ASDPLNG-54: Review puppet-profile_allow_ssh_from_bastion

Add basic sssd data for NCSA setup common NCSA settings for SSSD Setup sssd debug_level Add profile hiera data enable and include profile_allow_ssh_from_bastion enable ncsa/sshd added groups for allow_ssh_from_bastion to control repo Remove simple_allow_groups from default sssd and let ssh add them Add default bastion_nodelist to control repo Upgrade concat module include ::pam_access point to latest tag of profile_pam_access point profile_pam_access to topic branch Update to ncsa/sshd v0.3.0 Update profile_allow_ssh_from_bastion to v0.2.0 Update profile_pam_access to v0.0.4
2021-01-29 17:09:50 -06:00 · 2021-01-29 17:09:50 -06:00 · 0e9d96eee7
commit 0e9d96eee7
parent f4f3015939
7 changed files with 364 additions and 20 deletions
--- a/.github/workflows/yamllint.yml
+++ b/.github/workflows/yamllint.yml
@ -0,0 +1,12 @@
 ---
 name: "yamllint"
 on:
  - "push"
  - "pull_request"
 jobs:
  lintAllTheThings:
    runs-on: "ubuntu-latest"
    steps:
      - uses: "actions/checkout@v1"
      - name: "yaml-lint"
        uses: "ibiqlik/action-yamllint@v3"
--- a/39
+++ b/39
@ -1,41 +1,46 @@
 forge 'https://forge.puppet.com'
 # mod 'aboe/chrony', '0.3.2'
-# mod 'bodgit-bodgitlib', '2.0.1'
+mod 'bodgit-bodgitlib', '2.0.1'
 # mod 'bodgit-dbus', '2.0.1'
-# mod 'herculesteam/augeasproviders', '2.4.1'
+mod 'herculesteam-augeasproviders', '2.4.1'
-# mod 'herculesteam/augeasproviders_base', '2.1.0'
+mod 'herculesteam/augeasproviders_base', '2.1.0'
-# mod 'herculesteam/augeasproviders_core', '2.6.0'
+mod 'herculesteam/augeasproviders_core', '2.6.0'
-# mod 'herculesteam/augeasproviders_pam', '2.2.1'
+mod 'herculesteam/augeasproviders_pam', '2.2.1'
-# mod 'herculesteam/augeasproviders_ssh', commit: 'e4eee3726d0472cba1d2d66a2d09031f1d100914', git: 'https://github.com/hercules-team/augeasproviders_ssh'
+mod 'herculesteam/augeasproviders_ssh', commit: 'e4eee3726d0472cba1d2d66a2d09031f1d100914', git: 'https://github.com/hercules-team/augeasproviders_ssh'
-# mod 'inkblot/ipcalc', '2.2.0'
+mod 'inkblot/ipcalc', '2.2.0'
-# mod 'ncsa/pam_access', tag: 'v1.0.3', git: 'https://github.com/ncsa/puppet-pam_access'
+# mod 'MiamiOH-pam_access', '1.0.2'
 mod 'ncsa/pam_access', tag: 'v1.0.3', git: 'https://github.com/ncsa/puppet-pam_access'
 mod 'ncsa/profile_additional_packages', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_additional_packages'
 mod 'ncsa/profile_additional_yumrepos', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_additional_yumrepos'
 mod 'ncsa/profile_allow_ssh_from_bastion', tag: 'v0.2.0', git: 'https://github.com/ncsa/puppet-profile_allow_ssh_from_bastion'
 # mod 'ncsa/profile_chrony', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_chrony'
 # mod 'ncsa/profile_email', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_email'
 # mod 'ncsa/profile_firewall', tag: 'v1.0.1', git: 'https://github.com/ncsa/puppet-profile_firewall'
-# mod 'ncsa/profile_pam_access', branch: 'include_pam_access', git: 'https://github.com/ncsa/puppet-profile_pam_access'
+mod 'ncsa/profile_pam_access', tag: 'v0.0.4', git: 'https://github.com/ncsa/puppet-profile_pam_access'
