choria_aaasvc

Installs and configures the Choria centralised AAA service

Alexander Hermes (exaldraen)

2,216 downloads (1,406 of the latest version)

5.0 quality score

Version information

  • 0.2.0 (latest), released Dec 23rd 2019
  • 0.1.1
  • 0.1.0

This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
  • Puppet >= 4.10.0 < 7.0.0
  • CentOS, OracleLinux, RedHat, Scientific


exaldraen/choria_aaasvc — version 0.2.0 Dec 23rd 2019

choria_aaasvc

Installs and configures the Choria centralised AAA service

Description

This module installs the Choria centralised AAA service, part of the Choria orchestration system.

This service provides an alternative to the traditional certificate-based AAA system built into Choria and allows you to, for example, use your organization's SSO system to authenticate users.

For more background see the choria blog on this topic.

Setup

What choria_aaasvc affects

  • The aaasvc package and its configuration
  • Files in the mcollective libdir.

Setup Requirements

You will need:

  • An up-to-date choria deployment (choria >= 0.13.1)
  • Three sets of certificates for use by aaasvc, as described in the aaasvc documentation

Beginning with choria_aaasvc

  1. Add the choria_aaasvc and choria (from choria/choria) classes to a host
  2. Provision the certificates on the host; this is currently not handled by the module and must be done out of band.
  3. Run Puppet on the host
  4. Verify the aaasvc installation using the method described in the docs

Note: the host you install choria_aaasvc on must be able to access the choria release repo or another repo that has the aaasvc package.

Usage

Configure the MCO client to use the AAA service

  • Add the choria_aaasvc::client class
  • Configure the MCO client to use the AAA service by adding the following to its configuration:

    plugin.choria.security.request_signer.url = http://localhost:8080/choria/v1/sign
    plugin.choria.security.request_signer.token_environment = CHORIA_TOKEN
    plugin.choria.security.request_signer.force = 1

Configure AAA service to use a static list of users

To configure the AAA service to use a static list of users, we need to configure it to use the userlist authenticator and configure the list of users.

To configure the userlist authenticator, ensure that the authenticator parameter is set to userlist (this is the default):

choria_aaasvc::config:
  authenticator: userlist

To configure the list of users, set the choria_aaasvc::user_config parameter. For example:

choria_aaasvc::user_config:
- username: puppetadmin
  password: "$2y$05$c4b/0WZ5WJ3nhSZPN9m8keCUPlCYtNOTkqU4fDNEPCUy1C9Pfqn2e"
  acls:
  - puppet.*
- username: admin
  password: "....."
  opa_policy_file: "/etc/choria/signer/common.rego"

For details on the syntax and contents of the user list file, see the aaasvc docs.
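As an added example (not part of this module or of aaasvc), the following Python check walks a choria_aaasvc::user_config structure like the one above before it is committed to Hiera: it flags any password that is not a bcrypt hash (the $2y$ form shown above), a bcrypt cost below an assumed policy threshold of 10, users with neither acls nor an opa_policy_file, relative policy paths, and duplicate usernames. The sample entries and the $2y$ placeholder values are constructed for the example.

```python
import re
from typing import Any

# Constructed sample mirroring the choria_aaasvc::user_config shape from the README.
# The $2y$ values are placeholders shaped like bcrypt hashes, not real credentials.
SAMPLE_USER_CONFIG = [
    {"username": "puppetadmin", "password": "$2y$12$" + "a" * 53, "acls": ["puppet.*"]},
    {"username": "admin", "password": "hunter2",            # plaintext: flagged
     "opa_policy_file": "/etc/choria/signer/common.rego"},
    {"username": "ops", "password": "$2y$05$" + "b" * 53},  # low cost, no acls/opa: flagged
]

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, two-digit cost, then 53 chars of salt+digest
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def check_user(user: dict[str, Any], min_cost: int = 10) -> list[str]:
    """Return the problems found in one user entry (empty list means it passed).

    min_cost=10 is an assumed policy threshold, not a value from the module.
    """
    problems = []
    name = user.get("username") or "<missing username>"
    if not user.get("username"):
        problems.append("entry has no username")
    m = BCRYPT_RE.match(str(user.get("password", "")))
    if not m:
        problems.append(f"{name}: password is not a bcrypt hash (plaintext in Hiera?)")
    elif int(m.group(1)) < min_cost:
        problems.append(f"{name}: bcrypt cost {m.group(1)} is below {min_cost}")
    has_acls = bool(user.get("acls"))
    opa = user.get("opa_policy_file")
    if not has_acls and not opa:
        problems.append(f"{name}: neither acls nor opa_policy_file is set")
    if opa and not str(opa).startswith("/"):
        problems.append(f"{name}: opa_policy_file should be an absolute path")
    return problems


def check_user_config(users: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map each username to its problems, also reporting duplicate usernames."""
    report: dict[str, list[str]] = {}
    for user in users:
        name = str(user.get("username"))
        problems = check_user(user)
        if name in report:
            problems.append(f"{name}: duplicate username")
        report[name] = report.get(name, []) + problems
    return report
```

Run it against the data you are about to put under choria_aaasvc::user_config; an empty list for every user means the entries pass these checks.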

Limitations

Only tested on CentOS 7, but it should work on any RedHat derivative.

Development

See CONTRIBUTING.md.