ASDPLNG-54: Review puppet-profile_allow_ssh_from_bastion

Add basic sssd data for NCSA setup common NCSA settings for SSSD Setup sssd debug_level Add profile hiera data enable and include profile_allow_ssh_from_bastion enable ncsa/sshd added groups for allow_ssh_from_bastion to control repo Remove simple_allow_groups from default sssd and let ssh add them Add default bastion_nodelist to control repo Upgrade concat module include ::pam_access point to latest tag of profile_pam_access point profile_pam_access to topic branch Update to ncsa/sshd v0.3.0 Update profile_allow_ssh_from_bastion to v0.2.0 Update profile_pam_access to v0.0.4
2021-01-29 17:09:50 -06:00 · 2021-01-29 17:09:50 -06:00 · 0e9d96eee7
commit 0e9d96eee7
parent f4f3015939
7 changed files with 364 additions and 20 deletions
--- a/.github/workflows/yamllint.yml
+++ b/.github/workflows/yamllint.yml
@ -0,0 +1,12 @@
+---
+name: "yamllint"
+on:
+  - "push"
+  - "pull_request"
+jobs:
+  lintAllTheThings:
+    runs-on: "ubuntu-latest"
+    steps:
+      - uses: "actions/checkout@v1"
+      - name: "yaml-lint"
+        uses: "ibiqlik/action-yamllint@v3"
--- a/39
+++ b/39
@ -1,41 +1,46 @@
 forge 'https://forge.puppet.com'
 # mod 'aboe/chrony', '0.3.2'
-# mod 'bodgit-bodgitlib', '2.0.1'
+mod 'bodgit-bodgitlib', '2.0.1'
 # mod 'bodgit-dbus', '2.0.1'
-# mod 'herculesteam/augeasproviders', '2.4.1'
-# mod 'herculesteam/augeasproviders_base', '2.1.0'
-# mod 'herculesteam/augeasproviders_core', '2.6.0'
-# mod 'herculesteam/augeasproviders_pam', '2.2.1'
-# mod 'herculesteam/augeasproviders_ssh', commit: 'e4eee3726d0472cba1d2d66a2d09031f1d100914', git: 'https://github.com/hercules-team/augeasproviders_ssh'
-# mod 'inkblot/ipcalc', '2.2.0'
-# mod 'ncsa/pam_access', tag: 'v1.0.3', git: 'https://github.com/ncsa/puppet-pam_access'
+mod 'herculesteam-augeasproviders', '2.4.1'
+mod 'herculesteam/augeasproviders_base', '2.1.0'
+mod 'herculesteam/augeasproviders_core', '2.6.0'
+mod 'herculesteam/augeasproviders_pam', '2.2.1'
+mod 'herculesteam/augeasproviders_ssh', commit: 'e4eee3726d0472cba1d2d66a2d09031f1d100914', git: 'https://github.com/hercules-team/augeasproviders_ssh'
+mod 'inkblot/ipcalc', '2.2.0'
+# mod 'MiamiOH-pam_access', '1.0.2'
+mod 'ncsa/pam_access', tag: 'v1.0.3', git: 'https://github.com/ncsa/puppet-pam_access'
 mod 'ncsa/profile_additional_packages', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_additional_packages'
 mod 'ncsa/profile_additional_yumrepos', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_additional_yumrepos'
+mod 'ncsa/profile_allow_ssh_from_bastion', tag: 'v0.2.0', git: 'https://github.com/ncsa/puppet-profile_allow_ssh_from_bastion'
 # mod 'ncsa/profile_chrony', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_chrony'
 # mod 'ncsa/profile_email', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_email'
 # mod 'ncsa/profile_firewall', tag: 'v1.0.1', git: 'https://github.com/ncsa/puppet-profile_firewall'
-# mod 'ncsa/profile_pam_access', branch: 'include_pam_access', git: 'https://github.com/ncsa/puppet-profile_pam_access'
+mod 'ncsa/profile_pam_access', tag: 'v0.0.4', git: 'https://github.com/ncsa/puppet-profile_pam_access'
 # mod 'ncsa/profile_puppet_master', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_puppet_master'
 # mod 'ncsa/profile_sudo', tag: 'v0.1.0', git: 'https://github.com/ncsa/profile_sudo'
 # mod 'ncsa/profile_timezone', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_timezone'
-# mod 'ncsa/sshd', tag: 'v0.2.0', git: 'https://github.com/ncsa/puppet-sshd'
