
choria_aaasvc

Installs and configures the Choria centralised AAA service


Version information

  • 0.2.0 (latest)
  • 0.1.1
  • 0.1.0
released Dec 23rd 2019
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
  • Puppet >= 4.10.0 < 7.0.0

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'exaldraen-choria_aaasvc', '0.2.0'

Add this module to your Bolt project:

bolt module add exaldraen-choria_aaasvc

Manually install this module globally with Puppet module tool:

puppet module install exaldraen-choria_aaasvc --version 0.2.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.


Documentation

exaldraen/choria_aaasvc — version 0.2.0 Dec 23rd 2019

choria_aaasvc


Installs and configures the Choria centralised AAA service


Description

This module installs the Choria centralised AAA service, part of the Choria orchestration system.

This service provides an alternative to the traditional certificate based AAA system provided in Choria and allows you to e.g. use your organization's SSO system to authenticate users.

For more background see the choria blog on this topic.

Setup

What choria_aaasvc affects

  • The aaasvc package and its configuration
  • Files in the mcollective libdir.

Setup Requirements

You will need:

  • An up-to-date choria deployment (choria >= 0.13.1)
  • Three sets of certificates for use by aaasvc, as described in the aaasvc documentation

Beginning with choria_aaasvc

  1. Add the choria_aaasvc and choria (from choria/choria) classes to a host
  2. Provision the certificates on the host - this is currently not handled by the module and must be done out of band.
  3. Run puppet on the host
  4. Verify the aaasvc installation using the method described in the docs

Note: the host you install choria_aaasvc on must be able to access the choria release repo or another repo that has the aaasvc package.

Usage

Configure MCO client to use AAA svc

  • Add the choria_aaasvc::client class
  • Configure the MCO client to use the AAA service
plugin.choria.security.request_signer.url = http://localhost:8080/choria/v1/sign
plugin.choria.security.request_signer.token_environment = CHORIA_TOKEN
plugin.choria.security.request_signer.force = 1

Configure AAA service to use a static list of users

To configure the AAA service to use a static list of users, we need to configure it to use the userlist authenticator and configure the list of users.

To configure the userlist authenticator, ensure that the authenticator parameter is set to userlist (this is the default):

choria_aaasvc::config:
  authenticator: userlist

To configure the list of users, set the choria_aaasvc::user_config parameter. For example:

choria_aaasvc::user_config:
- username: puppetadmin
  password: "$2y$05$c4b/0WZ5WJ3nhSZPN9m8keCUPlCYtNOTkqU4fDNEPCUy1C9Pfqn2e"
  acls:
  - puppet.*
- username: admin
  password: "....."
  opa_policy_file: "/etc/choria/signer/common.rego"

For details on the syntax and contents of the user list file, see the aaasvc docs.
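A pre-deployment check for the user list shown above, as an added example that is not part of the module or of aaasvc: it parses Hiera data and flags entries whose password is not a bcrypt hash, whose bcrypt cost is low, or whose username is missing or repeated. The function name, the MIN_COST threshold and the sample entries other than puppetadmin are assumptions made for illustration; that passwords are bcrypt hashes is inferred from the sample value above.

```ruby
require 'yaml'

# Shape of a bcrypt hash: $2a/$2b/$2y, two-digit cost, 53 chars of salt+digest.
BCRYPT_RE = /\A\$2[aby]\$(\d{2})\$[.\/A-Za-z0-9]{53}\z/
MIN_COST  = 10 # assumed local policy threshold, not an aaasvc requirement

# Constructed sample data: puppetadmin is the entry from this page, the
# other two entries (and their password values) are made up for the example.
SAMPLE_HIERA = <<~YAML
  choria_aaasvc::user_config:
  - username: puppetadmin
    password: "$2y$05$c4b/0WZ5WJ3nhSZPN9m8keCUPlCYtNOTkqU4fDNEPCUy1C9Pfqn2e"
    acls:
    - puppet.*
  - username: operator
    password: "changeme"
    opa_policy_file: "/etc/choria/signer/common.rego"
  - username: deploy
    password: "$2y$12$#{'x' * 53}"
    acls:
    - puppet.*
YAML

# Returns an array of "username: problem" strings; empty means no findings.
def audit_user_config(hiera_yaml)
  data  = YAML.safe_load(hiera_yaml) || {}
  users = data.fetch('choria_aaasvc::user_config', [])
  seen  = {}
  users.each_with_index.flat_map do |user, idx|
    name  = user['username'].to_s
    label = name.empty? ? "entry #{idx}" : name
    problems = []
    problems << 'missing username' if name.empty?
    problems << 'duplicate username' if seen[name]
    seen[name] = true
    match = BCRYPT_RE.match(user['password'].to_s)
    if match.nil?
      # Plaintext or some other hash format ended up in the data file.
      problems << 'password is not a bcrypt hash'
    elsif match[1].to_i < MIN_COST
      problems << "bcrypt cost #{match[1].to_i} is below #{MIN_COST}"
    end
    problems.map { |p| "#{label}: #{p}" }
  end
end

puts audit_user_config(SAMPLE_HIERA) if __FILE__ == $PROGRAM_NAME
```

Run against the real Hiera file in CI before the data reaches the Puppet server, and fail the job when the returned list is not empty.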

Limitations

Only tested on CentOS 7, but should work on any RedHat derivative.

Development

See CONTRIBUTING.md.