2021 07 freeipa dep fix (#40)

* removed krb5_server dependency on krb5_client
* replaced the ca_certs role with tasks in tls_install_certs
* added verification for FreeIPA TLS and clients
* corrected note on ca certificates in freeipa docs

Signed-off-by: William Dyson <wdyson@cloudera.com>

Co-authored-by: William Dyson <wdyson@cloudera.com>

docs/freeipa.md

@@ -47,14 +47,6 @@ The playbook will not provision a firewall around the FreeIPA server.
 
 ## FreeIPA CA signed certificates or externally signed certificates?
 
-In both cases, you'll want to refer to each CA certificate used (particularly important if you are using a different CA) by adding entries to `tls_ca_certs` e.g. (IPA CA)
-
-```
-tls_ca_certs:
-  - path: /etc/ipa/ca.crt
-    alias: ipaca
-```
-
 ### FreeIPA CA signed certificates
 
 Here, nothing has to be done.
@@ -67,6 +59,15 @@ In this case, please set `skip_ipa_signing` to `true`.
 
 This will cause the playbook to stop after generating CSRs – identical to the non-FreeIPA case.
 
+You will also need to configure your CA certificate like so (where `/path/to/ca.crt` is a path on the controller host):
+```
+tls_ca_certs:
+  - path: /path/to/ca.crt
+    alias: clusterca
+```
+
+This will ensure that the generated truststore includes your external CA.
+
 ## AutoTLS or playbook configured?
 
 ### AutoTLS

roles/infrastructure/krb5_client/meta/main.yml

@@ -14,4 +14,5 @@
 
 ---
 dependencies:
-  - role: cloudera.cluster.infrastructure.krb5_common
+  - role: cloudera.cluster.infrastructure.krb5_common
+  - role: cloudera.cluster.infrastructure.krb5_conf

roles/infrastructure/krb5_client/tasks/freeipa.yml

@@ -23,12 +23,21 @@
     ipaclient_servers: "{{ groups['krb5_server'] }}"
   when: "krb5_kdc_type == 'Red Hat IPA' and 'krb5_server' in groups"
 
-- name: Set sssd to enumerate users and groups
+- name: Set up renew_lifetime in krb5.conf
   lineinfile:
-    path: /etc/sssd/sssd.conf
-    insertafter: "^\\[domain/.+\\]"
-    regexp: "^enumerate"
-    line: "enumerate = True"
-  when: "krb5_kdc_type == 'Red Hat IPA' and 'krb5_server' in groups"
-  notify:
-    - restart sssd
+    path: /etc/krb5.conf
+    insertafter: "^\\[libdefaults\\]"
+    regexp: "^  renew_lifetime"
+    line: "  renew_lifetime = 7d"
+  when: 
+    - krb5_kdc_type == 'Red Hat IPA'
+    - "'cluster' in group_names or 'cloudera_manager' in group_names"
+
+- name: Remove default_ccache_name in krb5.conf
+  lineinfile:
+    path: /etc/krb5.conf
+    regexp: "^  default_ccache_name"
+    state: absent
+  when: 
+    - krb5_kdc_type == 'Red Hat IPA'
+    - "'cluster' in group_names or 'cloudera_manager' in group_names"

roles/infrastructure/krb5_client/tasks/mit.yml

@@ -22,10 +22,3 @@
     lock_timeout: "{{ (ansible_os_family == 'RedHat') | ternary(60, omit) }}"
     name: "{{ krb5_packages }}"
     state: present
-
-- name: Create krb5.conf
-  template:
-    src: "{{ krb5_conf_template | default('krb5.conf.j2') }}"
-    dest: /etc/krb5.conf
-    backup: yes
-  when: not (skip_krb5_conf_distribution | default(False))

roles/infrastructure/ca_certs/meta/main.yml → roles/infrastructure/krb5_conf/meta/main.yml

@@ -14,4 +14,4 @@
 
 ---
 dependencies:
-  - role: cloudera.cluster.infrastructure.ca_common
+  - role: cloudera.cluster.infrastructure.krb5_common

roles/infrastructure/ca_certs/tasks/clean.yml → roles/infrastructure/krb5_conf/tasks/main.yml

@@ -13,7 +13,6 @@
 # limitations under the License.
 
 ---
-- name: Clean CA Certs directory
-  file:
-    name: "{{ ca_server_root_path }}"
-    state: absent
+- name: Setup MIT KRB5 Configuration
+  when: krb5_kdc_type != 'Red Hat IPA'
+  ansible.builtin.include_tasks: mit.yml

roles/infrastructure/ca_certs/tasks/fetch.yml → roles/infrastructure/krb5_conf/tasks/mit.yml

@@ -13,15 +13,10 @@
 # limitations under the License.
 