-# mod 'ncsa/sssd', tag: 'v3.0.0', git: 'https://github.com/ncsa/puppet-sssd'
+mod 'ncsa/sshd', tag: 'v0.3.0', git: 'https://github.com/ncsa/puppet-sshd'
+mod 'ncsa/sssd', tag: 'v3.0.0', git: 'https://github.com/ncsa/puppet-sssd'
 # mod 'ncsa/telegraf', tag: 'v3.1.1', git: 'https://github.com/ncsa/puppet-telegraf.git'
 # mod 'puppet/epel', '3.0.1'
 # mod 'puppet/python', '4.1.1'
 # mod 'puppet/rsyslog', '5.0.1'
 # mod 'puppetlabs/apt', '7.3.0'
-# mod 'puppetlabs/concat', '6.2.0'
-# mod 'puppetlabs/firewall', '2.5.0'
+mod 'puppetlabs/concat', '6.4.0'
+mod 'puppetlabs/firewall', '2.5.0'
+#mod 'puppetlabs-firewall', '2.8.0'
 # mod 'puppetlabs/inifile', '4.1.0'
 # mod 'puppetlabs/mailalias_core', '1.0.6'
 mod 'puppetlabs/stdlib', '6.3.0'
 # mod 'puppetlabs/translate', '2.1.0'
 # mod 'puppetlabs/xinetd', '3.3.0'
-# mod 'richardc-datacat', '0.6.2'
+mod 'richardc-datacat', '0.6.2'
 # mod 'saz/limits', '3.0.4'
 # mod 'saz/sudo', '6.0.0'
 # mod 'saz/timezone', '6.0.0'
-# mod 'sharumpe/tcpwrappers', '1.0.4'
-# mod 'thrnio-ip', '1.0.1'
-# mod 'woodsbw/augeasfacter', commit: '9aea81311d277ed7ff1e8f2d4f79d13cd25f6ded', git: 'https://github.com/woodsbw/augeasfacter'
+# mod 'sharumpe-tcpwrappers', '1.0.4'
+#mod 'sharumpe-tcpwrappers', tag: '1.0.7', git: 'https://github.com/sharumpe/puppet-tcpwrappers.git'
+#mod 'ffquintella-tcpwrappers', tag: '1.0.7', git: 'https://github.com/ffquintella/puppet-tcpwrappers.git'
+mod 'thrnio-ip', '1.0.1'
+mod 'woodsbw/augeasfacter', commit: '9aea81311d277ed7ff1e8f2d4f79d13cd25f6ded', git: 'https://github.com/woodsbw/augeasfacter'
--- a/README.md
+++ b/README.md
@ -1,5 +1,7 @@
 # A Puppet Control Repository

+![yamllint](https://github.com/ncsa/control-repo/workflows/yamllint/badge.svg)
+
 * [What You Get From This control\-repo](#what-you-get-from-this-control-repo)
 * [Copy This Repo Into Your Own Git Server](#copy-this-repo-into-your-own-git-server)
  * [GitLab](#gitlab)
--- a/data/common.yaml
+++ b/data/common.yaml
@ -1,2 +1,269 @@
 ---
 message: "This node is using common data"
+
+profile::sssd::enablemkhomedir: true
+
+profile_allow_ssh_from_bastion::bastion_nodelist:
+  - "141.142.148.5"
+  - "141.142.236.22"
+  - "141.142.236.23"
+  - "141.142.148.24"
+profile_allow_ssh_from_bastion::groups:
+  - org_asd
+  - org_irst
+
+sssd::debug_level: 0
+sssd::domains:
+  ncsa.illinois.edu:
+    access_provider: "simple"
+    auth_provider: "krb5"
+    cache_credentials: false
+    chpass_provider: "krb5"
+    debug_level: 0
+    enumerate: false
+    id_provider: "ldap"
+    krb5_auth_timeout: 3
+    krb5_lifetime: "25h"
+    krb5_realm: "NCSA.EDU"
+    krb5_renew_interval: 3600
+    krb5_renewable_lifetime: "7d"
+    krb5_use_kdcinfo: false
+    krb5_validate: true
+    ldap_backup_uri:
+      - ldaps://ldap.ncsa.illinois.edu
+      #- ldaps://ldap3.ncsa.illinois.edu
+      #- ldaps://ldap4.ncsa.illinois.edu
+    ldap_group_member: "uniqueMember"
+    ldap_group_search_base: "dc=ncsa,dc=illinois,dc=edu"
+    ldap_schema: "rfc2307bis"
+    ldap_search_base: "dc=ncsa,dc=illinois,dc=edu"
+    #ldap_tls_cacert: "/etc/pki/ca-trust/source/anchors/incommon-ca.pem"
+    # Above not present on CentOS; below one is