 # mod 'ncsa/profile_puppet_master', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_puppet_master'
 # mod 'ncsa/profile_sudo', tag: 'v0.1.0', git: 'https://github.com/ncsa/profile_sudo'
 # mod 'ncsa/profile_timezone', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_timezone'
-# mod 'ncsa/sshd', tag: 'v0.2.0', git: 'https://github.com/ncsa/puppet-sshd'
+mod 'ncsa/sshd', tag: 'v0.3.0', git: 'https://github.com/ncsa/puppet-sshd'
-# mod 'ncsa/sssd', tag: 'v3.0.0', git: 'https://github.com/ncsa/puppet-sssd'
+mod 'ncsa/sssd', tag: 'v3.0.0', git: 'https://github.com/ncsa/puppet-sssd'
 # mod 'ncsa/telegraf', tag: 'v3.1.1', git: 'https://github.com/ncsa/puppet-telegraf.git'
 # mod 'puppet/epel', '3.0.1'
 # mod 'puppet/python', '4.1.1'
 # mod 'puppet/rsyslog', '5.0.1'
 # mod 'puppetlabs/apt', '7.3.0'
-# mod 'puppetlabs/concat', '6.2.0'
+mod 'puppetlabs/concat', '6.4.0'
-# mod 'puppetlabs/firewall', '2.5.0'
+mod 'puppetlabs/firewall', '2.5.0'
 #mod 'puppetlabs-firewall', '2.8.0'
 # mod 'puppetlabs/inifile', '4.1.0'
 # mod 'puppetlabs/mailalias_core', '1.0.6'
 mod 'puppetlabs/stdlib', '6.3.0'
 # mod 'puppetlabs/translate', '2.1.0'
 # mod 'puppetlabs/xinetd', '3.3.0'
-# mod 'richardc-datacat', '0.6.2'
+mod 'richardc-datacat', '0.6.2'
 # mod 'saz/limits', '3.0.4'
 # mod 'saz/sudo', '6.0.0'
 # mod 'saz/timezone', '6.0.0'
-# mod 'sharumpe/tcpwrappers', '1.0.4'
+# mod 'sharumpe-tcpwrappers', '1.0.4'
-# mod 'thrnio-ip', '1.0.1'
+#mod 'sharumpe-tcpwrappers', tag: '1.0.7', git: 'https://github.com/sharumpe/puppet-tcpwrappers.git'
-# mod 'woodsbw/augeasfacter', commit: '9aea81311d277ed7ff1e8f2d4f79d13cd25f6ded', git: 'https://github.com/woodsbw/augeasfacter'
+#mod 'ffquintella-tcpwrappers', tag: '1.0.7', git: 'https://github.com/ffquintella/puppet-tcpwrappers.git'
 mod 'thrnio-ip', '1.0.1'
 mod 'woodsbw/augeasfacter', commit: '9aea81311d277ed7ff1e8f2d4f79d13cd25f6ded', git: 'https://github.com/woodsbw/augeasfacter'
--- a/README.md
+++ b/README.md
@ -1,5 +1,7 @@
 # A Puppet Control Repository
 ![yamllint](https://github.com/ncsa/control-repo/workflows/yamllint/badge.svg)
 * [What You Get From This control\-repo](#what-you-get-from-this-control-repo)
 * [Copy This Repo Into Your Own Git Server](#copy-this-repo-into-your-own-git-server)
  * [GitLab](#gitlab)
--- a/data/common.yaml
+++ b/data/common.yaml
@ -1,2 +1,269 @@
 ---
 message: "This node is using common data"
 profile::sssd::enablemkhomedir: true
 profile_allow_ssh_from_bastion::bastion_nodelist:
  - "141.142.148.5"
  - "141.142.236.22"
  - "141.142.236.23"
  - "141.142.148.24"
 profile_allow_ssh_from_bastion::groups:
  - org_asd
  - org_irst
 sssd::debug_level: 0
 sssd::domains:
  ncsa.illinois.edu:
    access_provider: "simple"
    auth_provider: "krb5"
    cache_credentials: false
    chpass_provider: "krb5"
    debug_level: 0
    enumerate: false
    id_provider: "ldap"
    krb5_auth_timeout: 3
    krb5_lifetime: "25h"
    krb5_realm: "NCSA.EDU"
    krb5_renew_interval: 3600
    krb5_renewable_lifetime: "7d"
    krb5_use_kdcinfo: false
    krb5_validate: true
    ldap_backup_uri:
      - ldaps://ldap.ncsa.illinois.edu
      #- ldaps://ldap3.ncsa.illinois.edu
      #- ldaps://ldap4.ncsa.illinois.edu
    ldap_group_member: "uniqueMember"
    ldap_group_search_base: "dc=ncsa,dc=illinois,dc=edu"
    ldap_schema: "rfc2307bis"
    ldap_search_base: "dc=ncsa,dc=illinois,dc=edu"
    #ldap_tls_cacert: "/etc/pki/ca-trust/source/anchors/incommon-ca.pem"
