Puppet remctl module

Remi Ferrand remi.ferrand at cc.in2p3.fr
Fri Apr 11 11:18:46 EDT 2014


On 11/04/2014 11:10, Russ Allbery wrote:
> For example, for kadmin-remctl, our local remctl
> configuration is:
>
> kadmin change_passwd /usr/sbin/kadmin-backend logmask=3,4 \
>     ANYUSER
> kadmin check_passwd  /usr/sbin/kadmin-backend logmask=3 \
>     /etc/remctl/acl/kadmin-examine /etc/remctl/acl/its-idg
> kadmin create        /usr/sbin/kadmin-backend logmask=3 \
>     /etc/remctl/acl/kadmin-create
> kadmin delete        /usr/sbin/kadmin-backend \
>     /etc/remctl/acl/kadmin-delete
> kadmin disable       /usr/sbin/kadmin-backend \
>     /etc/remctl/acl/kadmin-enable
> kadmin enable        /usr/sbin/kadmin-backend \
>     /etc/remctl/acl/kadmin-enable
> kadmin examine       /usr/sbin/kadmin-backend \
>     /etc/remctl/acl/kadmin-examine /etc/remctl/acl/its-idg \
>     /etc/remctl/acl/security /etc/remctl/acl/data-admin \
>     /etc/remctl/acl/data-view
> kadmin help          /usr/sbin/kadmin-backend \
>     ANYUSER
> kadmin instance      /usr/sbin/kadmin-backend logmask=5 \
>     /etc/remctl/acl/kadmin-instance
> kadmin reset_passwd  /usr/sbin/kadmin-backend logmask=3 \
>     /etc/remctl/acl/kadmin-reset
> kadmin check_expire  /usr/sbin/kadmin-backend \
>     /etc/remctl/acl/kadmin-check-expire
> kadmin expiration    /usr/sbin/kadmin-backend \
>     /etc/remctl/acl/kadmin-expiration
> kadmin pwexpiration  /usr/sbin/kadmin-backend \
>     /etc/remctl/acl/kadmin-expiration

Hi Russ and thanks for your remarks !
I've just created and released version 1.1.0 (available at
https://forge.puppetlabs.com/ccin2p3/remctl).

> A few other, more minor points I noticed:
>
> * You define the remctl port in /etc/services to be whatever the port
>   parameter passed to the remctl::server class is.  I don't think this is
>   formally correct.  The only officially-registered port for remctl is
>   4373, and that's really the only thing that should be added to
>   /etc/services.  It's quite possible someone would want to run remctld on
>   a non-standard port but still have that port properly associated with
>   some other service.
>
>   Instead, I would add the remctl port to /etc/services if and only if it
>   is set to 4373, and otherwise use type = UNLISTED in the xinetd
>   configuration so that it will work without an /etc/services entry.
>   That's what our internal Puppet model does.  (It's otherwise not as
>   useful because it assumes a lot of Stanford-specific things.)

You're absolutely right, thanks for raising this, v1.1.0 should have
fixed this.

>
> * If the remctl port definition is missing from /etc/services, you
>   currently add it for both tcp and udp.  The dual registration is an
>   artifact of the IANA port registration process.  I can pretty much
>   guarantee that there will never be a remctl UDP service, so when adding
>   the service to /etc/services on systems that don't have it listed, I
>   would only bother adding TCP.


> * Just for completion's sake, it would be nice to have a remctl::client
>   class that installs the package needed for the client.  That would be
>   fairly trivial: just remctl on Red Hat and remctl-client on Debian.
>



Unfortunately I had to break our interface for class
remctl::server::command by introducing a new mandatory parameter
"command" that now allow to write any of the configuration you pasted above.

For fun', I've tried to write some of them:

# kadmin change_passwd /usr/sbin/kadmin-backend logmask=3,4 \
#     ANYUSER

# kadmin examine       /usr/sbin/kadmin-backend \
#     /etc/remctl/acl/kadmin-examine /etc/remctl/acl/its-idg \
#     /etc/remctl/acl/security /etc/remctl/acl/data-admin \
#     /etc/remctl/acl/data-view

could be obtained from this puppet manifest:

$_remctl_acl_its_idg = "file:${remctl::server::acldir}/its-idg"
$_remctl_acl_security = "file:${remctl::server::acldir}/security"

remctl::server::command { 'kadmin_change_passwd':
    command             => 'kadmin',
    subcommand          => 'change_passwd',
    executable          => '/usr/sbin/kadmin-backend',
    options             => {
        'logmask'   => '3,4'
    },
    acls                => ['ANYUSER']
}

remctl::server::command { 'kadmin_examine':
    command             => 'kadmin',
    subcommand          => 'examine',
    executable          => '/usr/sbin/kadmin-backend',
    acls                => [
        "file:${remctl::server::acldir}/kadmin-examine",
        "${_remctl_acl_its_idg}",
        "${_remctl_acl_security}",
        "file:${remctl::server::acldir}/data-admin",
        "file:${remctl::server::acldir}/data-view"
    ]
}


The way the module is coded (and also the way puppet works) makes it
more easy for me to explode every subcommand in a dedicated file.
In the example above, file "/etc/remctl/conf.d/kadmin_examine" will be
created and its content will describe "examine" subcommand of command
"kadmin".

I agree that this will result in multiple small files but:
* (for what I know) puppet handles more easily small dedicated files
(like in /etc/yum.repos.d) than one monolithic file.
* defining each subcommand as a separate "remctl::server::command"
"puppet object" allow to factorize some declarations ("subcommand_1" and
"subcommand_2" could be declared; and "subcommand_1" could be defined on
host A but not on host B for instance).

The only way I know to create a single file per command with many
subcommands would be to do something like this:

remctl::server::command { 'kadmin':
    subcommand => [
        {
            'name'            => 'change_passwd',
            'executable'    => '/usr/sbin/kadmin-backend',
            'options'          => { 'logmask' => '3,4' }
            'acls'               => ['ANYUSER']
        },

        {
            'name'            => 'examine',
            ...
        }
    ]
}

I don't like this "pass a Hash or Dict" approach because when using
puppet "defined types",  all the checks and intelligence has to be
written in templates which is something that I try to avoid.


I hope that this new version will be closer to the "remctl subcommand
model".

Cheers

Rémi



More information about the Kerberos mailing list