+    ldap_tls_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
+    ldap_tls_reqcert: "demand"
+    ldap_uri:
+      - ldaps://ldap1.ncsa.illinois.edu
+      - ldaps://ldap2.ncsa.illinois.edu
+    ldap_user_search_base: "dc=ncsa,dc=illinois,dc=edu"
+    # LEAVE simple_allow_groups BLANK - ncsa/sshd MODULE DYNAMICALLY ADDS GROUPS
+    #simple_allow_groups:
+    simple_deny_groups:
+      - all_disabled_usr
+sssd::services:
+  nss:
+    override_homedir: "/home/%u"
+    shell_fallback: "/bin/bash"
+    allowed_shells:
+      - /usr/ncsa/bin/tcsh
+      - /usr/ncsa/bin/bash
+      - /usr/ncsa/bin/zsh
+      - /bin/csh
+      - /bin/tcsh
+      - /bin/zsh
+    vetoed_shells:
+      - /usr/ncsa/bin/tcsh
+      - /usr/ncsa/bin/bash
+      - /usr/ncsa/bin/zsh
+      - /bin/csh
+    filter_groups:
+      - adm
+      - apache
+      - asmadmin
+      - asmdba
+      - asmoper
+      - audio
+      - avahi
+      - avahi-autoipd
+      - backupdba
+      - bin
+      - cdrom
+      - cgred
+      - chronograf
+      - chrony
+      - condor
+      - conserver
+      - daemon
+      - dba
+      - dbus
+      - dgdba
+      - dhcpd
+      - dialout
+      - dip
+      - disk
+      - docker
+      - elasticsearch
+      - floppy
+      - ftp
+      - games
+      - geoclue
+      - git
+      - gitlab-prometheus
+      - gitlab-psql
+      - gitlab-redis
+      - gitlab-www
+      - grafana
+      - graylog
+      - graylog-web
+      - hsqldb
+      - influxdb
+      - input
+      - kmdba
+      - kmem
+      - ldap
+      - levelone
+      - lock
+      - lp
+      - mail
+      - man
+      - mem
+      - mongod
+      - munge
+      - myproxy
+      - myproxyoauth
+      - mysql
+      - nagios
+      - named
+      - nfsnobody
+      - nobody
+      - nrpe
+      - nscd
+      - ntp
+      - oinstall
+      - oper
+      - oprofile
+      - pdagent
+      - polkitd
+      - postdrop
+      - postfix
+      - postgres
+      - puppet
+      - puppetdb
+      - qserv
+      - qualys
+      - rabbitmq
+      - racdba
+      - redis
+      - root
+      - rpc
+      - rpcuser
+      - saslauth
+      - screen
+      - sfcb
+      - simpleca
+      - slocate
+      - slurm
+      - sshd
+      - ssh_keys
+      - sssd
+      - stapdev
+      - stapsys
+      - stapusr
+      - suiadmin
+      - SupportAssistAdmins
+      - SupportAssistUsers
+      - sys
+      - systemd-bus-proxy
+      - systemd-journal
+      - systemd-network
+      - tape
+      - tcpdump
+      - telegraf
+      - tss
+      - tty
+      - unbound
+      - users
+      - utempter
+      - utmp
+      - video
+      - wheel
+    filter_users:
+      - activemq
+      - adm
+      - apache
+      - avahi
+      - avahi-autoipd
+      - bin
+      - chronograf
+      - chrony
+      - condor
+      - daemon
+      - dbus
+      - docker
+      - elasticsearch
+      - ftp
+      - games
+      - geoclue
+      - grafana
+      - graylog
+      - graylog-web
+      - grid
+      - halt
+      - hsqldb
+      - influxdb
+      - ldap
+      - lp
+      - mail
+      - mongod
+      - munge
+      - myproxy
+      - myproxyoauth
+      - mysql
+      - nagios
+      - nfsnobody
+      - nobody
+      - nrpe
+      - nscd
+      - nslcd
+      - ntp
+      - operator
+      - oprofile
+      - oracle
+      - pdagent
+      - polkitd
+      - postfix
+      - rabbitmq
+      - redis