 ---
-- name: Fetch CA Certs
-  fetch:
-    src: "{{ cert.src }}"
-    dest: "{{ cert.dest }}"
-    flat: yes
-  loop:
-    - src: "{{ ca_server_root_cert_path }}"
-      dest: "{{ local_temp_dir }}/certs/cluster_rootca.pem"
-    - src: "{{ ca_server_intermediate_cert_path }}"
-      dest: "{{ local_temp_dir }}/certs/cluster_intca.pem"
-  loop_control:
-    loop_var: cert
+
+- name: Create krb5.conf
+  template:
+    src: "{{ krb5_conf_template | default('krb5.conf.j2') }}"
+    dest: /etc/krb5.conf
+    backup: yes
+  when: not (skip_krb5_conf_distribution | default(False))

roles/infrastructure/krb5_conf/templates/krb5.conf.j2

@@ -0,0 +1,22 @@
+[libdefaults]
+default_realm = {{ krb5_realm|upper }}
+dns_lookup_kdc = false
+dns_lookup_realm = false
+ticket_lifetime = 1d
+renew_lifetime = 7d
+forwardable = true
+default_tgs_enctypes = {{ krb5_enc_types }}
+default_tkt_enctypes = {{ krb5_enc_types }}
+permitted_enctypes = {{ krb5_enc_types }}
+udp_preference_limit = 1
+kdc_timeout = 3000
+
+[realms]
+{{ krb5_realm|upper }} = {
+  kdc = {{ krb5_kdc_host | default(groups['krb5_server'][0]) }}
+  admin_server = {{ krb5_kdc_host | default(groups['krb5_server'][0]) }}
+}
+
+[domain_realm]
+.{{ ansible_domain }} = {{ krb5_realm|upper }}
+{{ ansible_domain }} = {{ krb5_realm|upper }}

roles/infrastructure/krb5_server/meta/main.yml

@@ -14,4 +14,5 @@
 
 ---
 dependencies:
-  - role: cloudera.cluster.infrastructure.krb5_client
+  - role: cloudera.cluster.infrastructure.krb5_common
+  - role: cloudera.cluster.infrastructure.krb5_conf

roles/infrastructure/krb5_server/tasks/mit.yml

@@ -49,4 +49,4 @@
     state: restarted
     enabled: yes
   with_items:
-    - "{{ krb5_services }}"
+    - "{{ krb5_services }}"

roles/infrastructure/krb5_server/vars/Debian.yml

@@ -18,6 +18,7 @@ krb5_kdc_database: /var/lib/krb5kdc/principal
 krb5_packages:
   - krb5-kdc
   - krb5-admin-server
+  - krb5-user
 krb5_services:
   - krb5-kdc
   - krb5-admin-server

roles/infrastructure/krb5_server/vars/RedHat.yml

@@ -18,6 +18,7 @@ krb5_kdc_database: "{{ krb5_kdc_state_directory }}/principal"
 krb5_packages:
   - krb5-libs
   - krb5-server
+  - krb5-workstation
 krb5_services:
   - krb5kdc
   - kadmin

roles/infrastructure/krb5_server/vars/Suse.yml

@@ -13,4 +13,6 @@
 # limitations under the License.
 
 ---
-krb5_packages: krb5-server
+krb5_packages:
+  - krb5-server
+  - krb5-client

roles/security/tls_install_certs/tasks/main.yml

@@ -18,13 +18,36 @@
     tls_signed_certs_dir: "{{ local_certs_dir }}"
   when: tls_signed_certs_dir is not defined
 
+# remote certificates for ca_server ca
 - set_fact:
     tls_ca_certs:
-      - alias: cluster_intca
-        path: "{{ tls_signed_certs_dir }}/cluster_intca.pem"
       - alias: cluster_rootca
-        path: "{{ tls_signed_certs_dir }}/cluster_rootca.pem"
-  when: tls_ca_certs is not defined
+        path: "{{ ca_server_root_cert_path }}"
+        remote_host: "{{ groups.ca_server | first }}"
+      - alias: cluster_intca
+        path: "{{ ca_server_intermediate_cert_path }}"
+        remote_host: "{{ groups.ca_server | first }}"
+  when: tls_ca_certs is not defined and 'ca_server' in groups
+
+# remote certificates for freeipa ca
+- set_fact:
+    tls_ca_certs:
+      - alias: cluster_ca
+        path: "/etc/ipa/ca.crt"
+        remote_host: "{{ groups.krb5_server | first | default(omit) }}"
+  when: tls_ca_certs is not defined and krb5_kdc_type | default(None) == 'Red Hat IPA'
+
+- name: Fetch the remote CA certs
+  fetch:
+    src: "{{ cert.path }}"
+    dest: "{{ tls_signed_certs_dir }}/{{ cert.alias }}.pem"
+    flat: yes
+  run_once: yes
+  delegate_to: "{{ cert.remote_host }}"
+  loop: "{{ tls_ca_certs }}"
+  loop_control:
+    loop_var: cert
+  when: cert.remote_host is defined
 
 - name: Check if signed cert is available
   become: no
@@ -55,7 +78,12 @@
 
 - name: Copy CA certs to hosts
   copy:
-    src: "{{ cacert.path }}"
+    src: >-
+      {{
+        tls_signed_certs_dir ~ '/' ~ cacert.alias ~ '.pem'
+        if cacert.remote_host is defined
+        else cacert.path
+      }}
     dest: "{{ base_dir_security_pki }}/{{ cacert.alias }}.pem"
     mode: 0644
   loop: "{{ tls_ca_certs }}"

roles/verify/inventory/tasks/main.yml

@@ -32,3 +32,18 @@
       not (
       'ca_server' in groups and krb5_kdc_type == "Red Hat IPA")
       }}
+
+- block:
+    - set_fact:
+          cluster_hosts: >-
+            {{ groups.cluster | default([])
+               | union(groups.cloudera_manager | default([]))
+            }}
+
+    - name: Ensure that all hosts requiring TLS certificates have a FreeIPA client
+      assert:
+        that: >-
+          {{ groups.tls | difference(cluster_hosts) | length == 0 }}
+  when:
+    - krb5_kdc_type == "Red Hat IPA"
+    - not (skip_ipa_signing | default(false))