Set mode of keytab
cmd-ntrf committed Oct 18, 2024
1 parent 9bb9878 commit 7ad69b6
Showing 3 changed files with 33 additions and 15 deletions.
3 changes: 3 additions & 0 deletions data/common.yaml
Expand Up @@ -77,6 +77,9 @@ jupyterhub::jupyterhub_config_hash:
choices: ['notebook', 'lab', 'terminal', 'code-server', 'desktop']
def: 'lab'

LocalFreeIPAAuthenticator:
principal: "jupyterhub/jupyterhub"

selinux::mode: 'permissive'
# selinux::type: 'targeted'
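Review bot: The principal `jupyterhub/jupyterhub` set under `LocalFreeIPAAuthenticator` is also hard-coded twice in site/profile/manifests/jupyterhub.pp, in the `service_add_principal` call and in the `ipa-getkeytab -p` argument. The authenticator and the keytab therefore agree only while all three literals are edited together. A comment on this key, such as `# must match the principal that profile::jupyterhub::hub::keytab registers and fetches`, would make the dependency visible. Alternatively the manifest could take the value from Hiera instead of repeating it.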

1 change: 1 addition & 0 deletions data/site.yaml
Expand Up @@ -56,6 +56,7 @@ magic_castle::site::tags:
- profile::cvmfs::alien_cache
proxy:
- profile::jupyterhub::hub
- profile::jupyterhub::hub::keytab
- profile::reverse_proxy
efa:
- profile::efa
44 changes: 29 additions & 15 deletions site/profile/manifests/jupyterhub.pp
Expand Up @@ -31,18 +31,30 @@
source => 'puppet:///modules/profile/freeipa/kinit_wrapper',
mode => '0755',
}
}

class profile::jupyterhub::node {
if lookup('jupyterhub::node::prefix', String, undef, '') !~ /^\/cvmfs.*/ {
include jupyterhub::node
if lookup('jupyterhub::kernel::setup') == 'venv' and lookup('jupyterhub::kernel::venv::python') =~ /^\/cvmfs.*/ {
Class['profile::software_stack'] -> Class['jupyterhub::kernel::venv']
}
}
}

class profile::jupyterhub::hub::keytab {
$domain_name = lookup('profile::freeipa::base::domain_name')
$int_domain_name = "int.${domain_name}"
$fqdn = "${facts['networking']['hostname']}.${int_domain_name}"
$service_name = "jupyterhub/${fqdn}"
$service_register_script = @("EOF")
api.Command.batch(
{ 'method': 'service_add', 'params': [['${service_name}'], {}]},
{ 'method': 'role_add', 'params': [['JupyterHub'], {'description' : 'JupyterHub User management'}]},
{ 'method': 'role_add_privilege', 'params': [['JupyterHub'], {'privilege' : 'Group Administrator'}]},
{ 'method': 'role_add_privilege', 'params': [['JupyterHub'], {'privilege' : 'User Administrators'}]},
{ 'method': 'role_add_member', 'params': [['JupyterHub'], {'service' : '${service_name}'}]},
{ 'method': 'service_add', 'params': [['${service_name}'], {}]},
{ 'method': 'service_add_principal', 'params': [['${service_name}', 'jupyterhub/jupyterhub'], {}]},
{ 'method': 'role_add', 'params': [['JupyterHub'], {'description' : 'JupyterHub User management'}]},
{ 'method': 'role_add_privilege', 'params': [['JupyterHub'], {'privilege' : 'Group Administrator'}]},
{ 'method': 'role_add_privilege', 'params': [['JupyterHub'], {'privilege' : 'User Administrators'}]},
{ 'method': 'role_add_member', 'params': [['JupyterHub'], {'service' : '${service_name}'}]},
)
|EOF

Expand All @@ -56,31 +68,33 @@
command => "kinit_wrapper ipa console ${jupyterhub::prefix}/bin/ipa_register_service.py",
refreshonly => true,
require => [
Exec['jupyterhub_venv'],
File["${jupyterhub::prefix}/bin/kinit_wrapper"],
Exec['ipa-install'],
],
subscribe => File["${jupyterhub::prefix}/bin/ipa_register_service.py"],
environment => ["IPA_ADMIN_PASSWD=${ipa_passwd}"],
path => ['/bin', '/usr/bin', '/sbin','/usr/sbin', " ${jupyterhub::prefix}/bin"],
path => ['/bin', '/usr/bin', '/sbin','/usr/sbin', "${jupyterhub::prefix}/bin"],
}

exec { 'jupyterhub_keytab':
command => "kinit_wrapper ipa-getkeytab -p ${service_name} -k /etc/jupyterhub/jupyterhub.keytab",
command => 'kinit_wrapper ipa-getkeytab -p jupyterhub/jupyterhub -k /etc/jupyterhub/jupyterhub.keytab',
creates => '/etc/jupyterhub/jupyterhub.keytab',
require => [
Exec['jupyterhub_venv'],
File["${jupyterhub::prefix}/bin/kinit_wrapper"],
Exec['jupyterhub_ipa_service_register'],
Exec['ipa-install'],
],
environment => ["IPA_ADMIN_PASSWD=${ipa_passwd}"],
path => ['/bin', '/usr/bin', '/sbin','/usr/sbin', " ${jupyterhub::prefix}/bin"],
path => ['/bin', '/usr/bin', '/sbin','/usr/sbin', "${jupyterhub::prefix}/bin"],
}
}

class profile::jupyterhub::node {
if lookup('jupyterhub::node::prefix', String, undef, '') !~ /^\/cvmfs.*/ {
include jupyterhub::node
if lookup('jupyterhub::kernel::setup') == 'venv' and lookup('jupyterhub::kernel::venv::python') =~ /^\/cvmfs.*/ {
Class['profile::software_stack'] -> Class['jupyterhub::kernel::venv']
}
file { '/etc/jupyterhub/jupyterhub.keytab':
owner => 'root',
group => 'jupyterhub',
mode => '0640',
subscribe => Exec['jupyterhub_keytab'],
require => Group['jupyterhub'],
}
}
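Review bot: The new `file { '/etc/jupyterhub/jupyterhub.keytab': }` resource makes the keytab readable by group `jupyterhub` (`0640`), while the registration batch earlier in this class puts that service in a role carrying `User Administrators` and `Group Administrator`, so read access to this file amounts to FreeIPA user and group administration. Nothing in the manifest records that constraint; a comment above the resource, for example `# keytab carries the JupyterHub role (user/group admin in FreeIPA); keep group 'jupyterhub' limited to the hub service account`, would state it for whoever next changes the group. Separately, `jupyterhub/jupyterhub` is now a fixed alias rather than a per-host principal, and `ipa-getkeytab` generates new keys when it fetches a keytab unless told to retrieve the existing ones. If the `proxy` tag is ever applied to a second host, its run would presumably invalidate the first host's keytab, so it is worth confirming that a single hub host is assumed. Part of the class body sits in the collapsed region between the two hunks and was not reviewed.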
