choria_aaasvc
Version information
This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
- Puppet >= 4.10.0 < 7.0.0
Start using this module
Add this module to your Puppetfile:
mod 'exaldraen-choria_aaasvc', '0.2.0'
choria_aaasvc
Installs and configures the Choria centralised AAA service
Table of Contents
Description
This module installs the Choria centralised AAA service, part of the choria orchestration system.
This service provides an alternative to the traditional certificate based AAA system provided in Choria and allows you to e.g. use your organization's SSO system to authenticate users.
For more background see the choria blog on this topic.
Setup
What choria_aaasvc affects
- The aaasvc package and its configuration
- Files in the mcollective libdir
Setup Requirements
You will need:
- An up-to-date choria deployment (choria >= 0.13.1)
- Three sets of certificates for use by aaasvc, as described in the aaasvc documentation
Beginning with choria_aaasvc
- Add the choria_aaasvc and choria (from choria/choria) classes to a host
- Provision the certificates on the host - this is currently not handled by the module and must be done out of band
- Run puppet on the host
- Verify the aaasvc installation using the method described in the docs
Note: the host you install choria_aaasvc on must be able to access the choria release repo or another repo that has the aaasvc package.
Usage
Configure MCO client to use AAA svc
- Add the choria_aaasvc::client class
- Configure the MCO client to use the AAA service:
plugin.choria.security.request_signer.url = http://localhost:8080/choria/v1/sign
plugin.choria.security.request_signer.token_environment = CHORIA_TOKEN
plugin.choria.security.request_signer.force = 1
Configure AAA service to use a static list of users
To configure the AAA service to use a static list of users, we need to configure it to use the userlist authenticator and configure the list of users.
To configure the userlist authenticator, ensure that the authenticator parameter is set to userlist (this is the default):
choria_aaasvc::config:
  authenticator: userlist
To configure the list of users, set the choria_aaasvc::user_config parameter. For example:
choria_aaasvc::user_config:
  - username: puppetadmin
    password: "$2y$05$c4b/0WZ5WJ3nhSZPN9m8keCUPlCYtNOTkqU4fDNEPCUy1C9Pfqn2e"
    acls:
      - puppet.*
  - username: admin
    password: "....."
    opa_policy_file: "/etc/choria/signer/common.rego"
For details on the syntax and contents of the user list file, see the aaasvc docs.
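As an added check that is not part of the module or of aaasvc itself, the following Python script validates choria_aaasvc::user_config data before it is deployed: it flags passwords that are not bcrypt hashes (i.e. probably plaintext), bcrypt cost factors below a floor (MIN_COST of 10 is an assumed local policy value; the example above uses cost 05), users that have neither acls nor opa_policy_file, and duplicate usernames.

```python
from __future__ import annotations
import re

# Added example, not the choria_aaasvc module's own code: a pre-deploy
# sanity check for the choria_aaasvc::user_config array handed to the
# userlist authenticator.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # assumed policy floor; the README example uses cost 05


def check_user(user: dict) -> list[str]:
    """Return the problems found in one user entry (empty list if OK)."""
    problems = []
    name = user.get("username") or "<no username>"
    if name == "<no username>":
        problems.append("entry has no username")
    match = BCRYPT_RE.match(str(user.get("password", "")))
    if match is None:
        # Anything that is not a bcrypt hash is most likely a plaintext
        # password, which must never land in the userlist file.
        problems.append(f"{name}: password is not a bcrypt hash")
    elif int(match.group(1)) < MIN_COST:
        problems.append(f"{name}: bcrypt cost {match.group(1)} below {MIN_COST}")
    acls = user.get("acls")
    has_acls = isinstance(acls, list) and len(acls) > 0
    has_opa = bool(user.get("opa_policy_file"))
    if not (has_acls or has_opa):
        problems.append(f"{name}: neither acls nor opa_policy_file set")
    return problems


def validate_user_config(user_config: list[dict]) -> list[str]:
    """Validate the whole array, adding duplicate-username checks."""
    problems, seen = [], set()
    for user in user_config:
        problems.extend(check_user(user))
        name = user.get("username")
        if name in seen:
            problems.append(f"{name}: duplicate username")
        seen.add(name)
    return problems


# Constructed sample mirroring the README's Hiera data.
SAMPLE_USER_CONFIG = [
    {"username": "puppetadmin",
     "password": "$2y$05$c4b/0WZ5WJ3nhSZPN9m8keCUPlCYtNOTkqU4fDNEPCUy1C9Pfqn2e",
     "acls": ["puppet.*"]},
    {"username": "admin", "password": ".....",
     "opa_policy_file": "/etc/choria/signer/common.rego"},
]
```

Run against the README's own sample, it reports the cost-05 hash on puppetadmin and the "....." placeholder on admin, which is exactly what a reviewer would want to see before that data reaches a host.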
Limitations
Only tested on CentOS 7, but should work on any RedHat derivative.
Development
See CONTRIBUTING.md.
Reference
Table of Contents
Classes
Public Classes
- choria_aaasvc: Installs, configures and manages the Choria AAA system
- choria_aaasvc::client: Configure an MCO client to interact with the Choria AAA svc
Private Classes
- choria_aaasvc::config: Configures the Choria Server
- choria_aaasvc::install: Installs the choria-aaasvc package
- choria_aaasvc::service: Manages the aaasvc service
Classes
choria_aaasvc
Installs, configures and manages the Choria AAA system
- See also https://github.com/choria-io/aaasvc
Examples
include choria_aaasvc
Parameters
The following parameters are available in the choria_aaasvc class.
config_file
Data type: Stdlib::Compat::Absolute_path
Absolute path to the main choria AAA configuration file
choria_config_file
Data type: Stdlib::Compat::Absolute_path
Absolute path to the AAA svc choria config file
config
Data type: Hash
The main configuration for AAA svc
choria_config
Data type: Hash
The choria side configuration for AAA svc
ensure
Data type: Enum['present', 'absent']
Add or remove the software
package_name
Data type: String
The package to install
service_name
Data type: String
Name of the choria AAA service
version
Data type: String
The version of Choria AAA to install
user_config
Data type: Array[Hash]
List of users to configure for the userlist authenticator.
userlist_file
Data type: Stdlib::Compat::Absolute_path
Absolute path to the file containing the list of users.
Note that this is only used if using the userlist authenticator.
choria_aaasvc::client
Configure an MCO client to interact with the Choria AAA svc
Examples
include choria_aaasvc::client
Parameters
The following parameters are available in the choria_aaasvc::client class.
config
Data type: Hash
Changelog
All notable changes to this project will be documented in this file.
Release 0.2.0
Features
- Update default aaasvc version to 0.3.1.
- Support configuration of separate users file for the userlist authenticator
- Add more unit test coverage
Bugfixes
Known Issues
- All certificates and keys need to be provisioned by hand.
Release 0.1.1
Features
- Travis CI build integration with badge.
- Expand README to describe setup / getting started further.
Release 0.1.0
Features
- First working version with very basic setup of config.
Bugfixes
Known Issues
- All certificates and keys need to be provisioned by hand.
Dependencies
- choria/choria (>= 0.13.0 < 2.0.0)
- choria/mcollective (>= 0.4.0 < 2.0.0)
- puppetlabs/stdlib (>= 4.24.0 < 6.0.0)