = $htcondor::use_krb_map_file
   $krb_map_file                 = $htcondor::krb_map_file
-  $krb_map_file_source          = $htcondor::krb_map_file_source
+  $krb_map_file_template        = $htcondor::krb_map_file_template
 
   $ssl_server_keyfile           = $htcondor::ssl_server_keyfile
   $ssl_client_keyfile           = $htcondor::ssl_client_keyfile
@@ -108,10 +116,10 @@
   if $use_kerberos_auth {
     if $use_krb_map_file {
       file { $krb_map_file:
-        ensure => present,
-        source => $krb_map_file_source,
-        owner  => $condor_user,
-        group  => $condor_group,
+        ensure  => present,
+        content => template($krb_map_file_template),
+        owner   => $condor_user,
+        group   => $condor_group,
       }
     }
   }

manifests/init.pp

@@ -197,7 +197,13 @@
   $cert_map_file                  = $htcondor::params::cert_map_file,
   $cert_map_file_source           = $htcondor::params::cert_map_file_source,
   $krb_map_file                   = $htcondor::params::krb_map_file,
-  $krb_map_file_source            = $htcondor::params::krb_map_file_source,
+  $krb_map_file_template          = $htcondor::params::krb_map_file_template,
+  $krb_srv_keytab                 = undef,
+  $krb_srv_principal              = undef,
+  $krb_srv_user                   = undef,
+  $krb_srv_service                = undef,
+  $krb_client_keytab              = undef,
+  $krb_mapfile_entries            = {},
   $ssl_server_keyfile             = $htcondor::params::ssl_server_keyfile,
   $ssl_client_keyfile             = $htcondor::params::ssl_client_keyfile,
   $ssl_server_certfile            = $htcondor::params::ssl_server_certfile,

manifests/params.pp

@@ -119,7 +119,7 @@
   )
   $krb_map_file                   = hiera('krb_map_file', '/etc/condor/kerberos_mapfile'
   )
-  $krb_map_file_source            = hiera('krb_map_file_source', "puppet:///modules/${module_name}/kerberos_mapfile"
+  $krb_map_file_template          = hiera('krb_map_file_template', "${module_name}/mapfile.kmap.erb"
   )
   $machine_list_prefix            = hiera('machine_list_prefix', 'condor_pool@$(UID_DOMAIN)/'
   )

templates/10_security.config.erb

@@ -97,6 +97,21 @@ SEC_ENABLE_MATCH_PASSWORD_AUTHENTICATION = True
 <% if @use_krb_map_file then -%>
 KERBEROS_MAP_FILE = <%= @krb_map_file %>
 <% end -%>
+<% if (defined?(@krb_srv_keytab)) then -%>
+KERBEROS_SERVER_KEYTAB = <%= @krb_srv_keytab %>
+<% end -%>
+<% if (defined?(@krb_srv_principal)) then -%>
+KERBEROS_SERVER_PRINCIPAL = <%= @krb_srv_principal %>
+<% end -%>
+<% if (defined?(@krb_srv_user)) then -%>
+KERBEROS_SERVER_USER = <%= @krb_srv_user %>
+<% end -%>
+<% if (defined?(@krb_srv_service)) then -%>
+KERBEROS_SERVER_SERVICE = <%= @krb_srv_service %>
+<% end -%>
+<% if (defined?(@krb_client_keytab)) then -%>
+KERBEROS_CLIENT_KEYTAB = <%= @krb_client_keytab %>
+<% end -%>
 <% end -%>
 <% if @use_password_auth then -%>
 SEC_PASSWORD_FILE = /etc/condor/pool_password

templates/mapfile.kmap.erb

@@ -0,0 +1,5 @@
+<% if @krb_mapfile_entries.any? -%>
+<% @krb_mapfile_entries.each do |realm, domain| -%>
+<%=realm -%> = <%=domain %>
+<% end -%>
+<% end -%>