    # Above not present on CentOS; below one is
    ldap_tls_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
    ldap_tls_reqcert: "demand"
    ldap_uri:
      - ldaps://ldap1.ncsa.illinois.edu
      - ldaps://ldap2.ncsa.illinois.edu
    ldap_user_search_base: "dc=ncsa,dc=illinois,dc=edu"
    # LEAVE simple_allow_groups BLANK - ncsa/sshd MODULE DYNAMICALLY ADDS GROUPS
    #simple_allow_groups:
    simple_deny_groups:
      - all_disabled_usr
 sssd::services:
  nss:
    override_homedir: "/home/%u"
    shell_fallback: "/bin/bash"
    allowed_shells:
      - /usr/ncsa/bin/tcsh
      - /usr/ncsa/bin/bash
      - /usr/ncsa/bin/zsh
      - /bin/csh
      - /bin/tcsh
      - /bin/zsh
    vetoed_shells:
      - /usr/ncsa/bin/tcsh
      - /usr/ncsa/bin/bash
      - /usr/ncsa/bin/zsh
      - /bin/csh
    filter_groups:
      - adm
      - apache
      - asmadmin
      - asmdba
      - asmoper
      - audio
      - avahi
      - avahi-autoipd
      - backupdba
      - bin
      - cdrom
      - cgred
      - chronograf
      - chrony
      - condor
      - conserver
      - daemon
      - dba
      - dbus
      - dgdba
      - dhcpd
      - dialout
      - dip
      - disk
      - docker
      - elasticsearch
      - floppy
      - ftp
      - games
      - geoclue
      - git
      - gitlab-prometheus
      - gitlab-psql
      - gitlab-redis
      - gitlab-www
      - grafana
      - graylog
      - graylog-web
      - hsqldb
      - influxdb
      - input
      - kmdba
      - kmem
      - ldap
      - levelone
      - lock
      - lp
      - mail
      - man
      - mem
      - mongod
      - munge
      - myproxy
      - myproxyoauth
      - mysql
      - nagios
      - named
      - nfsnobody
      - nobody
      - nrpe
      - nscd
      - ntp
      - oinstall
      - oper
      - oprofile
      - pdagent
      - polkitd
      - postdrop
      - postfix
      - postgres
      - puppet
      - puppetdb
      - qserv
      - qualys
      - rabbitmq
      - racdba
      - redis
      - root
      - rpc
      - rpcuser
      - saslauth
      - screen
      - sfcb
      - simpleca
      - slocate
      - slurm
      - sshd
      - ssh_keys
      - sssd
      - stapdev
      - stapsys
      - stapusr
      - suiadmin
      - SupportAssistAdmins
      - SupportAssistUsers
      - sys
      - systemd-bus-proxy
      - systemd-journal
      - systemd-network
      - tape
      - tcpdump
      - telegraf
      - tss
      - tty
      - unbound
      - users
      - utempter
      - utmp
      - video
      - wheel
    filter_users:
      - activemq
      - adm
      - apache
      - avahi
      - avahi-autoipd
      - bin
      - chronograf
      - chrony
      - condor
      - daemon
      - dbus
      - docker
      - elasticsearch
      - ftp
      - games
      - geoclue
      - grafana
      - graylog
      - graylog-web
      - grid
      - halt
      - hsqldb
      - influxdb
      - ldap
      - lp
      - mail
      - mongod
      - munge
      - myproxy
      - myproxyoauth
      - mysql
      - nagios
      - nfsnobody
      - nobody
      - nrpe
      - nscd
      - nslcd
      - ntp
      - operator
      - oprofile
      - oracle
      - pdagent
      - polkitd
      - postfix
      - rabbitmq
