From 8dc0268a5069fae4d978fabc1279d861adda8a61 Mon Sep 17 00:00:00 2001 From: nazunalika Date: Sun, 20 Dec 2020 22:05:52 -0700 Subject: [PATCH 1/3] IPA Privileges This release adds support for privileges and roles for the initial IPA team accounts. --- ansible/playbooks/adhoc-ipagroups.yml | 1 + ansible/playbooks/adhoc-ipausers.yml | 1 + ansible/playbooks/import-rockyipaprivs.yml | 44 +++++++++++++++++++ ansible/playbooks/import-rockyusers.yml | 15 +++++++ .../playbooks/init-rocky-ipa-internal-dns.yml | 1 + ansible/playbooks/init-rocky-ipa-team.yml | 6 +++ ansible/playbooks/vars/adminusers.yml | 7 +++ ansible/playbooks/vars/ipaprivs.yml | 28 ++++++++++++ ansible/playbooks/vars/svcusers.yml | 16 +++++++ ansible/playbooks/vars/users.yml | 7 +++ ansible/roles/requirements.yml | 1 + 11 files changed, 127 insertions(+) create mode 100644 ansible/playbooks/import-rockyipaprivs.yml create mode 100644 ansible/playbooks/vars/ipaprivs.yml create mode 100644 ansible/playbooks/vars/svcusers.yml diff --git a/ansible/playbooks/adhoc-ipagroups.yml b/ansible/playbooks/adhoc-ipagroups.yml index 37bc309..0615baa 100644 --- a/ansible/playbooks/adhoc-ipagroups.yml +++ b/ansible/playbooks/adhoc-ipagroups.yml @@ -5,6 +5,7 @@ - name: Create our initial users hosts: ipaserver become: false + gather_facts: false vars_files: - vars/encpass.yml diff --git a/ansible/playbooks/adhoc-ipausers.yml b/ansible/playbooks/adhoc-ipausers.yml index 8469c02..1346302 100644 --- a/ansible/playbooks/adhoc-ipausers.yml +++ b/ansible/playbooks/adhoc-ipausers.yml @@ -5,6 +5,7 @@ - name: Create a User hosts: ipaserver become: false + gather_facts: false vars_files: - vars/encpass.yml diff --git a/ansible/playbooks/import-rockyipaprivs.yml b/ansible/playbooks/import-rockyipaprivs.yml new file mode 100644 index 0000000..c94c314 --- /dev/null +++ b/ansible/playbooks/import-rockyipaprivs.yml 
@@ -0,0 +1,44 @@ +--- +# Creates necessary privileges for services +- name: "Creating necessary privileges" + freeipa.ansible_freeipa.ipaprivilege: + ipaadmin_password: "{{ ipaadmin_password }}" + name: "{{ item.privilege }}" + description: "{{ item.description }}" + loop: "{{ ipaprivileges }}" + when: ipaprivileges is defined + tags: + - rbac + +- name: "Creating permissions" + freeipa.ansible_freeipa.ipaprivilege: + ipaadmin_password: "{{ ipaadmin_password }}" + name: "{{ item.privilege }}" + permission: "{{ item.permissions }}" + action: member + loop: "{{ ipaprivileges }}" + when: ipaprivileges is defined + tags: + - rbac + +- name: "Creating roles based on custom privileges" + freeipa.ansible_freeipa.iparole: + ipaadmin_password: "{{ ipaadmin_password }}" + name: "{{ item.role }}" + privilege: "{{ item.privilege }}" + user: "{{ item.user }}" + loop: "{{ ipaprivileges }}" + when: ipaprivileges is defined + tags: + - rbac + +- name: "Creating roles based on standard privileges" + freeipa.ansible_freeipa.iparole: + ipaadmin_password: "{{ ipaadmin_password }}" + name: "{{ item.role }}" + privilege: "{{ item.privileges }}" + user: "{{ item.user }}" + loop: "{{ iparoles }}" + when: iparoles is defined + tags: + - rbac diff --git a/ansible/playbooks/import-rockyusers.yml b/ansible/playbooks/import-rockyusers.yml index ab5e1be..3aed65d 100644 --- a/ansible/playbooks/import-rockyusers.yml +++ b/ansible/playbooks/import-rockyusers.yml @@ -31,3 +31,18 @@ loop: "{{ adminusers }}" tags: - users + +- name: "Creating Service Accounts" + freeipa.ansible_freeipa.ipauser: + ipaadmin_password: "{{ ipaadmin_password }}" + name: "{{ item.name }}" + first: "{{ item.first }}" + last: "{{ item.last }}" + email: "{{ item.email }}" + password: "{{ item.password }}" + title: "{{ item.title }}" + loginshell: "{{ item.loginshell }}" + update_password: on_create + loop: "{{ svcusers }}" + tags: + - users 
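Review bot: Both iparole tasks hand `user:` and `privilege:` to the module at its default role-level action, and if iparole treats the listed members as the complete set the way ipagroup does, any user or privilege added to `Kerberos Managers` or `IPA Client Managers` outside this playbook is silently removed on the next run; that may be intended for an RBAC definition, but it should be stated in the file header, or membership should be added in a separate `action: member` task once the role exists, as the permissions task already does for privileges. The custom-privilege role task also passes `privilege: "{{ item.privilege }}"` as a single string while the standard-privilege task passes `privilege: "{{ item.privileges }}"` as a list, so it works only if the module coerces the scalar; `privilege: ["{{ item.privilege }}"]` would make the two tasks uniform. Every ipaprivileges entry must additionally carry `role` and `user` keys or the third task fails on an undefined attribute, so a `when: item.role is defined` guard would let the vars file define a privilege that is not yet bound to a role.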
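Review bot: The new "Creating Service Accounts" task loops over `svcusers`, so each loop result echoes the whole `item` mapping, password included, into the play output and any AWX job log; the ipauser module's own no_log handling covers its arguments but not the `item` that Ansible attaches to the result afterward. Add `no_log: true` to the task, or at least `loop_control:` with `label: "{{ item.name }}"`; the adminusers task just above the hunk (and presumably the users task earlier in the file) has the same exposure. `update_password: on_create` also means whatever password the vars file carries at first run stays on these accounts until someone rotates it by hand, which deserves a comment next to that line.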
diff --git a/ansible/playbooks/init-rocky-ipa-internal-dns.yml b/ansible/playbooks/init-rocky-ipa-internal-dns.yml index 09de055..ee77153 100644 --- a/ansible/playbooks/init-rocky-ipa-internal-dns.yml +++ b/ansible/playbooks/init-rocky-ipa-internal-dns.yml @@ -3,6 +3,7 @@ - name: Create our initial users hosts: ipaserver become: false + gather_facts: false vars_files: - vars/encpass.yml - vars/rdns.yml diff --git a/ansible/playbooks/init-rocky-ipa-team.yml b/ansible/playbooks/init-rocky-ipa-team.yml index 939b984..56fdcac 100644 --- a/ansible/playbooks/init-rocky-ipa-team.yml +++ b/ansible/playbooks/init-rocky-ipa-team.yml @@ -3,11 +3,14 @@ - name: Create our initial users hosts: ipaserver become: false + gather_facts: false vars_files: - vars/encpass.yml - vars/users.yml - vars/adminusers.yml + - vars/svcusers.yml - vars/groups.yml + - vars/ipaprivs.yml tasks: - name: "Checking for user variables" @@ -27,3 +30,6 @@ - name: "Start sudo for admins" import_tasks: import-rockysudo.yml + + - name: "Start privileges for services" + import_tasks: import-rockyipaprivs.yml diff --git a/ansible/playbooks/vars/adminusers.yml b/ansible/playbooks/vars/adminusers.yml index c7f97d1..220a50b 100644 --- a/ansible/playbooks/vars/adminusers.yml +++ b/ansible/playbooks/vars/adminusers.yml @@ -63,3 +63,10 @@ adminusers: password: ThisIsNotMyPassword1! title: Infrastructure Manager loginshell: /bin/bash + - name: bagner2 + first: Benjamin + last: Agner + email: bagner@rockylinux.org + password: ThisIsNotMyPassword1! + title: Security Director + loginshell: /bin/bash diff --git a/ansible/playbooks/vars/ipaprivs.yml b/ansible/playbooks/vars/ipaprivs.yml new file mode 100644 index 0000000..a1a49b1 --- /dev/null +++ b/ansible/playbooks/vars/ipaprivs.yml 
@@ -0,0 +1,28 @@ +--- +# privileges +ipaprivileges: + - privilege: Privileges - Kerberos Managers + description: Kerberos Key Managers + permissions: + - "System: Manage Host Keytab" + - "System: Manage Host Keytab Permissions" + - "System: Manage Service Keytab" + - "System: Manage Service Keytab Permissions" + - "System: Manage User Principals" + role: Kerberos Managers + user: + - kerbman + +# Standalone Roles +iparoles: + - role: IPA Client Managers + description: IPA Client Managers + privileges: + - "DNS Administrators" + - "DNS Servers" + - "Host Administrators" + - "Host Enrollment" + - "Host Group Administrators" + - "Netgroups Administrators" + user: + - hostman diff --git a/ansible/playbooks/vars/svcusers.yml b/ansible/playbooks/vars/svcusers.yml new file mode 100644 index 0000000..8dfce8b --- /dev/null +++ b/ansible/playbooks/vars/svcusers.yml @@ -0,0 +1,16 @@ +--- +svcusers: + - name: hostman + first: Host + last: Manager + email: hostman@rockylinux.org + password: ThisIsNotMyPassword1! + title: System Account - Host Manager + loginshell: /sbin/nologin + - name: kerbman + first: Kerberos + last: Manager + email: kerbman@rockylinux.org + password: ThisIsNotMyPassword1! + title: System Account - Kerberos Key Manager + loginshell: /sbin/nologin diff --git a/ansible/playbooks/vars/users.yml b/ansible/playbooks/vars/users.yml index 313cbc5..2c90cee 100644 --- a/ansible/playbooks/vars/users.yml +++ b/ansible/playbooks/vars/users.yml @@ -63,3 +63,10 @@ users: password: ThisIsNotMyPassword1! title: Infrastructure Manager loginshell: /bin/bash + - name: bagner + first: Benjamin + last: Agner + email: bagner@rockylinux.org + password: ThisIsNotMyPassword1! + title: Security Director + loginshell: /bin/bash diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml index 9645938..6745378 100644 --- a/ansible/roles/requirements.yml +++ b/ansible/roles/requirements.yml 
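Review bot: The `Privileges - Kerberos Managers` entry combines host and service keytab management with `System: Manage User Principals`, which lets the single `kerbman` account re-key any host or service in the realm and also touch user principals, and the file gives no reason why a keytab-management account needs the user-principal permission. A line such as `# Manage User Principals is needed for <reason>; drop it if kerbman only handles host/service keytabs` above that permission would let the next reviewer judge the scope (the reason is not evident from this commit). The same goes for `IPA Client Managers`, which pairs `DNS Administrators` with host enrollment; a one-line rationale per role keeps this RBAC file auditable.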
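Review bot: Both service accounts receive the same placeholder password `ThisIsNotMyPassword1!` as the human accounts in users.yml and adminusers.yml, and `loginshell: /sbin/nologin` only blocks an interactive shell — it does not prevent a kinit or LDAP bind as hostman or kerbman, which between them hold the host-management and keytab roles defined in ipaprivs.yml. Because import-rockyusers.yml sets passwords with `update_password: on_create`, the value in this file at first run is the one that stays. If a password must be set here it should be referenced from `vars/encpass.yml`, which the playbooks already load and whose name suggests it is the encrypted store (e.g. `password: "{{ svc_hostman_password }}"`, constructed name), or generated per account with the expectation that these accounts authenticate only by keytab.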
@@ -17,3 +17,4 @@ collections: - name: community.general - name: community.mysql - name: ansible.posix + - name: ktdreyer.koji_ansible From 4a15dfc0936052ce1f22cfa69a5dff949d153d8b Mon Sep 17 00:00:00 2001 From: nazunalika Date: Sun, 20 Dec 2020 22:34:55 -0700 Subject: [PATCH 2/3] Adding in missing adhoc playbook --- ansible/playbooks/adhoc-ipaservice.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 ansible/playbooks/adhoc-ipaservice.yml diff --git a/ansible/playbooks/adhoc-ipaservice.yml b/ansible/playbooks/adhoc-ipaservice.yml new file mode 100644 index 0000000..45af9a1 --- /dev/null +++ b/ansible/playbooks/adhoc-ipaservice.yml @@ -0,0 +1,26 @@ +--- +# This playbook is meant to be used with callable variables, like adhoc or AWX. +# What: Creates kerberos services in the idm infrastructure based on the variables provided + +- name: Create Services + hosts: ipaserver + become: false + gather_facts: false + vars_files: + - vars/encpass.yml + + tasks: + - name: "Checking for user variables" + assert: + that: + - ipaadmin_password | mandatory + - ipaService | mandatory + success_msg: "Required variables provided" + fail_msg: "We are missing required information" + + - name: "Creating Kerberos Service" + freeipa.ansible_freeipa.ipaservice: + ipaadmin_password: "{{ ipaadmin_password }}" + name: "{{ ipaService }}" + tags: + - services From 8c1a54dafbcdb87fa1681e3eb96be584a09caf50 Mon Sep 17 00:00:00 2001 From: nazunalika Date: Sun, 20 Dec 2020 22:45:55 -0700 Subject: [PATCH 3/3] Add ipa-getkeytab playbook --- ansible/playbooks/adhoc-ipagetkeytab.yml | 33 ++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 ansible/playbooks/adhoc-ipagetkeytab.yml diff --git a/ansible/playbooks/adhoc-ipagetkeytab.yml b/ansible/playbooks/adhoc-ipagetkeytab.yml new file mode 100644 index 0000000..3863661 --- /dev/null +++ b/ansible/playbooks/adhoc-ipagetkeytab.yml 
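Review bot: The added `ktdreyer.koji_ansible` collection is unrelated to the IPA privileges this commit describes and, like the existing entries, carries no `version:`, so an `ansible-galaxy collection install -r` resolves whatever is latest on Galaxy at install time; a pinned `version:` on the new entry (and ideally a `source:`) keeps the supply chain reproducible. If the koji dependency belongs to separate work it would be clearer in its own commit.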
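Review bot: The assert in adhoc-ipaservice.yml accepts any non-empty `ipaService`, so a value that is not in the `SVC/hostname@REALM` form (documented in the adhoc-ipagetkeytab.yml header in the next commit, but not here) reaches ipaservice unchecked; for a playbook driven from AWX input a format assertion such as `- ipaService is match('^[A-Za-z0-9_-]+/[A-Za-z0-9.-]+(@[A-Z0-9.-]+)?$')` (constructed pattern, adjust to the realm) would reject typos before a principal is created. The header comment would also benefit from stating the expected format the way adhoc-ipagetkeytab.yml does.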
@@ -0,0 +1,33 @@
+---
+# This playbook is meant to be used with callable variables, like adhoc or AWX.
+# What: Pulls keytabs for a kerberos service
+# What is expected:
+# -> ipaService, using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG
+# -> ipaKeytabFullPath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab
+# -> ipaServer: This needs to be one of the IPA servers
+
+- name: Pull keytab from IPA
+ hosts: "{{ host }}"
+ become: false
+ gather_facts: false
+ vars_files:
+ - vars/encpass.yml
+
+ tasks:
+ - name: "Checking for user variables"
+ assert:
+ that:
+ - ipaadmin_password | mandatory
+ - ipaService | mandatory
+ - ipaKeytabFullPath | mandatory
+ - ipaServer | mandatory
+ success_msg: "Required variables provided"
+ fail_msg: "We are missing required information"
+
+ - name: "Pulling keytab"
+ command: "ipa-getkeytab -s {{ ipaServer }} -p {{ ipaService }} -k {{ ipaKeytabFullPath }}"
+ register: ipakeytab_result
+ changed_when:
+ - ipakeytab_result.rc == 0
+ tags:
+ - keytab
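Review bot: `command:` assembles the ipa-getkeytab invocation by interpolating `ipaServer`, `ipaService` and `ipaKeytabFullPath` into one string, so a value containing whitespace is split into extra arguments (the command module runs no shell, so this is argument breakage rather than injection); the `argv:` form below passes each variable as a single argument. ipa-getkeytab also generates a new key for the principal on every run unless `-r` is given, which invalidates any keytab previously issued for that service — the header should say so, e.g. `# -> Each run re-keys the principal; keytabs issued earlier stop working (use -r to retrieve the current key instead)`. `ipaadmin_password` is asserted but never used by the task, which relies on whatever Kerberos credentials already exist on `{{ host }}`; either document that or drop the assertion. The file's owner and mode are left to ipa-getkeytab defaults, so a follow-up `file:` task setting `mode: "0600"` and the consuming service's owner is advisable, and with `become: false` the write under a path like /etc/gitlab succeeds only if the connecting user already has access there.
```yaml
    - name: "Pulling keytab"
      command:
        argv:
          - "ipa-getkeytab"
          - "-s"
          - "{{ ipaServer }}"
          - "-p"
          - "{{ ipaService }}"
          - "-k"
          - "{{ ipaKeytabFullPath }}"
      register: ipakeytab_result
      # … unchanged: changed_when, tags …
```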