

Installs and configures the Choria centralised AAA service


Version information

  • 0.2.0 (latest)
  • 0.1.1
  • 0.1.0
released Dec 23rd 2019
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
  • Puppet >= 4.10.0 < 7.0.0

Start using this module

Add this module to your Puppetfile:

mod 'exaldraen-choria_aaasvc', '0.2.0'

Add this module to your Bolt project:

bolt module add exaldraen-choria_aaasvc

Manually install this module globally with Puppet module tool:

puppet module install exaldraen-choria_aaasvc --version 0.2.0




exaldraen/choria_aaasvc — version 0.2.0 Dec 23rd 2019




This module installs the Choria centralised AAA service, part of the Choria orchestration system.

This service provides an alternative to the traditional certificate-based AAA system provided in Choria and allows you to, for example, use your organization's SSO system to authenticate users.

For more background see the choria blog on this topic.


What choria_aaasvc affects

  • The aaasvc package and its configuration
  • Files in the mcollective libdir.

Setup Requirements

You will need:

  • An up-to-date choria deployment (choria >= 0.13.1)
  • Three sets of certificates for use by aaasvc, as described in the aaasvc documentation

Beginning with choria_aaasvc

  1. Add the choria_aaasvc and choria (from choria/choria) classes to a host
  2. Provision the certificates on the host - this is currently not handled by the module and must be done out of band.
  3. Run puppet on the host
  4. Verify the aaasvc installation using the method described in the docs

Note: the host you install choria_aaasvc on must be able to access the choria release repo or another repo that has the aaasvc package.


Configure MCO client to use AAA svc

  • Add the choria_aaasvc::client class
  • Configure the MCO client to use the AAA service = http://localhost:8080/choria/v1/sign = CHORIA_TOKEN = 1

Configure AAA service to use a static list of users

To configure the AAA service to use a static list of users, we need to configure it to use the userlist authenticator and configure the list of users.

To configure the userlist authenticator, ensure that the authenticator parameter is set to userlist (this is the default):

  authenticator: userlist

To configure the list of users, set the choria_aaasvc::user_config parameter. For example:

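# Each entry is one user known to the userlist authenticator
- username: puppetadmin
  # bcrypt hash of the user's password
  password: "$2y$05$c4b/0WZ5WJ3nhSZPN9m8keCUPlCYtNOTkqU4fDNEPCUy1C9Pfqn2e"
  # actions this user may request
  acls:
    - puppet.*
- username: admin
  password: "....."
  # authorize this user with an Open Policy Agent policy instead of an ACL list
  opa_policy_file: "/etc/choria/signer/common.rego"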

For details on the syntax and contents of the user list file, see the aaasvc docs.
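As an added example (not part of this module or the aaasvc project), the following Python lints a user list of the shape shown above before it is deployed: it flags passwords that are not bcrypt hashes, bcrypt cost factors below a threshold, duplicate usernames, and users with neither `acls` nor `opa_policy_file`. The `acls` key follows the aaasvc user list format; the minimum cost of 10, the function name `audit_users` and the `readonly` entry are assumptions made for the illustration.

```python
import json
import re

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, two-digit cost, 53 chars of salt+hash
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # assumed local policy threshold, not an aaasvc setting


def audit_users(users, min_cost=MIN_COST):
    """Return (username, finding) tuples for a user list, in input order."""
    findings = []
    seen = set()
    for user in users:
        name = user.get("username", "<missing username>")
        if name in seen:
            findings.append((name, "duplicate username"))
        seen.add(name)
        match = BCRYPT_RE.match(str(user.get("password", "")))
        if match is None:
            findings.append((name, "password is not a bcrypt hash"))
        elif int(match.group(1)) < min_cost:
            findings.append((name, f"bcrypt cost {int(match.group(1))} below {min_cost}"))
        # A user needs some authorization source: an ACL list or an OPA policy file.
        if not user.get("acls") and not user.get("opa_policy_file"):
            findings.append((name, "no acls or opa_policy_file"))
    return findings


# Constructed sample: the first two entries mirror the example on this page
# (the "....." password is the page's placeholder); the third entry and its
# hash are made up for illustration.
SAMPLE = json.loads(r"""
[
  {"username": "puppetadmin",
   "password": "$2y$05$c4b/0WZ5WJ3nhSZPN9m8keCUPlCYtNOTkqU4fDNEPCUy1C9Pfqn2e",
   "acls": ["puppet.*"]},
  {"username": "admin", "password": ".....",
   "opa_policy_file": "/etc/choria/signer/common.rego"},
  {"username": "readonly",
   "password": "$2y$12$c4b/0WZ5WJ3nhSZPN9m8keCUPlCYtNOTkqU4fDNEPCUy1C9Pfqn2e"}
]
""")

if __name__ == "__main__":
    for name, finding in audit_users(SAMPLE):
        print(f"{name}: {finding}")
```

Running it as a pre-deployment check keeps placeholder or weakly hashed passwords out of the data passed to `choria_aaasvc::user_config`.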


Only tested on CentOS 7, but should work on any RedHat derivative.