mono-infrastructure/ansible/playbooks/adhoc-ipagetkeytab.yml

---
# This playbook is meant to be used with callable variables, like adhoc or AWX.
# Special thanks to @remyabel for assisting in improving this playbook with
# extended security posture
# What: Pulls keytabs for a kerberos service
# What is expected:
#  -> host: The host in the inventory, this MUST be FQDN.
#  -> ipa_service: using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG
#     Note: This service MUST exist
#  -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab
#  -> ipa_server: This needs to be one of the IPA servers
#  -> ipa_owner: If applicable, the local account that can read this keytab (eg apache)
#  -> ipa_admin: The admin user that has kerberos management capabilities (default is admin)
#  -> ipaadmin_password: This should be the password of the admin user

- name: Pull keytab from IPA
  hosts: "{{ host }}"
  become: true
  gather_facts: false
  vars_files:
    - vars/vaults/kerbman.yml

  tasks:
    - name: "Checking for user variables"
      assert:
        that:
          - ipa_admin | mandatory
          - ipaadmin_password | mandatory
          - ipa_service | mandatory
          - ipa_keytab_fullpath | mandatory
          - ipa_server | mandatory
        success_msg: "Required variables provided"
        fail_msg: "We are missing required information"

    - name: "Check that a keytab doesn't already exist"
      stat:
        path: "{{ ipa_keytab_fullpath }}"
      register: keytab_status
      check_mode: false
      changed_when: "1 != 1"

    - name: "Verify keytab existence"
      assert:
        that:
          - "not keytab_status.stat.exists"
        success_msg: "Keytab doesn't exist, moving on..."
        fail_msg: "Keytab with that name already exists, skipping."

    - name: "Grant {{ host }} and {{ ipa_admin }} access to the service keytab"
      delegate_to: "{{ ipa_server }}"
      freeipa.ansible_freeipa.ipaservice:
        ipaadmin_principal: "{{ ipa_admin }}"
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: "{{ ipa_service }}"
        allow_retrieve_keytab_user:
          - "{{ ipa_admin }}"
        allow_retrieve_keytab_host:
          - "{{ host }}"
        action: member

    - name: "Grant {{ host }} and {{ ipa_admin }} access to the host keytab"
      delegate_to: "{{ ipa_server }}"
      freeipa.ansible_freeipa.ipahost:
        ipaadmin_principal: "{{ ipa_admin }}"
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: "{{ host }}"
        state: present
        allow_retrieve_keytab_user:
          - "{{ ipa_admin }}"
        managedby_host: "{{ host }}"
        action: member

    - name: "Get kerberos ticket"
      delegate_to: "{{ ipa_server }}"
      shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"
      check_mode: false
      changed_when: "1 != 1"
      when: not keytab_status.stat.exists

    - name: "Attempt to retrieve keytab"
      delegate_to: "{{ ipa_server }}"
      command: "ipa-getkeytab -r -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
      register: ret_result
      check_mode: false
      changed_when: "1 != 1"
      failed_when: "not ('Keytab successfully retrieved' in ret_result.stderr or 'krbPrincipalKey not found' in ret_result.stderr)"

    - name: "Create keytab if it didn't exist, based on the last task"
      delegate_to: "{{ ipa_server }}"
      command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"
      when: "'krbPrincipalKey not found' in ret_result.stderr"

    - name: "Destroy admin ticket"
      delegate_to: "{{ ipa_server }}"
      command: "kdestroy -A"
      register: kdestroy_result
      changed_when: "kdestroy_result.rc == 0"

    - name: "Put the keytab into a register"
      delegate_to: "{{ ipa_server }}"
      command: "base64 /tmp/{{ host }}.kt"
      register: keytab
      check_mode: false
      changed_when: "keytab.rc == 0"

    - name: "Destroy local keytab"
      delegate_to: "{{ ipa_server }}"
      file:
        path: "/tmp/{{ host }}.kt"
        state: absent

    - name: "Deploy keytab to {{ host }} from register"
      copy:
        dest: "{{ ipa_keytab_fullpath }}.b64"
        content: "{{ keytab.stdout }}"
        owner: "{{ ipa_owner|default('root') }}"
        group: "{{ ipa_owner|default('root') }}"
        mode: '0600'

    - name: "Decode keytab"
      shell: "umask 077 && base64 -d {{ ipa_keytab_fullpath }}.b64 > {{ ipa_keytab_fullpath }}"
      changed_when: "1 != 1"

    - name: "Destroy encoded keytab"
      file:
        path: "{{ ipa_keytab_fullpath }}.b64"
        state: absent