+      - rsbackup
+      - qserv
+      - qualys
+      - root
+      - rpc
+      - rpcuser
+      - saslauth
+      - shutdown
+      - simpleca
+      - slurm
+      - sshd
+      - sssd
+      - suiadmin
+      - sync
+      - systemd-bus-proxy
+      - systemd-network
+      - tcpdump
+      - telegraf
+      - tomcat
+      - tss
+      - unbound
+      - wireshark
+      # NCSA LDAP users w/ uid below 1000:
+      - acraig
+      - bw
+      - cbushell
+      - ceperley
+      - cox
+      - ferguson
+      - johns
+      - lex
+      - norman
+      - proth
+      - radha
+      - redman
+      - rkufrin
+      - scott
+      - scoyle
+      - straka
+      - svinson
+      - u10956
+      - welge
+      - wicker
+  pam: {}
--- a/site-modules/profile/data/os/RedHat.yaml
+++ b/site-modules/profile/data/os/RedHat.yaml
@ -0,0 +1,3 @@
+---
+profile::sssd::authconfig_pkgs:
+  - authconfig
--- a/site-modules/profile/manifests/base.pp
+++ b/site-modules/profile/manifests/base.pp
@ -3,11 +3,12 @@ class profile::base {

  include ::profile_additional_packages
  include ::profile_additional_yumrepos
+  include ::profile_allow_ssh_from_bastion
 #  include ::profile_email
-#  include ::profile_pam_access
+  include ::profile_pam_access
 #  include ::profile_sudo
 #  include ::profile_timezone
-#  include ::sshd
-#  include ::tcpwrappers
+  include ::profile::sssd
+  include ::sshd

 }
--- a/site-modules/profile/manifests/sssd.pp
+++ b/site-modules/profile/manifests/sssd.pp
@ -0,0 +1,54 @@
+# Configure SSSD for use with LDAP and Kerberos
+#
+# @summary Configure SSSD for use with LDAP and Kerberos
+# Requires ncsa/sssd and bodgit/sssd as dependancy. 
+#
+# @example
+#   include profile::sssd
+class profile::sssd (
+    # PARAMETERS: general
+    Boolean       $enablemkhomedir,
+    Array[String] $authconfig_pkgs,
+    #String        $cacert-content,
+    #String        $cacert-file-path,
+
+) {
+
+    # INSTALL INCOMMON ROOT CA
+    # TODO - make this a paramter, then use a hiera interpolation lookup in hiera
+    #file { ${cacert-file-path} :
+    #    content => "${cacert-content}",
+    #    mode   => '0444',
+    #    before => Service['sssd'],
+    #}
+
+    include ::sssd
+
+    # ENABLE MKHOMEDIR (create homedir on first login)
+    ensure_packages( $authconfig_pkgs )
+    # create appropriate args
+    if $enablemkhomedir {
+        $authconfig_args = ['--enablemkhomedir', '--enablesssd', '--enablesssdauth']
+    }
+    else {
+        $authconfig_args = ['--disablemkhomedir', '--enablesssd', '--enablesssdauth']
+    }
+    $authconfig_args_f = join($authconfig_args, ' ')
+    # run authconfig
+    exec { 'enablesssdauth':
+        path    => '/bin/:/sbin/:/usr/bin/:/usr/sbin/',
+        onlyif  => 'test `grep -i "SSSD" /etc/sysconfig/authconfig | grep "=yes" | wc -l` -lt 2',
+        command => "authconfig ${authconfig_args_f} --updateall", # should we just be using '--update'?
+    }
+
+    # ENSURE SSSD SERVICE IS RESTARTED IF/WHEN ANY KRB5 CFG FILES CHANGE
+#    $krb_cfgfile_data = lookup( 'system_authnz::kerberos::cfg_file_settings',
+#                                Hash,
+#                                'hash' )
+#    # setup a "notify" relationship from filename to service
+#    $krb_cfgfile_data.each() | $filename, $junk | {
+#        File[ $filename ] ~> Class[ '::sssd::service' ]
+#    }
+
+}
+