      - redis
      - rsbackup
      - qserv
      - qualys
      - root
      - rpc
      - rpcuser
      - saslauth
      - shutdown
      - simpleca
      - slurm
      - sshd
      - sssd
      - suiadmin
      - sync
      - systemd-bus-proxy
      - systemd-network
      - tcpdump
      - telegraf
      - tomcat
      - tss
      - unbound
      - wireshark
      # NCSA LDAP users w/ uid below 1000:
      - acraig
      - bw
      - cbushell
      - ceperley
      - cox
      - ferguson
      - johns
      - lex
      - norman
      - proth
      - radha
      - redman
      - rkufrin
      - scott
      - scoyle
      - straka
      - svinson
      - u10956
      - welge
      - wicker
  pam: {}
--- a/site-modules/profile/data/os/RedHat.yaml
+++ b/site-modules/profile/data/os/RedHat.yaml
@ -0,0 +1,3 @@
 ---
 profile::sssd::authconfig_pkgs:
  - authconfig
--- a/site-modules/profile/manifests/base.pp
+++ b/site-modules/profile/manifests/base.pp
@ -3,11 +3,12 @@ class profile::base {
  include ::profile_additional_packages
  include ::profile_additional_yumrepos
  include ::profile_allow_ssh_from_bastion
 #  include ::profile_email
-#  include ::profile_pam_access
+  include ::profile_pam_access
 #  include ::profile_sudo
 #  include ::profile_timezone
-#  include ::sshd
+  include ::profile::sssd
-#  include ::tcpwrappers
+  include ::sshd
 }
--- a/site-modules/profile/manifests/sssd.pp
+++ b/site-modules/profile/manifests/sssd.pp
@ -0,0 +1,54 @@
 # Configure SSSD for use with LDAP and Kerberos
 #
 # @summary Configure SSSD for use with LDAP and Kerberos
 # Requires ncsa/sssd and bodgit/sssd as dependancy. 
 #
 # @example
 #   include profile::sssd
 class profile::sssd (
    # PARAMETERS: general
    Boolean       $enablemkhomedir,
    Array[String] $authconfig_pkgs,
    #String        $cacert-content,
    #String        $cacert-file-path,
 ) {
    # INSTALL INCOMMON ROOT CA
    # TODO - make this a paramter, then use a hiera interpolation lookup in hiera
    #file { ${cacert-file-path} :
    #    content => "${cacert-content}",
    #    mode   => '0444',
    #    before => Service['sssd'],
    #}
    include ::sssd
    # ENABLE MKHOMEDIR (create homedir on first login)
    ensure_packages( $authconfig_pkgs )
    # create appropriate args
    if $enablemkhomedir {
        $authconfig_args = ['--enablemkhomedir', '--enablesssd', '--enablesssdauth']
    }
    else {
        $authconfig_args = ['--disablemkhomedir', '--enablesssd', '--enablesssdauth']
    }
    $authconfig_args_f = join($authconfig_args, ' ')
    # run authconfig
    exec { 'enablesssdauth':
        path    => '/bin/:/sbin/:/usr/bin/:/usr/sbin/',
        onlyif  => 'test `grep -i "SSSD" /etc/sysconfig/authconfig | grep "=yes" | wc -l` -lt 2',
        command => "authconfig ${authconfig_args_f} --updateall", # should we just be using '--update'?
    }
    # ENSURE SSSD SERVICE IS RESTARTED IF/WHEN ANY KRB5 CFG FILES CHANGE
 #    $krb_cfgfile_data = lookup( 'system_authnz::kerberos::cfg_file_settings',
 #                                Hash,
 #                                'hash' )
 #    # setup a "notify" relationship from filename to service
 #    $krb_cfgfile_data.each() | $filename, $junk | {
 #        File[ $filename ] ~> Class[ '::sssd::service' ]
 #    }
 }