    - name: "Set ownership if applicable, otherwise it's root owned"
      file:
        path: "{{ ipa_keytab_fullpath }}"
        owner: "{{ ipa_owner|default('root') }}"
        group: "{{ ipa_owner|default('root') }}"
        mode: '0600'
        state: file
      tags:
        - keytab
...
Add ipa-getkeytab playbook 2020-12-21 05:45:55 +00:00			`---`
			`# This playbook is meant to be used with callable variables, like adhoc or AWX.`
Ansible 2.7+ Best Practices and GetKeyTab Fixes -> Changed specific pieces that are recommended to be changed in Ansible 2.7 and higher (such as using fail_msg and success_msg, not just msg for assertions -> Improved the getkeytab adhoc playbook for flexibility and delegations against a IPA server, as well as forcing the choice of the user with permissions that can perform the action rather than the default "admin" user in FreeIPA as a security fix. 2021-01-02 03:14:24 +00:00			`# Special thanks to @remyabel for assisting in improving this playbook with`
			`# extended security posture`
Add ipa-getkeytab playbook 2020-12-21 05:45:55 +00:00			`# What: Pulls keytabs for a kerberos service`
			`# What is expected:`
Ansible 2.7+ Best Practices and GetKeyTab Fixes -> Changed specific pieces that are recommended to be changed in Ansible 2.7 and higher (such as using fail_msg and success_msg, not just msg for assertions -> Improved the getkeytab adhoc playbook for flexibility and delegations against a IPA server, as well as forcing the choice of the user with permissions that can perform the action rather than the default "admin" user in FreeIPA as a security fix. 2021-01-02 03:14:24 +00:00			`# -> host: The host in the inventory, this MUST be FQDN.`
			`# -> ipa_service: using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG`
			`# Note: This service MUST exist`
adding kojihub 2020-12-23 10:52:34 +00:00			`# -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab`
			`# -> ipa_server: This needs to be one of the IPA servers`
Ansible 2.7+ Best Practices and GetKeyTab Fixes -> Changed specific pieces that are recommended to be changed in Ansible 2.7 and higher (such as using fail_msg and success_msg, not just msg for assertions -> Improved the getkeytab adhoc playbook for flexibility and delegations against a IPA server, as well as forcing the choice of the user with permissions that can perform the action rather than the default "admin" user in FreeIPA as a security fix. 2021-01-02 03:14:24 +00:00			`# -> ipa_owner: If applicable, the local account that can read this keytab (eg apache)`
			`# -> ipa_admin: The admin user that has kerberos management capabilities (default is admin)`
			`# -> ipaadmin_password: This should be the password of the admin user`
Add ipa-getkeytab playbook 2020-12-21 05:45:55 +00:00
			`- name: Pull keytab from IPA`
			`hosts: "{{ host }}"`
Ansible 2.7+ Best Practices and GetKeyTab Fixes -> Changed specific pieces that are recommended to be changed in Ansible 2.7 and higher (such as using fail_msg and success_msg, not just msg for assertions -> Improved the getkeytab adhoc playbook for flexibility and delegations against a IPA server, as well as forcing the choice of the user with permissions that can perform the action rather than the default "admin" user in FreeIPA as a security fix. 2021-01-02 03:14:24 +00:00			`become: true`
Add ipa-getkeytab playbook 2020-12-21 05:45:55 +00:00			`gather_facts: false`
			`vars_files:`
service accounts 2021-01-23 22:51:55 +00:00			`- vars/vaults/kerbman.yml`
Add ipa-getkeytab playbook 2020-12-21 05:45:55 +00:00
			`tasks:`
			`- name: "Checking for user variables"`
			`assert:`
			`that:`
service accounts 2021-01-23 22:51:55 +00:00			`- ipa_admin \| mandatory`
Add ipa-getkeytab playbook 2020-12-21 05:45:55 +00:00			`- ipaadmin_password \| mandatory`
adding kojihub 2020-12-23 10:52:34 +00:00			`- ipa_service \| mandatory`
			`- ipa_keytab_fullpath \| mandatory`
			`- ipa_server \| mandatory`
Add ipa-getkeytab playbook 2020-12-21 05:45:55 +00:00			`success_msg: "Required variables provided"`
			`fail_msg: "We are missing required information"`

Ansible 2.7+ Best Practices and GetKeyTab Fixes -> Changed specific pieces that are recommended to be changed in Ansible 2.7 and higher (such as using fail_msg and success_msg, not just msg for assertions -> Improved the getkeytab adhoc playbook for flexibility and delegations against a IPA server, as well as forcing the choice of the user with permissions that can perform the action rather than the default "admin" user in FreeIPA as a security fix. 2021-01-02 03:14:24 +00:00			`- name: "Check that a keytab doesn't already exist"`
			`stat:`
			`path: "{{ ipa_keytab_fullpath }}"`
			`register: keytab_status`
			`check_mode: false`
			`changed_when: "1 != 1"`

			`- name: "Verify keytab existence"`
			`assert:`
			`that:`
			`- "not keytab_status.stat.exists"`
			`success_msg: "Keytab doesn't exist, moving on..."`
			`fail_msg: "Keytab with that name already exists, skipping."`

