From 8291d0b0591c9ae9dcbc5fe9551afec35c1f21a1 Mon Sep 17 00:00:00 2001
From: Daniel Lanza
Date: Thu, 3 Aug 2017 11:52:39 +0200
Subject: [PATCH] Provide option to remove host and realm from Kerberos principal

---
 manifests/init.pp | 6 +++++-
 manifests/params.pp | 2 ++
 spec/classes/sasl_spec.rb | 36 ++++++++++++++++++++++++++++++++++++
 templates/conf/zoo.cfg.erb | 6 ++++++
 4 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index b46d42e..8c8b750 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -81,7 +81,9 @@
  $realm = $::zookeeper::params::realm,
  $store_key = $::zookeeper::params::store_key,
  $use_keytab = $::zookeeper::params::use_keytab,
- $use_ticket_cache = $::zookeeper::params::use_ticket_cache
+ $use_ticket_cache = $::zookeeper::params::use_ticket_cache,
+ $remove_host_principal = $::zookeeper::params::remove_host_principal,
+ $remove_realm_principal = $::zookeeper::params::remove_realm_principal,
 ) inherits ::zookeeper::params {
 
  # validations are not necessary on Puppet 4
@@ -92,6 +94,8 @@
  validate_bool($initialize_datastore)
  validate_bool($manage_service)
  validate_bool($use_sasl_auth)
+ validate_bool($remove_host_principal)
+ validate_bool($remove_realm_principal)
  validate_hash($archive_checksum)
  validate_integer($id)
  validate_integer($init_limit)
diff --git a/manifests/params.pp b/manifests/params.pp
index b66545d..04075c8 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -145,4 +145,6 @@
  $store_key = true
  $use_keytab = true
  $use_ticket_cache = false
+ $remove_host_principal = false
+ $remove_realm_principal = false
 }
diff --git a/spec/classes/sasl_spec.rb b/spec/classes/sasl_spec.rb
index e0f450a..7e71bc3 100644
--- a/spec/classes/sasl_spec.rb
+++ b/spec/classes/sasl_spec.rb
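Review bot: The two new class parameters `$remove_host_principal` and `$remove_realm_principal` are added without documentation, and what they switch on is security-relevant: as the names and the `kerberos.removeHostFromPrincipal` / `kerberos.removeRealmFromPrincipal` keys written by the template indicate, the authenticated Kerberos principal is reduced to its short name, so `svc/host1@REALM`, `svc/host2@REALM` and a same-named principal from another realm all become the same SASL identity for ACL purposes. The class's parameter documentation presumably lives in the header comment above line 81, outside this hunk; I would add entries there along the lines of `# [*remove_host_principal*] Strip the host part from the Kerberos principal before it is used as the SASL identity (default: false). Principals that differ only by host then share one ACL identity.` with a parallel entry for `remove_realm_principal` stating that principals from different realms become indistinguishable. The same one-line caveat belongs above the new conditionals in templates/conf/zoo.cfg.erb, where the effect is produced. The parameter list begins before line 81 and the class body continues past the end of the hunk.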
@@ -66,4 +66,40 @@
 ).with_content(/JAVA_OPTS="\${JAVA_OPTS} -Djava.security.auth.login.config=\/etc\/zookeeper\/conf\/jaas.conf"/)
 end
 end
+
+ context 'remove host and realm from principal' do
+ let(:facts) do
+ {
+ :operatingsystem => 'Debian',
+ :osfamily => 'Debian',
+ :operatingsystemmajrelease => '8',
+ :lsbdistcodename => 'jessie',
+ :puppetversion => Puppet.version,
+ }
+ end
+
+ let :pre_condition do
+ 'class {"zookeeper":
+ use_sasl_auth => true,
+ remove_host_principal => true,
+ remove_realm_principal => true,
+ }'
+ end
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_class('zookeeper::sasl') }
+
+ it do
+ should contain_file(
+ '/etc/zookeeper/conf/zoo.cfg'
+ ).with_content(/kerberos.removeHostFromPrincipal=true/)
+ end
+
+ it do
+ should contain_file(
+ '/etc/zookeeper/conf/zoo.cfg'
+ ).with_content(/kerberos.removeRealmFromPrincipal=true/)
+ end
+
+ end
 end
diff --git a/templates/conf/zoo.cfg.erb b/templates/conf/zoo.cfg.erb
index e80b8c6..d0c3738 100644
--- a/templates/conf/zoo.cfg.erb
+++ b/templates/conf/zoo.cfg.erb
@@ -121,4 +121,10 @@ maxSessionTimeout=<%= scope.lookupvar("zookeeper::max_session_timeout") %>
 # Enable SASL authentication and use the default provider/renew provided by cloudera
 authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
 jaasLoginRenew=3600000
+<% if scope.lookupvar("zookeeper::remove_host_principal") -%>
+kerberos.removeHostFromPrincipal=true
+<% end -%>
+<% if scope.lookupvar("zookeeper::remove_realm_principal") -%>
+kerberos.removeRealmFromPrincipal=true
+<% end -%>
 <% end -%>
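Review bot: The new context only proves that the two `kerberos.remove*FromPrincipal` lines appear when both flags are true; nothing asserts they are absent under the defaults, so a template regression that emitted them unconditionally would still pass this spec. A negative check in the SASL-enabled context above (its `describe` starts outside this hunk) would close that gap, e.g. `it { is_expected.to contain_file('/etc/zookeeper/conf/zoo.cfg').without_content(/kerberos\.remove(Host|Realm)FromPrincipal/) }`. Two smaller style points in the added `it` blocks: the unescaped dots in `/kerberos.removeHostFromPrincipal=true/` and its realm twin match any character, so `/kerberos\.removeHostFromPrincipal=true/` is what is meant, and the blocks use `should` while the `is_expected.to` form appears two lines earlier in the same context — picking one reads better.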