RealmJoinIntegration » History » Version 5

Dominic Cleal, 10/03/2013 09:48 AM
Guy's work

h1. Realm Join Integration

*This is just sketching out some ideas, it doesn't exist, yet.*

This page covers ideas for joining hosts to FreeIPA realms or Active Directory domains when they're built, using a hypothetical foreman_realm plugin.

h2. DNS management

Related, but not actually realm joining.  Updates to DNS can be made via the normal smart proxy route; however, for both FreeIPA and AD this requires GSS-TSIG support for nsupdate.  This was completed for Foreman 1.2 via #1685.

h2. Realm configuration

foreman_realm should add a Realm model, associate realms with domains, and provide everything needed to manage them.

* model: ForemanRealm::Realm
** associated with domain (one realm to many domains?)
** attribute: realm name
** attribute: proxy id
* controller and views: ForemanRealm::Realms
** index, update, edit, delete realms
* API controller: ForemanRealm::Api::V2::Realms
** index, update, delete realms

A new orchestration hook needs adding to call the proxy (via Foreman's proxy API) if the associated domain has a realm:

* app/models/foreman_realm/orchestration/realm.rb
** include this into Host::Managed
** calls proxy API to add/remove host from realm
** saves OTP into host.params for now, perhaps to a separate model later

Note that host parameters are readable by anyone who can view the host, so the OTP should at least be cleared once the host has joined, even if it stays in host.params for the first iteration.

The "kickstart templates":https://github.com/theforeman/community-templates would need updating to check for @@host.params["realm-otp"]@ or similar, then run the appropriate join command.

To support classes and hostgroups in IPA (see below), additional attributes could be added to Foreman's host groups (or whatever they get replaced with) to define the IPA classes that the host would have when created.

Guy Matz has implemented the orchestration and proxy API bit of this OK: https://github.com/guymatz/foreman/compare/develop...1809-add_IPA_support.  I'm not sure about the controllers and associating realms directly to hosts - needs some thought, perhaps associating with a domain isn't correct either.

h2. Host/computer creation

h3. Proxy support

The proxy should provide an API for creating hosts in realms (or computer objects in AD domains).  As an example:

* POST @/realm/:domain/:hostname@
** param: classes, array of classes to apply to host
* DELETE @/realm/:domain/:hostname@

(http://projects.theforeman.org/projects/smart-proxy/wiki/API)

It should advertise the "Realm" API feature.  Foreman core's proxy API and smart proxy model will need updating to understand this new feature.

Guy Matz has implemented much of this already, complete with vendor/provider support so IPA and other implementations can be swapped: https://github.com/guymatz/smart-proxy/compare/develop...1809-add_IPA_support

h4. FreeIPA

For FreeIPA, this can either call the @ipa host-add@ command or the XMLRPC API that backs it.  Here's an example of creating a user with minimal privileges that can create new hosts: a dedicated role holding only the "add hosts" permission, authenticated from a keytab rather than a password:

<pre>
# kinit admin
# ipa user-add --first=Host --last=Adder hadder

# ipa privilege-add "Add computers" --desc="Add computers"
# ipa privilege-add-permission "Add computers" --permissions="add hosts"

# ipa role-add "Host Adder" --desc="Can add new hosts"
# ipa role-add-privilege "Host Adder" --privilege="Add computers"
# ipa role-add-member "Host Adder" --user=hadder

# ipa-getkeytab -s `hostname` -p hadder@IDM.LAB.BOS.REDHAT.COM -k /root/hadder.keytab
# kinit -kt /root/hadder.keytab hadder@IDM.LAB.BOS.REDHAT.COM
# klist
Ticket cache: DIR::/run/user/0/krb5cc/tkt3GbmCZ
Default principal: hadder@IDM.LAB.BOS.REDHAT.COM    <<<<<

Valid starting       Expires              Service principal
06/14/2013 21:54:06  06/15/2013 21:54:06  krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM
</pre>

Note that @ipa-getkeytab@ generates fresh keys for the principal, so any password previously set on the hadder user stops working; the keytab is then the only credential and should be readable only by the user the proxy runs as.

The hadder user is now privileged to add hosts to IPA (@--force@ skips the check that the name already resolves in DNS, which it may not yet when the host is being built):

<pre>
# ipa host-add random.host.test --random --force
-----------------------------
Added host "random.host.test"
-----------------------------
  Host name: random.host.test
  Random password: K8-5rr0U8vL,
  Password: True
  Keytab: False
  Managed by: random.host.test
</pre>

The random password printed here is the one-time password (OTP) that the proxy would return to Foreman for the host to use when it joins.  The user is unable to perform other administrative tasks, as expected:

<pre>
# ipa host-mod random.host.test --desc=foo
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'description' attribute of entry 'fqdn=random.host.test,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'.
</pre>
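As an added example for both the proxy API sketched under "Proxy support" and the @ipa host-add@ transcript above (this is not code from Foreman, the smart proxy or Guy Matz's branch), here is a minimal Ruby FreeIPA provider of the kind the "Realm" feature would need.  It validates the hostname and class names before they reach @ipa@, builds the @ipa host-add@ / @ipa host-del@ argument vectors as arrays so no shell is involved, and parses the one-time password out of @ipa host-add --random@ output.  The @RealmProvider@ module, the injectable runner lambda and the @demo@ helper are assumptions for this example; the sample output is constructed from the transcript above.

```ruby
# Added example: a FreeIPA provider for a hypothetical smart-proxy "Realm" API.
# Not from Foreman, the smart proxy or Guy Matz's branch; all names are invented.
require 'open3'

module RealmProvider
  class FreeIPA
    # FQDN: dot-separated RFC 1123 labels.  A label can never start with '-',
    # so a hostname can never be parsed by ipa as an option such as --class.
    HOSTNAME_RE = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i
    # userClass values: conservative charset, no leading '-' either.
    CLASS_RE = /\A[a-z0-9_][a-z0-9_.-]{0,63}\z/i

    # runner: callable taking an argv array and returning [stdout, exit_status].
    # The default execs ipa directly via Open3 (argv array, no shell).
    def initialize(runner = nil)
      @runner = runner || ->(argv) { out, _err, st = Open3.capture3(*argv); [out, st.exitstatus] }
    end

    # argv for `ipa host-add <fqdn> --random --force [--class=...]`
    def add_command(hostname, classes = [])
      validate_hostname!(hostname)
      argv = ['ipa', 'host-add', hostname, '--random', '--force']
      classes.each do |c|
        raise ArgumentError, "invalid class #{c.inspect}" unless c.is_a?(String) && c.match?(CLASS_RE)
        argv << "--class=#{c}"
      end
      argv
    end

    def del_command(hostname)
      validate_hostname!(hostname)
      ['ipa', 'host-del', hostname]
    end

    # Pull the OTP out of `ipa host-add --random` output ("  Random password: ...").
    def parse_otp(output)
      m = output.match(/^\s*Random password:[ \t]*(\S.*?)\s*$/)
      raise 'no random password in ipa host-add output' unless m
      m[1]
    end

    # What POST /realm/:domain/:hostname would call; returns the OTP for Foreman.
    def add(hostname, classes = [])
      out, status = @runner.call(add_command(hostname, classes))
      raise "ipa host-add exited #{status}" unless status == 0
      parse_otp(out)
    end

    # What DELETE /realm/:domain/:hostname would call.
    def delete(hostname)
      _out, status = @runner.call(del_command(hostname))
      raise "ipa host-del exited #{status}" unless status == 0
      true
    end

    private

    def validate_hostname!(hostname)
      return if hostname.is_a?(String) && hostname.match?(HOSTNAME_RE)
      raise ArgumentError, "invalid hostname #{hostname.inspect}"
    end
  end
end

# Constructed sample output, copied from the ipa host-add transcript above.
SAMPLE_HOST_ADD_OUTPUT = <<~OUT
  -----------------------------
  Added host "random.host.test"
  -----------------------------
    Host name: random.host.test
    Random password: K8-5rr0U8vL,
    Password: True
    Keytab: False
    Managed by: random.host.test
OUT

# Offline demo: a fake runner records the argv it was given and replays the sample.
def demo
  calls = []
  fake = ->(argv) { calls << argv; [SAMPLE_HOST_ADD_OUTPUT, 0] }
  provider = RealmProvider::FreeIPA.new(fake)
  otp = provider.add('web.example.com', %w[webserver mailserver])
  { otp: otp, argv: calls.first }
end

puts demo.inspect if __FILE__ == $0
```

The two regexes are the important part: the proxy receives the hostname and classes over HTTP from Foreman, and without them a caller could smuggle an extra @ipa@ option (anything starting with @-@) or, if the command were built as a string, shell metacharacters into the privileged hadder session.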

As a later step, classes can be assigned to hosts in IPA to associate them with IPA hostgroups (not to be confused with Foreman host groups).

The attribute is called "userClass" in IPA's LDAP schema; it is available by default on host entries via the @--class@ option.  This is how it works:

1. Create a hostgroup to demonstrate how automatic assignment of hosts to host groups works:

<pre>
# ipa hostgroup-add webservers
Description: web servers
----------------------------
Added hostgroup "webservers"
----------------------------
  Host-group: webservers
  Description: web servers
</pre>

2. Create an automember rule for this hostgroup:

<pre>
# ipa automember-add --type=hostgroup webservers
----------------------------------
Added automember rule "webservers"
----------------------------------
  Automember Rule: webservers
</pre>

3. Hook the automember condition to the host's userclass attribute:

<pre>
# ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver webservers
----------------------------------
Added condition(s) to "webservers"
----------------------------------
  Automember Rule: webservers
  Inclusive Regex: userclass=^webserver
----------------------------
Number of conditions added 1
----------------------------
</pre>

Steps 1, 2 and 3 need to be done just once, when IPA is being configured.

4. Now this is the best part.  When the Foreman proxy adds a host, it can specify the host class, which automatically triggers the hostgroup membership:

<pre>
# ipa host-add web.example.com --force --class=webserver --class=mailserver
----------------------------
Added host "web.example.com"
----------------------------
  Host name: web.example.com
  Principal name: host/web.example.com@EXAMPLE.COM
  Class: webserver, mailserver                    <<<<<<<<<<
  Password: False
  Member of host-groups: webservers               <<<<<<<<<<
  Indirect Member of netgroup: webservers
  Keytab: False
  Managed by: web.example.com
</pre>

Several such rules can be active in parallel.  Since hostgroup (and netgroup) membership can drive HBAC and sudo rules in IPA, whoever can set a host's classes in Foreman effectively controls those memberships; the regex above is only anchored at the start, so a class like "webserver-test" would also match unless the rule is written as @^webserver$@.
h4. Active Directory

For AD, adcli can be used (available in F18+):
* http://fedoraproject.org/wiki/Features/ActiveDirectory
* https://fedoraproject.org/wiki/Features/AnacondaRealmIntegration (has an adcli example)

h3. Foreman support

foreman_realm should add an orchestration step to create and destroy the host object via the proxy.  The OTP used when creating should be stored so that the kickstart can pass it to the join command.

h2. Joining hosts

foreman_realm could add a new %post snippet which uses the "realm" command (part of realmd) to join the host to the specified realm.
* http://www.freedesktop.org/software/realmd/docs/index.html (see joining sections)

For newer versions of Anaconda, we could use this instead (maybe a second snippet):
* https://fedoraproject.org/wiki/Features/AnacondaRealmIntegration

For older releases (EL5/6, F18), it should also support the ipa* client tools, as realm is only just getting FreeIPA support:
* http://fedoraproject.org/wiki/Features/RealmdFreeIpaSupport

Example: @ipa-client-install --password K8-5rr0U8vL,@
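As an added example of the join snippet described in this section (not code from the community templates, foreman_realm or Guy Matz's branch), the Ruby below renders a hypothetical kickstart %post snippet driven by the @realm-otp@ host parameter sketched under "Realm configuration".  It picks @ipa-client-install@ for the older releases listed above (EL5/6, F18) and @realm join --one-time-password@ otherwise, and shell-escapes the OTP before interpolating it, since @ipa host-add --random@ passwords contain punctuation.  The @realm@ host parameter, the @Host@/@OperatingSystem@ structs, the @needs_ipa_client_tools?@ version rule and the @SnippetContext@ renderer are assumptions for this example.

```ruby
# Added example: rendering a hypothetical %post join snippet from host params.
# Not from community-templates or foreman_realm; the 'realm' param, the structs
# and the version cut-off rule are invented for illustration.
require 'erb'
require 'shellwords'

OperatingSystem = Struct.new(:name, :family, :major)
Host = Struct.new(:name, :domain, :params, :operatingsystem)

# Older releases (EL5/6, F18) have no realmd with FreeIPA support, so use
# ipa-client-install there.  The cut-offs (EL < 7, Fedora < 19) are assumptions.
def needs_ipa_client_tools?(os)
  return false unless os.family == 'Redhat'
  os.name == 'Fedora' ? os.major.to_i < 19 : os.major.to_i < 7
end

# ERB snippet in the style of the community kickstart templates.  The OTP is
# shell-escaped once and reused; the whole block is skipped when no OTP was
# stored at host creation.
REALM_JOIN_SNIPPET = <<~'ERB'
  <% if @host.params['realm-otp'] && @host.params['realm'] -%>
  # Join <%= @host.params['realm'] %> with the one-time password minted by the proxy
  <% otp = Shellwords.escape(@host.params['realm-otp']) -%>
  <% if needs_ipa_client_tools?(@host.operatingsystem) -%>
  ipa-client-install --unattended --password <%= otp %> --domain <%= @host.domain %> --realm <%= @host.params['realm'] %>
  <% else -%>
  realm join --unattended --one-time-password=<%= otp %> <%= @host.params['realm'] %>
  <% end -%>
  <% end -%>
ERB

# Stand-in for the template rendering context, exposing @host like Foreman does.
class SnippetContext
  def initialize(host)
    @host = host
  end

  def render(template)
    ERB.new(template, trim_mode: '-').result(binding)
  end
end

def render_join_snippet(host)
  SnippetContext.new(host).render(REALM_JOIN_SNIPPET)
end

# Constructed sample hosts: the OTP is the one from the ipa host-add transcript.
def demo
  params = { 'realm-otp' => 'K8-5rr0U8vL,', 'realm' => 'EXAMPLE.COM' }
  el6 = Host.new('web.example.com', 'example.com', params, OperatingSystem.new('RedHat', 'Redhat', '6'))
  el7 = Host.new('web.example.com', 'example.com', params, OperatingSystem.new('RedHat', 'Redhat', '7'))
  { el6: render_join_snippet(el6), el7: render_join_snippet(el7) }
end

if __FILE__ == $0
  demo.each { |os, snippet| puts "--- #{os} ---", snippet }
end
```

The rendered kickstart is served to the host in cleartext, so the OTP is visible to anything that can fetch the template; that is tolerable only because it is single-use and consumed by the join, which is one more reason to clear @realm-otp@ from the host's parameters once the host has joined.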