			`- name: "Grant {{ host }} and {{ ipa_admin }} access to the service keytab"`
			`delegate_to: "{{ ipa_server }}"`
			`freeipa.ansible_freeipa.ipaservice:`
			`ipaadmin_principal: "{{ ipa_admin }}"`
			`ipaadmin_password: "{{ ipaadmin_password }}"`
			`name: "{{ ipa_service }}"`
			`allow_retrieve_keytab_user:`
			`- "{{ ipa_admin }}"`
			`allow_retrieve_keytab_host:`
			`- "{{ host }}"`
			`action: member`

			`- name: "Grant {{ host }} and {{ ipa_admin }} access to the host keytab"`
			`delegate_to: "{{ ipa_server }}"`
			`freeipa.ansible_freeipa.ipahost:`
			`ipaadmin_principal: "{{ ipa_admin }}"`
			`ipaadmin_password: "{{ ipaadmin_password }}"`
			`name: "{{ host }}"`
			`state: present`
			`allow_retrieve_keytab_user:`
			`- "{{ ipa_admin }}"`
			`managedby_host: "{{ host }}"`
			`action: member`

			`- name: "Get kerberos ticket"`
			`delegate_to: "{{ ipa_server }}"`
			`shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" \| kinit {{ ipa_admin }}"`
			`check_mode: false`
			`changed_when: "1 != 1"`
			`when: not keytab_status.stat.exists`

			`- name: "Attempt to retrieve keytab"`
			`delegate_to: "{{ ipa_server }}"`
			`command: "ipa-getkeytab -r -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"`
			`register: ret_result`
			`check_mode: false`
			`changed_when: "1 != 1"`
			`failed_when: "not ('Keytab successfully retrieved' in ret_result.stderr or 'krbPrincipalKey not found' in ret_result.stderr)"`

			`- name: "Create keytab if it didn't exist, based on the last task"`
			`delegate_to: "{{ ipa_server }}"`
			`command: "ipa-getkeytab -s {{ ipa_server }} -p {{ ipa_service }} -k /tmp/{{ host }}.kt"`
			`when: "'krbPrincipalKey not found' in ret_result.stderr"`

			`- name: "Destroy admin ticket"`
			`delegate_to: "{{ ipa_server }}"`
			`command: "kdestroy -A"`
			`register: kdestroy_result`
			`changed_when: "kdestroy_result.rc == 0"`

			`- name: "Put the keytab into a register"`
			`delegate_to: "{{ ipa_server }}"`
			`command: "base64 /tmp/{{ host }}.kt"`
			`register: keytab`
			`check_mode: false`
			`changed_when: "keytab.rc == 0"`

			`- name: "Destroy local keytab"`
			`delegate_to: "{{ ipa_server }}"`
			`file:`
			`path: "/tmp/{{ host }}.kt"`
			`state: absent`

			`- name: "Deploy keytab to {{ host }} from register"`
			`copy:`
			`dest: "{{ ipa_keytab_fullpath }}.b64"`
			`content: "{{ keytab.stdout }}"`
			`owner: "{{ ipa_owner\|default('root') }}"`
			`group: "{{ ipa_owner\|default('root') }}"`
			`mode: '0600'`

			`- name: "Decode keytab"`
			`shell: "umask 077 && base64 -d {{ ipa_keytab_fullpath }}.b64 > {{ ipa_keytab_fullpath }}"`
			`changed_when: "1 != 1"`

			`- name: "Destroy encoded keytab"`
			`file:`
			`path: "{{ ipa_keytab_fullpath }}.b64"`
			`state: absent`
adding kojihub 2020-12-23 10:52:34 +00:00
Ansible 2.7+ Best Practices and GetKeyTab Fixes -> Changed specific pieces that are recommended to be changed in Ansible 2.7 and higher (such as using fail_msg and success_msg, not just msg for assertions -> Improved the getkeytab adhoc playbook for flexibility and delegations against a IPA server, as well as forcing the choice of the user with permissions that can perform the action rather than the default "admin" user in FreeIPA as a security fix. 2021-01-02 03:14:24 +00:00			`- name: "Set ownership if applicable, otherwise it's root owned"`
adding kojihub 2020-12-23 10:52:34 +00:00			`file:`
			`path: "{{ ipa_keytab_fullpath }}"`
Ansible 2.7+ Best Practices and GetKeyTab Fixes -> Changed specific pieces that are recommended to be changed in Ansible 2.7 and higher (such as using fail_msg and success_msg, not just msg for assertions -> Improved the getkeytab adhoc playbook for flexibility and delegations against a IPA server, as well as forcing the choice of the user with permissions that can perform the action rather than the default "admin" user in FreeIPA as a security fix. 2021-01-02 03:14:24 +00:00			`owner: "{{ ipa_owner\|default('root') }}"`
			`group: "{{ ipa_owner\|default('root') }}"`
adding kojihub 2020-12-23 10:52:34 +00:00			`mode: '0600'`
			`state: file`
			`tags:`
			`- keytab`
Linting and Formatting This commit appends the README.md to state that yaml files should start with `---` and end with `...`. This also addresses some linting warnings that were not appearing during pre-commit on local system. 2021-08-30 05:02:24 +00:00			`...`